Post No.: 0429
Let’s now look at some ways we can tackle fraud within an organisation, as promised at the end of Post No.: 0424…
Interventions that can get in between fraudsters and their criminal acts include internal organisational controls, industry-wide measures, and external societal or governmental laws and regulations. Whistleblowers play a major part in the fight too.
These approaches can be characterised by prevention (which is better than trying to catch or remedy a crime that’s already happened), detection (trying to find evidence of a crime that’s already happened) and correction (insurance or the mitigation of losses, punishments, and more importantly learning from any mistakes). These aim to reduce the probability of a fraudulent act being successful and make a crime not worth committing.
The costs of any internal controls need to be weighed against the benefits though – in any organisation, the budget to fight fraud won’t be unlimited and the economics still need to make sense. And any intervention must conform to the relevant laws and rights, such as employee privacy rights – although the law, or a clause in an employment contract, might allow an employer to check the electronic devices of its employees if there are reasonable grounds to suspect that an employee has purloined confidential company data, for instance. So check the relevant laws in your country, as well as the company’s employment contracts. Personal data should nonetheless be used fairly, lawfully and transparently, so make the purpose clear, and don’t keep the data longer than necessary.
The threat of getting caught is the main deterrent against fraud in the corporate environment. A deterrence or detection method only really needs to be perceived as being effective (e.g. having a security camera present is still quite effective even though it’s unlikely that a security guard will actually be reviewing every single minute of footage of every single day – this is essentially exploiting the ‘panopticon effect’, where you are incentivised to behave just in case you’re being watched). If fraudsters later find out that a method is ineffective, though, then it will stop working as a deterrent.
One of the most important ways to prevent fraud is the separation of duties, such as separating the authorising, executing, recording and safeguarding of a transaction between four different people, who are perhaps located in four different places. This will mean that no one will have the capability to commit a fraud (e.g. buy something personal by using the company’s funds) without colluding with others. If they do collude, though, frauds that involve collusion can be very difficult to detect. Some people might call this palaver ‘red tape’ or ‘bureaucratic’ but it helps to reduce the chances of fraud.
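One way to check that this separation actually holds in practice is to review a transaction log for anyone who performed more than one of the four duties on the same transaction. This is an added example, not part of the original post; the log layout, duty labels, transaction IDs and employee names are all constructed assumptions.

```python
from collections import defaultdict

# The four duties named in the post; the short labels are assumptions.
DUTIES = ("authorise", "execute", "record", "safeguard")

# Constructed sample log: (transaction_id, duty, employee)
SAMPLE_EVENTS = [
    ("PO-1001", "authorise", "asha"), ("PO-1001", "execute", "ben"),
    ("PO-1001", "record", "chloe"), ("PO-1001", "safeguard", "dev"),
    ("PO-1002", "authorise", "ben"), ("PO-1002", "execute", "ben"),
    ("PO-1002", "record", "chloe"), ("PO-1002", "safeguard", "dev"),
    ("PO-1003", "authorise", "asha"), ("PO-1003", "execute", "ben"),
    ("PO-1003", "safeguard", "dev"),
]

def sod_violations(events):
    """Return {transaction_id: [findings]} for transactions to be queried."""
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn, duty, employee in events:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r} on {txn}")
        by_txn[txn][employee].add(duty)

    findings = {}
    for txn, people in by_txn.items():
        issues = []
        # One person holding two or more duties defeats the control.
        for employee, held in sorted(people.items()):
            if len(held) > 1:
                names = ", ".join(d for d in DUTIES if d in held)
                issues.append(f"{employee} performed {names}")
        # A duty with nobody logged against it cannot be verified at all.
        covered = set().union(*people.values())
        missing = [d for d in DUTIES if d not in covered]
        if missing:
            issues.append("no one recorded for: " + ", ".join(missing))
        if issues:
            findings[txn] = issues
    return findings

if __name__ == "__main__":
    for txn, issues in sod_violations(SAMPLE_EVENTS).items():
        print(txn, "->", "; ".join(issues))
```

A flagged transaction is something to query, not proof of fraud, and this check cannot see collusion between different people.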
A system is only as strong as its weakest link though. For example, employees might not keep their passwords secure or might use predictable passwords. (It’s no longer surprising that when people think they’re being original, they’re likely not!)
Workers must also watch out for the email addresses of their bosses being spoofed, and for other increasingly used technologies or techniques that make it easier for criminals to fake messages sent to employees, such as instructions to wire funds to an account that apparently came from the boss but didn’t.
Using ‘big data’ or data mining to detect anomalies first means understanding what is ‘normal’ for your business. Any anomalies then need to be queried to see if there’s a legitimate reason behind them or whether they could be genuine mistakes; if not, then they could indicate evidence of a fraudulent act.
Analyses based on Benford’s Law can work for many types of datasets because people who are committing fraud and trying to create false accounting entries will intuitively think that a ‘natural and random’ distribution of numbers will be roughly uniform. Their intuitions are likely to be wrong though!
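The following added example (not from the original post) shows a first-digit Benford test: it compares how often each leading digit 1 to 9 appears in a ledger against the Benford frequencies log10(1 + 1/d), using a chi-square statistic. Both ledgers are constructed for the demonstration, and the function names and the 5% threshold are assumptions of this example.

```python
import math
import random
from collections import Counter

# Benford's Law: P(first digit = d) = log10(1 + 1/d), d = 1..9
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL = 15.507  # chi-square, 8 degrees of freedom, 5% significance

def first_digit(amount):
    """Leading non-zero digit of an amount, ignoring sign and scale."""
    return int(f"{abs(amount):.6e}"[0])  # 4215.0 -> '4.215000e+03' -> 4

def benford_chi2(amounts):
    """Chi-square distance between observed first digits and Benford's Law."""
    digits = [first_digit(a) for a in amounts if a]  # zero has no first digit
    n = len(digits)
    if n < 100:
        raise ValueError("too few entries for a meaningful first-digit test")
    observed = Counter(digits)
    return sum((observed[d] - n * p) ** 2 / (n * p) for d, p in BENFORD.items())

def needs_query(amounts):
    """True when the ledger deviates enough from Benford to be worth querying."""
    return benford_chi2(amounts) > CHI2_CRITICAL

def constructed_ledgers(n=2000, seed=429):
    """Two constructed ledgers (not real data) for the demonstration."""
    # Stand-in for genuine entries: amounts spread evenly on a log scale
    # from 10 to 100,000, i.e. across four orders of magnitude.
    genuine = [round(10 ** (1 + 4 * i / n), 2) for i in range(n)]
    # Stand-in for invented entries: the forger picks 'random-looking'
    # amounts uniformly between 100 and 999.99, so every first digit is
    # about equally common.
    rng = random.Random(seed)
    invented = [round(rng.uniform(100, 999.99), 2) for _ in range(n)]
    return genuine, invented

if __name__ == "__main__":
    for name, ledger in zip(("genuine", "invented"), constructed_ledgers()):
        print(f"{name:9s} chi2={benford_chi2(ledger):8.1f} query={needs_query(ledger)}")
```

The test only suits figures that span several orders of magnitude; amounts capped by an approval limit or fixed price list will deviate from Benford for legitimate reasons, so a high statistic is a prompt to query rather than evidence of fraud.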
It’s not just about looking at the numbers – emails and other textual evidence are useful too because lots of frauds involve more than one person, such as when they involve kickbacks or price-fixing, and these people will be communicating with each other about it. The automated data mining of digital sources can therefore also involve looking for certain keywords that are used more frequently than expected (e.g. ‘write off’, ‘adjust’, ‘just this once’). This exercise should be carried out in conjunction with human analyses and non-digital sources.
Sources of data can come from internal organisational sources, as well as from public and other sources – including social media if someone shows off their unexplained wealth, the criminal records of employees (which might not have been disclosed on their application forms) and data from electronic devices, even if the user has attempted to delete it.
One problem with disclosing these techniques for detection though is that fraudsters can learn to account for them to conceal their tracks better(!) (This is just like how disclosing the algorithm of a search engine page ranking system can allow webpage creators to game the system through search engine optimisation! It’s supposed to be about relevant and quality content but most of the time it’s about who plays the system the best.) On the other paw, in this context, it might demonstrate to a potential fraudster that it’s not worth thinking that one can get away with it. Woof!
Internal controls to fight fraud have a problem of being able to be internally overridden by management-level staff or by those whom they instruct to do these things. And again data analyses can be defeated if people learn about their algorithms. Although anti-fraud strategies are advancing all of the time, so are the strategies that criminals use. Determined and capable people will figure out ways to defeat the system.
Therefore whistleblowers are incredibly valuable – in fact, most frauds are first detected via tips provided by whistleblowers. External audits actually rank quite lowly, although they shouldn’t – auditors are often buttered-up and charmed with fancy dinners and gifts, clients will make themselves appear like personal friends with them, and they are often swayed by the stock prices, the opinions of Wall Street analysts, the banks, the law firms and the media when assessing the reputation of a firm. But, year upon year, numerous high-profile examples of how trusted, and sometimes long-established, giant corporations or financiers have been committing serious frauds behind the scenes are exposed. Some caught fraudsters will argue that auditors should give up their six-figure deals to prevent the eight-figure frauds.
It’s therefore vital to emphasise that being vigilant of and reporting suspected fraud is a part of everyone’s job responsibility within an organisation. Involve your clients, vendors and other stakeholders in your reporting program too i.e. make the fraud reporting system available to the public, not just internally – in fact, let anyone be able to report any kind of violation, be it fraud, sexual harassment or whatever, to your organisation.
If a fraud is in progress, someone else will likely be aware of it or have their suspicions. However, it can be an incredibly dilemmatic and stressful situation for a furry whistleblower. Whistleblowers may at first get ignored or ridiculed for accusing a respected member of the business community, and they may fear for their own safety for challenging any rich and powerful figures. And rather than self-regulation leading to people who do the right thing getting rewarded within their industries – whistleblowers will frequently lose their jobs and will tend to get ostracised by their co-workers and community. (It’s kind of like if a footballer is honest about diving in the penalty box and foregoes a penalty kick that would’ve rescued the match for his/her team – his/her teammates and fans might actually hate rather than praise him/her for it. They’ll ask, “Whose side are you on?”) Doing the right thing isn’t always rewarded from the inside, whilst doing the wrong thing is often rewarded within a colluding group or cartel. Whistleblowers are therefore generally incredibly brave people.
This is why it’s crucial to protect whistleblowers and informants and to provide a safe and confidential mechanism and procedure for reporting suspected inappropriate behaviour. Allegations must be investigated seriously and there must be no retaliation against whistleblowers (which will likely be illegal anyway) and, if allowed by law, their anonymity must be preserved. If all of these protections are in place – to not report a fraud (or harassment of a colleague, etc.) should then, strongly arguably, be considered cowardly.
A person who is ‘just following orders’ is culpable too if they know or should know that what they’re being told to do is wrong, even if they do it ‘just this once’. Whistleblowing is preferable to going to prison, so if you’re about to do something that you’ll dread the scrutiny of – reconsider it and ask for independent advice.
The nature of fraud will be different for different organisations, hence a fraud policy should be customised for each organisation (e.g. are gifts acceptable from vendors?). Provide examples of potential red flag behaviours to watch out for (e.g. a person blocking access to files without a good reason, the lack of delegation in a specific area). Describe the process for reporting suspected fraud and protect any whistleblowers, who must also be able to report a suspected fraud to anyone, not just to their supervisors (who might be in on it), and must have a right to remain anonymous and not be retaliated against. Underline that offenders will be punished if found guilty. And make it crystal clear that anti-fraud measures are in place and will be enforced at all times.
…The posts in this blog get first drafted usually several months before being published and, coincidentally, there’s just been another publicised leak of papers revealing how rife the business of global money laundering, tax evasion and financial crime in general is. There were the 2014 Luxembourg Leaks, 2015 Swiss Leaks, 2016 Panama Papers, 2017 Paradise Papers, and now the 2020 FinCEN Files. These exposés are almost becoming so common that these stories no longer stay in the main headlines for long (although a lot of other stuff has been currently happening too!)
Numerous big banks and other financial service companies appear to just help the criminals too. They frequently fail to act, either in good time or at all, even when they’re informed or they themselves report that some activity is potentially fraudulent. Then these banks respond with statements along the lines of, “We take tackling fraud seriously blah blah blah”, which is just as bad as when politicians make empty placating statements that don’t match their actions.
Well there’s a conflict of interest – these banks want these wealthy individuals and organisations to put their money into their systems and use their services because this helps these banks to make their money, but then they somehow have to refuse it if it’s dirty. They might get instantly heavy on their poorer clients but not their richest and most profitable clients. (It’s like social media corporations want as many users and advertisers on their platforms as possible because this helps them to generate more revenue, but then they somehow have to refuse them if it feeds hate speech or lies.) Whenever behaving morally conflicts with maximising profits, there’s always a hesitancy to act to do the right thing. It needs strong, independent regulators to separate these interests i.e. ‘you try to make as much money as you can, and we’ll judge if your activity is criminal’.
The UK essentially helps finance global crime and terror too. British overseas territories such as the British Virgin Islands and Cayman Islands help facilitate worldwide money laundering by offering criminals banking secrecy. UK company law and lax enforcement have also for a long time helped criminals hide behind effective anonymity (although reforms are currently proposed).
…Anyway, if you run an organisation, whether big or small, I hope this information empowers you in the fight against fraud. And for any whistleblowers out there – I salute you.