November 2020 | ROUNDTABLE | FRAUD & CORRUPTION
Financier Worldwide Magazine
November 2020 Issue
During times of economic stress corporate wrongdoing often comes to light, and the impact of the coronavirus (COVID-19) pandemic is a case in point. Companies may become embroiled in accounting misstatements, corruption, fraud or other misconduct, with third-party relationships one of the biggest fraud-related risk areas. It is therefore critical to establish and maintain effective risk management processes and controls, so fraud can be identified, investigated and eradicated.
FW: How would you characterise the impact of legislation and regulation on corporate efforts to mitigate and manage fraud? To what extent have companies tailored their governance and control procedures to accommodate tighter regulatory scrutiny?
Igra: Corporates must adapt their compliance programmes to meet the demands of changing legislation and regulation across all financial crime areas. Good compliance programmes constantly evolve – though of course there are some fundamentals that do not change. Companies must remain alive not only to specific acts of legislation and regulations but also to guidance and communications issued by relevant authorities. The US Department of Justice (DOJ), for instance, publishes updates on its ‘2017 Guidance on Evaluation of Corporate Compliance Programs’. The June 2020 revision underlines that corporates must invest in and give authority to their compliance functions. One of the key questions in the guidance – “Is the program being implemented effectively?” – now asks if it is “adequately resourced and empowered to function effectively”.
Garrett: Over the last few months many jurisdictions across the globe have eased or relaxed various laws and regulations to address the health challenges of coronavirus (COVID-19) and stimulate the economy. Further, governments, regulatory agencies and industry groups have had to focus and allocate resources to combat the impact of the pandemic in their respective markets, necessitating a lack of attention to other risk areas. One unintended result of the intense focus on COVID-19 and many of the ‘stimulus’ efforts being promulgated across the globe has been the creation of large gaps in corporate compliance and governance mechanisms. Compliance professionals are well aware of the logical nature of the risk – that there is an increased risk – but the fact is that it is extremely difficult in the current environment to garner the resources and support necessary to combat the increased risk. Making matters more difficult is the inability to travel and get boots on the ground to do audits and monitoring.
Foley: Recent legislation, regulatory actions and guidance issued by government authorities have required organisations to enhance their overall compliance programmes and processes, which includes anti-fraud measures and a focus on internal controls that may elicit sharper regulatory scrutiny. Part of these efforts includes undertaking a broad view of control procedures for regulated and non-regulated activities to include all areas that introduce potential risk to a company. An increased focus on the use of data to proactively identify risk and support fraud remediation activities also has warranted investment in tools and resources. In addition, many companies are revisiting their training and communication strategies and content to strengthen guidance provided to employees so that they are aware that fraud can affect any level of an organisation.
Good: Generally, legislation and regulation will have a modest impact on corporate efforts to mitigate and manage fraud. The truth is that most corporations are already working to prevent fraud, regardless of legislative or regulatory changes. However, corporations do look for guidance from regulators about how to target and improve their efforts. Where legislation and regulation are specific, particularly as to reporting or structural requirements, companies ensure that their programmes comply. Similarly, an active enforcement environment often makes dedicating resources to fraud prevention easier for companies.
Sikellis: Legislation and regulation have been critical to corporate efforts to mitigate and manage fraud. Of course, companies never want to be victims of fraud, and a certain amount of self-policing is to be expected. But legislation such as the Foreign Corrupt Practices Act (FCPA) and Sarbanes-Oxley, which effectively required publicly-traded companies to implement internal controls and compliance programmes, and the US Sentencing Guidelines and various policies from the DOJ, which attempted to reward companies for doing so, really drove companies to seek to effectively prevent, detect and mitigate fraud and other abuses. Many companies have become proactive in these efforts.
FW: Have any particular corporate fraud cases gained your attention in recent times? What do these cases tell us about the extent of the threat facing the corporate world?
Garrett: A recent case in the US is a good example of the kind of threat facing the corporate world, particularly when e-commerce is at an all-time high. The case, US v. Rosenburg, et al, alleges that the defendants used bribery and fraud to benefit merchant accounts on Amazon, resulting in competitive benefits to those accounts, harm to competitors and harm to consumers. According to the complaint, the defendants, among other things, facilitated attacks against competitors’ accounts and product listings by sharing competitive intelligence about competitors’ revenues, customers, advertising campaigns and suppliers, using their inside access to Amazon’s network to suspend competitors’ accounts and providing consultants with information about Amazon’s internal algorithms which allowed the consultants to flood competitors’ product listings with fictitious negative product reviews. The case raises numerous allegations that call into question the security and legitimacy of online commercial platforms and highlights novel threats to corporate actors, and their customers, in today’s technology-driven and increasingly electronic marketplace.
Foley: A number of recent fraud cases have gained attention. ‘Operation Varsity Blues’ was a 2019 investigation by the US government into a college admissions bribery scandal that included criminal conspiracy to influence admissions decisions at American universities and involved US celebrities and business executives. A 2019 data breach involved a third party obtaining access to over 100 million Capital One customers’ account details. There have also been allegations that Huawei, a global telecommunications provider, misled the US government as it related to the company’s business in Iran, which was under US economic sanctions, by conspiring to commit bank and wire fraud to circumvent the imposed sanctions. These matters variously highlight that individuals participate in unethical acts without always acknowledging their wrongdoing, that due diligence measures are important to understanding risks associated with third-party business partners, and that while technology is an important resource to mitigate fraud, it also has increased fraud risk by potentially causing individuals to commit fraud that could be harder to detect by a company.
Good: The Wirecard case has been well covered. It shows that the threat of corporate fraud can be existential to individual corporations, but further, it underlines the risk that corporate fraud can have to financial systems. When large-scale corporate fraud goes undetected, it can erode faith in the institutions that support public markets. Observers have questioned the reliability of auditors and regulators following revelation of the extent of the fraud at Wirecard. This case has shown us that the impact of a fraud can extend beyond its direct victims.
Sikellis: No one case stands out, but like many other industries, the pharmaceutical industry certainly gets its fair share of attention from enforcement agencies around the world. The industry is closely scrutinised from virtually every angle, including antitrust, bribery and fraud, to name a few. This focus has certainly gained attention and will provide firms in the pharmaceutical industry with an important opportunity to be better and to take a proactive stance against antitrust, bribery, fraud and the other challenges the industry faces.
Igra: Perhaps the standout financial crime case of the year so far is the record $3.9bn settlement in January between Airbus and authorities in France, the UK and the US. The huge fine, and the extent and nature of the misconduct, grabbed the attention. Airbus’s controls were inadequate, particularly around the use of third parties, and its culture allowed bribes to become the norm. There are lessons for corporates beyond the importance of sound controls and a strong ethical culture. For one, corporates need to be aware of the enforcement risk in various jurisdictions and have a coordinated approach where more than one agency is involved. The case also shows the value of cooperation: despite the severity of the conduct, Airbus’s extensive cooperation meant it was able to negotiate settlements – in France and the UK, sanctioned by the courts – and avoid criminal conviction.
FW: How would you advise companies go about setting up systems to detect potential fraud? In what ways is technology assisting?
Foley: A first step is for an organisation to identify basic anti-fraud controls that include segregation of duties, asset management and reporting on transactions. Once identified, technology can support real-time transactional monitoring and provide predictive learning and intelligence that can identify fraudulent patterns and enable an organisation to promptly respond to possible misconduct. Examples of risk areas that are monitored utilising technology include purchasing, disbursements, corruption and bribery, travel and entertainment, third parties and inventory. A 2019 benchmark survey performed by the Association of Certified Fraud Examiners reflected that organisations’ use of data analytics to monitor risk allows companies to easily scale the scope of their anti-fraud efforts through exception reporting and automated monitoring. That same survey also highlighted that predictive learning and artificial intelligence (AI) capabilities, as part of an anti-fraud programme, are expected to triple by 2021. Although technology provides a ‘lift’ to an organisation’s anti-fraud programme, implementing it is not without challenges, which could include the budget impacts, limited internal capabilities to support complex analyses, and poor data quality and availability.
Good: Taking a dynamic approach is key to setting up a system. Companies should analyse their operations and identify areas of risk. They should then look to set up controls that mitigate those risks. But the system should not be static. Periodic analyses are necessary to examine whether the systems remain effective, and personnel at the company need to be empowered to make adjustments where necessary. There is no one-size-fits-all technological solution to fraud prevention. Technology is particularly helpful in processing large amounts of data and in performing surveillance of activity. Some businesses produce large volumes of data that could be used to identify fraud, and technology tends to be most useful there.
Igra: There are common features of all good compliance programmes. The ‘Six Principles’ set out in the UK Ministry of Justice’s guidance document on the Bribery Act 2010 cover most of them: proportionate procedures, top-level commitment, risk assessments, due diligence, communication, including training, and monitoring and review. Also critical to detecting potential fraud and other wrongdoing is creating a culture that is committed to ethical conduct, which encourages employees to report concerns about possible misconduct, and which has the resources and processes to investigate and, where necessary, remediate those concerns fully. Technology is becoming increasingly important in detecting possible wrongdoing. Corporates should have processes to gather, store and display relevant data and then be able to mine it for patterns, discrepancies and anomalies, in turn detecting and heading off possible fraud and other misconduct.
Sikellis: Companies should take a proactive, risk-based approach to detecting potential fraud. Moreover, being compliant is no longer enough; companies need to ensure a strong culture of ethics, risk and compliance to increase transparency, make more informed decisions about mitigating risk, and better align enterprise risk management with corporate strategy. Companies that get this right can turn compliance into a competitive advantage, while companies that neglect compliance are being left behind. Leveraging technology can help companies prevent, detect and respond to challenges in real time. For example, technology can assist in the active monitoring of ongoing behaviour, while data analytics can assist in predicting areas of risk that need to be mitigated.
Garrett: Remote work has become the new normal for many companies, bringing with it new challenges for risk, compliance and privacy professionals. One of the benefits of the remote working environment brought on by COVID-19 is the wealth of data available through existing IT systems and software platforms that employees are using to collaborate, communicate and stay connected while working remotely. Many companies are using this data to analyse and boost remote employee productivity, and corporate risk and compliance functions can leverage this data to do both active and passive monitoring and refine, and enhance, communication and training programmes. Many of these technologies already have tools and functions that help protect and secure company data, and many of those same tools may be used to help identify and protect against corporate fraud. Moreover, platforms like Microsoft Teams and Zoom provide a direct communication and training channel that can be leveraged to expand and broaden the reach and depth of compliance programmes.
FW: In terms of third-party relationships, could you outline the main fraud-related risks that companies face? What measures can be taken to mitigate them?
Good: When we look at fraud risk from third-party relationships, we look at a couple of areas. There is the risk that a third party has a relationship with someone at the company, introducing an opportunity for inflated pricing or kickbacks. There is also a risk with third parties that are providing services to an ultimate client that the third party is making corrupt payments to the final client. Due diligence on third parties can help mitigate these risks. The existence of conflicts and compliance policies at the third party can provide comfort, and the resulting diligence may identify a relationship with a company insider. Another fraud-prevention tool is to include audit rights in third-party contracts. The threat of an audit can deter misconduct, and exercising audit rights can identify whether misconduct has occurred.
Sikellis: Third parties present numerous compliance challenges. For example, around 90 percent of FCPA cases involve allegations that a third party paid a bribe to a government official. And where there is bribery, there is often also embezzlement, conflicts of interest, self-dealing and other abuses. For this reason, companies must implement a robust third-party management system, beginning with a robust risk-based due diligence, and continuing with appropriate onboarding, active monitoring and periodic re-evaluation.
Garrett: COVID-19 has fundamentally changed, at least temporarily, the working relationship that many companies have with third-party consultants, suppliers and distributors. First and foremost, travel restrictions and health and safety concerns have made on-site inspections and audits extremely difficult, causing even more reliance on local teams to self-govern and ensure third-party compliance with company policies and regulations. For many smaller third parties, the lack of direct visibility is exacerbated by the economic impact being felt across global markets, widening the door for bribery, corruption and other fraudulent activity. The lack of direct visibility can be mitigated, at least to some extent, by increasing the amount of communication with third parties – and partnering to the extent possible with third parties – in dealing with local economic and business challenges, such as providing support with regard to country-level stimulus efforts and extending payment terms to assist with the economic recovery of the third party. Efforts to increase fraud training and awareness may be difficult during this recovery period, due to a lack of focus, but risk and compliance professionals should try to make themselves available to support third-party partners during these difficult times. Increased communication and support will help mitigate the immediate fraud risk and will engender goodwill and a stronger relationship going forward.
Igra: Third-party relationships remain arguably the single biggest fraud-related risk area for corporates. Around 90 percent of all FCPA enforcement actions involve some sort of third party. Risk comes in many forms, such as improper relationships between company employees and subcontractors and suppliers, intermediaries seeking to unfairly influence customers through lavish gifts or hospitality, among other things. Third-party risk can only be mitigated through a comprehensive compliance programme which puts in place the features described here.
Foley: Third parties can pose exceptional risk to an organisation demonstrated through bribery, asset misappropriation, tax evasion, money laundering and cyber breaches, to name just a few examples. Therefore, it is critical for companies to establish and maintain effective risk identification and management processes specific to the engagement of third parties. This can be accomplished through procurement procedures that outline and implement effective control measures that address cost and understand with whom the company is ultimately conducting business and strong contracting that permits compliance training, auditing and acknowledgements. In addition, an effective, risk-based due diligence programme also can successfully identify third-party risks to an organisation, not only at the outset of the engagement, but also throughout the engagement through ongoing monitoring activities that can leverage data to help promptly identify potential abnormalities and concerns related to the third-party engagement that could pose a risk to the company.
FW: What do you consider to be the indispensable elements of anti-fraud programmes, policies and procedures?
Garrett: First and foremost, it is imperative to have an open-door, anti-retaliation policy that is clear, understood and enforced by management. Having such a policy not only increases the likelihood that fraud will be uncovered quickly, but it may help to prevent bad acts from occurring because employees will not be afraid to ask challenging questions or raise issues before taking steps that could lead to fraud. Open-door practices and policies have numerous other benefits as well, including fostering a culture of innovation and problem solving because employees feel comfortable challenging the status quo and are not afraid to speak their mind or share ideas. Such a policy starts at the top with executive management and needs to be conveyed throughout the organisation so that it ideally becomes part of the fabric of the culture. Also critical to an effective programme is management training and buy-in for the company’s anti-fraud programmes. Most compliance programmes focus on employee and third-party training, but it is just as important to provide regular training to the board of directors, executives and senior management, so that they are aware of both internal and external trends and risk areas.
Igra: Key elements of an effective anti-fraud programme include the following. Risk assessment to identify unique risks the company may face given its industry, business model, geographical presences, customers, employees, and so forth. Appropriate oversight and top and middle-level management commitment to drive ethical behaviour and culture. Codes, policies and procedures that are regularly assessed to ensure compliance with internal values and applicable laws and regulations. Regular and effective communication and training plans that educate and also test employees’ understanding. Processes for employees and externals to report concerns without fear of retaliation and proper investigation of those reports. Finally, periodic monitoring and assessment of anti-fraud measures to ensure they are continuously improved.
Foley: There are many indispensable elements of anti-fraud programmes. There must be concise policies, procedures and processes that are integrated throughout a company’s commercial and operational processes. There must be training that outlines for employees what fraud is and how to promptly report potential fraudulent activities to the organisation. Companies must carry out periodic risk assessments and ongoing monitoring that focus on evaluating internal controls established to prevent fraudulent activities. There must be a strong compliance culture that is reinforced by top and middle management, who also encourage a ‘speak up’ culture protected from all forms of retaliation. There must be an independent investigative process to address allegations of fraud and other categories of misconduct, involving individuals with the requisite experience looking into these types of concerns. There must be support from the board of directors which includes allocating attention and resources to an anti-fraud programme. And companies must maintain disciplinary principles that are consistently leveraged to address situations where fraud is identified.
Sikellis: Every anti-fraud system must be risk-based, proactive and supported throughout the organisation. Defining risk and mapping that risk onto policies and procedures are the bedrock of any anti-fraud programme. Ongoing monitoring, testing and periodic re-evaluation are key to ensuring that the anti-fraud system is working and is tailored to the company’s needs. Data analytics and technology are key means to accomplish this. And the company must have the right tone from the top to set the right culture so that everyone in the enterprise is committed to mitigating fraud risk.
Good: Risk assessment, ownership and empowerment are vital. Clearly identified stakeholders should be responsible for anti-fraud programmes, including identifying risks and creating measures to combat them. A compliance committee can fulfil this function. Invested tone at the top of the company can ensure that the compliance team is empowered to perform its function effectively. As to specific procedures, regular reviews of business activity, whether performed by the compliance or internal audit function, are critical in identifying potential problems and deterring fraudulent behaviour. Whistleblowing protections and mechanisms are also important. Finally, data privacy policies are crucial in allowing a company or its counsel to obtain and review the evidence necessary to investigate potentially fraudulent activity.
FW: Based on your experience, what steps should a company take when responding to a report of actual or suspected fraud?
Sikellis: Depending on the nature and severity of the fraud, there are numerous steps a company must consider taking. First, the company should stop the conduct that is leading to fraud, such as stopping payments to a third party or restricting access to a bank account. Second, depending on the circumstances, the company should consider whether to involve law enforcement or self-report. Third, the company must identify and preserve the evidence that will allow for an investigation and root-cause analysis. Fourth, the company should investigate. The type of investigation and who it is conducted by and how involved it should be will be dictated by the nature and circumstances of the suspected fraud. Fifth, the company should perform a root-cause analysis. Finally, and importantly, the company should remediate as appropriate, including taking disciplinary actions.
Foley: Companies should unequivocally communicate that fraud is unacceptable in all aspects of their operations, regardless of industry and business model complexity. Allegations of fraud should be taken seriously and be promptly referred to and responded to by internal resources that have the capability and expertise to initiate and perform a thorough investigation. Recent guidance from the DOJ has specifically referenced the importance of internal investigators maintaining the appropriate experience to conduct investigations. Companies should capture trends and important insights from investigations into allegations of fraud to help support continuous improvement priorities and enhancements to internal controls and processes that prevent misconduct.
Igra: The immediate steps when responding to reports of fraud should be to acknowledge receipt of the concern to show the raiser’s report is valued and will be handled effectively. The report should be triaged and dealt with in accordance with the company’s established policies and processes. Reports of suspected fraud need to be treated seriously and investigated thoroughly, whether by the internal investigation function or external counsel or consultants. The initial assessment of the report should seek to establish if there is a risk that the fraud might be ongoing and, if so, how best to put a stop to it, being conscious that taking action might tip-off suspects. Other functions within the company may need to be notified, such as the communications team to prepare for any press interest, while having in mind the need to limit information on a need-to-know basis. Of course, the scope and resources required to investigate will be an important initial consideration as well.
Good: Companies should preserve evidence and put in place legal holds on relevant data storage and communications systems. Legal and compliance functions should confer and analyse the potential risk exposure from the suspected fraud. If potential exposure is substantial, companies should retain outside counsel to provide advice and coordinate an investigation. Whether or not outside counsel is engaged, suspicions of fraud should be investigated. Relevant data and materials should be reviewed in a manner that is consistent with the law. Interviews of relevant employees should be conducted. If misconduct is determined to have occurred, it should be remediated, and an assessment should be made as to whether it needs to be reported to authorities.
Garrett: Each investigation of suspected fraud is unique and the steps a company must take are topic dependent, but in my view, the most important initial step, regardless of subject matter, is to do objective fact gathering. The scope of the initial fact-gathering exercise will depend on the amount of information gathered from the report, but it is important to fully assess the initial facts, and get outside counsel involved, before broadening fact gathering to include potential witnesses. Doing the initial assessment provides an opportunity to develop and, in most cases, document, a detailed investigation plan. This step also helps protect legal privilege, if applicable, narrow the scope of the investigation, and often get to the root cause more quickly. Once the initial and preliminary fact gathering is completed, the assessment step should be repeated, and any conclusions validated before expanding the scope of the investigation further.
FW: In the months and years ahead, what notable changes do you anticipate in the way companies mitigate and manage fraud?
Foley: Leveraging technology will be an asset companies utilise to mitigate and manage fraud. The use of technology also delivers efficiencies when detecting fraud and offers organisations invaluable insights and capabilities to prevent fraud. A company should understand its internal technology platforms and how they could be impacted by vulnerabilities. This can be addressed through data analytics and mining, which establishes rules and associations to segment data and identify patterns that may suggest fraudulent activities are occurring. Obtaining this baseline on potential risk will help organisations implement effective mitigation strategies that effectively address and monitor fraud, as well as other risks. In addition to identifying possible compliance gaps through technology, organisations should proactively evaluate existing and contemplated operating models through risk assessments, which help identify control failures that may expose the company to fraud and lead to regulatory scrutiny.
Igra: There is now an expectation on companies to use data to prove compliance programmes are effective. The June 2020 DOJ compliance guidance update asks prosecutors to evaluate how a company uses data to assess how company policies, training and concern reporting processes and systems are being utilised and to consider the steps the company has taken to build on lessons that can be drawn from the information. The updated guidance also requires companies to use data to conduct monitoring and testing of controls. This will of course not be new to most companies. The expectation to prove effectiveness through data may accelerate the move toward using technology proactively to detect fraudulent activity and other compliance concerns.
Good: Going forward, companies will need to allocate more resources to protecting their IT systems. The global pandemic has meant that more economic activity is being conducted remotely. Remote activity creates more opportunity for fraud to be carried out online. Unauthorised access and social engineering fraud are going to become more prevalent.
Garrett: It may be rather obvious, but I believe that risk and compliance professionals, and company compliance programmes, will have to become far more sophisticated in their approach to mitigating and uncovering fraud. In the same way that cyber fraud seems to morph every few months, so too will general corporate fraud schemes. COVID-19 has likely changed the corporate workplace, at least in many industries, forever, with remote working and corporate travel, entertainment and real estate budgets being cut to address economic challenges brought on by the pandemic. This has resulted in rapidly expanding, and new, fraud risks. Risk professionals need to quickly adapt and leverage IT communication and collaboration tools to maintain their existing compliance programmes and learn from the forensic nature of cyber security professionals to get out in front of the next wave of corporate fraud.
Sikellis: Technology and data analytics are already playing an extraordinarily important role in the way companies mitigate and manage fraud and we fully expect this to increase in the months and years to come. The more notable changes in the way companies mitigate and manage fraud will likely come from new technological advances. Companies are becoming more sophisticated in the way they use technology and data analytics in their compliance and risk programmes and are constantly identifying new applications. And the tech is growing exponentially. Today, enforcement agencies expect that companies will use these tools.
Daniel Igra is legal counsel for Nokia handling ethics & compliance investigations in West Europe and Latin America. Prior to joining Nokia in November 2019, he was a lawyer at the UK Serious Fraud Office (SFO) where he investigated and prosecuted major international economic crime cases. He can be contacted on +44 (0)7949 451 112 or by email: firstname.lastname@example.org.
Robert Sikellis is head of US litigation for Novartis where his responsibilities include overseeing internal investigations. Prior to joining Novartis, he was chief counsel Compliance for Siemens, where he oversaw all internal investigations. He started his career as a prosecutor in Massachusetts. He can be contacted on +1 (862) 223 0780 or by email: email@example.com.
James Garrett is senior vice president, government and regulations strategy, and is responsible for designing and executing non-market strategies to assess opportunities and threats that may impact business results. His prior role at NuVasive was leader of business and quality systems, responsible for global risk and integrity, regulatory affairs, quality affairs, information technology, and environmental health and safety. He has also served as chief risk and compliance officer, and associate general counsel. He can be contacted on +1 (858) 320 4554 or by email: firstname.lastname@example.org.
Sarah Foley is deputy compliance officer and director, compliance for Patterson Companies, Inc. In this role, Ms Foley has responsibility for the company’s global ethics and compliance programme, initiatives and strategy. She can be contacted on +1 (651) 405 5116 or by email: email@example.com.
Andrew Good has significant experience representing clients from a variety of industries in regulatory investigations, including those brought by the Department of Justice (DOJ), the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission. He has conducted numerous internal investigations concerning insider trading, financial fraud and the Foreign Corrupt Practices Act (FCPA). He also advises clients on insider trading compliance and training programmes. He can be contacted on +44 (0)20 7519 7247 or by email: firstname.lastname@example.org.
© Financier Worldwide