A race against crime

Fraud investigation is like travelling in a taxi stuck in a traffic jam. The longer you delay it, the greater the price and the less chance you have of meeting your destination in any sensible time. That is the metaphor used by Ken Farrow, the former head of economic crime at the City of London Police and now a director at Control Risks, the investigative company. In today's unstable economic environment, companies are advised to mount investigations quickly and thoroughly, before the crook has fled with the evidence.

They are also advised to look in new crannies of the organisation. For today's turmoil is not just exposing large frauds, it is exposing them in unexpected places. Survival strategies in today's untested waters are increasingly testing the boundaries of probity.

Ironically, at the point when the risk is greatest, the pressure on spending on compliance is most intense. Richard Parlour, managing director of the UK-based Financial Markets Law International, says: "A lot of people are spending less time and effort on due diligence and they are sitting on a big risk pile. Now is a fantastic time for fraudsters and launderers because people aren't coming up with the money for due diligence."

The price of delaying an investigation is best demonstrated by the extraordinary Madoff fraud. This was an exceptional event in the sense that he ran his own company and could thus control the investigatory and compliance procedures. But this $65 billion ponzi scheme is believed to have lasted for no less than 40 years and defrauded a host of wealthy and sophisticated investors. The alleged fraud that has been perpetrated by Allen Stanford's organisation in Houston and Antigua has also extended over a long period. The more typical fraud in a financial institution is likely to be intercepted rather more quickly, but the damage to clients and staff still has the potential to devastate a firm.

Reluctance to put a transaction or suspicious event under scrutiny is motivated by fear of reputational damage. Frauds are relatively rare events and companies simply may not have the tools to spot it quickly. When they do start to sniff something bad, there will be some time before a manager takes it in hand. Farrow identifies a number of stages. "There is first a period of disbelief. Somebody low down the pecking order thinks that something does not look right but that individual is frightened to speak out initially and does two or three checks before they tell the supervisor. The supervisor does the same thing because he doesn't want to look a fool, raising a red flag and that he is barking up the wrong tree. It's like getting into a taxi, from the moment of discovery to the moment of reaction, the journey gets more expensive because you are losing ground all the time. The message to organisations is 'if you spot it, go for it straight away, encourage your staff to speak out. Put it under the microscope at the earliest opportunity and let's begin an investigation.'"

Parlour puts the reluctance to investigate a fraud in colourful terms. "Firms can be like virgins who are reluctant to take the plunge," he says. "Many need to be guided by a consultant to the point where they accept that there is a problem."

The speedy interception of a fraud is particularly critical in the financial services area, says Farrow, because of the power of electronic funds transfer. "Fraudsters are prepared to move large amounts of money in a split second. A banking institution's risk profile as far as fraud is concerned is much higher than the run-of-the-mill manufacturing operation because of the scale of its liquidity."

Retrieval of data is also assisted by the early investigation of a fraud. Farrow says: "It is very hard to bury something totally. There is usually an audit trail somewhere. One of the first courses of action is to freeze and get an image to copy of the relevant server controlling that account or that area of the operation, so you can say, that was the position on discovery. Look at that and compare it with earlier backup copies of data and let's see where the changes have occurred. You still get documentary frauds, where a document causes an authorisation to occur. If that goes missing or gets destroyed by the criminal, it will never be recovered. That's evidence lost."

As evidence of fraud accumulates, pressure to report to a law enforcement authority grows. Here, observers see a marked shift in attitudes since the onset of the financial crisis. Banks that were once reluctant to take the risk of reputational damage are now persuaded to come clean quicker to state bodies, for fear of premature disclosure or later censure. This reflects the new environment of transparency and public interest prompted by government involvement in the equity of financial institutions. John Smart, the head of fraud investigations and disputer services at Ernst & Young in London, says: "We are seeing a trend to voluntary disclosure. This may even take place during the course of the investigation so that the regulator appreciates that the issue is going to be investigated thoroughly on a collaborative basis. The bank wants the regulator to accept the investigative method." This is confirmed by Parlour: "We are going to see a sea change in attitude. So many banks are owned by the public, a lot of the competitive edge has diminished. The fear of having taken part in a concealment or a cover-up just won't be worth the risk of non-disclosure. If it was something major, and you have the FSA crawling all over it, you'll be for the absolute high jump if you haven't made some active response to it, to protect the assets of the bank."

Public investigative agencies support this shift. The UK's Serious Fraud Office (SFO), for example, wants to get involved in internal investigations. "We want to be proactive rather than reactive," says Sam Jaffa, spokesman for the SFO. Richard Alderman, director of the SFO, told a private meeting held by KPMG recently that he wanted to "change the previous business model where the SFO would wait until reports of crimes reached us (often some years after the event). This reactive model may well have worked in a different environment, but I was absolutely clear that it was not the right model for the contemporary SFO. The model needed is very different and needs to be proactive." Alderman went on to say that the SFO had begun an investigation of the hedge fund sector. He said: "We have been asking about areas of risk that are being uncovered as a result of financial turmoil and the opportunities for new frauds in the environment in which we find ourselves."

Smart has already seen evidence for this change of business model. "Law enforcement is becoming more business-friendly. They try and act in co-operation with financial institutions, investigators and lawyers. They have perceived that simply acting as a prosecutor, rather than to assist the institution in recovering funds, is not a helpful position. They are trying to be collaborative in the way they approach institutions."

Fraud investigations are beset by legal as well as regulatory pressures. For example, the hunt for data and evidence must comply with a growing body of data protection legislation. Ernst & Young advises paying particular attention to national law. "If you are looking at the parties connected to a particular fraud, one of the key techniques is to look at email traffic and laptop information from the potential parties. In some countries, you have to get consent before you are allowed to look at those laptops. If you are trying to do this without tipping off the fraudsters, that can cause great difficulty. It varies depending on which international jurisdiction you are in. There are quite severe penalties if you fall foul of the legislation in Russia, for example. It protects the rights of the individual and of the employee, but it doesn't help your investigation get to a speedy conclusion.'

Data protection also affects the systems and data banks devised by financial institutions to create warning systems against fraud. Some banks use systems that collate global data about convicted criminals and current scams. These provide bank branches in different countries with advance notice of current problems. However, such systems may fall foul of data protection and privacy laws. Brad Massam, a director at Ernst & Young's fraud investigations and disputes services, says: "In some countries, you can't collect an individual's personal data, which includes banking data. Most banks have outsourced a bunch of their IT functions, which might include sensitive data. If you outsource it outside the country, you can be guilty of breaking the law in that country. That is true in European countries and Latin America. It is particularly true in France and Switzerland, which have very strong data privacy laws."

Organisational factors can present further hurdles to the launch of a full-scale investigation. These may arise long before it has reached the disclosure point. For example, the report of a fraud will need to be escalated up the compliance ladder. But there is a risk that a manager may thwart its progress for fear that an employee that makes lots of money for the firm will be identified as a culprit. Jack Blum, a Washington attorney, says: "There is a high risk that the junior compliance officer will be neutralised by a manager who sees his bonus threatened."

Blum recounts an occasion when an internal auditor found that a unit of the company was laundering money for some drug dealers in Miami. "He raised hell, he said we have to do something. The boss said, we're not going to do something. The upshot of his heroic efforts was that he was fired and blacklisted. He could not get a job in the securities industry. How do you do business in an environment like that. Once something like that happens, nobody wants to raise his head above the surface, because the minute you do so, you're dead meat." The compliance and internal policing of a firm is secured by the support of state agencies, says Blum. "What stiffens the back of internal auditors is when there are regulators who are on the job and say, you can't do that kind of thing, or we'll come after you. Unless the regulators are on the beat and doing what they're supposed to be doing, it won't happen."

Parlour recalls how a compliance officer was threatened in a European financial organisation based in London. He was concerned that "if he didn't report, the cops might be following the trail and told him he should have reported it. The boss says, it's your problem, you do the reporting. The compliance officer says I didn't. The boss says you did nothing of the sort."

The process of uncovering suspicious activity, leading to investigation, has been greatly aided by the passing of legislation to support whistle-blowing in many jurisdictions. However, employee enthusiasm for the system varies greatly according to culture and practice. Smart says: "Whistle-blowing works well in Anglo-Saxon countries. But in other places it is much less well accepted. That includes many western European countries where there is a cultural issue with squealing on your neighbour or your fellow worker. This was because of the problems in the Cold War and during the Second World War." He reports that a major financial institution established a whistle-blowing policy and had a third-party vendor to monitor it. The results were very patchy. "There was no whistle-blowing outside the US and UK sphere of operations. They couldn't understand why that was the case. It was a cultural issue, the employees were uncomfortable with blowing the whistle on their supervisors."

Patchy systems of compliance are likely to be tested as never before as economic winds put institutions under unprecedented economic pressures. Dean White, a managing director at London-based Marsh, the consulting organisation, says fraud will hit, "at the point when you are weakest to protect yourself. In today's markets, where margins are squeezed, if you rely solely on the accidental discovery of claims, Murphy's law says it will come at the point when you don't have the financial resources to survive it. We urge clients not to reduce their risk management expenditure, or their focus on good ethics, good compliance, and transparency hiring and firing policies. In a recession, this is one of the last areas you should reduce spending on. It is more important that employees think like owners, recognise that a failure to report a suspicion, an unawareness of what fraud is, and the effects on the company. They need that level of knowledge and they need the procedures that facilitate reporting suspicions."

Companies that think they are doing the right thing for the bottom line by cutting costs may also be doing the worst thing from a fraud perspective. Employers who slash layers of management in a bid to cut costs may be undermining their systems for reporting suspicions. The supervision by one employee of another is the best way to maintain probity, so when one employee is taken out of the system in a cost-cutting exercise, the entire control function may be undermined. Smart of Ernst & Young says: "Through cost-cutting in the back office, the number of management involved in authorising transactions and so the number of people you have in your circle of influence has decreased, so the opportunity for fraud has increased, because you only have two or three people within an authorisation chain. You can exercise influence."

The impact of a cost-cutting exercise can create weaknesses in areas as diverse as the computer system, the control of passwords, the checking of documentation procedures for the authorisation of payments and the financial reconciliation structures. The person best suited to exploit such a weakness is the internal manager. White says employers expect the employee or manager to have noted the weakness, even if he did not deliberately introduce the weakness for the purpose of a fraud. The once efficient and diligent employee can no longer be trusted to be honest as he realises he cannot deliver on targets.

Smart describes the situation: "If you are a chief financial officer of a subsidiary business and your profits are going south and you want to maintain the appearance of being profitable, you may be tempted to fabricate transactions."

The motivation of the recessionary fraudster is survival rather than a necessary enrichment, but the techniques match those of the determined fraudster. Smart says: "They may not be out-and-out fraudsters, like the potential criminal or organised criminal, but they are looking at the survivability of a firm they have built up over 20 years. As a result, the odd invoice gets inflated or the quality control on the product that's delivered is slightly compromised. They may view themselves as the corporate saviour, but they might stray into that fraudulent activity that could have an impact on a financial institution."

Knowledge of loopholes and grey areas in a firm's anti-fraud systems enable them to perpetrate and maintain a fraud. They may have had responsibility for implementing the systems, so they have a unique ability to subvert them. Marsh's White says: "You know the control environment, you know how it operates, you're 50 years' old, your pension fund has shrunk, you're thinking, 'I have the opportunity.' The natural human reaction is fight or flight. A lot of people facing that situation, where job prospects are not good, where there are serious issues with lifestyle, is to exploit the control weaknesses that they know exist."

Those organisations that do not batten down their hatches with tight anti-fraud controls risk the stability of their organisations. Something that was merely a weakness in the good times could deliver a fatal blow as recession deepens.