fraud aware 2015 - presentation to retail bank


Post on 07-Apr-2017


Page 1: Fraud aware 2015 - presentation to retail bank

KALEY CROSSTHWAITE 2015

HOW FRAUD AWARE ARE YOU?

Page 2: Fraud aware 2015 - presentation to retail bank

AGENDA

• Introduction
• Bribery and Corruption – an overview
• Charity Fraud – an overview
• Investigations:
  – Hot Topic
  – Recent BDO investigations
• Controls and defences
• What to do upon discovering a fraud

Page 3: Fraud aware 2015 - presentation to retail bank

BRIBERY AND CORRUPTION: Why it should be on your radar

Page 4: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 WHAT IS A BRIBE?

• A financial or other advantage – not just cash:
  – gifts and corporate hospitality
  – promotional expenses, travel expenses and accommodation costs
  – employing individuals or their relatives
  – vouchers or other cash equivalent
  – provision of services such as use of a car
  – awarding a contract to a particular company or individual
  – making political or charitable donations
  – sponsorships
• Purpose of the bribe?
  – secure a new contract
  – keep an existing contract
  – gain any advantage over a competitor
  – “turn a blind eye”

Page 5: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 PROVISIONS OF THE ACT

General bribery offences (individual or corporate body)
Section 1 – Giving or offering a bribe
Section 2 – Receiving or requesting a bribe

Key:
• Intention, knowledge or belief
• Connection between the bribe and “wrongfulness element”
• “Improper performance” based on a reasonable person’s view of “improper”
• Corporate offence - senior person in the organisation, e.g. the CEO or Managing Director committed the offence and attributed to the organisation (the "directing mind" test). More likely under section 7
• Facilitation payments are considered bribes and will be prosecuted (no exemptions)

Bribing a public official (individual or corporate body)
Section 6 – Bribery of a foreign public official

Page 6: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 PROVISIONS OF THE ACT

Corporate offence
Section 7 – Corporate offence of failing to prevent bribery

Prosecution when:
• A person associated with the organisation bribes another person (section 1 and 6); and
• The bribe was made with the intention of obtaining or retaining business or an advantage in the conduct of business for the organisation

• Covers UK and abroad
• Knowledge is not a requirement
• Complete defence IF can show “adequate procedures” designed to prevent bribery
• Adequate procedures are not defined in the legislation but in guidance

Page 7: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 PENALTIES

• No retrospective element (i.e. prior to 1 July 2011)
• Substantive offences (sections 1, 2 and 6):
  • Up to 10 years imprisonment
  • Unlimited fine
  • Or both (corporate fine only)
• Corporate Offence (section 7):
  • Crown Court
  • Strict liability (i.e. a company can be convicted even where it had no motive to commit a bribe)
  • Unlimited fine
• Debarment from public contracts (EU Public Sector Procurement Directive 2004)

Page 8: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 DEFENCES – ADEQUATE PROCEDURES

• The only defence to section 7 is “adequate procedures” to prevent bribery. They are considered adequate when they are proportionate to the risk
• Six broad principles:
  1. Proportionate procedures
  2. Top level commitment
  3. Risk assessment
  4. Due diligence
  5. Communication and training
  6. Monitoring and review

Page 9: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 DEFENCES

Key:
• Zero tolerance approach communicated widely
• Action must be continually reviewed
• Audit trail to show action taken
• Core policies in place:
  – Anti bribery and corruption
  – Anti Fraud and Fraud Response Plan
  – Conflicts of Interest
  – Gifts and Hospitality
  – Whistleblowing
  – Code of conduct

Page 10: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 KEY CONCERN FROM EMPLOYEES?

• Hospitality unlikely to breach Act if:
  • Reasonable or proportionate
  • Has bona fide business purposes
  • Is not intended to influence performance of function
• Unduly lavish hospitality could imply impropriety
• Consider internal Codes of Conduct

Page 11: Fraud aware 2015 - presentation to retail bank

ACTION TO DATE?

• First conviction: November 2011 Munir Patel was sentenced to 3 years imprisonment

• Handful of low level cases
• First SFO prosecution: convictions in December 2014 (£23 million case)

Page 12: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 ARE CHARITIES/NFPS CAPTURED BY THE CORPORATE OFFENCE?

• A body or partnership incorporated or formed which carries out business, or part of its business in the UK
• If an organisation is incorporated (by whatever means) or is a partnership, it does not matter whether it pursues primarily charitable, educational or public functions
• If it engages in commercial activities it is covered by the legislation
• Corporate offence if:
  • A senior person’s activities (bribery) could be attributed to the charity; or
  • A person associated with the charity (i.e. an employee, or someone acting on behalf of the charity) bribes another person (section 1 or 6)

Page 13: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 KEY RISK AREAS

• Jurisdiction - certain activities and jurisdictions are more risky than others
  – Cultural issues
  – Reliance on local staff
  – Lack of control/oversight
  – Consider risks associated with overseas jurisdictions (Organisations provide guidance: e.g. Transparency International, Amnesty International)
• Sector issues (e.g. construction, healthcare, infrastructure)
• Dependency on Partner Organisations
• Transactions (e.g. large transaction, payments to Governments)
• Urgency – impact on policies and procedures
• Critical skills of an employee
• Procurement and tendering

Page 14: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 KEY RISK AREA: PROCUREMENT

• Procurement is high risk area for bribery and corruption
• Reliance on private sector organisation to procure billions of goods and services from the private sector
  – Long standing companies
  – Companies formed for the opportunity (including recruitment of former staff)
• Procurement process:
  1. Assessment of service required
  2. Bid design
  3. Award of contract
  4. Assessment of contract implementation
• Internal vs. External threats
  – Collusion between suppliers
  – Collusion between employees and suppliers

Page 15: Fraud aware 2015 - presentation to retail bank

BDO CASE STUDY: PROJECT ALPHA

• Outsourced maintenance contracts previously managed in-house
• Procurement director had sole responsibility for control of suppliers and the bid process
• Whistle-blower alleged that the procurement director was ‘meddling’ in the bid process
• Further allegations included similarities between the director’s car and a key supplier
• Background research was done without alerting the individual – there were many links between the director and key suppliers - including matching addresses and shareholder with the same name as the director’s wife
• Procurement director had not declared any interests
• Eventually suspended and ultimately removed from post admitting links to companies and conflicts of interest
• Core member of the team suspended after admitting suspicions

Page 16: Fraud aware 2015 - presentation to retail bank

OVERVIEW – THE BRIBERY ACT 2010 WHAT CAN YOU DO?

• Anti-bribery stance – tone from the top
• Transparency in activities and operations
• Anti-bribery policy and training - offering guidance to employees
• Gifts and hospitality policy and register - training and guidance to employees
• Due diligence on employees, volunteers, partners, suppliers and contractors
• Appointment of a bribery lead and regular risk assessments - take into account:
  • New activities and ventures
  • Jurisdictions and risks associated
  • The requirement for constant monitoring
• Investigate reports of bribery and self report where necessary
• Incorporate bribery reporting into whistleblowing policy

Page 17: Fraud aware 2015 - presentation to retail bank

CHARITY FRAUD: AN OVERVIEW…

Page 18: Fraud aware 2015 - presentation to retail bank

INTRODUCTION: FRAUD MYTHS AND MISCONCEPTIONS

• Fraud only happens in large organisations
• Fraud is a victimless crime
• It’s all about the money
• Fraud is highly complex and elaborate
• Fraudsters are easy to spot
• If the team have suspicions they WILL report it
• “It will never happen to us”
• No-one in a position of trust or authority would do that!
• Fraudsters keep their money in Swiss bank accounts and tax havens
• It’s all about cyber crime

Page 19: Fraud aware 2015 - presentation to retail bank

INTRODUCTION: HOW BIG IS THE PROBLEM?

• Difficult to quantify accurately
• Many organisations deal with fraud in-house
• Many fraud statistics based on reported fraud, for example:
  • UK Cards Association - £388m
  • Association of British Insurers - £1bn detected and suspect £2bn undetected
  • Department for Work & Pensions - £3.4bn (2% of total expenditure due to fraud/error)
  • FraudTrack (BDO research) - £2bn
• Attempts to assess unreported fraud:
  • National Fraud Authority’s Annual Fraud Indicator (2013):
    • Total - £52bn
    • Charity fraud - £147m

Page 20: Fraud aware 2015 - presentation to retail bank

INTRODUCTION: HOW DOES FRAUD OCCUR – FRAUDSTER PERSPECTIVE

Incentives
• Financial pressure / debt
• “Need or Greed”
• Living beyond means
• Loss of earnings by a family member
• Failed investments
• Personal circumstances / issues
• Additional relationships
• Blackmail (rare)

Opportunities
• Poor governance and risk management procedures
• Weak internal systems and controls
• Lack of segregation of duties
• No fraud prevention or detection policies
• Cultural issues
• Easy access to funds / assets
• Lack of due diligence on employees, suppliers and customers
• Ability to override controls

Rationalisation
• Confidence in not getting caught
• Other people are doing it
• No pay rises and poorly paid
• Badly treated / overlooked for promotion
• Organisation can take the loss
• Organisation is poorly managed anyway

Page 21: Fraud aware 2015 - presentation to retail bank

INTRODUCTION: HOW DOES FRAUD OCCUR – COMPANY PERSPECTIVE

• Poor systems and controls
• Lack of due diligence on suppliers, customers, third parties, employees
• Ignoring the red flags
• Cultural issues
• Lack of policies and procedures
• Lack of whistleblowing program
• Too much trust

Page 22: Fraud aware 2015 - presentation to retail bank

INTRODUCTION: FRAUD INDICATORS – RED FLAGS

Behaviours
• Dominant management style/personalities
• High staff turnover
• Lifestyle of employees vs. remuneration
• Low staff morale
• Not taking holidays/long hours
• Unusual/uncharacteristic behaviour
• New staff resigning quickly
• Resistance to help/change
• Refusing promotion
• Whistleblowers

Other
• Variances between forecasts/budgets
• Problems with reconciliations
• Changes in financial reporting
• Unrestricted funds spent without prior authorisation
• Duplicate payments/cheques
• Missing/incomplete documents, i.e. major income/expenditure streams including grant funding
• Consistent alterations/deletions
• Journal adjustments

Page 23: Fraud aware 2015 - presentation to retail bank

INTRODUCTION: FRAUD CONSEQUENCES

• Loss of funds / assets
• Cost of investigation, legal advice and recovery
• Management/Trustee time and commitment
• Reputation
• Public trust and confidence
• Employee/volunteer morale
• Security and existence
• Increased insurance costs
• Funding (funding bodies, community etc)
• Less funds for beneficiaries
• Relationships with external parties
• Other linked criminal activities i.e. money laundering/terrorist financing
• It’s not just about the money

Page 24: Fraud aware 2015 - presentation to retail bank

WHO WILL DEFRAUD YOU?

Page 25: Fraud aware 2015 - presentation to retail bank

WHO WILL DEFRAUD YOU?

• Professional fraudster?
• Opportunist fraudster?
• Trustees?
• Employees?
• Volunteers?
• Beneficiaries?
• Partner organisations?
• Suppliers?
• Collusion – combination of the above?
• Others?

Page 26: Fraud aware 2015 - presentation to retail bank

PROFILE OF A FRAUDSTER

• Research suggests….
• Male
• 36 – 45 years old
• Works in the finance function or in a finance related role
• Holds a senior management position
• Employed by the company for more than 10 years
• Commits fraud against his own employer
• Works in collusion with another perpetrator

BUT….. relevance?

Page 27: Fraud aware 2015 - presentation to retail bank

WHO WILL PROTECT YOU?

Page 28: Fraud aware 2015 - presentation to retail bank

WHO WILL PROTECT YOU?

• Trustees?
• Employees?
• Volunteers?
• Beneficiaries?
• Partner organisations?
• Suppliers?
• External Auditors?
• Internal auditors?
• The Police?
• Regulators?
• Others?

Page 29: Fraud aware 2015 - presentation to retail bank

ARE CHARITIES VULNERABLE?

Page 30: Fraud aware 2015 - presentation to retail bank

ARE CHARITIES VULNERABLE?

• Charity ethos: altruism / honesty / trust / pursuit of common and shared goals

• High levels of public trust and confidence
• Rely on goodwill and support of employees and volunteers
• Smaller charities may lack scrutiny / division of duties
• Reliance on cash based fund raising – attractive to opportunist and organised fraudster
• Administrative and control functions may be weak / carried out by volunteers
• International work increases risk of fraud, bribery and corruption
• International work may increase lack of management oversight and may weaken controls
• Technological advances make donations easier but also increase risk
• Fraudsters are targeting NFP organisations…. You have assets (Registered charities - net assets worth approx. £125 billion)!

Page 31: Fraud aware 2015 - presentation to retail bank

ARE CHARITIES VULNERABLE? KEY RISK AREAS

Internal vs. external (+ collusion):
• Income generation, i.e. grants, donations, fundraising
• Internal management of funds, i.e. internal financial systems and controls
• Recruitment and screening of employees, volunteers, beneficiaries, suppliers etc
• Management of expenditure, i.e. large complex projects and contracts, budget vs. actual spending, beneficiaries, supplier payments and expense claims
• External threats, i.e. credit card fraud, change of supplier details, IT/cyber crime

Page 32: Fraud aware 2015 - presentation to retail bank

ARE CHARITIES VULNERABLE? TYPES OF FRAUD

• Misappropriation of funds vs. Fraudulent financial reporting
• Income-related fraud
  • Diverting donations, grant funding, sales proceeds
  • Impersonating charities
• Expenditure fraud
  • Fraudulent invoices / misuse of bank, credit and debit cards
  • Overpaying for goods/services
• Misuse of funds/assets/charity identity
• Payroll fraud
• Fraudulent grant applications
  • Fictitious charities
  • False applications received by charity / made by the charity
• Procurement fraud
• External/third party fraud – phishing/change supplier details
• Financial manipulation fraud
  • Under reporting costs/inflating assets
  • Misclassifying restricted donations, fundraising or administrative expenses

Page 33: Fraud aware 2015 - presentation to retail bank

HOT TOPIC: THIRD PARTY FRAUD

Page 34: Fraud aware 2015 - presentation to retail bank

HOT TOPIC: THIRD PARTY FRAUD - SWITCHING

1) Common approach
• Letter to change supplier details
• Large port hit for bulk purchase of oil (average purchase £1 million per week)
• 3 weeks of supplier not receiving payments = £3 million loss

2) Low value – additional issues
• Phone call to change supplier bank details
• Housing Association’s insurance premium targeted – non-payment led to losses and no insurance cover

3) Head office vs. internal division
• Instructions to change bank details sent to internal division of UK plc instead of Head Office
• Internal transfer of change request led to ‘assumption’ that due diligence checks had already been carried out by division
• Payments to fraudster until supplier alert of non-payment = £1 million loss

Page 35: Fraud aware 2015 - presentation to retail bank

HOT TOPIC: THIRD PARTY FRAUD

4) The Bank as the ‘third party’
• Caller purports to be the Bank returning a failed payment
• Limited information provided by the caller
• Fake caller ID gives comfort over legitimacy
• Provide new account details and convinced to provide account details
• Convince employee to provide bank account details (username and passcode generated by PIN code device)
• Fake refund initiated by fraudster whilst logged on using details provided

5) The lawyer as the ‘third party’
• Caller purports to be solicitor instructed by CEO
• They have been chosen as the trusted employee
• Call is “secret” and not to be discussed with anyone
• Bank account has been compromised – required to transfer funds to new account to prevent further losses

Page 36: Fraud aware 2015 - presentation to retail bank

RECENT BDO INVESTIGATIONS

Page 37: Fraud aware 2015 - presentation to retail bank

CASE STUDY: PROJECT ACTIVE – LIVE INVESTIGATION

Background
• Two separate frauds by CEO and FD
• CEO fraud - awarding pay increases and bonuses, expenses fraud and other low-level frauds
• FD fraud - larger (circa £10million) – cheques, BACS and CHAPS payments to own bank accounts
• Some payments identified by staff but FD had convincing story (“confidential projects”)
• Accounts team were complicit in covering up unusual payments
• Key member of staff raised issues with HR but these were not progressed – counter grievance led to the staff member being pushed out of the organisation

Factors
• Culture was a key issue – accounts team desensitised to “unusual” payment activity and accounting
• Dominant CEO seen as a bully
• FD used the CEO to cover for his actions
• Personal relationships instilled loyalty

Page 38: Fraud aware 2015 - presentation to retail bank

CASE STUDY: PROJECT FLORENCE

Background
• Foreign based whistleblower alleged for-profit subsidiary of a UK charity procured a lucrative foreign Government contract through bribery
• High profile/senior foreign Government official awarded contract on proviso an element was subcontracted to his wife
• Key issues:
  • Management of the key parties (Government department and Regulator)
  • Management of reputation
  • Servicing the contract pending investigation outcomes
• Case presented to foreign regulator and client treated as a ‘witness’ in ongoing foreign criminal proceedings

Factors
• Lucrative contract (too good to be true) but no-one questioned the good news
• Contract bypassed usual legal route
• No segregation of duties from winning, renewing and managing the contract
• Invoices via contracts manager and not accounts team
• Preferential supplier payment terms of 4 days (usually paid within 2-3 days)

Page 39: Fraud aware 2015 - presentation to retail bank

CASE STUDY: PROJECT JOHNSTON

Background
• Whistleblower letter alleged that funding had been diverted from intended purpose to an unrelated social enterprise venture
• Other allegations of financial mismanagement including misuse of company credit cards, inappropriate purchasing activity and abuse of Trust funds for personal use
• The organisation was on the verge of insolvency
• Traced the life of the funding from application to current status including funds flow and instruction of third party contractors – identified incoming funds into ‘one pot’ and not allocated to projects
• Identified a variety of management failures and misappropriation of funds

Factors
• No reconciliation of funding income and project expenditure
• Management overriding controls in finance, recruitment, tendering and procurement
• The Board not ‘robust’ in their governance approach
• Earlier whistleblower allegations not followed up or investigated
• Grievances/exit interviews not followed up

Page 40: Fraud aware 2015 - presentation to retail bank

CASE STUDY: PROJECT STABLE

Background
• New IT infrastructure/modernisation project for a NFP organisation
• First stage of process to identify requirements – external project management consultancy brought in with no formal tender process
• Process identified need to recruit specialist into IT team – recruited and brought in own team and pushed out previous team based on “poor performance” and “resistance to change”
• Second stage to tender for services – formal tender process managed by new team
• New IT system problematic and support weak – led to investigation
• Investigation hindered as external suppliers controlled networks and shut down access
• Identified IT equipment not owned by organisation – non-commercial arrangement in place
• Identified relationship between the IT specialist, the consultancy and the successful supplier

Factors
• No formal due diligence on external consultants in stage one or two
• Weak HR procedures when IT specialist recruited
• No exit interviews on out-going staff

Page 41: Fraud aware 2015 - presentation to retail bank

CASE STUDY: PROJECT AFRICA

Background
• International charity identified significant losses relating to a project based abroad
• Bank statements altered and financial statements manipulated to conceal extraction of funds from the project leaving a large ‘black hole’
• Property and documents were destroyed in an attempt to conceal evidence
• The books and records were reconstructed to identify the full extent of the loss
• The fraudster was identified and removed from the organisation and steps taken to recover losses
• Checks identified discrepancies on CV provided – ‘compromised’ out of previous organisation

Controls
• Employee due diligence checks should confirm previous employment, referees and qualifications
• Complete personnel records should be held on file
• Restrict access to ‘super user’ logons which make it difficult to identify who has made certain transactions on accounting system
• Ensure overseas bank accounts are monitored independently and using original documentation (not documentation provided)

Page 42: Fraud aware 2015 - presentation to retail bank

CASE STUDY: PROJECT IPCRESS

Background
• Outsourcing arrangement following formal tender process
• Some elements formally carried out in-house
• Blurry boundaries between supplier/customer – referred to as “partners” but not a partnering agreement
• Whistle-blower – identified as the fifth whistle-blower
• Right of audit clause within the contract utilised for investigation
• Supplier attempted to conceal evidence in skips - reconstruction of files took over 2 months
• Identified systematic overcharging - cost plus management fee - often over 1000%
• Changes to initial scope and “can do” attitude used as justification for excessive costs

Factors
• Teams were too close and did not scrutinise individual work quotes
• Information provided to client was overcomplicated and difficult to understand
• Contract was not reviewed on an annual basis, rolled over
• Key dual-purchases (machinery) not covered by contract

Page 43: Fraud aware 2015 - presentation to retail bank

CONTROLS AND DEFENCES

Page 44: Fraud aware 2015 - presentation to retail bank

FRAUD RISK PROFILING: PREVENTION IS BETTER THAN CURE

• Fraud awareness is key
• Remain vigilant
• Every charity will be different depending on:
  • Fundraising activities
  • How you provide services
  • Nature of structure/locations
• Assess risk and put appropriate controls in place in high risk areas
• Direct resources appropriately
• Reassess risks regularly to account for any changes in structure to ensure fit for purpose
• Ensure key strategies in place to deal with fraud, fraud response, whistleblowing, money laundering, bribery and corruption

Page 45: Fraud aware 2015 - presentation to retail bank

FRAUD RISK PROFILING: SOME FRAUD DEFENCES

• Recruitment, recruitment, recruitment
• Key policies in place (fraud, anti-money laundering, bribery etc)
• Act on information – take whistle-blowers seriously
• Risk profiling key business areas
• Restrict/control access (systems, buildings etc)
• Implement robust financial controls and governance measures
• Segregation of duties
• Training and awareness (employees, volunteers and trustees)
• Systems and controls checks – high level reviews/tripwires/spot checks
• Review of authorisation/mandate levels
• Review key monthly management reports
• Bank/asset reconciliations
• Review exception reports
• Robust IT controls – controls over permissions and access rights
• Whistleblowing culture

Page 46: Fraud aware 2015 - presentation to retail bank

FRAUD RISK PROFILING: INTERNAL CONTROLS

The control environment:

Organisation of people
• Delegation
• Reporting

Segregation of duties
• The work of one person is independent of another
• No one person can authorise, execute, and record

Personnel controls
• Recruitment
• Training
• Capabilities matched with functions

Supervision
• Control over day to day running
• Management able to sort out problems

Management
• Acting on information
• Being proactive and reactive
• Internal audit

The control procedures:

Physical
• Security over assets
• Controls over access to assets
• Regular stock checks
• Maintaining a register

Authorisation
• Who can do what
• Hierarchical structure of signatories

Checking procedures
• Arithmetical
• Check totals
• Control accounts
• Reconciliations
• Trial balances

Page 47: Fraud aware 2015 - presentation to retail bank

WHAT TO DO UPON DISCOVERING A FRAUD

Page 48: Fraud aware 2015 - presentation to retail bank

WHAT TO DO UPON DISCOVERING A FRAUD

DO NOT:
• Ignore whistleblowers
• Respond emotionally or take any hasty actions
• Immediately confront the subjects
• Damage or mark any evidence or potential evidence
• Turn on computers, laptops, mobile phones or other electronic devices
• Limit the scope of your concerns to a specific issue
• Divert attention from the day to day running of the business
• Dismiss the employee – consider suspension instead
• Ignore the possibility that losses may still be continuing
• Ignore the regulator

DO:
• Activate your fraud response plan and implement a communication strategy
• Contact relevant parties:
  • Internal: Trustees/Board
  • External: Bank, Police, Insurers, Regulator, Specialist service providers
• Engage professional assistance where required
• Carefully preserve evidence (electronic and paper documents, laptops and mobile phones)
• Take steps to stop further losses
• Be objective in your assessment
• Limit the number of people involved in investigation
• Assess the impact and act on lessons learned
• Consider next steps – criminal vs. civil

Page 49: Fraud aware 2015 - presentation to retail bank

POST FRAUD: NEXT STEPS

• Assess the effectiveness of your fraud response plan
• Assess the effectiveness of other relevant policies
• Assess the impact and act on lessons learned
• Review reasons for fraud/loss and implement controls
• Consider recovery of losses
• Manage reputation – press strategy
• Manage internal morale
• Ensure remaining team are ‘clean’ and consider restructure

Page 50: Fraud aware 2015 - presentation to retail bank

QUESTIONS

Page 51: Fraud aware 2015 - presentation to retail bank

THANK YOU