June 2018 Issue
Despite the efforts of authorities around the world, corrupt and fraudulent behaviour continues to flourish, with a debilitating economic effect. According to data published by Experian, fraudulent activity now costs the UK alone £190bn per year. The public sector loses an estimated £40.3bn a year, while fraud in the private sector costs the UK economy £140bn.
According to PwC’s 2018 Global Economic Crime and Fraud Survey, 49 percent of organisations said they have been a victim, up from 36 percent in 2016. And while this increase could, in part, be due to growing global awareness of the threat, the unfortunate truth is that companies today operate in an increasingly challenging environment in which both internal and external threats are becoming harder to repel. Many organisations are also unaware of the full extent of the threats they face.
The rising tide of fraud has been caused by a number of factors, with technology continuing to create new avenues. Malicious actors, both internally and externally, are seizing on the opportunities created by the digital revolution. Companies are amassing vast amounts of data, much of which is personal or other confidential information from customers. In the wrong hands this information can be used to commit fraud and other economic crimes.
Companies must respond to these threats, be it through employee education programmes or technology solutions. For example, fraud detection and analysis technologies using sophisticated analytics and predictive modelling, are able to identify potential fraud in real time during data entry, rather than after a transaction has been completed. These programmes can be beneficial in the fight against criminality. Forty-two percent of respondents to PwC’s survey said they had increased spending on combating fraud and economic crime over the past two years. Much of that spend has been on powerful technology and data analytics tools, as well as expanding whistleblowing provisions. Technology clearly has an important role to play. It provides companies with cutting edge detection and authentication processes, as well as serving to reduce customer friction. Machine learning, artificial intelligence (AI) and other sophisticated analytics tools can mitigate the damage done by malicious actors by detecting fraud more quickly. Data analytics can, for example, identify the early stages of fraud by ‘drilling down’ into financial data to identify suspicious activity or questionable transactions.
Regulators are also turning to technology to improve their tactics. “The Serious Fraud Office (SFO) recently announced that after a successful trial run during their investigation into Rolls Royce, the largest ever SFO investigation to date, it will use AI to conduct document review, across all its investigations,” says Neil Swift, a partner at Peters & Peters Solicitors LLP. “The SFO estimates that the AI reviewer can go through up to 2000 times as many documents per day as human document reviewers could. This will no doubt assist the regulator in investigating document-heavy complex fraud cases; thus, potentially reducing the lead time from the opening of an SFO investigation to charges being brought.”
However, technology can also pose a major risk to companies. In the financial services sector, banks have become increasingly dependent on technology for the delivery of their services, which have become increasingly complex. This complexity is creating new opportunities for fraudsters to gain access to banks’ information systems. Overreliance on technology is a vulnerability, according to Robert Hunter, a partner at Edmonds, Marshall, McMahon. “Some computer programmes are helpful in detecting anomalies and connecting factors that might otherwise be overlooked,” he says. “The problem with technology, sadly, is that as one door has been shut others have opened. Fraud is a ‘black swan’ – that is to say an unknown. Almost by definition it arises in ways that a company has not previously anticipated.”
“Potential opportunities for fraud are more likely to be found at organisations that neglect their internal governance structures, have insufficient IT protection and substandard internal controls.”
New technology is also helping criminals to conduct nefarious activities under the radar. Though authorities in the UK and the US have appealed in vain to gain ‘backdoor’ access to encrypted data, they have been largely unsuccessful. In August 2017, a former Bank of America IT employee pleaded guilty to passing secret information about corporate takeovers to a number of individuals. According to the Securities and Exchange Commission, the employee used an encrypted messaging service to broadcast the tip. In the UK, the Financial Conduct Authority fined an individual £37,000 for transmitting confidential deal information to individuals via WhatsApp. “The introduction of encrypted messaging services, such as WhatsApp, has provided those with bad intentions with the ability to communicate safe from the eyes of their employers and law enforcement,” says Mr Swift. “This adds considerable difficulty in the discovery and prosecution of fraud.” Granting backdoor encryption access to enforcement agencies could be part of the solution to this issue, though the tech industry has remained steadfast in the face of increasing scrutiny and critics highlight data privacy concerns.
The fraud triangle
If companies are to successfully combat fraud, they must consider the ‘fraud triangle’. A theory first proposed in the 1950s by criminologist Donald R. Cressey, the fraud triangle is a framework designed to explain the reasoning behind a worker’s decision to commit fraud. The three stages, categorised by the effect on the individual, can be summarised as some degree of pressure, some perceived opportunity and some way to rationalise the fraud as not being inconsistent with the individual’s values.
In tackling fraud, companies must begin by exploring and assessing their baseline risks and examining the different types of fraud to which they are vulnerable. While external threats such as cyber criminals may attract the most attention, companies cannot ignore risks closer to home. According to the ‘2016 Report to the Nations on Occupational Fraud and Abuse’ by the Association of Certified Fraud Examiners (ACFE), companies worldwide lose about 5 percent of top-line revenue to organisational fraud. Companies in the UK reported more than £40m in losses from employee fraud in 2016-2017, according to RSM, and Kroll’s 2017 Annual Global Fraud and Risk Report found that the most common perpetrators of fraud, cyber and security incidents during 2016 were current and former employees.
Overcoming internal fraud is a major challenge. Business owners and executives must implement anti-fraud programmes which involve training for all employees, particularly those in high-risk areas. This can help employees to identify suspicious activity and areas that malicious actors could potentially exploit. It also allows the company to communicate its commitment to high ethical standards and fraud prevention. “For those who commit so-called ‘crimes of crisis and opportunity’, factors such as corporate culture, morale, reduction of temptation and reduction of opportunity play a significant part,” says Mr Hunter. “The greatest deterrent appears to be not the severity of the punishment but the likelihood of discovery. Consequently, a framework for detecting internal fraud should be put in place, which utilises regular fraud risk assessments to identify potential schemes and events.” A robust, confidential whistleblowing programme should be a priority. Employees are often hesitant to come forward with information for fear of retaliation, so strong whistleblower protections are essential.
These training sessions can take many forms, including live, in-class instruction, pre-recorded videos or interactive self-study programmes. The programme should be specific to the company. While generic anti-fraud messages have a role to play, an approach which is tailored to the company and addresses any management and employee concerns and provides employees with the tools needed to put the company’s anti-fraud plans into practice, will ultimately be more beneficial than a boilerplate programme.
Managers and executives have a key role to play in this process. Not only must the chief risk officer and other senior managers strengthen the company’s internal controls, they should lead from the front, attending additional, specialised training which addresses fraud prevention and detection responsibilities that are part of their elevated position. The optics of executive participation in this process should not be underestimated. Board members and senior management must set the ‘tone from the top’.
Effective anti-fraud training can also improve employee morale and lead to increased compliance with legal and regulatory obligations and standards. Potential opportunities for fraud are more likely to be found at organisations that neglect their internal governance structures, have insufficient IT protection and substandard internal controls. Senior management must ensure that the company has properly designed, implemented and maintained internal control structures, including the company’s operations, compliance and financial reporting. By properly designing the risk assessment process, management can make strides toward eradicating the opportunity to commit fraud, upon which fraudsters rely.
Opportunity is where organisations can have the biggest impact on fraud prevention. As such, access should be limited to the systems, data and assets that are necessary for an employee to perform his or her duties. “Opportunity is the one building block of the fraud triangle where corporates can – and indeed are expected to – do the most to prevent employees and agents from having access to the means and the moment to misconduct themselves,” says Mr Swift. “While employees will feel under pressure to offend for a variety of external reasons, and employers can do little to prevent offender rationalisation, they can readily take steps to narrow the window of opportunity that would otherwise be present.”
Understanding motivations
It can be very difficult for organisations to exert any degree of control over an employee’s motivation to commit fraud. Motivation can, understandably, vary from the financial to the non-financial. Equally, rationalisation is difficult for companies to influence, as employees can rationalise their behaviour in a number of ways, depending on their character. For the generally dishonest, rationalising defrauding a company can be easy; however, even those employees with a stronger sense of morality can feasibly convince themselves that their actions are justified. From simply ‘borrowing’ funds from their employer, to compensating themselves for a perceived slight from management, various explanations can lead to wrongdoing.
According to Mr Hunter, a fertile area for corporate fraud arises following a corporate takeover where a subsidiary is under new management but its pre-existing employees feel no affinity to it. “This tends to breed an ‘us and them’ approach to the new owners of the business and so creates temptation to commit fraud,” he says. “If those who are being betrayed are not known to the perpetrators, the crime appears ‘victimless’. This is a classic ‘crime of crisis and opportunity’, since the opportunity arises to injure people with no known identity in perhaps the same way as many regard insurance fraud as emotionally ‘victimless’, because they have no close contact with the insurance company meeting the false or exaggerated claim.”
To stand any chance of avoiding or reducing fraud, companies must be proactive and implement internal controls. Organisations with strong anti-fraud controls in place experience fewer frauds and are able to detect them more quickly, according to the ACFE. By working with employees, the fraud triangle can be overcome.
© Financier Worldwide
BY
Richard Summerfield