Corporate fraud

November 2023  |  ROUNDTABLE | FRAUD & CORRUPTION

Financier Worldwide Magazine

November 2023 Issue


Amid a volatile global environment, enforcement agencies remain focused on a range of potential fraud by corporations – activities that span a range of industries and offences. Much of this activity is well established, such as accounting fraud, asset misappropriation and corruption, but some is of more recent vintage, spawned by supply chain disruptions due to the war in Ukraine and cyber-related fraud in the wake of the pandemic. Old and new, the types of fraud have changed, as have the techniques being used to perpetrate them.

FW: Could you describe the main types of corporate fraud that you are typically seeing across the current financial and economic landscape?

Andres: The Department of Justice (DOJ) and other US enforcement agencies remain keenly focused on a range of potentially fraudulent activity for both corporations and individuals – and that focus is not limited to particular industries or offences. Foreign corruption always remains top of mind for the DOJ and the Securities and Exchange Commission (SEC) – both agencies have large, dedicated units that enforce the Foreign Corrupt Practices Act (FCPA), and those investigations often involve money laundering offences as well. Furthermore, international cooperation between countries in this space continues to grow. As for what is new, the DOJ recently announced a new initiative to address threats to US national security posed by corporate fraud and, in September 2023, it announced key appointments to head the National Security Division’s corporate enforcement programme. This unit is expected to cover offences involving the Foreign Agent Registration Act, export control, sanctions evasion, cyber crime, technology theft and other corporate interactions with terrorist-related entities. The DOJ’s recent prosecution of French-based materials manufacturer Lafarge for providing material support to ISIS is just one example of this initiative.

Sengupta: Disruptions in global supply chains due to the war in Ukraine as well as the significant sanctions and export controls imposed on goods and services linked to Russia have led to the proliferation of fraud, which can attract attention of both criminal prosecutors as well as other sanctions and export control enforcement authorities. Common schemes include attempting to mask the origin of sensitive technology or goods intended for export to Russia, or non-disclosure of the intended final export destination to suppliers in the country of origin. Supply chain disruptions have also led to attempts by suppliers to fraudulently replace more expensive or harder to obtain materials with cheaper materials, notably in the mining and metals space. Corporations are also dealing with increased threats to their cyber security, resulting in phishing attempts on employees inducing them to transfer funds or sensitive corporate data to fraudsters. Enforcement actions targeting the misuse of government relief funds, as well as a variety of medical scams, including counterfeit vaccines and medical supplies, continue to wind their way through courts. Similarly, insider trading by publicly listed company insiders using material non-public confidential information, such as confidential acquisitions, continues to attract attention from authorities.

Zack: The types of fraud have changed, but so too have the techniques used to perpetrate old and new frauds. Two examples illustrate this well. First, studies show that it is becoming more common for frauds to be executed in collusion by multiple co-conspirators. What was once a rare instance is now commonplace. Collusion makes both preventing and investigating fraud more difficult. Additionally, while some frauds utilise the same techniques that were used years ago, it is becoming more common that perpetrators of fraud are using technology as an integral part of their work. Even some of the longstanding disbursement, expense reimbursement and payroll frauds are now being perpetrated in more sophisticated manners than in the past. Ill-intentioned employees learn the intricacies of employers’ systems and figure out ways to circumvent IT controls to access data they should not be able to access or manipulate data and records that should be secure.

McGoldrick: According to the UK’s Office of National Statistics (ONS), for the year ending March 2022, fraud offences increased by 25 percent, with the proportion of fraud incidents that were cyber-related increasing significantly to 61 percent. The uptick in cyber-related fraud may be related to behavioural changes due to the coronavirus (COVID-19) pandemic and increased online activity. The pandemic has also resulted in an increase in supply chain fraud due to the global nature of supply chains, the complex operating environment, the involvement of third parties and volume of transactions.

Russo: In France, a large number of ongoing corporate criminal investigations relate to tax fraud and corruption-related offences, like misappropriation of public assets, unlawful conflict of interest and offences related to public procurement contracts. According to recent statistics, the French Parquet National Financier (PNF) has been carrying on not less than 700 investigations in relation to such misconduct. Cyber crime and misuse of personal data are also on the rise globally, while environment offences have become a major focus of judicial authorities. In a recent joint statement, the European Union (EU) and the US committed to further strengthen cooperation against environmental crime, including by developing cooperation tools and mechanisms to share information and best practices. In France, no less than 14 CJIPs – the French equivalent of deferred prosecution agreements – were concluded over the past three years in order to settle criminal investigations on corporate environment offences.

Silveira: Accounting fraud, asset misappropriation, corruption, such as collusion among vendors, and conflicts of interest are the main types of corporate fraud being seen. Greenwashing is also an area of growing attention. Investors, activists and customers are all demanding greater transparency from companies around their environmental, social and governance (ESG) practices. Regulators are also increasing their activity in this area, with some disciplinary action taken against companies that made false claims and exaggerated their positive environmental impact without clear evidence.

The new corporate offence will make it easier for criminal prosecutions to be brought against companies, however enforcement actions will depend on the resources available to enforcement authorities.
— Vanessa K. McGoldrick

FW: Could you highlight any recent, noteworthy cases of corporate fraud which caught your eye? What would you say are the most important lessons that the corporate world can learn from the outcome of such cases?

Sengupta: Two of the most noteworthy cases in the last two years have been the civil and criminal proceedings in connection with the collapse of cryptocurrency exchange FTX and the trial of Theranos founder Elizabeth Holmes, who had falsely claimed to have created a revolutionary medical device. Both cases highlight investors’ rush to invest in privately held new-technology companies led by founders who generated tremendous media hype, leading to rapid capital flows into companies that were ultimately intentionally misleading investors and misusing investor funds. The prosecution of former Wirecard executives in Germany in 2022 was similarly noteworthy in Europe, as it remains the largest corporate fraud case in German history. While each case is different, for both FTX and Theranos the key lesson is investors failing to conduct satisfactory due diligence and demand transparency. For Wirecard, it was a tremendous failure of regulatory oversight of a publicly traded company, inadequate internal controls and poor statutory audits.

Zack: Some of the cases that have caught my attention in recent years involve new types of fraudulent reporting perpetrated by organisations. Accounting fraud continues to be a significant risk area. But more recently, it is fraudulent reporting of nonfinancial information that is in the news every day. In many cases, sustainability or other ESG-related data is reported fraudulently, designed to make the organisation look good. It has become so common that entirely new terminology has been created to describe it. Terms like greenwashing, bluewashing and others did not exist just a few years ago. Now, we hear them all the time. And the techniques used to engage in this type of fraudulent reporting have become quite sophisticated, making prevention and detection more complicated.

McGoldrick: On 13 September 2023, the UK Serious Fraud Office (SFO) charged four individuals in relation to the collapse of Patisserie Valerie, including the former director and chief financial officer (CFO) of the company. The SFO has charged all four suspects with conspiring to inflate the cash in Patisserie Holdings’ balance sheets and annual reports from 2015 to 2018. The company’s former financial consultant, financial controller and CFO are also charged with five counts of fraud by false representation and one count of making and supplying articles for use in frauds. The former CFO is also charged with making false statements as a company director. The new corporate offence of failure to prevent fraud will cover some of the same offences, with which these individuals have been charged, including fraud by false presentation and false statements by company directors. As such, it will be easier for enforcement authorities to prosecute a company in circumstances where the fraud was intended to benefit a company. The only defence available to a company will be to demonstrate that it had reasonable procedures in place to prevent fraud.

Russo: In June 2023, France’s PNF entered into a convention judiciaire d’intérêt public (CJIP) with two energy companies that allegedly bribed African officials to obtain commercial contracts. The €209m fine included the disgorgement of profits derived from the alleged corruption and a penalty. In accordance with the new PNF guidelines on CJIP issued in January 2023, the penalty was calculated considering aggravating factors – like the systemic nature of the alleged misconduct – and mitigating factors, including the companies’ voluntary and timely disclosure, the relevance of the internal investigations and cooperation with the criminal investigation, and the implementation of appropriate corrective measures. This case illustrates that large anticorruption corporate resolutions are still a huge priority for French authorities as well as the financial benefits that a company can get from cooperating with a criminal investigation. In parallel, another major trend in France and globally is the emergence of the duty of corporate vigilance. Since last year a growing number of companies have been brought before courts by non-governmental organisations (NGOs) that claimed they were in violation of their duty to prepare a ‘vigilance plan’ designed to identify and prevent violations of human rights and environmental crimes, resulting from their own activities and those of their subsidiaries, subcontractors and suppliers. In the context of these legal actions from authorities and NGOs, companies should carefully consider reviewing their internal compliance programmes in order to detect and fix potential shortcomings. Major legal, financial and reputational consequences can be associated with the failure to implement an effective compliance programme that covers all corporate activities, especially for international corporate groups.

Silveira: Americanas.com in Brazil and Wirecard in Germany are recent fraud scandals that provide strong lessons. They both demonstrate that accounting fraud is still an issue in large corporations in spite of external audit and reporting obligations. The key lessons in these two cases are that companies may have strict policies and internal controls, but if corporate governance and business integrity are not taken seriously enough, the risk of fraud may increase significantly. Senior management play a key role in these organisations in terms of investing in adequate internal controls and propagating a culture of integrity. Recent fraud cases underscore the need for a robust internal controls framework, starting with clear policies and guidelines and including continuous training and communications, and diligent monitoring and follow through on misbehaviour.

Andres: In the US, the Lafarge case is noteworthy because it highlights the DOJ’s focus on national security-related corporate offences. The Glencore FCPA and market manipulation case stood out for the harsh punishment imposed, which included two separate guilty pleas – in two separate courthouses on the same day – and the imposition of not one, but two, monitors. Finally, the DOJ’s decision to breach several corporate resolutions agreements demonstrates its focus on not just the prosecution of corporate entities, but its intent to strictly enforce the accompanying agreements in a way that was previously less common. To the extent there are lessons to be learned from these, it is simply that the DOJ is intensely focused on rooting out corporate malfeasance, including by the use of new theories and tools to both bring prosecutions and enforce any ensuing agreements.

Individuals looking to perpetrate fraud are using more sophisticated techniques and are becoming more likely to collaborate with other co-conspirators. This makes detection more difficult, which leads to larger losses.
— Gerry Zack

FW: What advice can you offer to companies in terms of implementing and maintaining a robust fraud risk assessment process, with appropriate controls to detect potential misconduct? For example, what measures should they take to strengthen processes around third-party relationships?

Zack: The biggest thing I see is a lack of granularity in fraud risk assessments. It is too easy to put frauds into large buckets and think the risk assessment process can work well that way. For example, an organisation should not simply list ‘bribery’ and attempt to assess it effectively at that level. There are just too many ways of paying a bribe, and the internal controls needed to mitigate the risk vary from one method to another, even though in the end they are all bribes. The same holds true for third-party relationships. There are so many aspects of these relationships that are prone to fraud. Identifying and assessing each of the highest risk aspects of these relationships is essential in order to manage this category of risk.

McGoldrick: Top-level commitment by senior management to prevent fraud needs to be embedded into a company’s culture, which can sit alongside updated risk assessments, periodic reviews and monitoring of anti-fraud measures and appropriate policies and procedures on fraud, which should work in conjunction with training for employees. Understanding the third parties that a company works with is critical and includes understanding who the third party is and what services they provide. This means that appropriate due diligence should be conducted to assess any potential risks, and screening should be reviewed and monitored periodically to address any changes in the relationship. In addition, companies should include adequate provisions in third-party contracts, requiring the third party to properly comply with applicable financial crime legislation and, where appropriate, allowing a company to access and inspect information held by the other party where wrongdoing is alleged.

Russo: Companies, especially those with international operations, should put in place a fraud prevention mechanism based on three main pillars. First, the commitment of the management body, such as a firm undertaking from the company’s management to prevent and detect any fraud. Second, the implementation of a tailored risk map allowing identification and prevention of fraud risks specific to each organisation. Third, measures and procedures specifically designed to control these risks, notably with respect to third-party counterparts, including clients, suppliers and intermediaries.

Andres: Compliance remains the best, and sometimes the only, defence to a corporate fraud investigation and resulting resolution. The DOJ has repeatedly said as much and, in a series of policy statements and guidance, has emphasised the essential role of compliance officers. Compliance functions must understand a company’s risks even as they evolve and necessarily involve frequent, sometimes annual assessments, occasionally aided by outside consultants. This is no longer a tick the box or one-time affair. As for third-party relationships – often a fertile ground for corruption risk – companies must be diligent in background checks and establish onboarding procedures and even exercise audit risks where appropriate. In either case, companies must be focused on, and invest in, having an effective compliance programme.

Silveira: Risk assessment should not be a one-off exercise, but a continuous effort alongside regular training, communication and audit. A proper risk assessment exercise should be reviewed periodically, taking into account recent internal and external issues. But for that to be possible, companies should focus on making sure that employees and third parties feel free to report their concerns with no fear of retaliation. Building trust with employees, customers and suppliers is key to creating psychological safety and ensuring that stakeholders understand how they can communicate their concerns to the right channels in the organisation, and are confident that their concerns will be investigated seriously. Additionally, companies should have strong processes to select and retain third parties based on integrity criteria, on top of commercial considerations. This means that, prior to vendor engagement, risk-based due diligence processes should be implemented and supported by the board in case existing vendors are involved in misconduct.

Sengupta: The size and scale of a company’s operations, as well as the nature of its business, will determine a company’s fraud risk assessment process, including the level of sophistication of its internal controls. For global financial institutions, this starts with an effective compliance programme that covers prevention, detection and remediation, and will include codes of conduct, appropriate governance structures where control functions like compliance, internal audit and external audit are truly independent, rigorous periodic risk assessments which evolve with changing risks, technology-driven prevention tools that detect unusual or suspicious activity that raises red flags, confidential whistleblower hotlines and employee training, and a team of legal advisers who can conduct internal investigations as necessary and guide the company with any regulatory reporting and remediation obligations. Depending on the nature of a third-party relationship, enhanced efforts may be necessary, including more frequent due diligence reviews, checking negative news databases, application of internal gift and hospitality policies and proper record keeping, among others, especially where such relationships could expose the company to a higher risk of fraud or other financial crimes.

Year after year, new legally binding obligations are imposed on companies in the fields of compliance and corporate social and environmental responsibility.
— Eric Russo

FW: In what ways is technology, such as data analytics, helping companies manage the risk of fraud? Are you seeing a rising appetite among companies to explore these solutions?

Silveira: The role that big data and data analytics can play in this area is huge, but in my opinion there is way more that companies can do to leverage technology to enhance their risk management processes. Data mining and analytics tools are still quite expensive and require a strong business case for organisations. There is certainly appetite, but cost is still a barrier. However, several companies are already investing in new artificial intelligence (AI) tools, which may certainly be used for the purpose of data analytics and risk management in the near future. Clearly, this is a field to be explored.

Sengupta: Technology, particularly data analytics and algorithms, has a key role in managing the risk of fraud and other financial crimes in the financial services industry, as well as across other sectors, and the appetite for such technology has grown as the technology has improved. Advanced analytics tools can help analyse large datasets to identify patterns, aberrations and typical trends that can help in early detection and prevention. Real-time transaction monitoring can lead to immediate responses to suspicious behaviour and prevent significant losses. For large financial institutions, monitoring algorithms can routinely trigger alerts for unusual or high-risk transactions, enhancing fraud prevention. Technological tools can also generate predictive models to assess the heightened risk of fraud in particular scenarios, where compliance and audit teams can dedicate trained human resources to defend potential vulnerabilities. Finally, automating processes that eliminate the likelihood of rogue behaviour by individual employees, especially in procurement or contracting, can meaningfully reduce risks. Technological tools allow for scaling large volumes of transactions that would otherwise be too resource-intensive to monitor in real time, thereby mitigating risks and preserving reputational risks.

Andres: Technology, and more importantly data analytics, are a key measuring stick for the effectiveness of a company’s compliance programme. The DOJ has repeatedly emphasised that corporate entities should use available data to test and enhance their compliance function. While the DOJ has provided few specifics about the best use of particular technologies or data analytics, it has said that their use should be tailored to the specific risks each company faces. For example, do companies compile and analyse the number of hotline calls they receive each month and are there too many or too few? What are a company’s gift and entertainment policies? What data is collected and analysed? As technologies continue to advance, companies are certainly increasing their use of data analytics and not just in a generic way, but in a manner that aligns with a company’s highest risks.

Russo: The use of technological tools such as algorithms, blockchain, smart contracts and AI, enabling greater transparency and traceability of operations, is becoming essential to the implementation of an effective compliance policy by a corporate group made up of numerous employees spread across the globe. Indeed, the use of technology allows companies to monitor day to day business activities, identify potential risks and optimise the compliance controls required, given the many actions taken by company employees that may be incompatible with the company’s internal and external standards. A growing number of companies have already implemented such innovative systems, and there is little doubt that those which have not yet done so will follow them, especially as these innovations also enable a significant reduction in certain costs and greater precision in the analysis and prevention of non-compliance risks.

McGoldrick: There is an increasing interest by companies to utilise technology and data analytics to manage and monitor fraud risks. Technology is rapidly evolving to help companies keep pace with the evolving types of fraud. However, it can be challenging for companies to ensure that resources are deployed in an effective way. Ultimately, data analytics cannot be used in a silo; rather it should complement the work undertaken by employees who have an understanding of the business, alongside strong fraud risk management frameworks.

Zack: Data analytics is an essential element of fraud risk management. The vast majority of frauds leave digital markers that can be used to distinguish fraudulent activities from legitimate ones. Having access to data across numerous systems, not just financial data, is an important consideration in developing a robust data analytics programme. What makes data analytics so valuable is the ability to analyse 100 percent of a population, not just a small sample. Analytics can point you to the transactions or activities that warrant further examination, those that have the telltale signs of a fraudulent transaction. But the value of analytics extends well beyond detecting fraud. Properly designed analytics can have a preventive effect by identifying areas in which internal controls appear to not be working as expected. By identifying control breakdowns, it becomes possible to prevent fraud from happening before someone attempts to capitalise on a broken internal control.

FW: How important is it to train staff to identify and report potentially fraudulent activity? In your experience, do companies pay enough attention to employee education?

Sengupta: Training frontline employees to identify and report potentially fraudulent activity is critically important in the fight against fraud. Frontline employees who interact directly with customers and vendors and process day to day operations may be well-positioned to identify irregularities and detect early warning signs of fraud. Targeted training combined with the use of technological tools and strong governance controls can help companies build a culture of compliance that can mitigate the risk of fraud. Because fraud can be perpetrated at the highest levels of a company, employees at all levels of the hierarchy should be made aware of alternative escalation options, such as independent whistleblowing channels, that can be used if they suspect irregular behaviour involving their manager. In the financial services sector in Europe, we have definitely seen an increase in the quality and sophistication of staff training on compliance matters, which include managing fraud risk, often in combination with risk management, anti-corruption and anti-money laundering training.

Andres: Education and training must be an essential part of any company’s compliance programme, both to make employees aware of the relevant laws and policies in each jurisdiction and to empower employees to report any misconduct. In this way, when an employee violates those laws and policies, a company can assert a defence that the individual was aware of those standards due to training, and therefore the company is not liable accordingly. Formal training should happen at least annually, and it should be specific to the risks a company faces. Informal training is equally important – whether through reminder emails or informal meetings with compliance officers – and can be used to enhance either online or in-person education sessions. Even when there is training, the challenge that remains is to engage employees effectively and to embed compliance functions in business units, so they are known and accessible.

Russo: Training for managers and staff considered most exposed to the risk of corporate fraud is of the utmost importance. It is a sign of the company’s management commitment to prevent and detect fraud and a cornerstone of the fight against corporate fraud. Kenneth Polite, assistant attorney general at the DOJ, recently stated that a company’s commitment to promoting compliance, from the chief executive to lower-level managers, is critical and should also be measured by employees’ knowledge and ownership of the compliance programme, and not only by the amount of money that has been invested in developing it. In our experience, companies are paying growing attention to employee education. Managers understand that effective training facilitates the detection, reporting and handling of illegal behaviour, thereby significantly reducing the company’s exposure to risk.

McGoldrick: It is very important to ensure staff are appropriately trained to identify and report potentially fraudulent activity. As part of the UK’s Economic Fraud and Transparency Bill, the new corporate offence of failure to prevent fraud has shone a spotlight on companies needing to ensure that there is appropriate training for employees, who themselves can be considered ‘associated persons’, triggering corporate liability for the corporate. If the anticipated guidance from the government is similar to that issued for the failure to prevent bribery and facilitation of tax evasion, then large companies caught by the legislation should be taking various steps to ensure fraud is covered within their risk assessments and compliance procedures, for example ensuring that whistleblowing procedures are adapted or adopted that cover fraud.

Zack: Statistics show that the most common method of detecting fraud is through a reporting system that allows employees and perhaps others to report things that appear to be inappropriate, including suspected fraud. But people do not report what they do not observe. This is where training has value. While training can never go into the depth that would be necessary to make someone a fraud expert, informing employees of the red flags of fraud relevant to their particular job enables that employee to be far better prepared to notice when something does not look right. Another important aspect of training is the reinforcement it provides that reporting suspected wrongdoing is valued and an important part of each employee’s responsibilities. At the same time, training should inform employees of all of the methods that can be used to report concerns, whether through an anonymous reporting line, email to supervisors or others.

Silveira: Training is definitely important, and not surprisingly a key element of any compliance programme in areas such as bribery and corruption and fraud. However, more important than training itself is awareness. Raising awareness should be the utmost focus of all companies when it comes to integrity and compliance. Constant communication, clear messages coming from senior managers and scenario-based training are elements that often help companies to raise awareness around detecting and preventing fraud and other corrupt activities. Employees are not expected to become experts in fraud prevention, but they should be able to spot red flags and report their concerns to the right areas in their organisations.

FW: When suspicions of fraud arise within a firm, what steps should be taken to evaluate and resolve the potential problem?

Silveira: Internal investigations are often time consuming and expensive, but proper investigation is critical to eradicate fraud in organisations. The immediate impact of an internal investigation that evidences fraud is to stop the misconduct, but in most cases the most important consequence of the internal investigation is to prevent recurrence and clearly communicate to employees – and potentially vendors and other external stakeholders – that the company has no tolerance for corruption. For this reason, the importance of serious internal investigations, followed by strict disciplinary action, cannot be underestimated by organisations.

Russo: If fraud is suspected, good practice – in accordance with French and foreign prosecution authorities’ expectations – is to initiate an internal investigation. The investigation plan should be defined and formalised in accordance with the seriousness and the specificities of the identified misconduct brought to management’s knowledge. The risk of breach of confidentiality is also key and should be specifically assessed prior to the launch of the investigation, so as to preserve the quality of the evidence collected and to avoid any uncontrolled disclosure that could jeopardise the very purpose of the investigation. The investigation should end with a clear recommendation on the actions to be taken in response to its findings. Internal procedures will need to be updated, in particular to include the scenario which led to the alert, if it was not previously referenced. The decision to disclose the findings of the investigation to the authorities should also be carefully weighed to avoid adverse consequences, notably regarding the waiver of privilege with regard to foreign jurisdictions.

McGoldrick: In order to evaluate and ultimately resolve a potential fraud issue, a company needs to independently investigate the issue to understand the facts. Steps to investigate should happen quickly, in an organised and appropriately scoped manner, to ensure that self-reporting decisions and remediation can be considered against a full factual matrix. Where potential corporate liability is identified in the investigation, the issue as to whether to self-report to law enforcement will require balancing various fact-specific factors, but other factors, such as whether the company is regulated or publicly listed, or where there is a cross-border element and differing self-reporting obligations across jurisdictions, should not be forgotten.

Zack: One of the first important steps involves a type of risk assessment that informs decisions around the scope of and approach to an investigation. If there is a specific allegation or suspicion, it is important to begin by determining how, if the suspicion is true, the fraud could have been committed. Would it require access to data or systems that the employee does not or should not have? Could the employee carry this out by themselves or would participation by someone else be necessary? The answers to these questions provide the basis for planning the first investigative steps. Often, allegations of fraud can be assessed using analytics. Determining what characteristics of the data would distinguish fraudulent activity from legitimate activity is often a useful way of assessing whether an allegation warrants further investigation. These are just a couple of the many important steps in the early stages of an investigation.

Andres: Companies must react quickly to fraud allegations to include the preservation and review of relevant documents and employee interviews. Depending on the issues and their magnitude, decisions must be made expeditiously in order to preserve the opportunity to make a timely disclosure to relevant authorities. The DOJ, for example, has tied leniency and possible declinations to timely disclosure. That is not to say disclosure must be immediate and, in fact, should not be made until some investigation has been conducted. Companies owe it to their stakeholders to evaluate allegations before notifying the DOJ, for example, and the DOJ recognises this reality, while continuing to press for timely disclosures. Ultimately, the decision to disclose or not – and who to disclose to – is among the thorniest issues that arise in corporate investigations. To be clear, not every issue requires disclosure.

Sengupta: If fraudulent activity is suspected, a swift and systematic incident response plan is needed to assess the facts and act quickly to preserve evidence, prevent further financial losses and comply with regulatory obligations. It is critical to conduct a rigorous internal investigation to gather the necessary facts and preserve evidence, where a well-trained internal legal and compliance team may be assisted by external counsel and forensic accountants. Engaging external counsel early ensures attorney-client privilege, protects sensitive communications during the investigation and helps the company in determining any regulatory notifications that may be necessary, depending on the nature of the fraud. Preserving evidence, especially transaction records and internal communications, is essential, should they become necessary as part of legal proceedings. External counsel would be able to guide the company in conducting employee interviews, managing any notifications to regulatory authorities or customers, and designing a remediation plan that meets regulatory scrutiny. If the fraud was perpetrated due to weak internal controls in a regulated industry, such as banking, penalties may be mitigated by demonstrating the strength of the company’s compliance programme as well as its remediation efforts.

Technology, and more importantly data analytics, are a key measuring stick for the effectiveness of a company’s compliance programme.
— Greg D. Andres

FW: Looking ahead, will there be greater pressure on companies to enhance their measures to mitigate potential fraud in the coming months and years? What are the potential consequences for those that fall short?

Russo: Year after year, new legally binding obligations are imposed on companies in the fields of compliance and corporate social and environmental responsibility. The role and responsibility of the corporate compliance officer has never been more crucial than it is today. At the same time, authorities – whose requirements tend to converge, as shown by recent guidelines published by the DOJ and the PNF – are always expecting more cooperation and involvement from companies and their management regarding the prevention, detection and disclosure of fraud. Companies that are not proactive in this regard are at risk of facing higher sanctions when a fraud is identified that their internal procedures failed to prevent and detect. Authorities, in France and abroad, are also now showing a growing willingness to hold managers personally accountable. Management should be fully aware that legal and financial risks will less and less be limited to their company.

McGoldrick: The UK’s introduction of the corporate offence of failing to prevent fraud has resulted in companies needing to enhance fraud management measures. The new corporate offence will make it easier for criminal prosecutions to be brought against companies; however, enforcement actions will depend on the resources available to enforcement authorities. Although only large corporates are currently within scope of the legislation, at least two of the following criteria have to be met: a company has more than 250 employees, a turnover of more than £36m and more than £18m in total assets. The threshold may be reviewed and reconsidered in the future. In addition to the risk of criminal prosecution, an investigation by a relevant authority can result in significant indirect costs to a company, caused by business disruption, such as a loss of customers, legal costs, reputational damage and the cost of implementing remediation steps.

Zack: The pressure to effectively manage fraud risks is definitely increasing and will likely only become greater. Individuals looking to perpetrate fraud are using more sophisticated techniques and are becoming more likely to collaborate with other co-conspirators. This makes detection more difficult, which leads to larger losses. As a result, the need for enhanced mitigation is twofold. First, there is the simple fact that greater financial losses are possible. But additionally, stakeholders are increasingly expressing their frustration with organisations that repeatedly fail to take fraud risk seriously. And this frustration leads to obvious additional consequences based on whether these stakeholders are owners, customers, suppliers, government officials or other parties. It makes business sense to take fraud risk management seriously, as far too many organisations have learned the hard way.

Andres: Companies are under continuing pressure to build, maintain and improve their compliance programmes, at least because of the importance that government authorities place on compliance. Failing to do so may not only result in a harsh prosecution, but a long and expensive investigation. Guilty pleas, fines and monitorship are more commonplace, and the DOJ has made it clear that the only defence to these punishments is an effective compliance programme. Successful defence depends on thorough detection and self-reporting – both of which rely on an effective compliance programme. We often preach to clients: compliance, compliance, compliance. Investment and care of a properly resourced compliance programme is not a new concept, but it is one that cannot be ignored.

Sengupta: Pressure will increase, especially for large actors in the financial services industry, for which the regulatory expectation for taking adequate measures to prevent and detect fraud is high. AI-driven enforcement by banking and securities regulators is expected to grow, and global financial institutions are already relying on advanced AI to prevent, detect and investigate financial crime, including fraud. Consequently, failure to adequately invest in data security, take defensive measures against cyber attacks, deploy available technical tools, periodically test the effectiveness of internal controls, or conduct periodic due diligence on vendors and suppliers, may lead to higher penalties. If weaknesses are detected during an incident or an audit, external counsel should be consulted when rolling out a remediation plan – which may be discussed with regulators – and may be critical in preventing future financial losses and managing reputational risks.

Silveira: There is already growing pressure on companies to enhance their measures to mitigate potential fraud. A good example is the failure to prevent fraud offence, proposed by the UK government with the purpose of holding organisations to account if they profit from fraud committed by their employees. Another important form of pressure comes from activists in different areas, and companies should be aware of the reputational risks that may arise from fraudulent and corrupt activities within their organisation.

 

Greg D. Andres is co-head of white-collar defence & investigations practice at Davis Polk and one of Benchmark Litigation’s ‘Top 100 Trial Lawyers’. He focuses on white-collar defence, congressional investigations, complex civil litigation and crisis management. In forums including federal and state court, mediation and arbitration, Mr Andres represents financial institutions, hedge funds, private equity firms and companies in multiple industries. He can be contacted on +1 (212) 450 4724 or by email: greg.andres@davispolk.com.

Bruno Silveira is group compliance and privacy director for Kingfisher plc. He has responsibility for the company’s global ethics and compliance programme, including antibribery and corruption, fraud and internal investigations. His experience includes ethics and compliance, cross-border investigations, as well as privacy and technology in a variety of sectors such as aviation, banking and oil and gas. He can be contacted on +44 (0)7760 465 608 or by email: bruno.silveira@kingfisher.com.

Joydeep Sengupta is a member of the compliance, investigations and regulatory team within the litigation and dispute resolution department of Mayer Brown’s Paris office. He focuses on cross-border litigation, compliance and enforcement matters for financial institutions and corporations, including the resolution of administrative and enforcement proceedings involving regulators and prosecutors. He has also conducted internal investigations around the world, including in France, Japan, Italy, Luxembourg, Singapore, Spain, Switzerland, the UK and the US. He can be contacted on +33 (1) 5353 3949 or by email: jsengupta@mayerbrown.com.

Eric Russo joined Quinn Emanuel as a partner in January 2021. He has 20 years’ experience in the French court system, where he was successively assigned to high-profile positions such as investigating judge, prosecutor at the Appellate Court of Paris and deputy prosecutor of the Parquet National Financier (PNF). In France, he is the first and only senior prosecutor to have moved from the prosecutor’s office to a law firm. He can be contacted on +33 6 2412 7302 or by email: ericrusso@quinnemanuel.com.

Gerry Zack is chief executive officer of the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA). He leads the global strategy and activities of SCCE & HCCA and its 19,000 members across 100 countries. He has more than 35 years of experience providing preventive, detective and investigative services involving fraud, corruption and compliance matters. He can be contacted on +1 (952) 567 6215 or by email: gerry.zack@corporatecompliance.org.

Vanessa McGoldrick advises clients on a broad range of cross-border regulatory, criminal and civil investigations and financial crime matters, including bribery and corruption, money laundering, financial sanctions, fraud and tax evasion. Ms McGoldrick has represented clients before a range of UK prosecutors and regulators, including the FCA, the SFO, HMRC, the OFSI and the CMA, as well as advised clients facing parallel investigations and proceedings by other international regulators. She can be contacted on +44 (0)20 7519 7278 or by email: vanessa.mcgoldrick@skadden.com.

© Financier Worldwide


THE PANELLISTS

Greg D. Andres, Davis Polk
Bruno Silveira, Kingfisher plc
Joydeep Sengupta, Mayer Brown
Eric Russo, Quinn Emanuel Urquhart & Sullivan LLP
Gerry Zack, Society of Corporate Compliance and Ethics & Health Care Compliance Association
Vanessa K. McGoldrick, Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

