November 2017 Issue
All available data seems to suggest that corporate fraud is unlikely to diminish any time soon, if at all. Indeed, such fraud permeates every country, every sector and every jurisdiction across the globe, with high volumes of anticorruption and antitrust enforcement cases testifying to its pervasiveness. Prioritising the issue is key. Companies need to implement far-reaching risk assessment programmes and take steps to ensure that company culture is based on integrity, not greed.
Ratley: Could you provide an insight into the types of corporate fraud that are typically being seen across the current financial and economic landscape?
Grantham: Cyber crime has been one of the prevalent themes this year and we expect that will continue to be the case going forward. The global cyber attack in May, which caused chaos for many organisations, such as the NHS, exploited vulnerability in an operating system for those who had not updated their systems. This high-profile attack has highlighted the importance of investing, not just in financial and compliance controls but also in the security and governance of IT systems and operations in order to reduce exposure to such risks. Whether they are organised criminals or unaffiliated hackers, attackers will be less inclined to target a company with good cyber security, and will choose instead to focus on less well protected alternatives.
Binning: Corporate financial crime is extremely diverse, ranging from unscrupulous individuals taking advantage of weakness in a company’s procedures to line their own pockets, to board level grand corruption. Wherever there is insufficient division of responsibilities or oversight, dishonesty sometimes for huge personal gain, becomes possible. One key recent trend has been the upsurge in digital fraud, with malware and ransomware being extremely damaging to businesses of all sizes. The most recent figures from the UK’s Office of National Statistics show 1.8 million computer related crimes in a 12-month period. In many cases, the massive increase in portable digital technology has probably made it easier for relatively low-level employees or employees of contractors to target businesses through their banking arrangements. At the other end of the scale, competition in overseas markets, particularly in the developing economies, has proved fertile ground for high-stakes deals on questionable terms brokered by top executives.
Sallaway: Rates manipulation and false accounting cases continue to be high profile and attract significant media and public attention. The LIBOR cases were specifically referred to in the call for evidence on the proposed reform of corporate liability for economic crime, so it is clear that this conduct, and the desire to hold corporates accountable for it, remains a key area of concern for the UK government. In addition to fraud, prosecutors and regulators have continued to focus on all forms of financial crime, including bribery and corruption, money laundering and cyber crime and the Financial Conduct Authority (FCA) in particular has continued its focus on market abuse.
Sikellis: We have not seen a significant shift in trends over the past year or so. We still note a high volume of anticorruption and antitrust enforcement cases around the globe. Foreign Corrupt Practices Act (FCPA) cases in the US have been down, but that might be simply the result of the transition to a new administration. Just recently, the largest FCPA settlement to date was announced, so perhaps that is a sign of things to come. Regardless of the effects of political changes, the current regulatory landscape demands that companies constantly evaluate and improve their anti-fraud and compliance programmes to stay abreast of any trends.
Küster: What we are seeing is an increase of food fraud cases across Europe. Digitalisation is creating new types of fraud based on generating or use of fake data or the manipulation of data.
Milford: The best place to go to for a broad overview is the National Crime Agency’s (NCA) National Strategic Assessment, which it publishes annually. The Serious Fraud Office (SFO) is a small specialist authority with a specific statutory remit to pursue cases involving the most serious or complex of frauds, a concept that extends to bribery, corruption and money laundering. As such, we only cover some of the threats set in that assessment, while colleagues in other law enforcement bodies cover others. That said, we do see a wide range of corporate fraud referrals made to us, including procurement frauds and fraud against the UK government. The primary type of fraud we see, however, continues to be investment fraud, particularly targeting those with access to pension funds.
Williamson: Fallout from the financial crisis is still driving a surprisingly large proportion of investigation work but there are signs that this is tailing off. Investigation and litigation in connection with internal frauds, such as procurement or business diversion schemes, is generally up but this may simply be a reflection of organisations’ increased appetite to investigate. The most significant change in the fraud landscape is technology driven, and cyber fraud has become an enormous problem. Organisations are falling victim to large-scale financial thefts and, often more seriously, to data breaches. With the introduction of the new General Data Protection Regulation (GDPR), this is set to become an even greater focus for businesses.
Ratley: Could you highlight any recent, noteworthy cases of corporate fraud which caught your eye? What would you say are the most important lessons that the corporate world can learn from the outcome of such cases?
Binning: There have been several major cases on both sides of the Atlantic, such as the Petrobras scandal in Brazil, the Wells Fargo fraud in the US, the Malaysian 1MDB case and, in the UK, the DPA’s entered into by Rolls-Royce and the prosecution of Barclays Bank senior executives by the SFO. The lessons to be learned are that corporate accountability, at least in the West, is on an upwards only trajectory. Companies doing business where the corruption risk is high or with high ranking state actors need to take special care and the threat of individual prosecution at the highest levels of large companies is now a very real risk.
Sallaway: One case of note is the investigation into the alleged money laundering of billions of dollars from Malaysia’s state development fund, 1MDB. The funds were apparently routed through the international banking system and ended up in accounts and assets in various jurisdictions around the world. There are two aspects of the case which I consider significant. First, it is one of the best examples to date of multiple authorities in Asia, the US and Europe acting in a concerted and cooperative way to pursue a transnational anti-money laundering investigation. Second, it is the first time we have really seen the Monetary Authority of Singapore bring such public and high profile enforcement action. Increasingly proactive and coordinated action by agencies in different jurisdictions is a trend which we can expect to continue.
Sikellis: Over the last year, multijurisdictional anti-corruption actions by regulators have certainly been common. The recent settlement with the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) by Swedish company Telia relating to FCPA violations in Uzbekistan is particularly noteworthy because it constitutes the biggest settlement and disgorgement ever in an FCPA case. Another case is the $800m fine for Rolls-Royce to settle with UK, US and Brazilian anti-corruption authorities for bribe payments made throughout Africa, Asia, the Middle East and Brazil. Notably, the Rolls-Royce fine and settlement stemmed from multijurisdictional collaboration of various regional anti-corruption authorities. We would expect to see similar enforcement actions, especially ones targeting international conglomerates, as global regulators continue their enforcement efforts.
Küster: The Volkswagen emissions case is one case that caught my eye. Although the case began about two years ago, it is still discussed often. Another example of corporate fraud is in the area of online dating services, with fake profiles or fake chat content designed to create higher profits. I would also mention the horse meat scandal. A Dutch meat producer reportedly declared and sold cheap and low quality horse meat as high quality beef. This meat was used for production of meat products like burgers or lasagne. It seems that greed creates the belief that misconduct like this will remain undiscovered, but there is always a disgruntled employee or a furious wife or a smart competitor who will make the issue public. In the end, it is just a question of time and the corporate world should learn from the impact of such cases. The reputational damage can be enormous and spread throughout entire industries. To fix this will cost far more than any fines a company has to pay.
Williamson: I think the most telling, relatively recent fraud is the Volkswagen emissions matter. It is a fascinating example of how behaviour, no matter how extraordinary it might appear to the outsider, can be rationalised and accepted within an organisation. And we can see this in all sorts of organisations, where unethical or even illegal behaviour becomes accepted as normal – everything from fiddling expenses to misselling complex derivatives to small businesses. I think Volkswagen’s experience illustrates the need for organisations to constantly challenge themselves and consider whether their behaviours are really consistent with the expectations of their shareholders, customers and the rest of society.
Grantham: One of the most noteworthy cases this year was the SFO’s DPA with Rolls Royce. This was the third time that the SFO had entered into a DPA and provided the highest enforcement penalty awarded to date. It is interesting to note that in this case, compared to the two previous DPAs, Rolls Royce did not self-report the offences; the SFO was instead tipped off by a whistleblower. This indicates that self-reporting is not a prerequisite for a DPA to be granted. The predominant theme that has emerged from the case is the importance of cooperation in securing a DPA, reinforcing the SFO’s previous rhetoric on the matter. The case represented a significant triumph for the SFO and it will be interesting to see if successes such as this can secure the future of the organisation.
Milford: In respect of lessons to learn, I would recommend that corporates study with care the Code of Practice on Deferred Prosecution Agreements (DPA) and the three published judgments approving such agreements. While the seriousness of the criminality will always be the first consideration, as the Rolls Royce case shows it need not, in itself, be a reason to refuse a DPA. But any company seeking a DPA will have to demonstrate both a very high level of cooperation and that it is serious about reform. Corporates should also note the SFO’s willingness to prosecute companies that do not meet those standards.
Ratley: What impact have legal and regulatory developments had on the landscape of corporate fraud and misconduct in your region over the past 12-18 months?
Sallaway: The recent decision in Serious Fraud Office (SFO) v Eurasian Natural Resources Corporation Ltdhas brought into sharp focus the issue of legal professional privilege. Although some regard it as representing a seismic shift in the application of legal advice privilege, in my view it essentially restated and applied the 2004 decision in Three Rivers District Council and Others v The Governor and Company of the Bank of Englandwhich set out the narrow definition of who, within an organisation, is the client for the purposes of legal advice privilege – a decision that many lawyers have been keen to see the Supreme Court grapple with. It is certainly true that the Eurasian Natural Resources Corporation (ENRC) decision further narrowed the operation of litigation privilege.
Sikellis: We have not seen any significant shift in law enforcement priorities over the past year or so. There is still a strong focus on corruption and antitrust, as well as on banking, as a result of the financial crisis and LIBOR. In some countries, it appears that money laundering is perhaps gaining more attention. It is likely that political uncertainty around the world has had an impact and, at least for the short term, has helped maintain the status quo.
Küster: Increasing cross-border regulations and related collaboration of authorities has an impact on corporate fraud and misconduct. Companies that operate internationally have to be familiar with related laws and regulations and put the right measures in place. The use of independent third parties is not the solution to limiting the liability of a company or its management when operating in foreign countries. How you operate in foreign countries and with whom you collaborate is different today. If product compliance was the main interest of a company before it started to do business abroad, corporate compliance should be at the same level.
Milford: I would mention two important developments. First, the creation of a corporate offence of failing to prevent the facilitation of tax evasion, particularly as the SFO will be lead enforcement authority of the overseas offence. Second, the creation of a register of persons of significant control. Transparency is a significant weapon against fraud. Looking forward, we at the SFO are following with great interest the government’s consultation on corporate criminal liability.
Grantham: In June, the Money Laundering Regulations 2017 came into force, which updated and enhanced the UK’s existing anti-money laundering regime. The focus on due diligence and risk assessment should encourage firms to reassess their policies, procedures and internal controls which address money laundering and terrorist financing. Recent judgments in the English courts have shone a spotlight on the question of privilege in internal investigations and when it does and does not apply. These judgments mean that companies will need to carefully consider how they gather information as the assertion of privilege in internal investigations is likely to continue to come under close scrutiny and challenge.
Williamson: The process leading up to the introduction of the Criminal Finances Act has had a big impact. A lot of organisations have started to think, often for the first time, about how they may be inadvertently aiding in tax evasion or even money laundering. They are assessing their risk, understanding their customer base in more detail and in some cases disengaging with parts of their business that simply will not be viable going forward.
Binning: As has been the case for several years, UK legislation has continued to increase the powers of prosecutors and regulators to pursue both companies and individuals associated with them. Most recently, the Criminal Finances Act has created a corporate offence of failing to prevent the facilitation of tax evasion by a person associated with it – including, but not limited to, employees. The same piece of legislation creates unexplained wealth orders which require the owner of property to explain how it was acquired and make it possible for property to be seized if such an explanation is unsatisfactory or not forthcoming. In the regulatory sphere, the FCA has made it mandatory for most regulated firms to implement formal whistleblowing procedures as part of its drive toward enhanced personal accountability through the senior managers and certification regime.
Ratley: If a company finds itself under investigation by the authorities and subject to potential litigation, what general steps should it take in response?
Sikellis: The first step a company must take is to conduct a thorough and professional internal investigation to ensure all of the relevant facts are known and understood. If it uncovers wrongdoing on the part of its employees or that internal control processes failed, the company needs to take prompt disciplinary action and all other appropriate remedial action. Then a company needs to consider whether to cooperate and to what extent. Does it waive the attorney-client privilege? Does it, per the Yates memo, provide information that establishes criminal actions by employees? Do employees need private representation? These are often very difficult questions to consider and they are certainly interrelated. And the issues can be all the more complicated if there are cross-border investigations, as country-host rules and expectations may be very different.
Williamson: I think it is absolutely essential to seek expert advice. The number one mistake firms make is to go straight to their corporate lawyers and maybe their auditors when they really need litigators, investigators and forensic accountants. The right legal advice, the right investigative response and the right engagement with the authorities as soon as problems start to emerge, serve to minimise the legal, reputational and financial damage to a firm. There is quite a lot an organisation can do to prepare itself before it is actually under investigation by the authorities or subject to potential litigation. It can be incredibly challenging to start to pull together a team of advisers under the intense pressure of an investigation or pending litigation. Taking time to engage with potential legal and investigative professionals before problems emerge is a simple and generally cost-free investment, and an opportunity to plan ahead for the worst happening.
Milford: Plainly, firms under investigation will want to take their own, independent legal advice. With that caveat, I would suggest that firms should not wait until they learn they are under investigation before taking action. They should consider proactive engagement with the SFO from the moment they conclude they have a problem – in the same way that Standard Bank did, for example. In that way, the firm would maximise its prospects of being able to enter into a DPA. This would not only result in a discounted penalty, but it would also allow the firm to demonstrate it had acted responsibly and put its house in order. That, I would suggest, is a good way to manage the reputational impact.
Binning: While all investigations are different and no standard ‘tick box’ response is available, there are certain steps which should be taken when faced with potential litigation. Legal advice should be sought by the corporate entity at the earliest possible opportunity. Decisions made at the investigation stage of a case can have a profound impact on the outcome of a case and it is important to ensure that directors are fully informed when taking decisions. Equally, it will be important to make sure that early consideration is given to individual employees or directors of the company being offered separate legal representation where they may be suspected of wrongdoing. It will often be in the best interests of both the individual and the company for each to be legally represented.
Grantham: Whenever a company faces potential litigation, a crucial first step is to take appropriate legal advice. It is sensible that a company brings lawyers onboard at an early stage so that they can assist in mitigating any damage suffered by the company and put in place a strategy to respond effectively to the investigation. An independent review of the allegations is also useful in order to limit questions of impartiality at a later date. It would also be remiss if a company did not consider how to respond to the imminent media attention, which is inevitable when a crisis erupts. The message it presents to its employees is as important as the message it broadcasts to the outside world.
Küster: Every company should make sure it is well prepared for such a situation. Procedures should be in place that are understood by the company’s employees, guarantee good collaboration with the authorities, have the right level of transparency, provide a thorough handling of the case and allow for clear communication.
Sallaway: Each situation is very fact-specific so it is difficult to give general advice on the steps a firm should take when it finds itself under investigation. However, if there was one piece of advice I would give to every organisation it is that the better you know your own business, the better placed you will be to respond if this occurs. The more a business has done in advance to understand its own risks and exposures, including its relationships with third parties and the key risks in that context, the better prepared management and employees will be to respond proactively and swiftly if an issue arises.
Ratley: In your opinion, are boards and senior executives doing enough to reduce potential corporate fraud and avoid costly investigations and litigation?
Binning: Many companies now take the threat of corporate fraud extremely seriously. Of course no matter how assiduous directors are in maintaining their anti-fraud defences, investigations cannot always be avoided. Human factors are a constant threat when compliance systems are under stress. The watchword now in corporate management goes beyond mere ‘tone from the top’ and extends to all employees, helping to cultivate and actually live a set of shared values. The key elements of any fraud-prevention strategy are clear policies on relevant issues and high-quality training to accompany them. The relevant law differs significantly across jurisdictions and entities operating in more than one country must ensure that staff are appropriately prepared.
Grantham: It is important that companies have robust corporate governance processes and systems in place to identify risks and weaknesses before they become a problem. Boards and senior executives need to ensure that the company demonstrates a proactive approach to detecting and preventing economic crime. Companies are coming under increasing pressure from stakeholders – regulators, shareholders and even their customers – to demonstrate that they are taking their compliance obligations seriously. With the ever-increasing focus on individual accountability, boards and senior executives must recognise the personal consequences of failing to prevent corporate crime and take steps to mitigate their exposure. A culture which encourages senior individuals to hold one another to account can help to create a healthy, compliance-focused environment.
Küster: The reality is that a board that has gone through a fraud investigation will pay more attention to anti-fraud campaigns and the procedures of its company. Anti-fraud procedures do not come without costs and the positive impact on your company is not always directly visible. That still leads to the fact that companies do what they have to do and only go an extra mile when times get difficult for them. Taking the time to establish a compliance culture is still getting little attention from boards and senior executives.
Sallaway: There are, in my view, ever-increasing levels of appreciation within organisations of the significant impact these events can have on a business, including the significant adviser costs and lost management time associated with responding to investigations and litigation, even where there may be no ultimate liability for individuals and the organisation. Additionally, boards continue to face increasing scrutiny of their conduct by investors and the market more generally, the media, and the public. The ‘failure to prevent’ model of both the Bribery Act and the new corporate criminal offences in relation to facilitation of tax evasion under the Criminal Finances Act underscores the need for boards and senior executives personally to engage with and ensure the risk of potential fraud is addressed effectively, and indeed prosecutors and regulators expect nothing less.
Williamson: There certainly is an increased awareness of the risk of fraud and its impact on an organisation among senior executives and board members. But that general awareness and the anxiety it generates is simply not being translated into proactive measures to reduce the occurrence or value of fraud and to deal with it effectively when it does inevitably occur. It is not all bad news though. There are some honourable exceptions. Some companies are really investing time and resources and taking a proactive approach to their fraud risk. And I think this is only set to improve as boards and senior executives become increasingly aware of their personal liabilities and the authorities’ increasing appetite to hold individuals to account for the behaviour of their organisations.
Sikellis: In this day and age, given the costs, both financial and reputational, it is impossible for board members or senior executives to not have this high on their priorities. They must have insight into what boards and senior executives are doing outside their company. There is a consensus that compliance is essential to doing business today. In fact, given the global regulatory environment and the serious consequences, for both the company and senior executives, that can result from compliance violations, I would be shocked to learn that boards and senior executives do not take fraud seriously.
Ratley: What advice can you offer to companies in terms of implementing and maintaining a robust fraud risk assessment process, with appropriate controls to detect potential misconduct? For example, what measures should they take to strengthen their internal procurement or supply chain processes?
Williamson: The art of effective fraud risk assessment is in harnessing a combination of skills from very different perspectives and parts of an organisation – employees with an in-depth knowledge of the organisation’s processes, risk management professionals and individuals with real experience of fraud prevention and detection. Workshops can be an especially effective way of getting the key people in one room interacting with each other. I would caution against the temptation to impose anti-fraud control frameworks from above. Too much input from risk management professionals or, dare I say, an organisation’s audit or finance team, and you generally end up with a very impractical set of controls straight from a textbook. It is worth bearing in mind as well that, done properly and involving an appropriate range of staff across the organisation, the fraud risk assessment process can also be an excellent training exercise.
Küster: A compliance programme or anti-fraud campaign can only be called robust when it becomes a long-term and integral part of a company’s business. This means, at a minimum, the right level of human and financial resources being utilised. A robust anti-fraud programme should contain written policies and procedures that give the right level of rules and guidance, and employees need to know where to find such documents and be trained on how to use them in their daily work. An auditing process to ensure policies are actually implemented and applied as well as regular refreshers of the employees’ training is also advisable. Potential penalties should also be communicated and consequently applied if necessary. Furthermore, companies need to implement a general risk assessment process that monitors and anticipates potential risks for their business and assets.
Sallaway: Any risk assessment process must be business-specific and targeted to the risk faced by your organisation. It is critical to understand your own business, your relationships and your risks in that particular context. You should also be alive to issues affecting your industry – if you see agencies showing an interest in conduct which is occurring in other organisations operating in your sector, you should take steps to look at your own position on these issues.
Grantham: The implementation of a risk-based process, tailored to the specific needs of the company, is vital when implementing a fraud risk assessment programme. To maximise this process, a company must spend time at the outset, considering the various risks it faces and the challenges of the industry in which it operates, and then plan how to respond effectively. It is important that the process is actively monitored and refreshed on a continual basis, and instances of misconduct are seen to be investigated and dealt with accordingly. But implementation is only one part of the process, it will only succeed if it is whole-heartedly supported from the top. The board and senior management need to set the tone and demonstrate that the system is not just a ‘tick box’ exercise but is integral to the company’s core values.
Sikellis: A robust compliance risk assessment programme needs to start at the operational level and work its way through the layers of the organisation until a company-wide risk catalogue is developed. This risk catalogue will serve to identify points of weakness and where to focus resources. Ultimately, the people in the field – the ones selling the products, the accountants managing the books, and so on – will know exactly where your risks are. Equally critical to the success of a compliance programme is a company-wide, top-down culture of integrity, a strong tone from the top and a ‘speak up’ culture. Without such a culture, you will never get ahead of potential misconduct. Warren Buffet said, “in looking for people to hire, you look for three qualities: integrity, intelligence and energy. And if you don’t have the first, the other two will kill you”. The first step in designing a successful compliance programme is ensuring a company culture based on integrity.
Binning: All risk assessment processes should aim for the right division of responsibilities between employees and ensure that all vital functions are monitored by at least two individuals. Procurement and supply processes are particularly vulnerable to abuse by individuals within an organisation – as is so often seen in the field of bribery and corruption. Maintaining high-level communication with contractors and clearly setting out intercompany procedures can go a long way to ameliorating risks in this area. With regular suppliers it may be advisable for companies to formulate joint policies dealing with their relationship. The time and resources such procedures require is more than justified by the protection they offer.
Ratley: When suspicions of fraud arise within a firm, what steps should be taken to evaluate and resolve the potential problem?
Milford: A firm will want to understand whether there is anything in an allegation of fraud that comes to its attention. But once it has concluded that there may be something in it, I would suggest that it is reported to the authorities. The police advise that allegations of a fraud committed against a company are reported once the company has conducted a sufficient investigation to form a reasonable suspicion. That would be a sensible test for reporting to the SFO suspected criminality committed by the company. The SFO is anxious that any investigative steps taken by a firm do not cut across or make harder any criminal investigation we might mount. Data collection should be prompt, covert, coordinated and simultaneous.
Küster: A team with clear roles and responsibilities should be put in place quickly. In addition, an analysis of the available data should be thoroughly carried out. Depending on the situation, the involvement of external experts, such as lawyers or data analysis specialists, may be necessary. It is always advisable to inform necessary parties and at the right time. Very often, employee’s rights, corporate liability risks and legal obligations have to be balanced carefully before decisions or measures are taken.
Sallaway: Increasingly, agencies do not just look at the underlying conduct, but at the manner in which the organisation has dealt with the issue. Given this, the response of the organisation to ‘red flags’ is absolutely critical, as it will be seen as indicative of the underlying culture of the business and, importantly, whether the relevant conduct is likely to happen again. You want to avoid an ‘investigation into your investigation’, so you need a comprehensive response, but also one which is proportionate to the conduct identified, is robust and which has integrity of process.
Grantham: The first step is to consider the manner in which the suspicions will be investigated. In the event that fraudulent activity is uncovered or that allegations are subsequently made public, findings from the company’s internal investigation may ultimately end up being disclosed to a regulator. Given the legal developments regarding privilege, a company may want to consider how this information is compiled. Companies will need to demonstrate that they conducted an independent investigation and performed a thorough review of all the evidence available to them. In these instances, it is sensible for a company to engage an independent third party to conduct the investigation to avoid the results of the internal review being challenged on the grounds of impartiality.
Sikellis: Suspicions of fraud must be carefully and quickly vetted by a thorough internal investigation that is sufficiently resourced and autonomous. If wrongdoing is discovered during that investigation, and depending on the nature and scope of the misconduct, the company must ask itself whether self-disclosure and cooperation with government authorities are warranted under the circumstances. Swift and transparent disciplinary sanctions and any other remedial measures identified during the investigation should also be undertaken. But there is no precise roadmap to the best answers to these questions, which are heavily dependent on the type of misconduct, the facts and circumstances of each case, the jurisdictions involved, and so on. Other considerations involve the potential for harmful media attention and resulting public backlash.
Binning: Whenever a firm learns it is under investigation, it will usually be necessary to convene a fully independent committee of the board as swiftly as possible to manage the situation. Failure to do so may result in decisions being made by senior executives who may fall under suspicion and could result in serious prejudice to any investigation and lasting harm to the company and its shareholders. One vital issue for the company will be how to approach communication with the prosecutors or regulators. While full cooperation is often the best approach, it may not always be required or in the best interests of shareholders. Moreover, the precise scope of the investigation will need to be considered. Defining the precise ambit of the investigation is necessary to determine which classes of document should be disclosed and which can be legitimately withheld.
Williamson: There are two critical steps that should ideally be taken immediately when suspicions of fraud arise. The first seems obvious but is occasionally forgotten in the rush to assemble lawyers and investigation teams: the organisation needs to take steps to plug any ongoing loss. The second is to ensure that all potential evidence is protected and secured. These steps buy an organisation breathing space to make some initial enquiries, to consult with their advisers and, if there appears to be any substance to the suspicions, to structure an appropriate investigation without the risk that evidence has been lost or compromised. It is worth saying a word about technology in the context of fraud investigation. Our corporate and personal lives are all lived through email, text messages and instant communication apps. In this digital world, the facts and circumstances around a suspected fraud are more often determined by our recovery and analysis of this type of electronic evidence than old fashioned paperwork in a physical file.
Ratley: In terms of third-party relationships, what are some of the main fraud-related risks that can emerge? What can companies do to manage such risk in connection with suppliers, agents, intermediaries and consultants?
Küster: A company implements sourcing and purchasing processes to ensure the buying of goods and services in line with its needs and for a reasonable price. Misconduct related to sourcing and purchasing processes can cause financial damage, because the company is paying high prices. It can also cause loss of quality, if the goods and services received are actually not the best the company could get. Bad quality products can lead to consumer complaints, loss of business and consequently loss of reputation. To avoid all this, different measures can be considered, for example an independent purchasing department with purchasing experts, segregation of duties and a strict third-party vetting process.
Sallaway: In terms of managing risk with respect to your supply chain, it is important to know who you are dealing with, particularly where you may have less visibility of the day-to-day conduct of business for you or on your behalf, and to understand the particular fraud and bribery and corruption risks in the regions you operate in. It is important to avoid complacency with respect to established relationships and regularly review the risk profile of all the parties you deal with, even those you believe you know well.
Binning: The risks to companies from third parties are manifold. Individual fraudsters may exist within suppliers, contractors and clients. Clearly, the most prevalent risks will lie in the area of payments to contractors where the diversion of monies is a perennial issue. More sophisticated frauds may involve the movement of money or property through an unsuspecting company. A comprehensive programme of supplier or third-party vetting and assessment is needed in many businesses to ensure that the other party will observe the same high standards of business integrity. Where suspicion arises, it will be necessary to investigate and sometimes require significant cooperation from the other party. Sometimes contractual terms will assist here; for example, clear commitment to common compliance standards and mutual transparency and audit requirements.
Williamson: A simple rule of thumb is that the actions taken by a company’s agents, intermediaries and consultants will often be considered by regulators and law enforcement to be actions of the company itself. So the challenge for every company is to ensure that their third parties understand the standards with which they are expected to comply and that these are properly and demonstrably enforced. UK companies have become very good at policing their third parties in the years since the introduction of the Bribery Act but this really is still a weak link in any compliance framework and a significant source of fraud and related litigation.
Sikellis: One of the biggest risks a company faces from third parties – whether they are sales agents, suppliers, customers, consortium partners or any other – is when they engage in illegal behaviour for which your company can be held accountable. One safeguard against this is a robust due diligence programme that pre-identifies and categorises each third party by risk in a uniform and objective manner. The next step is to ensure your company’s integrity expectations are communicated and discussed at the outset of the third-party relationship and regularly reinforced. Clearly articulated codes of conduct and standard integrity clauses in contracts help that process. And finally, abide by the well known old saying: ‘trust, but verify’. Partner relationships must be closely monitored and managed through, among other things, compliance audits.
Grantham: One of the biggest challenges to any company attempting to effectively manage its exposure to fraud risk is its relationships with third parties. The implementation of a robust due diligence programme to continually screen and monitor third-party providers is an essential part of any compliance programme. An annual ‘health check’ of the due diligence programme ensures that it remains relevant and is able to respond to the evolving needs of the business. Education and training of employees is an important element in managing this risk. Individuals on the front line need to be aware of the red flags to look out for and how to respond if they see something which does not look right. As with most issues, the approach should be risk based. Some third parties – those interacting with government officials on your behalf, for example – present more of a potential exposure to bribery and corruption and so require thorough vetting and regular oversight.
Ratley: How important is it to train staff to identify and report potentially fraudulent activity? In your experience, do companies pay enough attention to employee education?
Grantham: A company’s personnel are one of it first lines of defence in identifying and reporting fraudulent activity, so training them in this area is essential. Education on how to spot fraudulent transactions and what to do when they are identified should be a key element of a training programme. There is a tendency for companies to train their employees in this area as a one-off, but it is vital to refresh employee training on an annual basis, especially as those who perpetrate the fraud are continually devising new methods. If a company wants its employees to be invested in its compliance programme, they must understand the wider context as to why fraud is bad for business and the potential financial, legal and reputational consequences of economic crime.
Williamson: Staff training is the single most effective anti-fraud measure for any organisation to focus on. The vast majority of frauds and other types of business crimes are uncovered by chance by co-workers and line managers, so smart organisations spend time educating staff to recognise a fraud when they see one and how to report their concerns. In almost every fraud investigation, we find that there were plenty of warning signs well before any misconduct is uncovered but that all the warnings, all the red flags, had been repeatedly disregarded. People are naturally trusting and can overlook even the most suspicious activity occurring around them. Simply reminding staff that fraud happens in every organisation, spending a little time considering what it might look like in the context of their workplace, and what actions they might reasonably take to report it, can improve detection rates dramatically.
Sikellis: An essential part of an effective compliance programme is the creation and maintenance of an environment where employees are encouraged to report potentially fraudulent activity without fear of retaliation. Certainly, hotlines are essential because they can provide anonymity. But there are many, equally effective channels, such as direct reporting to compliance, legal and human resources. A business culture where employees feel comfortable raising potential non-compliant behaviour through their managers or other business professionals is ideal. As for training, it is also essential. We cannot assume that employees inherently understand the obligations imposed upon them by laws and internal policies. Indeed, there are often grey areas that require guidance and it is the responsibility of companies to provide that guidance. In this sense, training becomes a key ingredient for establishing the right compliance culture.
Küster: If the relationship between management and staff is strong enough to be able to report such cases openly, then a company should be proud. But this is rare, as employees often fear the consequences of reporting their colleagues or even managers. Whistleblowing systems can help to solve these situations, as they give employees a safe environment in which to report potential misconduct or suspicions. Encouraging staff to identify and report potential misconduct and to train them on how to identify and report such cases is a key element of a robust anti-fraud programme. Early reporting gives a company the chance to investigate and solve potential issues before they cause real damage.
Binning: Training of staff is absolutely vital to any fraud-prevention strategy for the simple reason that procedures can only be as good as those operating them. With the legal and regulatory landscapes in a semi-fluid state, it is important not only to train staff but to do so regularly, as new legislation and rules come into force frequently. Clearly, companies will have to conduct a cost benefit analysis in relation to training, and any resources devoted to it must be both targeted and proportionate. It is also vital that employees of sufficient seniority are trained – this, incidentally, is a requirement of the new whistleblowing rules set out by the FCA. However, the benefits of training can be huge. Fraud often goes undetected for some time within a company and ending it at an early stage can mean significant resources are saved.
Sallaway: Employee education is an extremely important element of any well-run organisation. Generally, organisations know to provide a range of training to employees, especially ones operating in higher risk roles. One aspect which can be overlooked, however, is the need to provide training to the specialist employees whose role it is to identify potential fraudulent activity. Fraudulent activity, by its nature, is not easy to uncover and those in control functions need to be able to spot what can be very subtle signs that something may be going wrong. I would also recommend using, on occasion, external specialist providers as they can bring a new perspective and the firm’s investment in this training can serve to emphasise how important these issues are to senior management.
Ratley: In what ways have companies changed the way they manage and respond to fraud in light of the renewed focus on encouraging and protecting whistleblowers? What more do you think needs to be done in this area?
Williamson: The main mechanism for identifying fraud in any organisation is the internal ‘tip-off’, the whistleblower. Audit, compliance and other proactive anti-fraud measures can be incredibly effective fraud prevention tools but consistently underperform in terms of detecting fraud. Therefore, organisations rely on those brave individuals who are prepared to speak up about their suspicions and concerns. Organisations do seem to have improved processes and procedures around tip-offs – most have anonymous reporting mechanisms in place and procedures for responding to reports. But I still see a lot of poor practice around the treatment of whistleblowers which can completely undermine the anti-fraud culture of an organisation. When an individual experiences hostility within an organisation, when he or she is seen to suffer financially, career-wise or in any way at all for reporting their suspicions, it has a chilling effect on the whole organisation.
Sikellis: Complete and unrestricted whistleblower protection is a prerequisite for any successful corporate compliance programme. As whistleblowers are often the ‘front-line’ of defence to fraud, companies must implement programmes that protect whistleblowers from retaliation, especially via confidential reporting channels. They must also ensure anonymity during all stages of a complaint, from initial reporting of a suspected fraud through any investigation and resulting disciplinary action. There still seem to be cultural obstacles to whistleblowing in certain countries. Companies must find creative ways to overcome this stigma, given the importance of the topic.
Binning: In the UK, the FCA’s reforms have made whistleblowing policies compulsory in most companies within the regulated sector. The regulations are necessarily general and individual companies have significant scope to develop their own regime. Many companies will have opted to implement the bare minimum procedures – though these may sometimes be onerous. The FCA whistleblowing regime provides a strong framework to protect whistleblowers, although it does not afford them protection from prosecution. However, some work does need to be done on the harmonisation of data protection legislation on the one hand and whistleblowing regimes on the other. This issue arises particularly in the context of anonymous whistleblowing which may violate data protection laws in some jurisdictions.
Küster: I have not experienced a change in company behaviour because of this renewed focus on whistleblowers. But companies should invest in whistleblowing systems and in creating a culture of trust around compliance topics. An employee should feel safe when reporting about potential misconduct without fearing the potential consequences.
Sallaway: The culture around whistleblowing is changing, but there is still progress to be made in ensuring staff genuinely believe there will not be reprisals for reporting possible misconduct and that they will be fully supported by their managers, and ultimately, the board, for taking this step. In the financial services sector, in particular, regulators are taking a robust approach to this issue, emphasising the importance of the most senior individuals promoting and supporting whistleblowing.
Grantham: Companies are coming under increasing pressure to prioritise corporate governance and a robust whistleblowing policy is a valuable tool in identifying illegal or dishonest conduct. In order for it to be effective, however, whistleblower protection is vital – if a witness has the courage to come forward to disclose pertinent information, their anonymity must be guaranteed by their employer. In the UK, whistleblowers are protected under the Public Interest Disclosure Act 1998 but there is limited awareness that this protection exists. Under the UK’s anti-corruption plan, the government is exploring ways in which it can enhance support for whistleblowers; raising awareness that these protections are in place would be a positive step.
Ratley: How do you envisage the regulatory and legislative landscape unfolding in the coming months and years? Against this backdrop, do you expect companies to enhance their measures to mitigate potential fraud in future?
Sikellis: We live in a time of unusual uncertainty, so I think it is difficult to predict where the regulatory and legislative landscape will go in the future. In the US, there seems to be a focus on immigration enforcement and border protection, but there is no reason to believe that corruption and antitrust enforcement will abate. Because an important component of an effective compliance programme is continual monitoring of the legal landscape in which the company does business, we fully expect compliance programmes to be modified and enhanced as the landscape changes. Companies must constantly evaluate legal and regulatory developments globally to ensure compliance detection mechanisms are sufficient for the current business climate.
Küster: Globalisation and digitalisation is not only shaping the economic landscape, but also the regulatory and legislative landscape around corporate fraud. We expect to see an increase in regulatory requirements related to food fraud and data protection. Cross-border regulations and the related collaboration of authorities will be supported by the increasing possibilities of prompt exchange and analysis of data and information. Companies are being forced to continuously enhance and adapt their compliance programmes to such developments.
Binning: The trend toward increasing enforcement against both companies and their senior employees shows little sign of abating. While it is not certain exactly how recently implemented powers will be used, it seems likely that prosecuting agencies in more countries will continue to pursue fraudsters with all the tools at their disposal. They will expect to share the fines levied between them. A key aspect of such enforcement is therefore likely to be enhanced international cooperation between major jurisdictions and a growing number of very large corporate non-conviction financial settlements through DPA’s of similar disposals. There will be more prosecutions of senior executives on the back of these corporate settlements. In light of these factors, it is crucial that companies devote sufficient resources not only to fighting fraud but to ensuring that they remain attuned to a continually changing legal landscape.
Sallaway: The Criminal Finances Act came into force on 30 September 2017. The two new offences in the Act will take time to bed in, and it remains to be seen how active investigation and enforcement will be in the early months. However, there is no doubt that the introduction of the new offences means that many firms will need to review existing financial crime controls and ensure necessary enhancements are made to mitigate the risk of any conduct that may engage the new offences. The outcome of the call for evidence in relation to corporate liability for economic crime will be of interest. Any expansion to corporate criminal liability for economic crimes, particularly given the wide variety of behaviours which make up ‘economic crime’, has the potential to substantially increase the regulatory burden on both small and large businesses. Given this burden, careful consideration needs to be given to whether such an expansion will in fact materially reduce the risks of misconduct occurring.
Grantham: It will be interesting to see the impact on the FCPA in the US under the current administration. The president had previously called it a “horrible law” and has appointed an SEC chief who has previously criticised the enforcement of the Act. Understandably, there are international concerns that this signals a change of focus away from aggressive pursuit of bribery and corruption in the US. However, weakening the enforcement of the Act seems unlikely and in the last few years, other countries have introduced and strengthened anti-corruption laws and it would appear at odds if the US were to go against this trend. A key area of uncertainty for the UK is its imminent departure from the EU and the impact that may have on cross-border cooperation.
Milford: We are following with great interest the consultation on reforming the law on corporate criminal liability. How companies react to any such reform will of course be a matter for them.
Williamson: The single greatest factor likely to impact on a company’s appetite to invest in anti-fraud measures will be law enforcement and regulators’ appetite to prosecute individuals. As long as the principle risk of fraud and other business crime is financial – a large fine levied on the business and borne by the shareholders – senior management will sleep relatively easy at night. It seems clear to me that the authorities are increasingly focused on pursuing the individuals responsible for committing the fraud and those who were responsible for failing to prevent it. This is a message that really resonates with senior managers.
James D. Ratley, CFE, has worked as part of the Association of Certified Fraud Examiners (ACFE) since 1988 and now serves as president and CEO. In this role, he works to promote the ACFE to the public and other professional organisations and continues to assist in the development of anti-fraud products and services to meet the needs of the ACFE’s members. In addition, he is a member of the ACFE’s faculty, and teaches regularly at workshops and conferences. He can be contacted on +1 (800) 245 3321 or by email: firstname.lastname@example.org.
Andrew Grantham is an experienced financial and accounting expert with over 25 years’ experience in financial investigations and as an accounting and damages expert witness. His experience covers many aspects of accounting, valuation and financial matters, including breach of contract and loss of profits claims, minority shareholder and joint venture disputes and claims arising following acquisitions and sales of businesses. He has given evidence in the High Court, Crown Court and in international arbitrations on over 30 occasions. He can be contacted on +44 (0)20 7098 7474 or by email: email@example.com.
Gavin Williamson is a partner in BDO’s UK Forensic practice. A chartered accountant and certified fraud examiner, Mr Williamson specialises in forensic accounting investigations on behalf of corporate and institutional clients. His practice ranges from the investigation of financial fraud, theft and bribery, to wider forms of employee and institutional misconduct such as confidentiality breaches and conflicts of interest. He can be contacted on +44 (0)20 7486 5888 or by email: firstname.lastname@example.org.
Peter Binning is a highly respected criminal defence lawyer who specialises in fraud and regulatory litigation, much of it international. He has many years’ experience of investigations and prosecutions relating to fraud, regulatory breaches, corruption, cartels, export control, sanctions and tax evasion. Past cases include investigations and prosecutions by all major prosecuting bodies in cases relating to international fraud, corruption, money laundering and all forms of tax and duty evasion. He can be contacted on +44 (0)207 353 6000 or by email: email@example.com.
Nadine Küster currently serves as general secretary of Germany, Austria and Switzerland for Danone, a leading multinational food company operating in 130 countries. Ms Küster’s is a newly created role which supports all four of Danone’s business divisions – fresh dairy, waters, early life nutrition and advanced medical nutrition – covering legal, regulatory affairs, compliance, communications and public affairs. She is a frequent speaker on the topics of global food law and regulatory affairs. She can be contacted on +49 175 2936 872 or by email: firstname.lastname@example.org.
Ali Sallaway is a partner in the corporate crime team and co-head of Freshfields’ global investigations practice in London. With a record of acting on significant cross-border and domestic investigations for clients in all sectors, Ms Sallaway specialises in corporate and financial crime defence and regulatory enforcement actions. She has significant expertise handling fraud, bribery and corruption, money laundering and terrorism-related matters and in relation to market abuse, disclosure and listing obligations for listed companies. She can be contacted on +44 (0)20 7936 4000 or by email: email@example.com.
Alun Milford is general counsel at the Serious Fraud Office (SFO), a position he has held since 2012. Prior to this, he was head of the Crown Prosecution Service’s (CPS) organised crime division, with responsibility for all CPS casework with the Serious Organised Crime Agency (SOCA), as well as the CPS’ Proceeds of Crime Unit. He also worked in the Attorney General’s Office, where his caseload extended to all aspects of the Law Officers’ coroners and criminal casework. He can be contacted by email: firstname.lastname@example.org.
Robert N. Sikellis is chief counsel compliance for Siemens AG. In this capacity, Mr Sikellis leads the global compliance governance organisation for the legal compliance management, compliance policies, internal investigations, disciplinary sanctions and remediation and compliance in mergers and acquisitions. Prior to assuming his current position, Mr Sikellis held a number of important leadership roles within Siemens, including most recently senior vice president & general counsel of Siemens North East Asia and Siemens Ltd., China. He can be contacted on+49 89 636 32523 or by email: email@example.com.
© Financier Worldwide