16 May 2013

Keeping clear of cartels – international competition compliance

We recently had a really interesting PwC Fraud Academy discussion around the practical challenges of managing competition risk. I wanted to share some of the key issues that struck us as important for those members that wanted to attend but were unable to do so.

We were fortunate to be able to call upon an expert panel comprising experts from PwC Risk Assurance and two external companies’ compliance and anti-trust divisions. Discussion ranged across the full cycle of risk management steps and focused heavily on emerging practical issues, including measures to mitigate behavioural risks and gaining assurance around compliance programme effectiveness.

  • Starting with tone from the top and commitment to compliance, our panellists discussed how competition law is not intuitive, and how it requires more explanation and communication than other compliance issues such as bribery or health and safety law. One example of tailored communication was to engage senior management by comparing the company business model and strategy to recent enforcement trends and legal developments.
  • This point led to a comparison of tools for risk identification and risk assessment, including the tried and tested approach of involving the business to understand the risk profile of each division and business unit in depth. It was noted that one of the key challenges of risk assessment was to help the business units see how seemingly abstract competition issues like sensitive information sharing might present themselves in their day-to-day business. One approach was to use open-ended questionnaires to reframe competition risk assessment in terms of more general issues, such as unprofessional use of confidential company information, and help people to start thinking about the topic for themselves.
  • The panel considered the role of business processes in managing competition risks. Trade associations were discussed as an example where controls in day-to-day operations were a valuable addition to a wider compliance framework. It was noted how trade associations present a range of competition risks including easily overlooked activities such as joint advocacy, standardisation and industry training. Suggested mitigations included vetting the competition policies of trade associations, requiring staff to first obtain central approval to attend trade association meetings, attend specialist training and subsequently certify their compliance with the company's information sharing guidelines.
  • The panel agreed that training is one of the key risk mitigation activities, provided it is tailored to the specific competition risks identified in the business. Key issues discussed included who to train, how to document training, and the pros and cons of eLearning. It was noted how some companies address the need to make competition law more intuitive by providing simple decision making guidelines, both to help identify a potential issue and to guide a correct response with appropriate consultation. One example was specialist training on trade associations, which included prompts for caution over information sharing (who am I talking to; why; am I saying something that could affect a competitor's behaviour; etc) and a disassociation protocol to follow if discussions veered into potentially illegal territory.
  • It was also noted that an increasing number of Boards, and non-executives in particular, are seeking to incorporate real time monitoring as a compliance tool. In many cases this includes the analysis of market developments, as well as ongoing commercial, contractual and tendering activity. 
  • The panel discussion ended by looking at evolving standards in risk monitoring and review. It was noted that gaining assurance over competition compliance activities can be particularly challenging, given that  many related controls are non-financial, with judgement and relevant subject matter expertise being required to consider their effectiveness. 

I also wanted to let you know that following this panel discussion the International Chamber of Commerce (ICC) has published an Antitrust Compliance Toolkit. This public resource focuses on practical steps companies can take internally to embed a successful compliance culture and is available from the ICC website.

Contact details:
Email: Fran Marwood
Tel: +44 (0)20 7213 4709

27 March 2013

Building a culture of fair play – tailoring risk management to your business

    The OFT does not wish to mandate any specific compliance measures. The compliance measures that a business ought to have will be a decision for the individual business, having regard to its competition law risk exposure and the business’ internal culture.
        OFT, How your business can achieve compliance with competition law, 2011

Last week we shared some thoughts on the importance of thinking broadly about your company’s exposure to competition law, to help ensure that your company is not turning a blind eye to this serious regulatory risk. This week we consider ways of developing a bespoke response to these risks, to help tailor mitigations and monitoring to match your company’s particular competition risk profile.

Firstly, thinking broadly about risk assessment can help develop a better understanding of the likelihood and impact of identified risks. Competition risk assessment should consider both opportunity and motive when assessing the intensity of identified risks, to reflect different functions’ varied exposure to competitors and other exacerbating factors such as behavioural or cultural risks. Exposure to competitors can come from outside of day-to-day operations, including recruitment from competitors or staff interaction with their peers at industry seminars and client social events. Communication with competitors may be a requirement of the job for a variety of reasons, but a complacent attitude to competition risk can contribute to an unprofessional business culture and the casual exchange of commercially sensitive information. Exacerbating factors can also come from unexpected sources, as seen when intense performance targets and corporate downsizing lead middle management to rationalise anti-competitive behaviour as ‘saving the business’ or ‘protecting team jobs’. Even without an economic rationale, an aggressive local business culture may lead managers of dominant firms to start price wars simply because they are overconfident, proud or arrogant.

    Policies, procedures and training are, on their own, insufficient to ensure compliance. To be effective, all policies, procedures and training must be part of a larger culture that instils compliance as a fundamental value.
        Competition Bureau Canada, Corporate Compliance Programmes, 2010

Secondly, in order to be more than the sum of their parts, the various competition risk mitigations should be organised into an overarching compliance programme. In this way competition risk management can become part of the company’s business culture, embedding lasting behavioural change through a blend of visible top-level commitment, integrated and formalised ownership, standard operating procedures, and a wide range of staff support. Standard policies can be supplemented through additional pre-approval and reporting requirements for higher risk activities, such as participation in trade association meetings. The company’s bespoke risk assessment can also help to target general mitigations to the more exposed roles and functions, such as through tailored training and real time monitoring for public tender bids.

     The OFT suggests that all directors can, for example, ask the following questions      regarding competition law compliance:

  • What are our competition law risks at present?
  • Which are the high, medium and low risks?
  • What measures are we taking to mitigate these risks?
  • When are we next reviewing the risks to check they have not changed?
  • When are we next reviewing the effectiveness of our risk mitigation activities?    

        OFT, Quick Guide to Competition Law Compliance, 2011

The third and final point to note is that review of competition risks needs to focus on the difficult and intangible issues in order to give executive and non-executive directors a decent grip on their company’s competition risks. Compliance reporting is necessary but not sufficient and should be supplemented by robust internal audit practices, including periodic and event-triggered auditing and spot checks of transactional data for high risk activity. Those responsible for competition risk can improve their understanding of dynamic and emerging competition risks by both working closely with corporate functions, such as Human Resources, and by engaging the lines of business on their practical concerns. In this way the important but elusive issue of staff understanding can be brought into sharper focus through programmes of two-way communication with business units, strengthening employee trust and commitment as the first line of defence.

If you are interested in hearing more we will be discussing the practical challenges of competition risk management with a panel of corporate compliance and legal officers at a forthcoming PwC Fraud Academy event, in London on 17 April. For more information or to register visit our Keeping clear of cartels - International competition compliance page on our website. 

26 March 2013

Building a culture of fair play – a broader look at competition risk

    People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public.
        Adam Smith, The Wealth of Nations, 1776

Given the increasing levels of regulatory focus and private litigation, we believe that companies are not investing sufficient resources into their competition risk compliance activities. In particular, our view is that internal audit could have a vital role to play in helping to manage competition risks.

The serious implications of competition risk were starkly illustrated last December when the European Commission fined 6 international electronics manufacturers €1.47 billion for breaching EU competition law. This is part of a wider trend of global competition enforcement, with 2012 seeing the US Department of Justice fine one consumer electronics manufacturer $500 million and the Chinese authorities taking their first action against another international consumer electronics cartel. Competition risk also extends beyond price-fixing cartels, including abuse of a dominant position in the market. In March this year the EU fined Microsoft €561 million over the group’s failure to abide by an earlier agreement to settle an investigation by offering consumers of its Windows software a choice in web browsers.

Against this background a number of authorities have issued guidance to help companies minimise the risks of involvement in anti-competitive behaviour. In a similar vein to the UK government guidance on the Bribery Act, the UK Office of Fair Trading (OFT) has issued compliance guidance based on a cycle of risk identification, risk assessment, risk mitigation and risk review. Despite their different legal and institutional regimes, other authorities from the EU, Canada and Japan have also emphasised the importance of tailored risk management.

    Antimonopoly Act compliance should not be a mere ‘tool for complying with laws and regulations’. It should be utilized actively and strategically as a ‘tool for controlling and avoiding risks’.
        Japan Fair Trade Commission, Survey on Corporate Compliance Efforts with the Antimonopoly Act, 2012

But what does this mean in practice?

The first point to note is that competition risks go beyond legal compliance and can be addressed in an integrated fashion alongside other governance issues, as part of the company’s wider risk management framework. While recognising the role of standard contractual clauses and mandatory general training, all of the recent official guidance warns of the limitations of a ‘one-size-fits-all’ approach. Instead, there is a common theme across the various guidance of putting the onus on management to establish a bespoke compliance programme to match their company’s particular competition risk profile.

    Merely paying lip-service to an abstract or formalistic commitment to comply will get them nowhere. Any credible compliance programme must be built on a firm foundation of management commitment and supported by a ‘top-down’ compliance culture.
        European Commission, ‘Compliance Matters’, 2012

Secondly, competition risk identification should look beyond marketing and sales to include other corporate functions and operational activity. From trade associations and R&D to distribution and supply chains, competition risk can arise wherever there is contact with competitors or the temptations of a dominant position in the market. For example, earlier this year the activities of a handful of regional UK dealerships led to a multi-million pound fine for a major automotive manufacturer. The OFT levied another multi-million pound fine this year against a major UK grocery retailer, confirming the principle that sharing commercially sensitive information with competitors breaches competition law - even if the information is shared indirectly via common suppliers.

Next week we will set out some further thoughts on how to mitigate these risks and keep them under review.  If you are interested in hearing more we will be discussing the practical challenges of competition risk management with a panel of corporate compliance and legal officers at our forthcoming PwC Fraud Academy event, in London on 17 April. For more information or to register click here

05 March 2013

The Draft Fourth European Money Laundering Directive – Evolution or revolution?

On 5 February 2013 the European Commission issued its proposal to update the Directive on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (the “Money Laundering Directive”).  This was anticipated following the recent revisions to the international anti-money laundering (“AML”) standards published by the Financial Action Task Force (“FATF”).

A theme running through the efforts of both the European Commission and FATF is a desire to increase the effectiveness of the AML framework, whether at a Member State or institutional level.  To this end, are the proposals reflected in the updated Money Laundering Directive revolutionary or evolutionary and what is the likely impact on those institutions charged with delivering against these revised requirements?

On the face of it the Directive looks evolutionary, particularly in terms of the impact on those institutions in territories such as the UK where a risk-based approach to AML is already embedded within the regulatory landscape.  Although there are additional requirements relating to politically exposed persons (PEPs) and beneficial ownership (in the case of the former, the introduction of the distinction between domestic and foreign PEPs and risk-sensitive differentiation of the due diligence requirements for each), as well as a lower threshold triggering due diligence obligations (Euro 7,500 as opposed to Euro 15,000), the majority of the key changes are likely to be felt by the Member States themselves.

Firstly, the European Commission and its Member States would have an obligation to undertake their own assessment of their vulnerability to money laundering and terrorist financing.  The purpose of the risk assessment is three-fold: (a) to improve the Member State’s anti-money laundering and combating terrorist financing regime, in particular by identifying any areas where regulated institutions should be applying enhanced measures and, where appropriate, specifying the measures to be taken; (b) to assist it in the allocation and prioritisation of resources to combat money laundering and terrorist financing; and (c) to make appropriate information available to regulated institutions so that they can carry out their own money laundering and terrorist financing risk assessments.

Secondly, the updated Directive seeks to establish a more robust framework for international co-operation: Articles 46 to 54, for example, expand upon the original one-line aspiration to “lend such assistance as may be needed to facilitate coordination, including the exchange of information” and set out a number of conditions that need to be applied to their respective Financial Intelligence Units to ensure the effective flow of information for AML purposes.

Indirectly, however, the updated Directive could be more revolutionary, potentially having a significant impact on institutions, particularly in terms of how Member States exercise their oversight and supervision in light of the changes described above.  In terms of the risk-based approach itself, the bar is clearly being raised: If Member States have to perform their own risk assessment it is likely that their supervisors are going to be more familiar with the requirements and willing to challenge institutions on their arrangements.  Similarly the focus on assessing the effectiveness of systems and controls and the corresponding emphasis on evidence-based measures is likely to translate to a closer scrutiny of both the method by which the risk assessment has been performed and the intelligence on which the assessment has been based.

Perhaps the most revolutionary element, though, relates to the sanctions that could be imposed: The Directive is much more prescriptive on the penalties in the event of non-compliance, outlining a series of minimum measures that Member States must consider, ranging from public censure through temporary banning of management to fines equalling 10% of annual turnover.

Ultimately, the European Commission is getting serious about combating money laundering and terrorist financing.  While recognising that the infrastructure needs to be improved (as reflected in risk assessments for Member States and enhanced co-ordination and co-operation between them), it is critical that institutions ensure the effectiveness of the systems and controls that they themselves put in place.  Where these arrangements do not meet the necessary standards non-compliance can no longer be tolerated, a message that the minimum penalties seek to reinforce.

Matthew Russell
Contact by email | Tel: 020 780 44227

05 February 2013

Corporate Codes of Conduct - do they continue to have a role in business?

Over the past twenty years corporate codes of conduct have moved from being emerging good practice to becoming an established norm, with the take-up by FTSE 100 companies increasing from 33% in 1993 to 80% in 2010 (Institute of Business Ethics). This move to formal codification of business ethics has been encouraged by a number of factors, including greater public expectations of transparency, developments in UK corporate governance and increasing business complexity. However, as more companies establish codes as a routine part of their governance the question has arisen of whether this approach adds any real value or whether it increasingly just 'ticks the box'.

This challenge follows repeated high-profile incidents of corporate wrong-doing. LIBOR benchmark rigging, media phone hacking, price-rigging manufacturing cartels and global money laundering are only some examples over the last few years where staff acted in direct contradiction to the stated values and policy of their company. This has driven scepticism over the purpose and form of codes, particularly where there is a language gap between high-level mission statements and the colloquial language of daily operations.

In some cases it appears the company's code has promised more than the business was able to deliver. In some extreme cases the code commitments were not only left isolated from wider corporate governance but were only observed in the breach. For example, Enron had a detailed code but senior management exempted themselves from key policies such as conflicts of interest, with well-known consequences.

However, it would be a mistake to merely badge codes as a branch of marketing. This oversimplifies their role in corporate governance and wider risk management.

Firstly, it is important to recognise that the high-level language around purpose and commitments is a reflection of the broad diversity of corporate stakeholders. Companies can guard against the risk of overly generic and vague commitments by being clear on what type of code they are developing. Is this a code of ethics, aimed at communicating obligations to stakeholders, or a code of conduct, aimed at clarifying how employees and sometimes other parties are expected to behave?

This leads to the second point, that the complex operations of modern global companies can be potentially confusing even for those working inside them. The challenge of capturing a holistic picture of the company in a single code reflects the difficulties often faced by individual employees in their day-to-day work. A good code will provide a clear purpose and realistic examples to help staff to place their individual dilemmas in the wider corporate context. In this way codes can contribute to relevant and practical training on a range of ethical policies, as well as supporting staff to identify sources of specialist advice and confidential reporting.

Thirdly and finally, no matter how beautifully worded a code is, it is only as good as its communication and integration in the company's overall programme for governance, risk and compliance. Just like any other ethical policy framework, a code of business conduct needs to be both well designed and properly implemented. To avoid gathering dust on a shelf the code needs to be linked to the company's people processes and other key internal controls, as a practical tool to support consistent decision-making and an ethical line-of-sight from the Board strategy to the operational coal-face.


At our next PwC Fraud Academy event, we’ll challenge whether a code of conduct plays any meaningful role today in effectively managing ethical business conduct and corporate behaviours.

Come and join us for what will be an energetic but compelling event that will question and challenge whether or not the code of conduct is here to stay.

For more information or to register visit http://www.pwc.co.uk/events/have-codes-of-conduct-passed-their-use-by-date.jhtml

09 November 2012

So what might we expect now from the SFO?

By Keith McCarthy


Background

On his appointment as the new Director of the Serious Fraud Office (SFO) in April this year, David Green CB QC made plain the SFO's intention to investigate significant strategic targets and to focus its finite resource on delivering as an independent crime fighting agency.

The SFO uniquely investigates and prosecutes serious and complex fraud and corruption within the UK. In respect of overseas anti-corruption criminal casework it is the lead agency in England and Wales. The SFO uses its own specialist powers contained within the Criminal Justice Act 1987 to obtain evidence and following conviction will actively pursue the recovery of any assets available through confiscation proceedings. The SFO liaises extensively with its domestic and overseas law enforcement partners too, often making requests using the procedures for Mutual Legal Assistance Treaties in criminal matters and executing requests made for assistance from overseas jurisdictions investigating serious or complex fraud and corruption.

Given the nature of its work the SFO has extensive guidance and policies set out on its website http://www.sfo.gov.uk/, of course not all of which will be available for public scrutiny.

In March this year the OECD Phase 3 report on the UK's implementation of the OECD Anti-Bribery Convention was adopted by the OECD Working Group on Bribery following onsite visits that took place on the 18-20 October 2011.

The OECD report made certain recommendations and comments about the UK's implementation of enforcement measures and in particular made specific comments on facilitation payments and hospitality. The OECD recommended that the "UK should ensure prosecutorial discretion is exercised coherently by coordinating its approach on facilitation payments with other UK prosecuting agencies, such as CPS and the Scottish Crown Office and Procurator Fiscal Service".

The OECD had concerns about the inconsistencies of approach, particularly on the Joint prosecution guidance, noting that although it related to both the CPS and SFO, the CPS did not adopt the SFO's "six step solution" to facilitation payments (and also noted that in Scotland the six steps were not adopted either). The OECD recommended that this be reviewed and a consistent definition of what a facilitation payment is be developed.

Revised policies

The SFO have been undertaking various reviews of its existing policies and procedures. A prudent action following the Director’s stated aim and given that the senior management team, Alun Milford (New General Counsel), Geoffrey Rivlin (Prosecution adviser) and Kristin Jones (Head of policy) within the SFO are all newly appointed too. On the 9th October the SFO issued the first of its policy revisions relating to the specific Bribery Act 2010 guidance, in particular relating to facilitation payments, business expenditure and self reporting.

The SFO is still reviewing its guidance in relation to searches, information gateways (sharing), asset tracing, Financial Reporting Orders, money laundering, and restraint and confiscation. All very significant areas of the SFO’s criminal casework that will be carefully considered by the Director and his senior team.

The 3 specific areas of revision I think are significant, in that they may signal a determination to bring prosecutions in circumstances that some commentators had, in the past, suggested might not be of great interest to the SFO:

  • Hospitality: The SFO reaffirmed that bona fide expenditure in relation to hospitality or promotions is accepted as an established part of doing business. However, the SFO will prosecute cases within its remit that satisfy the Full Code Test. Cases not meeting the Full Code Test might be dealt with by way of Civil Recovery settlement. Speaking at a recent conference in London, the newly appointed head of the SFO’s anti-corruption area, Patrick Rappo, made it clear the SFO were not being prescriptive in this area and suggested that any corporate should review their gifts and hospitality policies with the MOJ’s 6 principles in mind. He reconfirmed that many of the pre-Bribery Act prosecutions had bribes paid and disguised as gifts and hospitality. It should be recognised too that hospitality to foreign overseas officials will undoubtedly be looked at very carefully by the SFO and other Law Enforcement Agencies, particularly the City of London Overseas Anti Corruption Unit (OACU).
  • Facilitation Payments: The SFO have reaffirmed that such payments remain illegal and that there are no exceptions, with the Full Code Test being applied in those cases taken on by the SFO. Given that the UK Bribery Act needs to be seen to be effective, in my view it is in this area where companies with operations in the UK (whether registered or not in the UK) may be challenged by the SFO based on evidence/information obtained that such payments have been made. The SFO may only need the evidence/information to be able to consider more fully the adequate procedures that might have prevented the payments of “bribes” by a corporate (S7 UKBA 2010) and to consider whether the senior personnel consented or connived to the payments. What might start out as a facilitation payments case could escalate into a wider criminal investigation and potentially a search operation of both business premises and home addresses. It is in the facilitation payment area that the SFO might consider that it has the best prospect of getting an early prosecution under the Bribery Act. Strategically it will not need to prosecute ALL facilitation payment cases within its reach but the prosecution of some, particularly those cases focussing on overseas public officials in developing countries where the public interest test might be met, will be used to act as a clear deterrence and potentially encourage self disclosure by others. Such cases would likely involve the exchange of information with overseas law enforcement partners such as, for example, the US Department of Justice (DOJ), Australian Federal Police (AFP) or Royal Canadian Mounted Police (RCMP) and trigger a multi-jurisdictional investigation.
  • Self Disclosure (self reporting): In removing the guidance on self reporting issued in July 2009 the Director SFO has made it plain that HE will decide on whether a corporate should be prosecuted following the application of the Full Code Test. Any self report will be taken into consideration as part of the public interest factors applied in the case. In the circumstances any self report will need to be a full disclosure and should show how the corporate has proactively dealt with the issue and that its efforts to remediate the problem have been genuine. It is important to recognise that the prosecutorial discretion has not been lost and that the revised policy confirms that where appropriate (each case will be judged on its own facts) the SFO might not prosecute and may instead pursue a civil recovery settlement.

There has been a lot written since the 9th October about the reasons and the impact of the SFO revised policy statements. What should not be overlooked is that the new guidance is not statute and merely sets out how the SFO might apply the legislation when presented with the facts of a case. We also need to remember that the Director of the SFO will decide personally (not the Attorney General as previously) on whether to consent to the prosecution under the UK Bribery Act. This is a very significant responsibility and consequently David Green CB QC will need to be clear on the evidence, gaining reassurance from his prosecutors who will undertake carefully their “Code Test(1)” (something that they always did previously in any event) and to assist him in this will need to be absolutely sure that the SFO prosecution policy is unambiguous and being applied consistently.

Furthermore, a very significant announcement was made by the MOJ on the 23rd October confirming that UK Deferred Prosecution Agreements would be a part of the Crime & Courts Bill and should hopefully be introduced by 2014. The Bill as it moves through the Lords recognises that the Director of Public Prosecutions and the Director of the Serious Fraud Office must jointly issue a Code for prosecutors giving guidance on the general principles to be applied in any DPA and the disclosure obligations on the prosecutor. We can undoubtedly expect to see a further revision of the self disclosure policy in advance of the new DPA process and the current policy as it stands does align with the new DPA process in that there will need to be a full disclosure before any DPA can be considered and placed before the judiciary for approval.   It is expected that the proposed contents of the DPA Code of Practice issued by the Director SFO and DPP will need to be consulted on and consequently it will be crucial for any corporate to consider carefully the information within its knowledge and possession, their ability to articulate clearly their active compliance programmes, the remediation undertaken dealing with any offences identified and ultimately, if necessary, the timing of any self referral into Law enforcement.

Conclusion

Whilst some commentators have bemoaned the lack of enforcement/prosecution under the UK Bribery Act since it was implemented in July 2011 , law enforcement within the UK ( not just the SFO) have been revising their strategies, policies and procedures to enable them to deal with the cases that are currently under their review and within their intelligence units. Indeed recently the Chairman of the OECD working group on Bribery, Professor Mark Pieth, told an anti-bribery conference that he is informed on those cases that the UK SFO and others have under consideration for UK Bribery act offences as part of a “tour de table” when the OECD working group countries meet in Paris. He confirmed that cases were being developed and would be pursued as they were extensive and large. At the same meeting the Head of the City of London Police OACU, Detective Inspector Roger Cook, confirmed that his unit had increased their funding from DFID until 2016 and had over 30 cases under enquiry.(2)

The FCPA was in force for 20 years before it eventually developed into an effective prosecution weapon used by the US DOJ. The effectiveness of the UK Bribery Act will be measured by the ability of the UK prosecutors to bring cases to the courts, whether as prosecutions, under the DPA or as non-conviction-based civil settlements. The revision of SFO policies is clearly, in my view, the tidying up of the landscape in advance of action.

There is a lot happening between 2013 and 2014 (Deferred Prosecution Agreements, an Economic Crime Command with a fully operational National Crime Agency by December 2013 and Post Implementation Review of the UK Bribery Act) and the realignment of policies to provide a consistent approach to prosecutions will assist in the Government’s endeavours to tackle economic crime. It also assists in messaging the UK’s fight against economic crimes, particularly corruption, as the Prime Minister, David Cameron, takes the chair of the G8 summit in January 2013.

Lastly, despite all the commentary, no one appears to have noticed (except me) that the SFO search guidelines have been withdrawn along with the others mentioned earlier in this note. It is my view that future actions from the SFO are likely to involve an arrest and search operation, with action under the Proceeds of Crime Act (e.g. a restraint order). This will show the SFO critics within and without that David Green CB QC has a firm hand on the prosecution tiller and is good for his word. Watch this space.


(1) The SFO have stated that “Any decision to prosecute unlawful activity will be governed by the Full Code Test in the Code for Crown Prosecutors”

(2) SFO have said previously that they have 11 cases in Intelligence development and 4 active UKBA enquiries registered.


 

06 August 2012

Prevention is better than the cure...

Rarely does a day go by without another headline announcing the latest victim of fraud.  The scale and variety of fraudulent activity seems unprecedented, as does its frequency.  Our recent Global Economic Crime Survey found that 51% of UK respondents had fallen victim in the last 12 months.

The cost of fraud is also growing.  As well as an increase in the total proportion of UK respondents suffering fraud (up from 43% in 2009 to 51% in 2011), since 2009 the number of respondents in our survey reporting direct losses of between US$100,000 and US$5million has risen by 11%.  Similarly, the number reporting losses of over US$5million has gone up by 3%.  To make matters worse, with a significant number of frauds likely to remain undetected, the true cost of fraud could well be significantly higher.

This lack of insight makes prevention more difficult. How do you know how much to invest in prevention, if you don’t know the impact fraud could have on your organisation? In my experience, more organisations would benefit from undertaking an overall impact assessment to give a proportionate and informed balance between preventative investment and the risk profile. This assessment should not only consider direct financial losses (both known and unknown), but also investigation costs, management time, reputational damage, staff morale, regulatory action etc.

Of course, not all fraud can be prevented.  Once preventative measures are in place, effective fraud detection controls are required to help identify suspicious activity.  We’re seeing more and more organisations employing automated systems to help bolster detection frameworks.  This development is significant in light of economic difficulties and resultant cutbacks on central functions like internal audit.  I believe this is a positive step forward in the fight against economic crime.  However, controls alone aren’t a panacea to detection.  The importance of organisation culture should not be underestimated; tip offs and whistle blowing accounted for almost one quarter of all detected frauds in our 2011 global survey.

When, unfortunately, incidents are detected, the ensuing investigation is of central importance in maximising the chances of success in: fully unearthing any wrongdoing, preventing further losses, facilitating punishment of the fraudster, aiding recovery and robust remediation.

All investigations are iterative processes which, in simplest form, follow a series of common steps: 

[Figure: Investigations process]

Each of the above stages hides pitfalls, lying in wait for the unwary.  At best, these pitfalls could result in a poorly planned and thus longer and more costly investigation.  At worst, the organisation could be exposed to further losses, reputational damage and the personal exposure of senior overseeing management.  Some important points to bear in mind include:

  • One person should be nominated to lead the investigation;
  • The investigation team should be independent and experienced;
  • Goals should be clear and focus should not drift from the objectives;
  • Secure evidence early, consider all data sources before gathering data;
  • Consider legal requirements, privacy, evidence, data protection etc;
  • Be prepared for new lines of enquiry to open up;
  • Align the type, format and depth of data gathering and analysis work with goals and objectives;
  • Maintain a log of actions, decisions taken and evidence gathered; and
  • Don’t jump to conclusions.

Another common pitfall is that of not learning from past mistakes. The occurrence of a fraud often indicates that current preventative measures and/or the detection framework could be improved. Identifying and remediating these gaps is essential to help prevent the repeat of similar frauds. Looking at the bigger picture, the nature, frequency or location of the incident detected may indicate that the risk landscape itself has changed. Therefore, rather than just fixing the control, it may be wise to revisit the organisation’s underlying risk assessment, upon which its preventative and detective safeguards are built.

In these difficult times, it’s more essential than ever for organisations to proactively prevent losses.  Certain steps, including striking the optimal balance of preventative measures, can help.  When fraud does occur, past lessons can guide future investigations to minimise losses and maximise safeguards.  Prevent where possible, but if not, react with wisdom.

We’re running a number of events in the North focussing on fraud prevention and investigation. If you or a colleague are interested in attending, click on the link to select a location and read more information.

http://www.pwc.co.uk/fraud-academy/events/index.jhtml

Contact details:
Email: Will Richardson
Tel: +44 (0)113 289 4428

01 February 2012

A British Standard for anti-bribery: the other 'fair trade' mark?

There have been many different responses to the Bribery Act coming into force in the last year, ranging from local council bans on Christmas gifts to your bin men to increasing market exits from the more notoriously corrupt countries. The development last December of a new British Standard for 'adequate procedures' to prevent bribery may help some organisations deal with process issues but does not move the agenda very far forward in how best to influence an organisation’s ethical culture.

This new specification has a lot to commend it.

  • BS 10500 ('the 2011 specification for an anti-bribery management system' to give its full title) was published last December after a period of consultation with experts ranging from the National Audit Office to the City of London Police and a number of commercial organisations. 
  • Standards have a long and distinguished pedigree in business improvement and quality management, and can provide a reassuringly clear and stable framework for companies that don't know where to start in addressing complex cross-cutting issues like information security or fraud. 
  • The methodical approach of standards can also be helpful in promoting consistency and coordination across project teams and supply chains, a particular issue for many companies given the Bribery Act's focus on overseas corruption and intermediaries. 
  • Applied sensibly, BS 10500 can make a positive contribution alongside other standards for ethical sourcing and supply chain resilience. Certified companies still suffer from occasional problems in procurement (e.g. child labour in India, flooding in Thailand) but typically bounce back quicker and are better able to integrate the experience into risk management.

So what's the challenge? 

Firstly, the regulatory agenda is looking for more than just documented systems and process improvements. Public trust in business has rarely been as tentative or as fragile as now. There has been a succession of high-profile corporate scandals where elaborate control systems failed to prevent corporate failures – Enron and Lehman Brothers are just two that spring to mind but there are many others.

In this sceptical environment people may view self-certification as another form of corporate PR, and companies seeking a professional benchmark for their systems may want to consider independent assurance on how they have applied the specification in reality rather than in theory. 

A company that responds to press allegations with 'trust us, we've got a management system' is likely to be met with the question of “how do you know it is really working in practice?”

Secondly, there's a limit to what can be achieved by management systems alone.

  • The British Standards Institute notes that "responsible organisations are increasingly seeing bribery prevention on a par with safety and quality control". However, this cuts both ways. Historical lessons from health and safety show that improvements quickly plateau after physical safeguards (e.g. handrails) and process interventions (e.g. a policy of hard hats for everyone on-site), leaving a persistent remainder of accidents due to the slippery 'human factor' (e.g. the foreman being in a hurry to get home to see the football). Our experience tells us that companies who want to move beyond this plateau are now looking to supplement their processes with practical and values-driven decision-making to enable day-to-day implementation of the policies and procedures, to embed compliance into the heart of the corporate culture – the ‘DNA’ of the company – and ‘business as usual’.
  • Individual behaviour is one of the hardest risks to address through a traditional process-heavy approach. PwC is helping companies address these often overlooked behavioural risks, seeking to narrow the gap between what is said (“intended behaviour”), what is visible (“expressed behaviour”), and what is done (“actual behaviour”) by defining and embedding ethical values in company strategy and individual decision-making.

Finally, while applying the specification will help demonstrate that a company has established and implemented a suite of anti-bribery procedures, this is not the same thing as demonstrating 'adequate procedures' in compliance with the Bribery Act.

  • The specification is heavily caveated and is effectively a checklist of what a company has in place. This can be useful for companies at that early stage of the compliance journey, especially for those struggling to standardise their approach across different corporate functions and territories. However, there are a number of other checklist guides that are already out there for free, such as the Transparency International guidance on best practice in adequate procedures. 
  • The new specification has not received any formal endorsement from the UK authorities. 

So, probably best to take the new specification at face value, and accept the limitations of peer-to-peer benchmarking within a wider due diligence process. This specification also offers value for companies seeking another tool for vetting their suppliers and categorising risks - but don’t forget that certification will be one single indicator amongst others – with its limitations.

Those seeking to ensure adequate procedures to prevent bribery should consider taking the time and investment for an independent review of their anti-bribery regime, addressing the hard-to-reach issues of behavioural risk, corporate values and ethical decision-making, as well as the policies and procedures themselves.

03 October 2011

“Our bank details have changed”… or have they?

The problem

“Dear Accounts Payable department,
Our bank details have changed to the following.  Please can you update your records.”

Although not new, the “change of supplier bank details” scam illustrated above is staging a comeback with large companies paying out large sums to the wrong people.  To avoid being the next victim, here are some simple precautions.

What to do

Check your procedure for dealing with these requests, some of which may be legitimate:

  • Do you phone the supplier using a number taken from their website, ideally speaking to someone you know and have known for some time, to confirm the details of the change?
  • Do you make a note of the call?
  • Does the resulting change to the supplier master file require a senior level of dual authorisation, eg the same as for authorising a BACS payment run? Are changes made reviewed and validated subsequently? (Don’t imagine that an instruction to pay funds to an account with an inconsistent account name will be picked up by your bank – it’s the sort codes and account numbers which determine where the money goes.)

Watch out for the giveaways:

  • Often the letter will include the invitation “in order to confirm this instruction, please call me on my direct dial number xxx” – this will be an unconnected rented line or accommodation office manned by the fraudsters;
  • Similarly, beware of supposedly confirmatory emails from almost identical email addresses, eg .com instead of .co.uk, or pricewaterhousecooper instead of pricewaterhousecoopers, which have been set up by the fraudster for that purpose;
  • Does the letter or email contain any errors? – it’s surprising how many typos can often be found;
  • Is the letter marked urgent or accompanied by pressuring phone calls, warning of the consequences if the change is not made straightaway?
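The giveaways above can be screened for automatically before a request reaches the person who makes the confirmation call. The following is an added example, not part of the original post: the function names, the short suffix list, the urgency wording and the supplier record and request text are all constructed assumptions.

```python
import re

# Assumption: a short suffix list stands in for the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ltd.uk"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|straight ?away|without delay)\b", re.I)
PHONE = re.compile(r"(?<![\d-])(?:\+44|0)[\d ]{9,13}")

# Constructed supplier master-file record and request text (not real data).
SUPPLIER = {"email_domain": "example-supplies.co.uk", "phone": "+44 20 7946 0123"}
REQUEST_BODY = (
    "Dear Accounts Payable department, our bank details have changed. "
    "This is urgent. In order to confirm this instruction, please call me "
    "on my direct dial number 020 7946 0999."
)


def split_domain(domain):
    """Split a domain into (name label, suffix), e.g. ('acme', 'co.uk')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Levenshtein distance, used to spot dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender, domain_on_file):
    """Compare the sender's domain with the one held on the supplier record."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain == domain_on_file.lower():
        return "match"
    name, suffix = split_domain(sender_domain)
    known_name, known_suffix = split_domain(domain_on_file)
    if name == known_name and suffix != known_suffix:
        return "lookalike_tld"      # eg .com instead of .co.uk
    if 0 < edit_distance(name, known_name) <= 2:
        return "lookalike_name"     # eg one letter dropped from the name
    return "unknown"


def normalise_phone(number):
    """Reduce a UK number to digits with a leading 0 so formats compare equal."""
    digits = re.sub(r"\D", "", number)
    return "0" + digits[2:] if digits.startswith("44") else digits


def review_change_request(sender, body, supplier):
    """Return a sorted list of warning flags for a bank-detail change request."""
    flags = set()
    verdict = classify_sender(sender, supplier["email_domain"])
    if verdict != "match":
        flags.add("sender_" + verdict)
    on_file = normalise_phone(supplier["phone"])
    if any(normalise_phone(m) != on_file for m in PHONE.findall(body)):
        flags.add("callback_number_not_on_file")
    if URGENCY.search(body):
        flags.add("urgency_pressure")
    return sorted(flags)
```

An empty list only means none of these giveaways fired; the confirmation call on a number you already hold and the dual authorisation of the master-file change still apply.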

Warn your staff:

  • Before sending these letters, the fraudsters will often make so-called “pretext” calls to your company to try and get information which will then be used to increase their chances of success. This includes asking for the names or direct telephone numbers of people in your accounts payable department, or the supplier reference number for a particular supplier. These calls may be prefaced by an innocuous call (eg asking to check the post code) through which the fraudster establishes in the mind of the victim that he or she does indeed work for the supplier; in this way, the next time they call they are more likely to be accepted as genuine;
  • Is your clean desk policy working in practice? If not, this is a far easier way for the important information above to be gathered;
  • Information is also gathered by fraudsters through Freedom of Information requests and via compulsory public sector disclosure requirements. Consider if you are disclosing more than you need to.

Finally, consider the “inside job”.  Is there anyone in your organisation who could create such a letter him/herself, and then arrange for a supplier’s bank details to be changed?  If so, that person probably has too much power.

The fraud above fails in 99% of cases, but when it works, it’s very lucrative.  Implementing the steps above will stop you being in the 1%.

13 June 2011

Cyber: the new face of fraud

As investigators we tend to be very good at keeping up with latest trends; indeed many of us remember when credit card fraud and internet scams were new. As with any new fraud scheme, it’s natural for us to adapt accordingly, responding with new controls, monitoring techniques, detection methods and so on.

But how many of us are truly aware of the fraud risks posed by the significant cyber threat? And for those who are, do they have the support of a cyber-savvy organisation and senior management?

The threat from cyber crime has increased dramatically for three important reasons. Firstly, the internet de-risks fraud for the perpetrators – they can be anywhere in the world and can easily mask their identity and location. Secondly, the internet has concentrated the targets. To do business today organisations have to be connected to the internet, thus all targets are conveniently concentrated in one place: cyber space. Thirdly, functional transferrable skills are concentrated and their development is encouraged. As if it wasn’t enough that cyber criminals became organised – hiring technical talent, implementing project management, performing quality reviews and so on – the virtual ethos has been augmented by physical concentrations, so-called “Silicon Valleys” of cyber crime (see How a Remote Town in Romania Has Become Cybercrime Central, Wired Magazine, February 2011).

Cyber criminals are operating in a perfect storm of opportunity, and we as fraud professionals need to up our game to meet and exceed their capabilities, skills and motivation.

To do this we need to convince our organisations that cyber crime is not just an IT or information security issue. We need to understand the nature of the threats. Is the greater threat from outside attack or from IT-literate employees stealing intellectual property? Are we more likely to suffer a network breach or be a victim of social engineering? We need to ask and answer these questions, and then achieve a balance of preventive, detective and responsive/investigative efforts.

It’s not easy; we can’t just unplug from the internet or ban the use of new technology. The business needs of the organisation will demand quick adoption of new technology, development of mobile applications, connection of unsecured devices and more. As fraud investigators we need to develop complete awareness of the situation and an unprecedented agility to respond.

The stakes are high. Press reports indicate that data breaches can cost companies hundreds of millions of dollars. The frauds against the European emissions trading registries were worth about €45 million, and that doesn’t include the impact of the spot trading market being shut down for a number of weeks.

Can you remember when it was rare to see headlines about events like these? How many have you seen this week?

To understand how cyber threats have increased in scale and sophistication – and the impact this can have on an organisation – the PwC Fraud Academy is hosting an event on 5 July 2011. Our information security team, cyber crime investigators and external guest speakers will discuss their views on cyber crime, the associated risks and methods for dealing with it.