Whistleblowers: a path to combatting fraud
While whistleblowing laws and initiatives might differ from country to country, whistleblowers in the financial industry are now well recognized and have gained international attention. Here we analyse the steps taken in the USA to strengthen whistleblowing procedures and practices.
Recent allegations of impropriety on several levels have rekindled whistleblowers as a mechanism for identifying wrongdoing. In the Financial Services sector, corporate citizens have an incentive to ferret out malfeasance: the whistleblower program, formally created as a result of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) enacted in July 2010. The Office of the Whistleblower, established under the aegis of the Securities and Exchange Commission (SEC), administers the whistleblower program. The program provides monetary awards to individuals who deliver information that leads to a “Commission enforcement action in which over $1,000,000 in sanctions is ordered. The range for awards is between 10% and 30% of the money collected.”
That reward money is significant. For example, from 2011-2015, 34 individuals were awarded nearly $111 million. In 2016, 13 individuals collected $57 million, and the SEC assessed penalties of $4 billion. A six-figure check is a promising inducement for employees, but there are strings attached. First, the information provided must be original (i.e., not available in public sources). Second, it cannot have been previously disclosed to the SEC by anyone else. Further, it must be provided by a true whistleblower, as there is a distinction between a whistleblower and a cooperating witness. A whistleblower observes wrongdoing and reports it to the SEC. A cooperating witness, by contrast, is accused by government authorities of committing a fraud and encouraged (often through a promise of leniency) to identify other culprits.
The scope of information the SEC seeks from whistleblowers is broad, including a range of activities, such as Ponzi schemes (such as that of Bernard Madoff), improper payments to foreign officials, fraud and insider trading. And the whistleblower is protected. The SEC can bring an enforcement action against a company if there is evidence of retaliation against the whistleblower. In addition, “the SEC is concentrating its efforts on so-called ‘gatekeepers’—accountants, in-house lawyers and board members—whom the agency will seek to hold responsible should the facts show that they turned a blind eye to potential fraud,” says Scott Schirick, a partner at Pryor Cashman LLP, who specializes in white collar and securities defense matters.
The monetary cost of fraud is massive. Some estimates are that it runs around 5% of revenue of affected companies. Unfortunately, many companies lose much more. Costs to companies do not stop at monetary damage. Reputational costs may be even greater. As Warren Buffet noted, “If you lose money for the firm, I will be understanding. If you lose reputation, I will be ruthless.” There are many examples of fraud. For example, high profile examples of accounting fraud include Enron and Halliburton. Insider trading is another example, and can hit public companies and investment managers alike. The Galleon hedge fund fraud implicated Goldman Sachs, whose board member, Rajat Gupta, spent two years in federal prison whereas the fund’s founder, Raj Rajaratnam is still serving an eleven-year sentence, the longest-ever for insider trading.
All companies have exposure risks when it comes to fraud. Whistleblowers are more likely to step forward in large, public, well-known companies, where the risk to the company is both financial and reputational. Although small, private companies have less influence over financial services, and therefore are not subject to SEC scrutiny, they are also vulnerable to employee wrongdoing. The nature of the close relationship between management and employees tends to foster trust, so systems to uncover misconduct may be more lax. Individuals who discover fraud or wrongdoing in small, private companies have recourse and may report it or bring suit under the 2002 Sarbanes-Oxley law.
When fraud occurs, media headlines may take large companies to task, but in reality, those companies comprise individuals—the actual perpetrators, who of course make the choice to commit fraud. It is important to understand the backdrop for fraud in order to help prevent it. Fraud is grounded in pressure, opportunity, and justification. For example, an employee may be under financial pressure from high personal or family expenses. Weak accounting or other systems at a company present an opportunity that an employee under pressure can easily exploit. And finally an employee who was wrongfully reprimanded may feel justified in stealing.
Fraud also comes in many forms, not just simply stealing or embezzling money. It can range from a manager seeking a larger bonus who inflates orders to substantiate income, to an employee eager to curry favor with the boss turns a blind eye to blatant wrongdoing. Or a major division manipulates results to show greater profitability in order to be rewarded with a much higher budget next year. It could be the chief executive officer, under pressure to post results to impress shareholders, who manipulates the company’s stock. Or an investment manager, seeking an edge in an increasingly competitive performance environment, may obtain and act on non-public information.
Fraud is inherently expensive, and preventing it should be on every company’s radar. There are some key things that Corporations may follow to combat fraud.
Set Up a Whistleblower Policy
Because 50% of the tips to the SEC come from internal staff (nearly 40% of all discovered frauds are uncovered by whistleblowers) companies need an established policy, accompanied by training on how it works. It should protect the whistleblower from retaliation, and offer information on dealing with legal issues that could arise. Reporting mechanisms must be clear and easy to access—whether in form of a website or a dedicated hotline. Likewise, whistleblowers should be assured of anonymity, and a clear follow-up protocol is needed, including a case-management system to track and report investigations and actions.
Set a Strong, Ethical Tone and Lead by Example
Companies can help further protect themselves by setting the right tone at the top of the organization. An employee observing management committing fraud or skating close to the ethical edge may feel justified in engaging in criminal behavior too. Management should set and abides by firm ethical guidelines, and instill employees with a principled example to follow.
Set a Culture of Compliance
Management should also creating a culture of compliance—setting an expectation for employees to do what is right. That means employees understand management’s ethos, and that given the choice between following rules or generating profits, the rules will prevail. A culture of compliance also includes clearly defined roles and responsibilities, as well as dedicated and adequate resources.
Allocate Resources to Compliance
Many companies readily fund revenue-generating activities, but may be reluctant to bear the cost of properly staffing the compliance function. That failure can result in overlapping responsibilities, such as a single individual serving as both the head of loan operations and overseeing regulation—a perfect storm for fraud. However, it is important to find a balance between having enough rules to deter bad behavior and creating so many rules that employees chafe under their weight. This is especially important for small companies with limited staffing or resources.
Ensure Effective Compliance
First and foremost: have reliable data—regular reports can unearth irregularities before they gain momentum and swell into a major fraud. If data is scant, it will be tougher to provide senior management with the information needed to uncover problems. Banks, for example, are subject to the Bank Secrecy Act of 1970 (BSA), requiring them to certify that their anti-money laundering (AML) systems are adequate. “A financial institution’s BSA/AML compliance program consists of five pillars,” explains Joseph Chisolm, partner in Mazars USA’s Risk and Compliance practice, “and companies must adhere to these rules or incur substantial fines.” These pillars encompass written procedures for ensuring compliance; performing independent testing to uncover deficiencies and impose corrective action to address them; designating individuals to manage the compliance process; and training for appropriate personnel. The final pillar, mandated under the FinCEN CDD Rules, implemented in May 2016, incorporates customer identification and verification; beneficial ownership identification and verification; understanding customer relationships to determine a customer risk profile; and performing ongoing monitoring to report suspicious behavior.
Technology and data play important functions, too. Artificial intelligence deploys algorithms to pinpoint questionable activity and trends, such as suspicious credit card activity. It also can unmask abnormal behavior: implementing transactions on weekends when it would be highly unusual to do so, for example. Another data tool, e-discovery systems, mines email traffic and internal instant message systems to unearth those involved in misconduct and the nature of their communications and dialogue. These systems also can detect which vendors a suspected offender meets with and when, and oftentimes can be corroborated by corporate credit card activity. A company also can freeze all email traffic of a suspected individual to see what information was sent, and to whom and when, particularly poignant in the spate of recent sexual harassment allegations (these of course are not fraud).
Implement Other Fraud Deterrent Actions
Fraud prevention can be as simple as forcing employees to take time off. Requiring employees to take two consecutive weeks off out of the office each year is a good start. If employees know someone else will be examining work in their absence, they may think twice about doing something untoward. Segregate duties so that one individual cannot singlehandedly execute a transaction is a second step, for instance requiring multiple signatures for checks over a certain amount , or having the person who records the check be different from the one who sends it to the vendor.
In our ever-changing society, and as more avenues for fraud emerge, companies must develop more sophisticated ways to combat it. The first line of defense is performing risk assessment, having a dedicated compliance team, conducting employee training, and executing regular monitoring and testing. The whistleblower program recognizes that employees can play a vital role as well, giving those who have information on violations a safe way to report it. It behooves companies to seek professional guidance in building an adequate system of checks and balances, supported by cutting-edge technology and data, to root out fraud—and an effective whistleblower program to expose it. Of course, even with the best preventative policies, activities, checks and balances, fraud may and can still occur. The key is to take steps to prevent and detect it early.