Corporate fraud is a global issue that damages reputations, costs millions (if not billions) and ruins untold lives. That said, in recent years there has been a crackdown on a broad range of corporate fraud, with the DOJ’s Yates Memorandum in the US and the first DPAs in the UK among the high-profile attempts at redress. Ultimately though, corporate fraud respects no boundaries of any kind and remains a pervasive problem with the capacity to seriously impact any business, at any time.
Ratley: Could you provide an overview of the types of corporate fraud that are typically being seen across the current financial and economic landscape?
Grantham: The types of corporate frauds we are seeing are nothing new; however, the methods by which they are perpetrated continue to evolve as technology advances. For example, we are seeing an uptick in activity involving compromised email as well as cyber crime targeting senior executives. Through hacking and open source research, criminals can gain unauthorised access to company systems and individuals and make credible requests for funds to be transferred to a false bank account. Once the transaction has been made, it is quite difficult to recover the stolen funds. This is an example of a traditional fraud employing modern technology.
Zimiles: Corporate related fraud and white-collar crime trends continue to be the traditional crimes observed in previous years, with augmentation through technology. The increased use of phishing and malware programs has led to large scale identity theft schemes in both the public and private sector. Hackers are illegally trading through consumer bank and brokerage accounts and stealing funds. Denial of service schemes have shut down company websites, preventing them from conducting business. Digital currency such as bitcoin has given criminals a new way to mask their identity. The insider threat puts company assets and sensitive and proprietary data at risk as well as presenting the potential for compromise of employee personally identifiable information (PII). Simultaneously, typical fraud and misconduct schemes such as embezzlement and misappropriation of corporate assets, insider trading and money laundering continue to occur.
Matthews: While ‘traditional’ frauds such as false suppliers and misappropriation continue, cyber crime in its various guises is a major issue. This includes intellectual property theft by outsiders, insiders or ex-employees, through to theft of a company’s own financial information or that of its clients and customers. The use of ‘ransomware’, where hackers threaten to disable systems or delete data unless a ransom is paid, is also becoming an industry itself. There is a perfect storm of greater access to technology and technological advances, coinciding with businesses of all sizes being increasingly reliant on web-enabled business. Payment channels, procurement, relationships with remote and unknown third parties and sales transactions all offer potential entry points for fraudsters.
Sikellis: Globally, the enforcement environment remains very active. Currently in the US, there does not seem to be a clear single focus area, as the Foreign Corrupt Practices Act (FCPA) had been in the past, for example. That is not to say that the FCPA is not a priority – the Department of Justice (DOJ) has doubled the number of attorneys in the FCPA unit. Financial service sector fraud has been in the spotlight after the Libor and other bank issues and it will be interesting to see what happens in the aftermath of the Wells Fargo scandal. Export enforcement was predicted to be on the rise, but that now may not be such a hot topic with the easing of sanctions on Iran and Cuba. Healthcare is always a focus. In Europe, as a reaction to the Volkswagen scandal, it seems likely that authorities will begin focusing on similar or other forms of technical fraud, such as when companies improperly influence tenders or defraud consumers with manipulated technical data.
Carr-Howard: Fraud is fraud. It is simply using deception to gain financially. I think that focusing on types of fraud can take us away from the simplicity of both the act of fraud and the means to fight it. Fraud is nothing more than a lie intended to produce monetary gain. It doesn’t matter if the victim is an employer, a business partner, a government, a consumer, a supplier or a customer. If something of value is provided based on a lie, it is fraud. That conduct may be called money-laundering, corruption, embezzlement, or something else. But the common element is a lie – sometimes a lie by omission. As soon as one scheme to defraud becomes successful it is often mimicked, and then as it proliferates systems are adopted to fight that particular scheme. A focus on the lie common to all forms of fraud – by requiring transparency and confirmation, not mere trust – is the key to minimising the risk of fraud. Not merely chasing the fraud du jour.
Andres: The types of fraud that have roiled corporations for the past decade – money laundering, market manipulation and bribery, to name a few – are unfortunately still prevalent, but with advances in technology and the increasingly global nature of business, the challenges posed by these issues are growing more complex. Increased use of technology has facilitated real-time communication between industry players, leading to new issues like inter-bank manipulation, as seen with the recent Libor and foreign exchange cases. New technology has also led to the proliferation of controversial and possibly illegal trading practices. Similarly, as relationships and operations spread across the globe, corporations are confronting new business cultures and expectations while navigating varied, and not always harmonious, legal and regulatory systems.
Sallaway: In recent years we have seen a broad range of types of corporate fraud being investigated and prosecuted in the UK. Bribery and corruption makes up a significant proportion of known investigations and prosecutions, including the first deferred prosecution agreements (DPAs) for Standard Bank and XYZ, but other instances of corporate fraud are also increasingly attracting the attention of prosecutors. Of course, the Libor and Euribor cases relating to the alleged manipulation of interest rates are well-known. In addition to this, we are seeing that cyber fraud is an area of real concern and focus for financial institutions in particular.
Ratley: Using recent and noteworthy corporate-fraud cases, could you describe the current landscape of corporate fraud in your region? What are the most important lessons from the outcome of those cases for the corporate world?
Zimiles: Cases such as Volkswagen and 1MDB demonstrate significant allegations of compliance violations which can occur without a system of ethics and compliance that starts at the top of an organisation. Compliance lessons from those investigations are similar to past cases wherein companies were subjected to forfeitures and fines in the millions and billions of dollars. Board members should be regularly apprised of the status of the company’s fraud and compliance programme, its enforcement, and any current or potential violations under review. Company leadership must take ownership in compliance to reduce fraud in their organisations. Improved education and training on regulatory requirements and expectations that impact the organisation is necessary. Boards should have an enhanced understanding of the risks their organisations face that could expose them to criminal and regulatory liability, and understand the processes, procedures and controls that the organisation has developed and implemented to mitigate those risks.
Grantham: In the UK, the Serious Fraud Office (SFO) secured its second DPA in July and its director, David Green, intimated that others are in the pipeline. This case highlights the importance of operating an effective compliance programme, as the criminality only came to light when the parent company implemented a global compliance programme, which enabled it to detect possible concerns regarding the way in which some contracts had been awarded. This discovery enabled the company to conduct an internal investigation and initiate self-disclosure to the SFO. The case also highlighted the importance of self-reporting and cooperation with the prosecutor, both of which were mitigating factors that were taken into account when approving the DPA.
Sallaway: It is interesting to compare the UK’s first section 7 Bribery Act resolutions: the Standard Bank and XYZ DPAs and Sweett Group’s guilty plea. Companies hoping to enter into a DPA should note that the SFO set the bar for cooperation at a very high level with Standard Bank. By law, any financial penalty under a DPA must be broadly comparable to a fine the court would impose following a guilty plea proffered at the earliest opportunity. In its DPA, Standard Bank received a one-third discount, which is what Sweett – the first section 7 conviction – received. In the second DPA involving XYZ Ltd, a 50 percent discount was considered appropriate, principally “to encourage others how to conduct themselves”. If DPAs are to effectively encourage self-reporting, then discounts of – at least – the magnitude given in XYZ need to be on offer. In such circumstances, the SFO itself recognises that companies need to see that they are better off if they have fully cooperated.
Robertson: Without doubt, the SFO’s two DPAs and the prosecution of two companies for bribery and corruption are noteworthy. Important issues should be considered in settling a DPA. First, the company is required to make a declaration stating that it has provided accurate and non-misleading information. In practice it is not straightforward to provide this declaration and care should be taken. Second, the statement of facts is a crucial document and should be negotiated carefully. Third, the naming of individuals is still an area of uncertainty – issues could arise where the individual has been named in the US but not in the UK. Fourth, a confidentiality undertaking regarding the terms and content of negotiations is usually made, however this can be an issue if the company is listed and has obligations to announce on the market. Finally, in XYZ, the American model was adopted, where the company provided oral summaries while still preserving the actual witness accounts as privileged.
Andres: One lesson is that misconduct is rarely isolated to one institution. If regulators find an issue at one entity, other companies in that field should take notice and look at their own practices. Regulators are increasingly pursuing industry-wide investigations as a means of regulating and enforcing market integrity. For instance, regulators looked at a broad swathe of players around foreign exchange price-fixing and mortgage fraud as specific issues came to light. Another trend is that the DOJ is increasingly willing to require a corporation to plead guilty, as it and other US regulators are raising the bar to receive a non-prosecution agreement (NPA) or DPA. Self-disclosure and cooperation are more important than ever to obtaining a favourable resolution.
Carr-Howard: The DOJ’s historic loss in McDonnell v. United States will have a dramatic impact for years to come in corruption prosecutions. While it was clearly established that the disgraced governor of Virginia had accepted lavish gifts and loans from a prominent businessman, the US Supreme Court reversed his conviction. It held that the complained-of gifts could not constitute bribery as the governor merely organised meetings with key government officials. Because he took no “official act” – such as making a formal decision or signing a contract – the lavish gifts did not constitute bribery under US law. The evidentiary burden on the prosecution has grown dramatically in domestic bribery and this may well present serious challenges to foreign corruption prosecutions as well.
Sikellis: The Volkswagen case is probably the most noteworthy case this year. In many ways, that scandal was unlike anything we had seen before because it stemmed from engineering problems and not business operations. Many companies are now evaluating what risk they may have in this area and whether engineering issues should be a focus of compliance. Another interesting matter is the impact of the wide variety of internal fraud cases in banks. The Berlin Airport case and some other cases in Germany show us that the public and prosecutors remain focused on cases where it is suspected that companies defrauded the state in connection with major building projects that are delayed or significantly over budget.
Ratley: Apart from specific case examples, what were the other major regulatory or legal developments in the corporate fraud landscape over the past 12 months? What impact have those developments had on corporate governance?
Matthews: UK financial regulators are ramping up the pressure on firms and individuals, increasing accountability in the banking and financial services sector. Specifically, the Senior Managers Regime and Certification Regimes place a greater burden on firms to define the role of senior management and ensure that only suitable individuals fill those roles, as well as placing a statutory responsibility on senior managers to prevent breaches in their area of responsibility. Meanwhile, the regulators continue to require firms to ‘attest’ that controls are adequate. Recent developments in the financial sector have also been aimed at ensuring that whistleblowing reports are dealt with appropriately and whistleblowers are protected. Further ahead, fraudsters will undoubtedly seek to exploit the uncertainty surrounding Brexit, whether via cyber-based routes or more traditional means, seeking to take advantage of confusion over potential changes to contractual terms and regulations, especially firms with cross-border operations.
Sikellis: There have been quite a few important and interesting developments. Two that come to mind involve developments in the US. In April, the DOJ introduced a one-year programme that offered significant credit for the self-disclosure, full cooperation and remediation of unlawful activity. It will be very interesting to see the results of the programme next year. And of course, we are now one year into application of the so-called ‘Yates Memo’, which signalled a focus on the prosecution of individuals and set a high bar for companies that seek credit for cooperation. Companies must now provide all relevant information pertaining to employee misconduct as a prerequisite for any cooperation credit.
Sallaway: The past 12 months have seen an increasing appetite by the authorities to hold individuals to account for corporate failings. In financial services this is, to some extent, driven by a perception that shareholders of public companies have effectively been punished for corporate wrongdoing, due to penalties imposed on companies, whereas senior management who may allegedly have been involved in misconduct, or turned a blind eye to it, escaped punishment. This trend has been brought into sharp focus with the introduction of the Senior Managers Regime, which requires banks and certain other financial institutions to identify the functions senior individuals are responsible for, thereby increasing individual accountability. Investors, governments and the general public, aided by the media, are increasingly scrutinising the actions and knowledge of management. This means that effective corporate governance and compliance is more important than ever.
Andres: US regulators have been trying to set clear guidelines for corporations to follow when they discover misconduct, in the hope that transparency will incentivise greater cooperation and disclosure. The clearest example of this is the Yates Memo, which sets forth a list of factors for obtaining cooperation credit and refocuses the DOJ’s energy on prosecuting individuals. More tailored examples are the DOJ’s new FCPA Pilot Program, which lists requirements for obtaining a DPA or NPA after an FCPA violation, and DOJ Tax Division’s Swiss Bank Program, which concluded its first phase this year with at least 78 NPAs reached with Swiss banks that disclosed criminal tax offences.
Carr-Howard: The biggest change in US enforcement is the renewed focus on the individual as outlined in the Yates Memo, issued by the US Deputy Attorney General Sally Quillian Yates. While initially viewed as a reiteration of past policy, it is apparent that the DOJ is seeking far greater detail about specific individuals’ role in corporate decisions under review. The impact this new focus will have on corporations’ ability to effectively conduct internal investigations is yet to be determined, but it certainly raises new challenges.
Grantham: Aggressive pursuit of bribery and corruption violations remains high on the agenda for global prosecutors. In the US, the DOJ announced that it had substantially increased its resources to investigate and prosecute FCPA violations and the Securities and Exchange Commission (SEC) reported in September that it had filed more actions in 2016 than it had compared to the same time last year. In the UK, we continue to see indications that the SFO foresee additional charges under the Bribery Act. These would follow the first two DPAs and the first conviction under section 7 for failing to prevent bribery, all of which occurred in the last year. Authorities are increasingly demanding a more proactive and participative approach from those under investigation, encouraging timely self-reporting and ongoing cooperation.
Zimiles: Shareholder activism continues to be a major influence affecting corporate governance. Boards are under tremendous pressure to not only strengthen company controls in response to continuing corporate scandals but shareholders are also demanding greater accountability. Shareholders are seeking more influence and stronger tools to promote greater transparency and accountability from their boards.
Ratley: What regulatory or legislative changes directed at curbing corporate fraud and misconduct do you expect to see emerge in the next 12 months or so?
Sikellis: This is hard to predict of course. Common sense dictates that two likely areas for regulation are in the financial service industry and cyber fraud. Both of these areas have a direct impact on consumers and that normally puts pressure on executive branches and legislators to do something. Similarly, privacy will likely remain in the spotlight as WikiLeaks-like and hacking activity continues to occur. In Germany, there are also discussions about increasing the rights of whistleblowers and their protection under the law.
Robertson: I anticipate that the area of tax transparency will continue to be a big issue in the UK and globally. The UK’s proposal for corporate criminal penalties for failure to prevent tax evasion is part of an expanding universe of domestic and international measures aimed at transparency and preventing tax evasion. The consultation for the proposed failure to prevent criminal tax evasion draft legislation ended this summer and most commentators expect it to come into force by spring 2017. The Act, if implemented, will have extraterritorial effect. There are two different tests for the two categories of tax evasion: UK and non-UK. For evasion of UK tax liabilities, the facilitation offence can be committed by a UK or non-UK corporate anywhere in the world. For evasion of non-UK tax liabilities, the tax evasion offence must be an offence in both the non-UK jurisdiction and the UK. The statute aims to improve governance and make it easier to prosecute the corporate ‘directing mind’, not just employees. The draft bill has broad application with limited carve outs and will extend to third parties and overseas subsidiaries under the control of the business.
Andres: The next 12 months will be a transition period as a new administration enters the White House. Amid personnel changes and time spent taking stock of the past eight years, we are unlikely to see major regulatory or legislative changes absent a significant market event. We may start to see clues that hint at new priorities, but any administration will likely be looking to build on previous enforcement successes in its first year in office. Companies can expect a continued focus on individual accountability, expanded coordination between US regulators and those abroad – which assistant attorney general Leslie Caldwell recently called the “future of major white-collar criminal enforcement” – as well as increased whistleblower actions and assessments of recent initiatives like the FCPA Pilot Program, currently scheduled to expire in April 2017.
Sallaway: The next year or so looks like it will be quite an active one as far as legislative and regulatory changes are concerned, with the introduction of registers of beneficial ownership, strengthening of the anti-money laundering regime and, notably, the extension of the ‘failure to prevent’ model for corporate criminal liability, which already applies to bribery. Next year, two new offences on the failure to prevent the facilitation of tax evasion are expected. In the longer term, the government has said it plans to extend this model to other economic crimes such as money-laundering, fraud and false accounting. Law enforcers complain that attributing liability to large multinational companies through the identification principle – where someone who is effectively the embodiment or directing mind and will of the company must be involved in the criminal conduct – can make it very difficult to secure convictions of large companies. The ‘failure to prevent economic crime’ offence, if it does come into force, would overcome this obstacle by creating a strict liability regime akin to vicarious liability. The consultation is expected soon, although the government has changed its position on this previously. In September 2015, the government indicated the reform had been dropped, only to revive the plans earlier this year.
Grantham: In the next 12 months I expect to see tougher legislation to combat money laundering and the financing of terrorism. Although this has been a priority for some time, and banks have naturally taken the lead by strengthening their compliance programmes and transaction monitoring processes, there is an increasing risk of funds being funnelled through other organisations, such as charities or non-profit organisations and investment funds. Additional risks are beginning to surface through the use of virtual currencies and prepaid cards.
Zimiles: There will be a new administration and Congress in January 2017. It can be assumed that there is likely to be a continued focus on how well corporate governance is addressing and combating corporate fraud and misconduct as recent corporate scandals continue to be investigated and adjudicated. The specific direction, priorities and objectives of the Congress and the administration are difficult to predict.
Matthews: The UK corporate offence of failing to prevent economic crime is now back in play with the new government, having previously been proposed and discarded. Hot on its heels is the corporate offence of failing to prevent the criminal facilitation of tax evasion, which will impact the offshore and onshore financial sector. Fund managers, trustees and directors will need to ensure that their procedures are ‘reasonable in all the circumstances’ to ensure that vehicles for which they are responsible are not abused. The concept of ‘adequate procedures’ as a defence came in with the UK Bribery Act 2010, and its extension to other corporate criminality is not unexpected. The Ministry of Justice stresses that it is for businesses to design procedures appropriate to their own needs. Separately, in the data security arena, the General Data Protection Regulations will impact how EU businesses protect their customers’ and employees’ information.
Ratley: In your opinion, do boards and senior executives take a sufficiently proactive approach toward reducing the risk of fraud within their organisation?
Robertson: It is difficult to generalise and inevitably the larger organisations have more sophisticated systems and controls and are often better resourced. Also, extractive industries such as pharma and the financial services sectors are used to a more regulated environment and have been the subject of more enforcement. The recent focus on individual criminal liability by the DOJ in the US and by the SFO in the UK has made board members, non-executive directors and senior executives more cognisant of the need to ensure that proper procedures and systems are in place.
Andres: Boards and senior executives increasingly understand the need for a compliance-oriented corporate culture that permeates all levels and divisions of the business. Regulators have made clear that an effective compliance programme requires constant vigilance and adaptation at all levels of a company, and that those in charge cannot insulate themselves from liability for corporate misconduct. As recently demonstrated when the SEC charged the CEO of a financial services firm for an FCPA violation, and again when the CEO of Wells Fargo saw his compensation clawed back, there are consequences when executives do not play an active role in their corporation’s compliance efforts.
Grantham: There are steps that companies and their senior management can take to stay ahead of the risks posed by both external and insider threats. As innovation in technology becomes more advanced, fraudsters are developing new means of accessing and exploiting company information and assets for their personal benefit. The consequences of failing to sufficiently address the risk of fraud can be significant: lengthy and costly investigations, potential intervention by regulators, reputational damage and potential criminal sanctions.
Matthews: Some may prefer not to complicate fraud prevention measures unduly, especially if they perceive the risk as low. In particular, management may underestimate their attractiveness and vulnerability to cyber criminals, especially if they are not operating in the financial services space. In regulated industries, C-suite executives are more focused on these issues, not least due to regulatory, political and public scrutiny on the sector.
Zimiles: Increasingly, boards and senior executives are more proactive as they react to law enforcement and regulatory actions that their peers are undergoing. Moreover, senior executives face increasingly aggressive shareholder demands for restitution of economic losses and to claw-back senior executive compensation.
Carr-Howard: It is human nature to believe that while fraud exists, it is ‘out there’ and wouldn’t be committed by ‘our people’. The desire to trust your own, and distrust others, is natural. But it is a human reaction that fraudsters take advantage of every day. Unfortunately, this aspect of human nature often blinds boards to the substantial risk of fraud from within. Boards are made up of human beings, of course, and they have the same blind-spots and natural desire to trust their own as any other person. Key is recognising these blind-spots and the fact that they create the greatest risk of fraud so that boards can create compliance programmes that require inquiries even when trust is well established.
Sallaway: It is difficult to generalise as to the approach of boards and senior executives to managing and reducing the risk of fraud. Each company faces different risks, depending on, among other things, the sector it operates in, the jurisdictions where it is present, and the policies and procedures it already has in place. It is trite to say that in any company there is always room for improvement. And we have seen an increasingly proactive approach by boards and senior management to reducing the risk of fraud.
Sikellis: I would find it very surprising if today boards and senior executives fail to take such topics seriously. The experience quite clearly is that clean business is good business. This is especially true in our current regulatory environment where compliance missteps could have very serious and wide ranging consequences for companies and the executives themselves.
Ratley: How would you advise companies to go about setting up systems to detect potential fraud and corruption? Furthermore, what measures should they take to strengthen their internal procurement and supply chain processes?
Andres: Every compliance programme will vary by company, depending on factors like its nature, size and corporate personality. However, best practices are frequently lauded by regulators and industry groups. Companies should pursue a fundamental set of goals in designing and updating their internal controls, examining whether their programmes address root issues, empowering ground-level employees to serve as gatekeepers and ensuring that a compliance mentality pervades all aspects of the organisation. Companies must maintain open communication between different groups responsible for legal and regulatory compliance, fostering an atmosphere where employees are encouraged to raise issues. A successful programme must also be proactive, looking for issues before they arise and evolving to respond to new challenges.
Matthews: A risk-based approach, tailored to the business’s needs, can work best when establishing systems to prevent and detect potential fraud and corruption. First, conduct a risk assessment, including internal and external risks, asset security, ABC and cyber threat assessment. Second, design mitigating controls that are appropriate for the business. Third, implement, including training and communication. Finally, monitor compliance and review adequacy as the business evolves. Having an incident response plan is an important element, especially for cyber issues. A key element to any effective system is the corporate culture set by senior management, the ‘tone from the top’, as well as nurturing an effective, independent whistleblowing system.
Zimiles: An effective system of controls to detect potential fraud and corruption requires several components that are well designed, effectively communicated, properly executed, and adapted as necessary to address new emerging risks. The system should include a comprehensive risk assessment that addresses the potential impact from both internal and external risks, which is also monitored and revised in order to strengthen existing controls and develop new controls as necessary. It should have internal controls that are not only designed consistent with the risk assessment, but also executed by everyone involved in the various processes. Significant fraudulent activity does not always require a systemic failure in controls, but can also exploit weaknesses caused by failures of a small number of stakeholders with key roles in the process. In addition, a code of conduct and ethics policies must be endorsed by the board and top management, and require accountability from the top and throughout the organisation.
Carr-Howard: A business’ commitment to compliance with anti-bribery, antitrust, anti-money laundering, and know your customer (KYC) laws can provide an opportunity to fight the risk of both external and internal fraud and corruption. Too often this is thought of as the responsibility of the compliance or legal departments. But fighting fraud is critical to the bottom line. That is, effective compliance is good business because it reduces waste and improves profit. I can hear the groans and see the eye-rolling. But it is true. Every pound, euro or dollar spent on a bribe or stolen by fraud is taken from the corporation’s bottom line. Compliance should not be synonymous with bureaucracy; it should be an effective programme to maximise the return for shareholders.
Sallaway: Improving controls should always start with a risk assessment tailored to reflect the nature and business of the company. This will involve at least identifying where, in terms of both sector and geography, the company operates, as well as identifying those business units most at risk of fraud, reviewing existing policies and procedures, establishing the recruitment, vetting and training needs of staff, and considering what information the board and senior executives need in order to manage risk. The end product should be a policy that is as succinct as possible, accessible and easy to implement, backed up by training. Overly detailed or complex policies and procedures that are difficult to follow or which set unattainable standards and are therefore ignored in practice are of little use.
Sikellis: The basics for such a system are the tone set by the top management of a company, policies and controls around the key risk areas, well developed training and mechanisms for the reporting and handling of potentially non-compliant behaviour. Supply chain management is a major contributing factor to the sustainable success of many companies. Legal compliance and sustainability should be considered a primary duty, and suppliers should be held to that same standard.
Grantham: Pre-appointment due diligence and proactive reviews often represent best practices in the defence against possible fraud and corruption violations. Meaningful due diligence on prospective suppliers, partners and customers, before entering into a transaction, can give a company greater clarity about who they are doing business with. Once prospective parties are appointed, proactive reviews using data analytics across books and records can help to identify potential vulnerabilities and risks, which could result in damaging financial or reputational harm if undetected.
Robertson: The key is to begin with a comprehensive risk assessment that takes into account factors such as the size of the business, its sector and the countries in which it operates. Due diligence is key – it is essential to know who you are doing business with and to fully understand the nature of that relationship.
Ratley: How important are internal training programmes to a successful compliance programme?
Zimiles: Effective communication of a compliance programme’s requirements is essential and should convey the ‘tone at the top’ and cascade throughout the organisation. A training programme should provide all employees with an understanding of the company’s policies, procedures, processes and controls and how they are designed to ensure compliance with the law and regulatory expectations. Training, however, should not be ‘one size fits all’ – rather, it should be tailored to the audience.
Grantham: Training is key. It is important for companies to ensure that training is not just seen as a box that needs to be checked as part of a compliance programme checklist. Employees need to learn the importance of compliance, and that it is the responsibility of each member of the organisation, no matter what position they hold. Training can also help set the ‘tone from the top’ as it allows a company to demonstrate to its workforce that they are taking their compliance obligations seriously. However, as with all elements of an effective compliance programme, training materials should be updated on a regular basis to ensure the content remains current and relevant, given developments within the company’s industry and the regulatory landscape.
Sikellis: Regular training sessions are indispensable to a successful compliance programme and their importance to creating a strong compliance culture cannot be understated. We take training very seriously and are constantly reminded to ‘do the right thing’. But this message is not presented in a vacuum or in dogmatic fashion. Rather, by acknowledging the workplace pressures to perform and through the use of real-world examples – including those where employees have not acted consistent with the company’s values – the training becomes particularised to the business, resonates better with employees, and provides meaningful guidance on a practical level.
Carr-Howard: Internal compliance training is a fact of life in the modern multinational. And there is a place for online training, evaluation and record keeping. It is not merely a ‘check the box’ exercise designed to document that each employee was told the rules of the road, though that is part of it. The key is to target the training subject and manner to the audience to ensure engagement and understanding. Too often, training is viewed by both the presenter and the audience as a lecture, not a discussion. But real engagement comes from the opportunity to talk about what is happening in the field and how the compliance rules and the laws to fight fraud impact that conduct. Training can only prevent misconduct when it is understood and it is only effectively understood and internalised when it is discussed.
Sallaway: Training is absolutely key to successful policy implementation. In the post-financial crisis world, boards need to understand what regulators and governments are trying to achieve – namely, higher standards of corporate integrity. Companies need to reflect those aims by building strong internal cultures that minimise risk while also enabling growth. Global buy-in to that culture is central to a successful compliance programme. CEOs need to communicate their personal values to their companies, and boards need to convince employees that they want them to behave compliantly, rather than simply giving the appearance of doing so. Internal training programmes are a real opportunity to propagate and reinforce the company’s compliance culture, which is particularly important in multinational companies where local norms may require reconciliation.
Robertson: Training programmes are important for two reasons. Firstly, they are important in establishing ‘tone from the top’. Secondly, they are an important demonstration of the systems and controls that a company needs to establish a defence to the section 7 offence in the Bribery Act covering failure of a corporate organisation to prevent bribery.
Matthews: Internal training programmes are important for two reasons: firstly, imparting knowledge and informing staff of policy, procedures and consequences, and secondly, demonstrating that ‘adequate procedures’ were in place should an incident occur. Of course, training programmes need to be culturally effective, emphasising zero tolerance. The training needs to be spearheaded from senior management and permeate throughout the organisation. The best training programmes are dynamic and up-to-date, for example drawing on topical events and news items, or recent developments in the business itself, rather than relying on more staid annual sessions alone.
Andres: Training is a cornerstone of any successful compliance programme. State-of-the-art policies and procedures lose meaning if they are not understood by those expected to implement them. As seen in the DOJ’s 2012 decision not to charge Morgan Stanley with FCPA violations despite charging one of its executives, a robust anticorruption compliance programme that features varied and frequent training can protect a company from liability for misconduct of rogue employees.
Ratley: How have whistleblower protection laws and related regulations affected the way companies manage and respond to fraud? Is enough work being done to ensure that whistleblowing is adequately encouraged?
Sallaway: The regulatory climate is increasingly favourable to whistleblowers. Guidance for employers issued by the Department for Business, Innovation and Skills in March 2015, for example, promotes an open culture in which employees are not only protected, but are actively encouraged to make disclosures. Whistleblowers are also incentivised in a number of jurisdictions, but this is itself a delicate area. Whistleblowers want protection but if incentives are too attractive, there is a risk that the credibility of those who speak up may be impugned. In this environment, companies are starting to implement comprehensive whistleblowing policies.
Sikellis: A corporate compliance programme cannot successfully manage risk without providing unfettered whistleblower protection. Regardless of the local legal or regulatory norms, whistleblowers should be given various means of reporting such as an Ombudsman and an anonymous hotline, ensured anonymity during all stages of a complaint from first reporting through closure of any investigative process, and be shielded from retaliation. The cornerstones of protection for a whistleblower are confidentiality, anonymity, ease of access to filing a complaint and zero tolerance to retaliation.
Carr-Howard: Whistleblower protections are generally good public policy. But they do create new incentives for individuals, including those involved in wrongdoing who are concerned that their misconduct has been or will be disclosed. Bounties that provide whistleblowers with a portion of the fines recovered or some other financial reward create particular challenges to the internal investigator and often can unintentionally warp the reporting of facts. The best means to address these requirements and to enhance compliance is to ensure true non-retaliation, full engagement of the whistleblower by investigators, and, when possible, thoughtful regular feedback to the whistleblower to ensure that they understand their concerns were heard and evaluated by independent instigators.
Matthews: Clearly, the laws and related regulations are important, but whistleblowers really need to believe that the process is truly independent and safe. Whistleblowing is less of a focus in the UK compared with other jurisdictions, partly because there are not the same financial rewards; instead, whistleblowing relies on other motivations.
Andres: Whistleblower protection is a constant issue. As regulators increasingly rely on whistleblowers to root out corporate fraud and misconduct – chair Mary Jo White called the SEC’s whistleblower programme a “game changer for the agency” in August – those regulators are going to increasing lengths to ensure that whistleblowers are encouraged to report potential violations and are protected once they do so. Companies must regularly look at whether their policies and procedures encourage employees to be open and honest and, conversely, whether those policies might unintentionally have a potential chilling effect.
Zimiles: Andrew Ceresney, director of enforcement at the SEC, recently stated that the SEC Whistleblower Program has had a “transformational” impact on the enforcement programme. More than 14,000 whistleblower tips from all 50 states and 95 foreign countries have been received and significant financial rewards have been paid out, including the first ever payment to a whistleblower in an FCPA related matter. In addition to the United States, comprehensive whistleblower protection laws have been adopted in more than a dozen countries and several other countries provide more limited protections.
Grantham: The prevalence of whistleblowers varies significantly between jurisdictions and industries. The US is leading the way with the SEC’s well-established whistleblower programme, which, since its inception, has seen a 30 percent growth in the number of whistleblowers who have come forward. The success of this programme is largely a result of the reward whistleblowers can receive but can also be attributed to the protection afforded to those that come forward. Over the past year, the SEC has demonstrated its commitment to whistleblower protection by taking action against companies which have imposed conditions on employees in an attempt to discourage whistleblowing. In order to encourage employees to report misconduct internally, companies need to recognise the value of implementing effective programmes, which take tips seriously as well as ensuring anonymity can be provided to the whistleblower.
Ratley: Could you highlight the main fraud-related risks that can emerge from third-party relationships? What types of third parties – such as suppliers, agents, intermediaries and consultants – pose the greatest risks?
Matthews: The greatest risks include inadequate due diligence and reduced vigilance towards third parties once they become trusted, but without the same level of control as over internal parties. Further risks include third-party access to corporate systems and information, and over-reliance on the third party, especially in a sector or region with which management is less familiar. Third parties in physically remote locations pose increased risks, as do those with autonomy to act as agent for the corporate, and those handling cash. Controlling what the third party does and the access the third party has within the company is integral to managing the risk. Specifically, when considering business in other jurisdictions with third-party vendors, a risk assessment should be performed for each individual country and each vendor.
Sikellis: There are many possible risks associated with business partners and third-party intermediaries. They include antitrust issues such as collusion and price-fixing, along with disclosures of external competitor information, FCPA concerns and facilitation payments. In an effort to best manage these risks, companies should employ a thorough vetting process during the selection of third-parties. Compliance plays a critical role in supporting this process by offering a systematic and risk-based approach, which is guided by lessons and red flags from past cases. Even after selection, third-party relationships need to be monitored.
Grantham: The most serious risks posed by third parties are related to potential exposure to bribery and corruption violations, for which the company could be held liable. Any third party could present a potential risk to an organisation, which is why a meaningful due diligence and onboarding process is a critical component of any company’s compliance programme. It is important for companies to fully understand whom they are doing business with in order to reduce the risks of financial and reputational harm that may come with them. An important component of effective due diligence is that it is updated on a continual basis in order to detect any changes of ownership or concerning media reports, which would trigger the company to re-evaluate its relationship with the third party.
Andres: Companies should be aware of the particular risks of the regions where they operate. Business dealings in countries with documented corruption issues warrant additional scrutiny, no matter how remote the connection between the company and government officials or other parties. Simultaneously, companies must ensure that their systems adequately protect information and data. Material non-public information that leaks outside of the company can put an organisation at risk for insider trading violations, while gaps in data security and other issues expose corporations – and their clients – to hacking and cyber crime.
Carr-Howard: All business partners pose risk which is why compliance officers have so much anxiety about them. But not all third-parties pose the same level of risk. Indeed, many pose very little risk, such as the supplier of your paper stock. Understanding which suppliers pose the greatest risk is fairly simple and focusing on them reduces your risk and your compliance costs. Those who have the authority to act on your behalf and those who provide you with information upon which you base your decisions pose the most serious risk and the greatest direct threat for liability. As your alter-ego or the source of your decision making, they can dramatically impact your liability by taking actions that will be viewed as yours or they can provide you with such a limited view of critical information that you take a decision that creates liability you would have recognised if you had the full picture. Ensuring you fully vet and supervise these partners can dramatically reduce your compliance risk.
Zimiles: The majority of bribery-related enforcement actions brought by regulators involve improper payments facilitated through third-party intermediaries. Third-parties with government touch points in high risk geographies present the greatest risk to a global company and a question that should be asked at the outset is whether there is a valid business purpose for the third-party’s services. If there is no valid business purpose, that is a major red flag. If the answer to that threshold question is yes, risk-based due diligence to identify and assess the nature and scope of the specific risks presented by the third-party should be conducted.
Sallaway: This issue very much depends on the business and sector. When dealing with agents and intermediaries, a key risk area is bribery and corruption. With suppliers, the risks include overcharging and the payment of kick-backs to staff responsible for awarding contracts or managing the relationship. However, these risks should be capable of mitigation, and perhaps more readily than the risks associated with agents and intermediaries, through the use of regular competitive tenders and because, absent a monopoly situation, the price for goods or services can be benchmarked against the market.
Ratley: If a company finds itself subject to a government investigation or dawn raid, how should it respond? Furthermore, to what lengths should the company go to aid an investigation?
Carr-Howard: The traditional answer is to cooperate. And cooperation is key to successfully resolving government investigations and dawn raids. But cooperation does not mean capitulation. Upon learning of the inquiry or the raid, the most important thing to do is to establish a direct line of communication limited to one or two persons, preferably a lawyer on the company side. This will help avoid contradictory responses, begin to develop a level of trust between the government agency and the company, and create an opportunity for proactive communication as more details of the concerns are disclosed. It will also ensure prompt and effective responses to any requests from the government and give the company a clear understanding of the full scope of the inquiry.
Sikellis: Within many countries, the risk-reward analysis for self-disclosure is continually evolving. Should companies cooperate when there is no perceived benefit? What about if there is a possible detriment, such as the possibility of prosecution that would not exist but for the self-disclosure? Companies that voluntarily self-disclose not only face uncertainty with authorities in many countries, but there is also the potential for negative media coverage and public reactions because it is not always understood that ‘cleaning up’ is a good sign for a functioning compliance system. Stronger support from the public sector is needed in these areas.
Andres: When a company finds itself subject to an investigation, the most important issue is to maintain open lines of communication with its regulators. Transparency and a good working relationship with government investigators can help prevent surprises by regulators, allow companies and agencies to tailor investigations to the particular issues, and secure cooperation credit in the event of a resolution.
Grantham: My first piece of advice would be to involve legal counsel at an early stage of an investigation. I would also recommend issuing a document preservation notice, as destruction of potentially relevant documents is an offence that could make a bad situation even worse. Recently, regulators have indicated that the level of cooperation provided to investigators can have a consequential impact on the ultimate penalties imposed. Cooperation in the early stages of an investigation can therefore be critical.
Zimiles: Mistakes made early on in a government investigation can have costly and far reaching consequences, thus it is important to have a protocol in place to ensure that counsel is contacted immediately in the event of a dawn raid or the receipt of a subpoena. In each case, the facts and circumstances will drive the specific response, but considerations should include document and electronic data preservation, public disclosure requirements, and whether separate counsel is required for officers and employees. With the Yates Memo and DOJ FCPA Pilot Program pronouncements, full cooperation with the government and remediation of the company’s compliance programme can lead to significant reductions in fines and also DPAs and NPAs. In the UK, DPAs are now a possibility as well for companies that cooperate and reform.
Sallaway: The company’s first step should be to assemble its core team – both internal and, if necessary, external lawyers, and constituents from the key internal departments within the company. In a raid situation, officials should be dealt with cooperatively, but the company should not answer any substantive questions or hand over any documents without first consulting its lawyers. More generally, cooperation in the course of investigations is important. There are often mandatory cooperation requirements, but even if not, having an open and engaged approach may mean that a company avoids a formal investigation from being opened, avoids criminal charges from being brought, or receives a lesser fine or charge than if they had not cooperated. Companies also need to think about their strategic response to investigations, particularly where multiple jurisdictions and hence multiple authorities may be involved, as is increasingly the case.
Matthews: An incident response plan is an important part of a comprehensive compliance and corporate governance programme. This should outline who would be mobilised and their responsibilities, dealing with matters like escalation, privilege, internal communications, document retention, public relations and coordination with regulators or law enforcement. It is also worth considering ‘on call’ arrangements with external advisers such as lawyers or investigative accountants. It is worth remembering that the investigation or dawn raid may be groundless, but not before the publicity has caused damage. Cooperation will depend partly on statutory and regulatory obligations, but deliberately obstructive or delaying behaviour is never to be advised. There can be benefits all round in retaining some control in the early-stages of an enquiry to understand what, if anything, happened and how.
Ratley: What final piece of advice can you give to companies in terms of implementing a sophisticated and effective compliance programme?
Grantham: It is important that leadership embrace compliance so that there may be an appropriate ‘tone from the top’ and culture of compliance within the organisation. Without endorsement from the senior leadership team, even the most effective compliance programmes may fail to achieve their desired objectives: protecting the organisation from fraud and other risks and the potential damage that may come about as a result of them.
Andres: A sophisticated and effective compliance programme is one that permeates the company’s culture. Employees at all levels should view compliance as their responsibility and compliance controls should be embedded throughout a company’s operations. That said, even the best compliance programme will, at times, be violated. When that happens, learn what went wrong, remediate meaningfully and consider self-disclosure and full cooperation with regulators.
Sallaway: Corporate culture and leadership are absolutely key. Boards are best protected from liability if they implement a compliance programme that has their strong support and which reflects their personal values and where employees understand and promote those cultures. To be really effective, a compliance programme needs to be more than just words – it needs to reflect the core culture of the company, and to impress upon employees their role in promoting and upholding that culture. Of course, a company’s compliance culture and policies need to be supported by robust systems and controls, and rogue employees will always be able to circumvent even the most sophisticated systems and controls.
Zimiles: Senior executives must clearly demonstrate they take compliance seriously and convey that priority to their subordinates. Executives should demonstrate there is a strong culture of compliance within the organisation. Leadership should actively support and understand compliance efforts, ensure compliance interests are not compromised by the revenue interests of the organisation, share relevant information up and down and across the organisation, provide adequate resources in terms of numbers and qualifications which are dedicated and trained to compliance, and identify and assess the controls that are in place to mitigate those risks.
Matthews: Companies should involve senior management, and the programmes should be risk based, and seen to be reasonable and proportionate for the business, with an audit trail for decisions. The programmes should aim to change behaviour through culture not compulsion. Unless employees ‘buy in’ to the programme and the controls are reasonable, they will find ways around them.
Sikellis: Without backing and support from the upper echelons of management, a compliance programme will forever be handicapped, unable to implement even the most basic policies. To that end, compliance cannot only exist in the breaths and words of management, but it must also live in acts of the whole company to be truly successful.
Carr-Howard: Just as your business is constantly evolving and growing, so too is the risk of fraud and corruption. Keeping an eye on the risk of fraud goes hand-in-hand with your most basic mission: keeping an eye on the bottom line. Just as you must be dynamic in your response to the marketplace, you must be dynamic in your response to the risk of fraud and corruption. Though fraud is simply a lie and transparency is its simple cure, it is easy to be lulled into compliancy by grand promises or distraction. Compliance must remain at the forefront if the bottom line is to be protected.
James D. Ratley, CFE, has worked as part of the Association of Certified Fraud Examiners (ACFE) since 1988 and now serves as president and CEO. In this role, he works to promote the ACFE to the public and other professional organisations and continues to assist in the development of anti-fraud products and services to meet the needs of the ACFE’s members. In addition, he is a member of the ACFE’s faculty, and teaches regularly at workshops and conferences. He can be contacted on +1 (800) 245 3321 or by email: email@example.com.
Andrew Grantham has dealt with financial investigations and expert witness assignments since 1991. His experience as a forensic accountant includes corporate investigations, financial accounting and reporting, litigation consulting and auditing. Mr Grantham has also been involved in major financial investigations, particularly in assisting corporate clients with fraud investigations or by way of carrying out forensic audits of transactions or companies. He has also given expert evidence in criminal proceedings brought against a director in respect of fraudulent trading. He can be contacted on +44 (0)20 7098 7474 or by email: firstname.lastname@example.org.
Greg Andres is a litigation partner at Davis Polk, concentrating in white-collar defence. He has represented individuals, financial institutions and other entities in regulatory and criminal investigations involving market manipulation, insider trading, securities, procurement and tax fraud, and money laundering. He previously held senior positions at the Department of Justice, including Deputy Assistant Attorney General in the Criminal Division and Criminal Division Chief at the US Attorney’s Office in the Eastern District of New York. He can be contacted on +1 (212) 450 4000 or by email: email@example.com.
Maxwell Carr-Howard is a partner and member of Dentons’ Litigation and Dispute Resolution practice specialising in white-collar and government investigations. As a former assistant United States attorney and a longtime practitioner, Mr Carr-Howard is experienced in conducting complex transnational investigations and defending cross-border enforcement actions involving anticorruption, antitrust and money laundering regulatory schemes, as well as litigation involving US economic sanctions, embargoes and export controls. He can be contacted on +44 (0)20 7320 5508 or by email: firstname.lastname@example.org.
Nick Matthews is a managing director in Duff & Phelps’ UK Dispute and Investigations practice. He has led projects in the UK, Europe, Caribbean and the US. A particular focus has been financial crime, including AML and ABC. Mr Matthews previously managed the firm’s Cayman Islands practice and was appointed liquidator over a number of collapsed investment funds. He can be contacted on +44 (0)20 7089 4813 or by email: email@example.com.
Ali Sallaway is a partner in the Corporate Crime team and co-head of Freshfields Global Investigations practice in London. With a record of acting on significant cross-border and domestic investigations for clients in all sectors, Ms Sallaway specialises in corporate and financial crime defence and regulatory enforcement actions. She has significant expertise handling fraud, bribery/corruption, money laundering and terrorism related matters and in relation to market abuse, disclosure and listing obligations for listed companies. She can be contacted on +44 (0)20 7936 4000 or by email: firstname.lastname@example.org.
Ellen Zimiles is head of Navigant’s financial risk and compliance business segment and its global investigations & compliance practice. She has more than 30 years of litigation and investigation experience, including 10 years as a federal prosecutor. Ms Zimiles is a leading authority on fraud control, anti-money laundering programmes, corporate governance, foreign and domestic public corruption matters, regulatory and corporate compliance and monitorships. She can be contacted on +1 (212) 554 2602 or by email: email@example.com.
Robert N. Sikellis is chief counsel compliance for Siemens AG. In this capacity, Mr Sikellis leads the global compliance governance organisation for the legal compliance management, compliance policies, internal investigations, disciplinary sanctions and remediation and compliance in mergers and acquisitions. Prior to assuming his current position, Mr Sikellis held a number of important leadership roles within Siemens, including most recently senior vice president & general counsel of Siemens North East Asia and Siemens Ltd., China. He can be contacted on +49 89 636 32523 or by email: firstname.lastname@example.org.
Elizabeth Robertson is a partner in Skadden’s Government Enforcement and White Collar Crime practice, based in London. Ms Robertson has more than 20 years of experience advising on multijurisdictional white-collar crime cases involving allegations of fraud, corruption and money laundering, and on internal investigations. She regularly represents clients facing prosecution by the Serious Fraud Office, the Financial Conduct Authority and other regulatory agencies around the globe. She can be contacted on +44 (0)20 7519 7115 or by email: email@example.com.
© Financier Worldwide