FORUM: Mitigating fraud exposure arising from overseas operations
August 2013 | SPECIAL REPORT: WHITE-COLLAR CRIME
Financier Worldwide Magazine
FW moderates a discussion on overseas fraud exposure between Jerry Oldham at 1stWEST Financial Corporation, Michael Couzens at Baker Hughes US LLP, Luke Tolaini at Clifford Chance, and Robertson T. Park at Murphy & McGonigle.
FW: In light of reduced budgets and associated cutbacks in internal controls, how can business leaders ensure they do not leave their organisations vulnerable to fraud arising from overseas operations?
Oldham: Business leaders should not cut back their internal controls relating to this important subject with regard to their overseas operations. The level of due diligence and internal controls that are established to prevent domestic fraud should be in place relative to overseas activities.
Couzens: While budgets may have been reduced I would argue that this has not always led to cutbacks in internal controls. Further, the challenge of fraud is not unique to overseas operations. To avoid leaving themselves vulnerable, a robust multi-dimensional fraud prevention program, with both proactive and reactive measures and controls, that are risk-based and intelligence led, should be implemented. Setting the ‘tone at the top’, upholding the company’s core values and reinforcing the commitment to fighting fraud will retain focus. Optimising the available resources – such as line management, security, finance, internal audit, compliance, treasury, legal – and utilising fraud detection and data analytical tools should be sufficient to deliver an effective program. Other key areas to consider are the training of middle managers, selecting and rewarding successful managers in the highest risk countries, and supporting robust reporting systems with no retaliation.
Tolaini: Organisations may, on a superficial analysis, regard continuing and increasing expenditure on fraud prevention and compliance functions as an unnecessary cost. However, to do so underestimates the potentially significant financial, commercial and reputational consequences of becoming involved in fraud. Firms should regard investment in robust and suitable systems and controls as a necessary investment – and indeed, one which may result in a net saving. Quite apart from the heightened risk of becoming a victim of fraud associated with recessionary times, which often does not crystallise until well into the recovery, organisations – particularly those regulated by the Financial Conduct Authority in the UK or other financial services regulators overseas – should bear in mind their obligations to guard against becoming involved in or being used to facilitate financial crime. That said, fraud prevention is a process involving the deployment of resources on a risk basis. Straitened economic times bring more difficult judgments as to where best organisations’ resources should be applied.
Park: Proactive and targeted use of risk assessment tools is the most effective way to implement fulsome compliance programs and internal controls in any business environment, but it is even more critical in an environment of reduced budgets coupled with increased reliance on technology. Risk assessment is the genesis of compliance, and it informs companies about where limited resources can and should be applied. Businesses must constantly assess their risks – whether they arise under the FCPA, UK or other anti-bribery laws; anti-money laundering (AML) provisions and related sanctions issues, antitrust and cartel concerns, or other business misconduct regimes. Prudent use of limited compliance and audit resources begins with intelligent risk assessment.
FW: Although improving, emerging markets are commonly associated with fraud and corruption. To what extent is the risk of fraud heightened for companies with operations in these markets?
Couzens: With reports such as Transparency International’s Corruptions Perception Index and the World Bank Group’s Ease of Doing Business, and some well documented cases where multinational companies have received significant fines, I think there is certainly a heightened awareness of the fraud and corruption risks in some countries. It is fair to say that a number of countries still have some way to go and, in these markets, management recognise the potential fraud and corruption risks and ensure that these are mitigated through the implementation of appropriate controls. Awareness and compliance campaigns are also more likely to be targeted on these countries and possibly supplemented by more frequent internal audits.
Tolaini: Risks, not only from the perspective of avoiding becoming a victim of fraud, but also from the perspective of avoiding unwitting involvement in fraud, corruption or money laundering, will clearly always be higher in some geographical areas than others. Firms operating in the ‘regulated sector’ for the purposes of anti-money laundering legislation are obliged to assess the risks of doing business in or with different jurisdictions. This information is clearly applicable to, and may also be used to identify and mitigate the risks of becoming involved in or a victim of fraud.
Park: Companies with operations in emerging markets must consider this fact alone – a red flag that informs their operations. As these markets mature and foreign business investment gets its footing, the environment likely will continue to improve gradually; but the ‘present’ provides enormous risks for companies, and they must be prepared accordingly. That means that companies need to consider the costs associated with being compliant with laws like the FCPA or the UK Anti-Bribery Act as part of their business plan for that market, recognising the broad extraterritorial reach of both of these laws. Sufficient resources must be made available to monitor activities in the market, keeping in mind all of the fraud or bribery tripwires that are most relevant to an individual company’s operations. At the very least, companies must devote more anti-bribery resources to emerging markets because anti-bribery enforcement officials will expect them to do so. Enforcement officials will want to see that a company has devoted sufficient attention to areas perceived as being a greater threat for corruption, regardless of any progress the emerging market country may have achieved.
Oldham: Emerging markets should be managed with the same care and due diligence as non-emerging markets. If handled this way, then the risk of fraud will not be heightened. The challenge is that emerging markets don’t always have the same conscience and legal recourse in place to handle fraud and corruption.
FW: In your opinion, are governments in emerging markets doing enough to tackle the underlying causes of corporate fraud within their countries? Is the onus always on multinational companies to take preventative measures?
Park: The first question begs an assessment that is too general. There are certainly developing countries that have made significant efforts to try to address established and longstanding deficiencies in their laws and enforcement programs to root out corporate fraud and corruption. This process has been assisted in part through the momentum provided by the OECD Conventions on Anti-Bribery and Corporate Governance. There are a number of other developing countries that remain mired in government systems which perpetuate fraud and corruption. However, regardless of whatever progress governments have made or have not made, the onus will remain on companies entering these challenging markets to take the steps necessary to insulate their operations from the endemic fraud and corruption. It is simply not a prudent option for companies to ignore the increased potential exposure to business misconduct in these markets due to misguided reliance on improved efforts by local governments.
Oldham: The onus is on multinational companies to take preventive measures because, as already indicated, emerging markets don’t always have in place the same conscience and legal processes to provide legal recourse against possible fraud offenders.
Couzens: As emerging markets seek to attract greater levels of foreign direct investment and investment from multinational companies, there is a growing recognition that transparency, governance, the rule of law, and regulations are essential. Some countries are more advanced than others. I would, however, point out that corporate fraud is not unique to emerging markets and often happens in what may be perceived as developed markets; indeed greater opportunity may exist in these ‘mature markets’. Across the board there are opportunities for governments to do more to tackle corporate fraud. The best approach is for us to work together to develop the controls, share best practices, promote transparency, create trust, develop governance frameworks, and support local law enforcement efforts.
FW: What role do cultural factors play in overseas fraud exposure? What steps can firms take to address this issue, and proactively change ingrained behaviour andmindsets?
Tolaini: Different countries treat fraud risk with differing levels of seriousness. Often practices which are permissible in one country will amount to offences or give rise to potential causes of action in others. Similarly, the degree of sympathy shown by government authorities and courts to organisations who may be victims of, or in some cases unwitting participants in, unlawful activity varies according to political, cultural and other factors. It is incumbent upon organisations to ensure that they protect themselves against the particular risks associated with doing business in different jurisdictions.
Park: Cultural factors and habits can play a substantial role in differentiating the approach that businesses must take in managing operations in different markets. Family relationships often assume an outsized importance in certain markets, while gift-giving practices that are central in certain cultures can run afoul of anti-bribery laws and corresponding corporate policies. Navigating these nuanced cultural issues can often pose some of the most difficult and challenging problems for compliance and audit professionals who are trying to implement programs and procedures that will prevent fraud and corruption. Firms must be transparent with sales and other staff resident in countries with these cultural factors that impact operations. Because, just as it is likely ineffective to impose different cultural values and insist that they be observed, it is also problematic to simply accept that ‘things are different here’ and ignore the risks of business misconduct posed by certain practices and habits. It is here that compliance professionals must engage directly with local staff and discuss the best ways to respect local cultural values and norms while protecting the company from adverse enforcement actions. This can be done.
Oldham: Changing ingrained behaviour and mindsets is not easy, especially without proper legal recourse in place to prosecute alleged offenders.
Couzens: Sadly, cultural factors do continue to contribute towards fraud exposure in some countries where ‘graft’ has been a way of life and where the internal processes and controls have not yet matured. The problem may be exacerbated where banking and payment systems are immature and cash is widely used for transactions. In such places, the risks to an organisation can be high. There are a number of steps that firms can take to mitigate the risks and change mindsets; these include the promotion of the company’s core values, education and awareness programs, compliance programs, a zero tolerance towards fraud and bribery and robust consequence management, due diligence, pre-employment screening, appropriate reward and recognition, opportunities for local content, corporate social responsibility schemes, hotlines and reporting mechanisms, fraud prevention training and the communication of red flags. Attention should also be paid to vendor selection processes and robust purchasing systems. Some companies may wish to consider lobbying for the introduction of tighter regulatory frameworks, promotion of more advanced payment systems, the avoidance of cash-only transactions and the introduction of contractual agreements with partners and vendors that set out certain expectations on doing business.
FW: Companies with overseas operations are often concerned about potential financial losses arising from unscrupulous business partners. What steps should firms take when forming relationships with third-parties overseas?
Oldham: Firms should always conduct a background investigation when forming relationships with third-parties overseas, and disclose to the third-parties that they are doing so.
Couzens: It is key that appropriate due diligence is conducted of potential business partners, suppliers, agents and vendors before business arrangements are formalised. A thorough approach that examines the partner’s risk profile, internal controls, governance framework, internal structure and ownership, compliance program and investigation history will reduce risk to your own organisation and avoid future shocks. It is also advisable to conduct subsequent audits of business partners to assure continued compliance, transparency and the maintenance of high standards. It is also worth establishing what pre-employment – if permitted – arrangements exist within the prospective business partner. There are also regulatory requirements such as the FCPA and the UK’s Bribery Act that necessitate that we ‘know’ our foreign partners.
Tolaini: It will clearly always be preferable to conduct thorough due diligence on potential business partners rather than to litigate after the event or, worse, to become embroiled in unlawful activity. Effective due diligence on potential business partners will usually involve organisations not only examining the documents and information they provide, but also undertaking – and just as importantly, keeping a clear record of – separate research using independent and verifiable sources.
Park: The third-party due diligence which is required of companies by enforcement authorities and their own businesses’ self-interest has expanded exponentially. Recent joint guidance from the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) on the FCPA highlights the expectations in the anti-bribery space, but there is a broader need for companies to approach their relationships with vendors, distributors, agents, and joint venture partners with care and caution. Transparency is the key element for companies in assessing the potential risks posed by a third-party partner. The more a company knows about a partner and its practices, the less likely it has taken on an unexpected risk. Business partners, of whatever sort and for whatever purpose, should be subject to careful pre-engagement vetting, and must then be bound to the same policies, procedures and legal requirements which the business follows and observes. Businesses typically are very good at identifying the ‘bottom line’ advantages or disadvantages of business relationships with potential partners, but they are often inattentive to the collateral risks which may flow from these relationships. Again, through the prism of risk assessment, businesses must consider what is necessary to bind their partners to the same good governance and compliance practices which are implemented to protect the company from exposure to fraud and corruption investigations.
FW: What action should be taken when fraudulent behaviour is detected in a firm’s overseas operations? What steps should firms take when liaising with and assisting foreign authorities in these situations?
Couzens: When fraudulent behaviour is detected, management should conduct a thorough, objective internal investigation to determine what went wrong and take appropriate remedial actions. Remedial actions include any necessary disciplinary actions and addressing any weaknesses in internal controls. Any lessons learned should also be shared throughout the organisation. This type of investigation will also serve the company well later, if they are ever questioned in a legal setting about what actions were taken. Consideration should be given to contracting outside legal counsel for guidance regarding interacting with foreign authorities, law enforcement or legal entities.
Tolaini: Firms’ local obligations vary from country to country. However, as a general principle, where fraudulent behaviour is uncovered, preserving relevant evidence, protecting its reputation and keeping the firm’s options open will always be the immediate priorities. The firm should take steps to ensure that all documents which are relevant, or which may become relevant, to any proceedings are preserved. Beyond these general considerations, effective preparation and local knowledge are key. Firms should ensure that key individuals are designated with responsibility for preventing, detecting and dealing with fraud in every jurisdiction in which the company operates. When dealing with investigating authorities, organisations must take care to balance providing assistance, information, and documents and maintaining a constructive dialogue with investigators with any obligations of confidentiality owed to customers or others. Organisations, and in some cases their senior managers and other individuals associated with them, should also keep a careful track of how they are perceived by the authority concerned – for instance, are they being treated as a suspect or a witness?
Park: Not unlike the medical profession, whose first admonition is to do no harm, the initial action by a business when presented with potential misconduct in its overseas operations should be to halt the misconduct and protect the integrity of its investigation. Companies must work quickly to identify the problem and its location or locations, determine the scope of the problem, and then put in place directions which stop the practice and protect the integrity of the information and data relevant to the matter. These are by no means necessarily simple or easy tasks, but they enable the business to stabilise the patient and then determine the best way to proceed. The quick preservation and protection of data, consistent with relevant data protection laws, suits the dual purposes of preparing the company for its own internal review of the matter, and also positions the company for the parallel determination regarding disclosure to relevant authorities. Should the business determine that it is in their interest to provide a disclosure or disclosures to competent government authorities, the key terms are candour and transparency. This is not to say that the business must share everything or abandon privilege, but insofar as the choice is made to cooperate with the authorities – and there may well be several – the business must establish a record that it is being direct and candid, and that will let all involved government authorities know about factual developments and their investigative progress.
Oldham: The answer to this varies based upon the laws in foreign countries. Companies should seek legal counsel and comply according to what is permitted by law.
FW: Are you seeing a rising demand for asset tracing services to identify and recover the proceeds of corporate fraud in overseas jurisdictions? What challenges tend to surface in this field?
Tolaini: Demand in this area continues to rise. Identifying, locating and effectively serving proceedings on individuals holding the proceeds of corporate fraud remain the major challenges in this area.
Park: All government authorities with responsibility for asset tracing and recovery have become more aggressive and sophisticated in their operations. At the same time, private organisations and businesses devoted to providing these services, beyond the traditional large accounting firms, have proliferated. The Department of Justice – always a sophisticated enforcement and criminal authority in asset forfeiture – now has a unit devoted to locating and repatriating criminally derived assets to nations whose public officials have taken bribes and invested those assets in the US. In the private sector, entire forensics practices have been devoted to serving asset recovery undertakings by Trustees appointed to recover moneys for victimised investors. Asset tracing and recovery is a booming growth industry, and an area of concern for multinational businesses. The challenge lies primarily in the obligation that multinational companies have to monitor the movement of their own assets, insofar as this provides the basis for their own compliance programs, and then be able to preserve the records of their asset flow for regulatory and government authorities.
Oldham: I am not actually seeing rising demand for these services, but the challenges, again, are based upon the legal authority established in foreign countries to pursue assets, to recover the proceeds of corporate fraud in overseas jurisdictions.
Couzens: The tone at the top in many companies is increasingly supportive of governance, transparency and efficiency. Companies are also committed to compliance with anti-bribery and corruption laws. Improvements in technology and cooperation among governments and financial institutions have also strengthened the ability to trace fund movements. As a result of these forces, a higher number of cases are being investigated and asset tracing services are in higher demand. The challenge in asset tracing is that newer methods to hide assets are developed as older methods become known to investigators. The time it takes to accomplish asset tracing is critical and can significantly impact the ultimate collection, because relevant assets can be more difficult to locate with the passage of time. Other challenges include the cost and control over the recovery process especially when involvement of the local prosecutors is needed in overseas jurisdictions.
FW: What key steps should organisations take to implement and maintain a robust fraud risk assessment process, with appropriate internal controls?
Park: The best and most effective fraud risk assessment process derives from a careful and objective review of the specific risks in business operations. It also begins and ends with intelligent questions that inform the creation of best practices and procedures. Where does the company operate, and are there substantial operations in corruption hotspots? Will the company be required to engage key local partners to enter the market? How do we train pharmaceutical sales personnel to understand that their routine business interactions will all be with government personnel? Who are the sophisticated, high dollar clientele for a bank or financial services company, and how do they challenge existing AML and BSA procedures? What protections and procedures are in place to prevent a bank’s use as a conduit for sanctions regime accounts or funds? The answers to these questions provide an institutional road map for ongoing and living risk assessment programs to mitigate fraud. Once a company has carefully evaluated the specific risks it faces, it then must commit to serious training which penetrates throughout operations through in person sessions, webinars, web based modules; clearly written and translated policies and procedures which recognise local issues; and tone from the top loudly and routinely reiterated by senior management.
Oldham: Companies should have a fraud control procedure and internal controls at every level of their organisation, whether operating domestically or overseas.
Couzens: The fraud risk assessment’s purpose is to identify and prioritise areas that pose a higher risk of fraud. When executing a fraud risk assessment, management must understand the fraud risk environment – pressure, opportunity and rationalisation – the company operates in. Management should also evaluate and identify the potential instances and schemes of fraud that could involve asset misappropriation, misstatement of financials and bribery and corruption. The next proactive step is to identify and monitor internal controls to mitigate the risks. Action plans should be developed to evaluate and document the controls that mitigate any fraud risks found during the assessment. These plans should specify who’ll be responsible for monitoring and testing the controls, and who’ll review the results of their work. Finally, management should take a portfolio view of risks to support decision making and prioritise its responses to the most significant risks.
Tolaini: Financial services firms already have obligations to implement and maintain robust and tailored risk assessment processes under their wider anti-money laundering and regulatory obligations. Much of the content of these will be equally applicable to preventing, detecting and dealing with fraud against the organisation. Exactly which steps are appropriate will differ from business to business and country to country.
Jerry Oldham has an extensive investigations and corporate due diligence background, and a broad senior management resume in commercial banking and corporate and real estate finance. He frequently serves as a consultant or expert witness in litigation and settlement negotiations involving complex corporate finance, real estate, banking and lending practice issues, having assisted in the settlement of hundreds of lawsuits.
Michael Couzens joined Baker Hughes in September 2007 following a career in the British military and the financial services sector where he worked with the Royal Bank of Scotland Group and Zurich Insurance. He assumed his current role in April 2013 following an assignment as VP HSE & Security (Eastern Hemisphere). Other roles within Baker Hughes have included Region Security Director for the Russia, Caspian, Africa and Europe Regions and also VP Security (Eastern Hemisphere).
Luke Tolaini has a broad experience of litigation, regulatory and investigative matters. He has a particular focus on investigations and proceedings involving financial crime, antitrust and regulatory infringements. He frequently acts for companies in the management of corporate crisis and on multijurisdictional risk management and policies and procedures around corporate criminal and regulatory issues.
Robertson T. Park joined Murphy & McGonigle following 20 years service in the Fraud Section of the Criminal Division of the Department of Justice. Mr Park’s practice emphasises white-collar criminal matters, internal corporate investigations and compliance counselling. He has specific expertise in financial services fraud, commodities fraud, and foreign bribery (FCPA). Mr Park is the founding member of Murphy & McGonigle’s White Collar Defence, Investigations, and Compliance Counselling Group.
© Financier Worldwide
1stWEST Financial Corporation
Baker Hughes US LLP
Robertson T. Park
Murphy & McGonigle