With the huge amount of publicity and debate surrounding bribery and corruption, in-house lawyers could be forgiven for thinking that there are no other financial and reputational risks for their companies.
This year has been all about the Bribery Act 2010, and the need to beef up anti-corruption programmes. Fraud seems to have faded into the background – even for the Serious Fraud Office (SFO). However, fraud risks are still very much a threat to every type of business – whether that be the risk of the company or its employees committing fraud, or the company being a victim of fraud at the hands of its own employees or outsiders. Compliance resources may be hard pressed at the moment but companies cannot afford to neglect their fraud prevention and detection programmes.
Economics and psychology of fraud
The Fraud Advisory Panel (FAP) gives some sobering statistics on its website:1
- fraud was estimated to have cost the UK economy £30bn during 2008;
- fraud is currently estimated to cost £621 for every adult in the UK;
- the private sector lost £9.3bn, with larger businesses accounting for more than half of this sum;
- £1.3bn of fraud went before the Crown Courts in 2009;
- almost half of UK organisations reported fraud in the past 12 months;
- almost one in five CVs in the financial sector contains at least one lie or embellishment;
- 54% of small businesses reported being a victim of fraud or online crime in the past 12 months; and
- just 5% of detected corporate fraud is reported to police.
Of course, these statistics are only an estimate, as most fraud goes undetected and unreported. When fraud is discovered, individuals may simply be too embarrassed to report the crime and businesses fear the commercial repercussions of being associated with a fraud.
The current economic environment is one that is ripe for fraud of all types. Financial instability forces companies to make cutbacks that often involve back office functions such as accounts and compliance. This, in turn, leads to weakened internal controls, which increases the risk of fraud and other financially motivated crimes, such as corruption, insider dealing, identity theft and money laundering. Individuals may be fearful of losing their jobs and some will use whatever means they can to ensure that they are financially secure. Inevitably some will resort to criminal activity: stealing from their employer, paying bribes to secure a contract, manipulating accounts, accepting payment from a third party to provide confidential customer details or engaging in insider dealing.
Financial crimes always increase during an economic downturn and historically some of the world’s biggest fraud cases have emerged in the aftermath of a recession – Enron, WorldCom and Bernard Madoff. Prevalent themes in these cases were the opportunity to deliberately falsify, alter or manipulate books, records and financial statements, or misappropriate money and deceive investors. In each case the management systems and oversight mechanisms failed, allowing the development of an environment that was conducive for fraudulent activities. As Warren Buffett, the American investor, industrialist and philanthropist, said, ‘it’s only when the tide goes out that you learn who’s been swimming naked’.
Psychology also plays a part. Dr Donald Cressey developed a concept in the 1950s known as the ‘Fraud Triangle’ to explain why people commit fraud. According to Dr Cressey, there are three elements present in every fraud: motivation, opportunity and rationalisation.
- Motivation: a person needs to feels pressure to commit fraud. It might be a financial need, such as high bills or debts; an addiction to gambling or drugs; a desire for material goods; or a promotion at work. In times of recession a person could also be driven by a need to prevent a loss, meet targets, secure a bonus or avoid redundancy.
- Opportunity: once there is motivation, the fraudster will look for opportunities to commit fraud. The workplace is always a good target. Employees may have access to confidential records, valuable documents or other information that would allow them to commit fraud. They may have heard stories from other employees, who have defrauded the employer before and got away with it.
- Rationalisation: fraudsters always try to rationalise their behaviour by convincing themselves that what they have done is acceptable. For example:
‘They don’t pay me enough. I deserve it.’
- ‘They won’t miss the money.’
- ‘I’ll borrow it until I get back on my feet then pay it back.’
- ‘I’m just bending the rules, everyone does it.’
- ‘I’ve had a pay cut, so it won’t hurt to add a bit to my expenses claims.’
Fraud risks and the Fraud Act 2006
Companies are exposed to four types of fraud risk:
- Corporate fraud: where the company itself is implicated (eg false statements to the market, providing misleading information to stakeholders).
- Internal fraud: committed by management or employees (eg false accounting).
- Collusion: between someone within the organisation and an outsider (eg data theft, identity theft, money laundering).
- External fraud: committed by individuals outside the organisation (eg targeted by organised criminals).
As an economic downturn takes hold, individuals and companies come under increased pressure and scrutiny in relation to many day-to-day activities as they:
- struggle to explain failures to meet forecasts and expectations;
- think of ways to gloss over bad news;
- face the temptation to keep quiet about a sudden downturn in financial performance; and
- try to make the company look attractive to investors.
The Fraud Act 2006 (the 2006 Act) came into effect on 15 January 2007, creating a general offence of fraud that can be committed in three ways:
- fraud by false representation;
- fraud by failing to disclose information; and
- fraud by abuse of position.
These new offences potentially criminalise a broad range of workplace and business conduct, for example:
- manipulating tenders, quotes and contracts to secure work;
- not being completely open and transparent with auditors;
- failing to correct representations that are no longer true; and
- senior managers using inside information to protect their own position.
Individuals and companies need to remember that the effect of a prosecution for a 2006 Act offence can be devastating. The maximum penalty on conviction is ten years in prison and/or an unlimited fine. Directors can be disqualified, companies can be barred from procurement contracts across Europe and assets can be confiscated.
Fraud prevention and detection
While there is no way to completely eliminate fraud, having an effective prevention and detection programme will help to minimise the risks, which ideally should include such measures as:
- A zero tolerance attitude to fraud and all types of financial crime.
- A commitment from the board of directors and senior management to set the tone for fraud risk management and implement policy that encourages ethical behaviour.
- An independent audit committee with responsibility for monitoring financial statements, reviewing the effectiveness of internal financial controls and risk management systems, and overseeing audit arrangements.
- The appointment of a senior officer with oversight, and reporting responsibility for all fraud prevention and detection programmes.
- A fraud risk assessment to identify specific potential schemes and events (which should be repeated periodically).
- A review of the business’s insurance policies to ensure they are consistent with current fraud risks.
- Training for staff on fraud risk and the different types of fraud and misconduct that may be caught by the 2006 Act and other legislation.
- A system of background checks on new employees.
- Accounting and audit controls where approval authority is only given to individuals with sufficient authority and knowledge to recognise and challenge unusual transactions.
- IT security measures to prevent malicious activity or external interference.
- Security policies: a computer security policy to ensure proper administration/access rights and a business premises access policy to restrict after-hours access/limit access to high-risk areas or property.
- A whistleblower hotline for personnel to report suspicions of fraud in confidence.
- Specific references to fraud in the disciplinary code, with details of the sanctions for breaches of company policy.
- A fraud investigation plan, with a commitment to investigate allegations of fraud appropriately and quickly.
For a fraud detection and prevention programme to work, personnel at all levels of an organisation need to be involved. The systems should be clearly defined, implemented and monitored. Finally, businesses should publicise what they are doing to detect and prevent fraud – one of the strongest deterrents is the awareness that effective controls are in place.
Fraud reporting and intelligence gathering
Businesses do not need to work alone in tackling fraud. There has to be a collective responsibility to reduce the incidence of fraud and make it more difficult for fraudsters to commit their crimes. Businesses in the UK are being encouraged to engage with the wider fraud prevention and detection community, and share their knowledge and experience. Since the 2006 Fraud Review recognised that attempts to tackle fraud were being undermined by the lack of a joined-up approach to reporting, recording and analysing fraud, the UK has been moving towards a more coherent approach to tackling fraud.
In 2008 the National Fraud Strategic Authority (now renamed the National Fraud Authority (NFA)) was set up to make substantial improvements to the UK’s ability to prevent, deter, disrupt, detect, prosecute and punish fraudsters and recover assets. In early 2010 it launched ‘Action Fraud’ (a reporting centre) to take victims’ reports of fraud, provide them with crime reference numbers, and give them the most up-to-date advice and guidance. At its launch Dr Bernard Herdan, chief executive of the NFA, said, ‘the best way to fight fraud and fraudsters is to get people talking about it and reporting it to Action Fraud’.
The NFA refers all cases of fraud to the National Fraud Intelligence Bureau (NFIB), which was also set up as a result of the Fraud Review. This is a City of London police-led initiative that collates and analyses fraud data from various public and private sources, including the Serious Organised Crime Agency (SOCA), ‘CIFAS’, UK Payments, banks, credit card and insurance companies. Analysts and police officers assess and measure the relevant data against set criteria. Frauds identified as having viable leads are then passed to a police force or other law enforcement organisation best placed to capitalise on this information.
The NFIB also aims to provide an improved picture of the nature of fraud offending across the UK. This will enable closer working and more targeted prevention activity for police and the business community over the short and long term. This will include:
- identifying the volume and value of confirmed fraud crimes in the UK;
- identifying geographical fraud hotspots;
- mapping areas where specific types of fraud are occurring and to whom;
- identifying reports linked to organised crime groups; and
- providing a national picture for law enforcement, illustrating where fraud-related crime occurs.
A special FAP project group of industry experts recently conducted an extensive review of relevant legislation, regulations and guidance, followed by stakeholder meetings, which sought the opinions of more than 50 business leaders and representatives from law enforcement, regulation and professional services.2
The report’s findings reveal that:
- there are few requirements for companies to have internal fraud reporting arrangements in place and very little appetite among stakeholders for more prescriptive arrangements;
- stakeholders have mixed feelings about the adequacy of anti-fraud systems and processes inside listed companies;
- the majority of frauds are still uncovered by accident or by a whistleblower – routine internal controls play only a minor role;
- compulsory obligations to report fraud to third parties are limited mostly to financial services companies (to the Financial Service Authority) and money laundering (to SOCA);
- there is no general obligation to report corporate fraud (other than money laundering) to UK law enforcement agencies;
- shareholders and the market need not be told about a fraud unless it threatens the company’s stability or share price; and
- the anti-fraud role of auditors is widely misunderstood and overstated.
FAP criticises the current obligations on UK companies to prevent, detect and report fraud for being ‘a patchwork of measures, with a worrying absence of any common thread’. FAP is calling for the government and the business community to take a more holistic approach to fraud prevention, detection and reporting, which includes:
- streamlining existing obligations to report fraud;
- giving greater weight to companies’ ethical and social responsibility to report fraud in the public interest;
- enhancing and extending the legal and regulatory frameworks for whistleblowing; and
- placing greater emphasis on educational initiatives to improve and promote the benefits of greater investment in mechanisms to prevent and detect fraud within companies.
Ros Wright, chairman of the FAP and a former director of the SFO, reminded businesses that:
‘Corporate fraud is a very real and pervasive threat to UK plc. It does great damage to individual businesses and to the economy as a whole. If companies do not have a true handle on the fraud problem within their organisations they are going to fall prey to fraudsters.’
Fraud still poses a major risk to UK businesses and, ultimately, to the wider economy. Companies need to make sure that they do not engage in fraudulent activity, that they take steps to protect themselves from becoming a victim of fraud, and that they fully engage in fraud intelligence and reporting initiatives.
By Robert Wardle, consultant and former director of the SFO, and Debra Baynham, senior professional support lawyer and former case controller at the SFO, DLA Piper.E-mail: firstname.lastname@example.org; email@example.com.
- The Fraud Advisory Panel is a registered charity and membership organisation that acts as an independent voice and supporter of the counter fraud community in the UK. See www.fraudadvisorypanel.org for further information.
- Fraud Advisory Panel, ‘Fraud Reporting in listed companies: A shared responsibility’, September 2010.