November 2022 Issue
Corporate fraud is an ever-present and growing risk for companies, with a majority believing the threat level has increased over the past year. In response, boards of directors and senior executives are taking a proactive approach to fraud risk management, including risk mapping to help inform anti-fraud compliance programmes. And while statistics may vary depending on the type of fraud reported and the jurisdiction in which it occurred, one thing is certain: corporate fraud in its various forms is on the rise.
FW: Could you outline recent trends in the fight against corporate fraud? What legal and regulatory developments would you highlight?
Sikellis: In the final months of 2021, and again in September 2022, the US Department of Justice (DOJ) articulated a clear focus on corporate crime and individual responsibility for corporate wrongdoing with a commitment to strengthen the standards and practices it will apply to corporate criminal enforcement. The DOJ also announced the formation of a corporate crime advisory group, which will be made up of representatives from all divisions of the DOJ with a broad mandate to make recommendations and propose revisions to policies on corporate criminal enforcement topics. The deputy attorney general overseeing the DOJ’s white-collar criminal cases, urged prosecutors to “be bold” in bringing cases. While the actual impact of these statements remains to be seen, these changes highlight a commitment by the DOJ to provide significant resources to investigate corporate misconduct. Companies will need to be responsive to the factors that the DOJ will assess in connection with investigations of allegations of misconduct continue to enhance their risk-based programme to be mindful of the enforcement environment as it evolves.
Robertson: I would agree with the Royal United Services Institute and UK Finance’s determination that the level of fraud in the UK has reached such a level that it is now a “national security threat”. Fraud is estimated to cost the UK economy £137bn every year. Cyber fraud is one area that has grown exponentially and, according to FraudTrack, was the third “most significant” fraud in 2021, seeing a 5536 percent increase in the value of cyber-related fraud cases since 2020. Enforcement activity has not kept pace with this increased risk. Between 2020 and 2021, over 875,622 reports were made to Action Fraud, but, during 2021, 298 alleged fraud cases were heard. Instead, companies are increasingly turning away from law enforcement and making use of the tools at their disposal to tackle potential fraud – whether that be asset recovery tools in the civil courts or pursuing private prosecutions.
Peterson: The fight against fraud is a never-ending battle, but the speed at which fraud is being identified and rooted out is on the rise. There are two main factors contributing to this phenomenon. First, the use of data analytics allows forensic accountants to quickly comb through massive amounts of data to identify red-flag transactions. Because data analytics are so powerful, US regulatory agencies are engaging with the private sector to leverage these tools, which means the governments’ tools are also becoming more sophisticated. Second, global forensic accountants and investigators are noticing much more streamlined, robust collaboration between international regulatory agencies. As a result, we are seeing an increase in multijurisdictional investigations, which puts even more pressure on in-house, legal and compliance professionals as virtually all companies have international touchpoints nowadays.
Foley: Boards of directors and senior executives are taking a proactive approach to fraud risk management that includes risk mapping for which the results of these activities will help inform an anti-fraud compliance programme. A focus by boards and senior leadership will help ensure that appropriate resources are committed to risk management and an organisation’s focus remains on the areas where fraud could surface. Additionally, governments are coordinating resources across various regulatory agencies to address fraud and corruption, which strives to enable a harmonised response to risk generally, and a prioritisation of risk management and sharp focus on the most prevalent vehicles for fraud to occur, such as digital and technology platforms and ransomware.
“Companies can draw on a range of tools, including analytics technology and artificial intelligence (AI), which can help identify red flags in customer activity before a fraud is perpetrated.”
FW: Have any particular corporate fraud cases gained your attention in recent times? What do these cases tell us about the extent of the threat facing the corporate world?
Robertson: The UK’s Serious Fraud Office (SFO) has been scrutinised for the collapse of a number of its prosecutions, however it has had recent success in the case of high-value fraud. This summer saw the conclusion of the prosecution of a former lawyer in connection with a £100m fraudulent scheme to divert money from the Axiom Legal Financing Fund for his own benefit. He was sentenced to 14 years imprisonment. It is a clear indication that, despite recent setbacks, the SFO remains confident in pursuing high-value fraud. Another area to watch is cases concerning fraud-related risks emerging from new technology. In Danisz v. Persons Unknown, which concerned an alleged fraudulent cryptocurrency initial coin offering (ICO), the court was ready to apply old tools to novel situations – such as worldwide freezing orders against persons unknown. I expect we will continue to see courts adapt to apply existing remedies to new fraud-related threats.
Peterson: We are likely to see an international rise in environmental, social and governance (ESG) cases. One case illustrates a US Securities and Exchange Commission (SEC) enforcement action taken against an international company that made allegedly misleading statements regarding its ESG and its safety practices. Based on the surge in public demand for greater transparency from corporations around ESG, the SEC is establishing new climate reporting and disclosure requirements. One of the primary issues with reporting on ESG is the prevalence of ‘greenwashing’ – where companies make false claims, overstate and exaggerate their environmentally-friendly activities to appear environmentally conscious, despite their business practices failing to support such claims. The SEC has taken disciplinary actions against companies for inflating ESG claims in advance of issuance of the proposed guidance. Another case is the recently settled False Claims Act (FCA) lender matter. A community bank with branches in two states was charged with processing a Paycheck Protection Program (PPP) loan on behalf of an ineligible borrower. While the settlement was small, it is the first time the DOJ has settled publicly with a lender, rather than just pursue lawsuits against ineligible borrowers. This indicates that enforcement agencies are moving into more complex PPP cases and addressing potential fraud that occurred during the coronavirus (COVID-19) pandemic.
Foley: In the US, fraud cases that have been spotlighted recently include the 2021 Colonial Pipeline matter, which involved a hacker’s demand for cryptocurrency in exchange for decryption of certain data maintained by the company. In response to this request, Colonial Pipeline closed thousands of miles of pipeline in the US to address this threat. The company ended up paying the hackers almost $5m in bitcoin. The incident was not without substantial impact to consumers in the US, and the company closed its operations for five days while it addressed the demand. Another case involved insurance fraud arising from COVID-19 unemployment claims, which US prosecutors state was the “biggest wave” of fraudulent activity in US history. The US Department of Labor estimated approximately $87bn in improper claims were filed by impostors based domestically and abroad. Through this scheme, bots utilised stolen identities to populate unemployment forms, and criminals based overseas leveraged lower wage workers to submit data they had stolen for unemployment claims. Lastly, there was a 2021 matter involving telemedicine, which included the DOJ arresting almost 140 individuals, including doctors, nurses and other medical professionals for their involvement in fraud that involved telemedicine, healthcare fraud and the distribution of highly regulated controlled substances. These individuals’ fraudulent actions resulted in more than $1bn in losses. These three examples highlight the increase in ransomware by bad actors and the importance of companies needing to have a strategy to defend against and address these situations should they arise. They also demonstrate that technology is being utilised to facilitate fraudulent activities, which highlights the need for a robust information security framework that can identify irregularities and protect sensitive personal data from being misused.
Sikellis: In a widely publicised trial with intrigue and drama, Elizabeth Holmes, founder of a once $9bn blood testing company Theranos, was found guilty of several crimes relating to defrauding investors about the safety and accuracy of blood tests – a critical diagnostic tool that is integral to patient care. According to the DOJ press release, “Elizabeth Holmes chose fraud over business failure” once she realised that the tests were not performing. Similarly, in a related trial, Ramesh Balwani, the former Theranos chief operating officer and president, was also found guilty in July 2022 on similar counts, as well as “perpetrating fraud on unsuspecting patients”. This case is a vivid demonstration of failures at the highest levels of an organisation. Consideration should be given to whether the board was provided with the appropriate level of information so that this misconduct could have been investigated or addressed. It also calls into question the culture of the company where the dissemination of misinformation made its way into the marketplace through many channels, including marketing materials and financial statements, as well as other forms of media. The case emphasises how fear of market decline improperly motivated a lack of transparency and candour.
FW: In your opinion, are companies doing enough to improve their governance and control procedures in order to manage and mitigate corporate fraud? What do you consider to be the indispensable elements of anti-fraud programmes, policies and procedures?
Peterson: In general, companies should continuously improve their governance and anti-fraud programmes and controls. There are significant gaps in governance efforts because companies were unable to conduct in-person training, on-site visits and face to face informational meetings during the pandemic. As a result, internal workers assigned to compliance responsibilities are less visible to management. When it comes to any anti-fraud programme, there are five elements companies must have as a baseline: control environment, risk assessment, control activities, communication and awareness, and monitoring. As we come out of the pandemic and in-person activities resume, it will be important for in-house compliance professionals to return to the field and communicate compliance policies and procedures. Additionally, risk assessments should be refreshed to understand the new risks that have emerged during the pandemic and reprioritise pre-pandemic risks.
Sikellis: Most multinational corporations have a much more sophisticated compliance programme than a decade ago. Companies have recognised the importance of putting in place programmes that promote an ethical culture that is appropriately responsive to enforcement guidelines. This is also recognised under the US Sentencing Guidelines, where a company can mitigate the outcome when “the organization had in place at the time of the offense an effective compliance and ethics program”. The Guidelines further mandate that compliance and ethics programmes must be “reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct”. Central to good compliance governance are policies and procedures to address reporting of misconduct, appropriate investigations of allegations, and remediation that is responsive to the root cause of the issue, whether individual misconduct, a policy gap or something requiring broader retraining.
Foley: Indispensable elements of anti-fraud programmes include the following. First, concise policies, procedures and processes that are operationalised throughout a company’s commercial and operational processes. Second, training that outlines for employees what fraud is and how to promptly report potential fraudulent activities to the organisation. Third, periodic risk assessments and ongoing monitoring that focus on evaluating internal controls established to prevent fraudulent activities. Fourth, a strong compliance culture that is reinforced by top and middle management, who also encourage a speak up culture protected from all forms of retaliation. Fifth, an independent investigative process to address allegations of fraud and other categories of misconduct, and which involves individuals with the appropriate experience looking into these types of concerns. Sixth, support from the board of directors that includes allocating attention and resources to an anti-fraud programme. And lastly, maintaining disciplinary principles that are consistently leveraged to address situations when fraud is identified.
Robertson: There has certainly been a concerted effort by companies in recent years to manage and mitigate the risks of corporate fraud. However, as with all compliance risks, companies must balance these, and the need for other compliance enhancements, against their limited resources. With the prospect of a corporate ‘failure to prevent fraud’ offence coming into law, companies should keep in mind the UK government’s ‘adequate procedures’ guidance which accompanied the introduction of similar offences. In particular, company anti-fraud programmes should be guided by risk assessments proportionate to the business and the extent of the risks it faces, to help inform policies and procedures designed to tackle fraud and other corruption. Companies should clearly communicate the principles of their anti-fraud programmes to ensure that they are embedded and understood throughout the organisation, underpinned by a zero-tolerance culture, fostered and demonstrated by top-level commitment to the programme.
“Leveraging technology and strengthening internal controls will be assets companies utilise to mitigate and remediate fraud.”
FW: How would you advise companies go about setting up systems to detect potential fraud? In what ways is technology assisting?
Foley: Leveraging technology and strengthening internal controls will be assets companies utilise to mitigate and remediate fraud. The use of technology also delivers efficiencies when detecting fraud and offers organisations invaluable insights and capabilities to prevent fraud. A company should understand its internal technology platforms and how they could be impacted by vulnerabilities. This can be addressed through data analytics, which establishes rules and associations to segment data and identify patterns that may suggest fraudulent activities are occurring, exception reporting and anomaly detection techniques. Obtaining this baseline on potential risk will help organisations implement effective and sustainable mitigation strategies that address and monitor fraud, among other risks. In addition to using technology to help identify compliance gaps, technology also can be used to support and scale risk assessments across an organisation and ferret out control failures that may expose the company to fraud and potentially lead to regulatory scrutiny.
Robertson: Technology will play an increasing role in detecting potential fraud, particularly given the impact of the pandemic in shifting more criminal activity online. Companies can draw on a range of tools, including analytics technology and artificial intelligence (AI), which can help identify red flags in customer activity before a fraud is perpetrated. However, the use of technology needs to be underpinned by employee knowledge and effective corporate governance. Training employees to recognise potential fraud is important, and training programmes should adapt to address new and emerging risks, as criminals find new ways to perpetrate fraud – as we are seeing in cyber and crypto activity. There should also be clear reporting lines for raising concerns around wrongdoing. This, together with sound policies backed up by a clear tone from the top that promotes accountability and integrity, will assist a company in embedding effective corporate governance and anti-fraud procedures.
Sikellis: There are many elements to an effective compliance programme that will assist with the detection of fraud. To start, the programme design should be considered. A well-designed programme would include risk-based policies and procedures that address and understand the company’s business in a meaningful way, so that the policies are responsive to the industry risks as well as particular risks associated with a corporate business model. In addition, training on those areas should be comprehensive and provide meaningful examples of conduct to demonstrate scenario-based decision making. Further, the mechanism to report potential misconduct should be clear, with a corresponding investigations process that remediates misconduct in a consistent and clear manner. A good programme will always include a risk assessment process that will need to be responsive to changes in the business environment on a continuous basis. No doubt, technology will be a key tool to assess risk areas by probing data sets in various areas, whether in expense reporting, or sales and promotional activities, to ensure identification of potential signals for investigation. With the advance of technological tools, companies may find themselves at a disadvantage if certain ‘smart’ technology tools are not incorporated into a risk assessment process.
Peterson: Technological advancements in forensic accounting have made it much easier to detect red flag transactions and potential fraud. We suggest three considerations for integrating a system that leverages technology to successfully detect fraud. First, increase the time allocated to planning and data normalisation by about 50 percent compared to a traditional manual review. Second, be sure to pull in the entirety of the population and various data sets. A technology tool is only as good as the data that it digests, so it is crucial to use 100 percent of the population sets from areas such as human resources, pricing and third-party data, in addition to traditional transaction modules.
“Objective criteria to assess bona fide relationships is important, and a list of approved vendors is a step that can be beneficial to ensure consistency.”
FW: In terms of third-party relationships, could you outline the main fraud-related risks that companies face? What measures can be taken to mitigate them?
Robertson: Third-party relationships remain one of the highest sources of risk from a corruption perspective. Risk can stem from the relationships a company has with its suppliers, agents, advisers or even customers. It reiterates the importance of corporate due diligence processes in ensuring that organisations can properly vet who they are working with, identify high-risk parties and implement appropriate risk mitigation measures to manage the threat. In addition to robust due diligence processes, companies should incorporate adequate provisions in third-party contracts, requiring the third party to properly comply with anti-corruption laws and, where appropriate, allowing a company to access and inspect information held by the other party where wrongdoing is alleged. With the prospect of a new corporate offence of ‘failing to prevent fraud’ in an organisation hitting the statute book in the near future, the risks posed by third-party relationships could become even greater.
Sikellis: Reliance on third parties is undeniably necessary to conduct business in a global corporation. And, while the need is vast and poses unique challenges in different parts of the world, a consistent approach to address the risk is most beneficial. From the outset, it is critical to have a strong and consistent process to conduct due diligence on third parties. Objective criteria to assess bona fide relationships is important, and a list of approved vendors is a step that can be beneficial to ensure consistency. Risks that can arise in third-party relationships can include initiating payments without appropriate contracts in place, insufficient contract terms to address the requirements of the relationship, and failure to have a right to audit or an ability to address breaches of terms. Consideration should also be given to whether it is necessary to include a provision that requires the cooperation of the third party in the event of an internal or external investigation. In the end, it is important for companies to continuously reassess risks and the effectiveness of controls on an annual basis. While diligence in the initial phase of contracting is important, attention should also be paid to monitoring existing arrangements which may also include exercising audit rights in appropriate circumstances.
Peterson: There are countless fraud risks when it comes to third parties. As we examine the Foreign Corrupt Practices Act (FCPA) settlement agreement, there is a clear risk that third parties were used to facilitate bribe payments on behalf of the company. These payments were funded by the company in different ways. In this case, the most prevalent fraud was bribes funded through an unusually low price, high commission, or reimbursement of third-party expenses. Mitigation of these risks starts with proper third-party onboarding that includes due diligence and a contract with an audit-right clause. Continuous training through annual certifications and monitoring through exercising the audit clause are good ways to reduce risk. Another salient scheme to consider is a kickback, which requires collusion between parties. Typically, company B is overcharged by the vendor and a portion is kicked back to company A’s employee. Third-party due diligence and price verification mitigate this risk.
Foley: Third parties can pose exceptional risks to an organisation, including bribery, asset misappropriation, tax evasion, money laundering and cyber breaches. It is critical for companies to establish and maintain effective risk identification and management processes specific to the engagement of third parties. This can be accomplished through procurement procedures that outline and implement effective control measures that address cost and understand with whom the company is ultimately conducting business, and strong contracting that permits compliance training, auditing and acknowledgements. In addition, an effective, risk-based due diligence programme can also successfully identify third-party risks to an organisation, not only at the outset of the engagement, but also throughout the engagement with ongoing monitoring activities that can leverage data to help promptly identify potential abnormalities and concerns related to the third-party engagement that could pose a risk to the company.
FW: Based on your experience, what steps should a company take when responding to a report of actual or suspected fraud?
Foley: First, company leadership should unequivocally communicate that fraud is unacceptable in all aspects of its operations, regardless of industry or operating model complexity. Allegations of fraud should be taken seriously and be promptly referred and responded to by internal resources that have the expertise to initiate and perform a thorough investigation. Second, companies should capture trends and insights from investigations into allegations of fraud to help support continuous improvement activities and enhancements to internal controls and processes that prevent misconduct. Lastly, employees are a critical line of defence for companies when preventing fraud. Thus, organisations should ensure that their employees are trained on fraud risk management and know how and where to report fraud concerns to the company.
Peterson: The initial steps are critical in determining the validity of the claims and any potential risk involved. We suggest consulting with general counsel and internal audit and compliance staff and then engaging with external consultants. Third-party forensic accountants and auditors ensure the investigation is performed by a neutral party. This team will work with the internal team to evaluate allegations, assess risks and schemes and identify policies violated or laws broken, as well as who may be involved. Following a review of all supporting evidence and after speaking with parties who potentially have information, the external team will conduct interviews with those allegedly involved. The team will report its findings and law enforcement may be involved. If the scheme is wide-reaching and impactful to clients or investors, the organisation may want to engage an internal or external public relations team to handle any potential public or stakeholder scrutiny.
Sikellis: Any allegation of actual or suspected fraud should be promptly addressed through the corporate investigations process. Depending on the circumstance and nature of the allegation, this investigation can be conducted by internal resources, such as compliance investigations or a security function, or, in other situations, there may be a benefit to an external law firm conducting a review under privilege. Regardless of who the fact finder is, it is important to ensure that evidence, such as emails, is preserved and that the scope of the investigation is responsive to the nature of the allegation. Good documentation of the findings is also critical so that a company can assess root cause as well as trends. A determination of whether misconduct has occurred would drive the resolution process, which can include disciplinary action up to and including termination from the company. Lastly, consideration should be paid to whether remediation should include updates to policies and processes or the retraining of individuals, or a broader company approach in unique circumstances.
Robertson: Companies should take immediate steps to investigate a report, preserve evidence and conduct an independent investigation to establish the facts. Additional steps may be taken where the report is made by a whistleblower to ensure they do not suffer retaliation. Companies should ensure the investigation is not open to challenge if, for example, employee misconduct is identified, and a report made to law enforcement. Where there is potential corporate liability, another question corporates will grapple with is whether to self-report. In England and Wales, there is no general obligation to report actual or suspected criminal activity to law enforcement. An organisation will need to consider the pros and cons of self-reporting, and weigh this against the importance prosecutors place on cooperation. Other considerations may also be relevant where the company is regulated or publicly listed, or where there is a cross-border element and differing self-reporting obligations across jurisdictions.
“There are five elements companies must have as a baseline: control environment, risk assessment, control activities, communication and awareness, and monitoring.”
FW: How do you expect the corporate fraud landscape to evolve in the years ahead? What changes do you anticipate in the way companies actively reduce and respond to fraud?
Peterson: We anticipate more international allegations. Overseas regulatory bodies are collaborating with their US counterparts in a much more engaged capacity than ever before. As a result, we are seeing more enforcement of international laws. As a global recession looms, we anticipate financial statement fraud and asset misappropriation violations may increase. Companies are already under tremendous pressure to hit earning numbers; a recession could add to that stress, increasing the probability of fraud. Finally, we expect fraud schemes to become more complex and creative. Technological solutions to fight fraud limit the tactics that wrongdoers have used in the past. Companies can reduce and respond to fraud by shifting responsibility and pushing technology. We expect to see management and business units taking ownership to mitigate fraud risks, as well as adopting new technologies that have predictive modality analysis to combat and detect fraud.
Sikellis: There will be a push toward increasing data analytics to start and drive investigations across industries. This could manifest itself in many healthcare-related industries, including newer common practices like telemedicine, telehealth and other promotional activities that target customers or use of patients’ data. Recently, the DOJ announced that it had recruited from private industry a former corporate executive with vast technology experience to join its Fraud Section as its “compliance and big data expert, advising prosecutors on the policies and procedures that companies put in place to stop employees from violating laws or internal policies”. This demonstrates the DOJ’s commitment to data analytics as a tool to home in on potential misconduct and bring cases forward that stem from the use of analytics. Companies will have to assess their own approach to analytics and their need to use technologies in their various compliance initiatives, whether during the risk assessment, investigation process, or other financial systems that may be a source to review in assessing potential fraud.
Robertson: A recent KPMG report found that there has been a “substantial rise” in fraud committed by employees and management, potentially because of weaknesses in internal controls which emerged from businesses finding new ways of working during the pandemic. The increased risks posed by employee and management-related fraud is exacerbated by likely legislative change that is incoming, which will make it easier to hold a corporate in the UK criminally liable for employee fraud. In June 2022, the Law Commission proposed a new ‘failure to prevent fraud’ offence, which would make it easier to hold corporates accountable where, for example, a senior manager perpetrates an accounting fraud with the intention of benefitting their employer. This is likely to increase pressure on companies to be proactive in preventing and investigating potential fraud. There could also be increased pressure to direct additional resources to compliance teams at a time when there are significant economic challenges.
Foley: There will be a continued focus on the use of data to proactively identify risk and support fraud-remediation activities, which may warrant additional investment in tools and resources. In addition, many companies are revisiting their training and communication strategies and content to strengthen guidance provided to employees so that they are aware that fraud can affect any level of an organisation. Proactively addressing fraud will remain critical for organisations to address the impacts fraud could have on commercial activities. Managing fraud risk will continue to be a ‘team effort’ and require investment and prioritisation from boards of directors, management, internal audit, internal investigators and business personnel. To that end, and while ‘tone at the top’ is important to drive corporate culture, and data is critical to proactively identifying fraud risk, the ongoing threat of fraud requires that mitigation efforts be embedded into a company’s ethics and compliance programme, which is the foundation for establishing expectations for how a company identifies, addresses and remediates risk that could impact a company.
Based in Washington DC, Paul Peterson is a partner in BDO’s robust forensics practice where he focuses on fraud investigations, global anti-corruption, litigation support and consulting services around forensic accounting and anti-fraud programs and controls. He has subject matter expertise in the FCPA and has worked within and managed investigations in 36 countries. As part of his international work, he relocated to Mainland China for three years helping multinational companies with their China-based fraud and compliance matters. He can be contacted on +1 (202) 644 5411 or by email: ppeterson@bdo.com.
Robert Sikellis is global head, litigation & investigations for Novartis where his responsibilities include overseeing litigations and investigations. Prior to joining Novartis, he was chief counsel for compliance at Siemens, where he oversaw all internal investigations. He started his career as a prosecutor in Massachusetts. He can be contacted on +1 (862) 223 0780 or by email: robert.sikellis@novartis.com.
Sarah Foley is deputy compliance officer and director of compliance for Patterson Companies, Inc. In this role, Ms Foley has responsibility for the company’s global ethics and compliance programme, initiatives and strategy. She can be contacted on +1 (651) 405 5116 or by email: sarah.foley@pattersoncompanies.com.
Elizabeth Robertson’s decades of experience have given her significant understanding of the priorities of the UK prosecuting authorities, including the Serious Fraud Office, the Financial Conduct Authority, HM Revenue and Customs, and the Competition and Markets Authority. She has particular experience in advising on corruption, money laundering, economic sanctions and criminal tax cases and is regularly asked by clients to assist with governance and compliance matters. She can be contacted on +44 (0)20 7519 7115 or by email: elizabeth.robertson@skadden.com.
© Financier Worldwide
THE PANELLISTS
BDO
Novartis
Sarah Foley
Patterson Companies, Inc.
Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates