Fraud360 issue 1 2016

Pre- or Post-employment Screening: Which is More Critical? PG. 14

ISSUE 1 2016

Is Technology a Double-edged Sword? PG. 25

Case Studies: Forged Documents, Due Diligence and Health Insurance Fraud PG. 28

SPECIAL MIDDLE EAST EDITION

Digging Deeper: The Importance of Vetting Third-Party Partners PG. 31

CRIGROUP.COM

BEST PRACTICES FOR

CROSS BORDER

INVESTIGATIONS PG. 18

Published by

Fraud and White-Collar Crime Investigations | Background Investigations | Business Intelligence | Corporate Security | Forensic Accounting | Investigative Due Diligence

Fraud 360 issue 5.indd 1

2/9/16 9:43 PM

Letter from the CEO When it Comes to Fraud Risk, Think Global Welcome to the latest edition of Fraud360. Once again, we present you with articles that examine best practices, resources and techniques aimed at helping you prevent and detect fraud. First, I am proud to announce that CRI Group is a platinum sponsor for the first-ever 2016 ACFE Middle East Fraud Conference, being held this month in Dubai. CRI Group is a natural fit for the conference as we have our headquarters here in Dubai, and if you are in attendance I invite you to meet us at the conference. You can read more about this exciting event on page 6. Our cover story, “Best Practices for Cross-Border Investigations,” provides an expert’s view at navigating the challenging waters of international fraud prevention. Drawing on scholarly articles from various studies on fraud, we’ve identified five best practices to help your company remain FCPA compliant and reduce risk when conducting business across borders. What does background screening mean to you? Does your company conduct checks, and if so, are they pre- or post-employment, or both? Check out “Pre- or Post-employment Screening: Which is More Critical?” for some insight into this critical tool for fraud risk management. Technology: We need it, we use it, and it has changed our lives and the way we do business. But like many things, it has a dark side. In “Is Technology a Double-edged sword?” we examine how companies are scrambling to improve their information security, and how businesses that fail to do so risk losing their customers’ trust, and face harm to their reputation. We also present case studies, the latest fraud news and other engaging articles to help you stay informed and educated on the anti-fraud front. As always, I invite you to reach out to us and tell us about the issues that are important to you. Just send us an email at Javeria@Fraud360.com. Fraud360 is your magazine. I hope you enjoy this edition, and thank you for reading.

Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI Chief Executive Officer of CRI Group

2 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 2

2/9/16 9:43 PM

Spotlights & Features Fraud360 | Issue 1 | 2016

SPECIAL MIDDLE EAST EDITION

18

14

25

18

Best Practices for Cross Border Investigations

Preparedness for investigations and management of vulnerabilities is critical for organizations seeking to maintain a global competitive advantage. Learn five best practices for risk management, investigations and FCPA compliance.

14

Pre- or Post-employment Screening: Which is More Critical?

28

Case Studies: Review of Conflicts of Interest, Pre-employment Screening and Due Diligence

31

Digging Deeper: The Importance of Vetting Third-Party Partners An Interview with Zafar I. Anjum, CEO of CRI Group

25

Is Technology a Doubleedged Sword?

CRIGROUP.COM | 3 Fraud 360 issue 5.indd 3

2/9/16 9:43 PM

SUBSCRIPTIONS To subscribe to Fraud360, please email us at info@Fraud360.com. Or contact one of our worldwide locations directly.

Fraud360 is created for business leaders, directors, investors and professionals who need the latest information and best practices for protecting their assets from fraud. Presenting practical tools, case studies, and articles focused on fraud prevention and detection, Fraud360 provides an insightful look at the issues impacting businesses worldwide. Fraud360 is published by Corporate Research and Investigations, LLC. (CRI Group).

WORLDWIDE LOCATIONS MIDDLE EAST & NORTH AFRICA

Dubai CRI Group Corporate Headquarters Level 9, #917, Liberty House, DIFC P.O. Box 111794 Dubai, UAE Tel: +971-4-3589884 Fax: +971 4 3589094 Email: cridxb@CRIGroup.com Web: CRIGroup.com Abu Dhabi Office No: 3509, 35th Floor Al Maqam Tower, ADGM Square Al Maryah Island, Abu Dhabi, UAE Tel: +971 2 4187568 Email: abudhabi@CRIGroup.com

Qatar QFC Branch Office No. 130, 1st Floor Al – Jaidah Square, 63 Airport Road P.O. Box 24369 Doha, Qatar Mobile: +974 7406 6572 Tel: +974 4426 7339 Email: doha@CRIGroup.com

EUROPE

London EMEA Head Office Level 37 1 Canada Square London E14 5AA, United Kingdom Tel: +44 207 712 1626 or +44 203 4782449 Email: london@CRIGroup.com

NORTH AMERICA

New York 445 Park Avenue 9th Floor – Suite 957 New York, NY 10022 United States of America Tel: +1 (212) 745-1148 Email: newyork@CRIGroup.com

ASIA

Pakistan Level 12, #1210, 1211 55-B, Islamabad Stock Exchange (ISE) Towers Jinnah Avenue, Blue Area Islamabad, Pakistan Tel: +92 51 111 888 400 Toll Free: 0800 00 CRI (274) Email: pakistan@CRIGroup.com

ADVERTISE WITH US To advertise with us, please send an email to Javeria@Fraud360.com. Space is available for our printed magazine as well as our email newsletter, Fraud360 News Brief International. Contact us today for more information.

EDITORIAL For editorial inquiries, questions and comments, please email us at Javeria@Fraud360.com. Fraud360 is published by Corporate Research and Investigations LLC: Global Headquarters Level 9, #917, Liberty House DIFC, P.O. Box 111794 Dubai, UAE Tel: +971-4-3589884 Fax: +971 4 3589094 © 2016 Corporate Research and Investigations, LLC. Copyright is reserved throughout. Although Fraud360 may be quoted with proper attribution, no part of this publication may be reproduced without the express written permission of the publisher. Contributions are invited but copies of all work should be kept as Fraud360 can accept no responsibility for loss. The views expressed in Fraud360 are those of the authors and might not reflect the official policies of CRI Group.

Singapore 1 Raffles Place, #19-61, Tower 2 One Raffles Place Singapore 048616 Tel: +65 6808 5634(35)(36) Email: singapore@CRIGroup.com Hong Kong Rooms 05-15, 13A/F, South Tower World Finance Centre, Harbour City 17 Canton Road Tsim Sha Tsui Kowloon, Hong Kong Tel: 852-2208-6064 Email : CRI.hongkong@CRIGroup.com Malaysia Lot 2-2, Level 2, Tower B, The Troika, 19 Persiaran KLCC,M 50450 Kuala Lumpur, Malaysia

4 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 4

2/9/16 9:43 PM

About CRI Group Corporate Research and Investigations, LLC (CRI Group) is a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organizations. A licensed and incorporated entity of the Dubai International Financial Centre (DIFC), CRI safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business.

Connect with us on the web via your mobile device or social media. LinkedIn Facebook Twitter Blog: FraudInsider.com

Certifications

CRIGROUP.COM | 5 Fraud 360 issue 5.indd 5

2/9/16 9:43 PM

News & Media Upcoming Events Find CRI Group at the following events around the globe in 2016: 2016 ACFE Middle East Fraud Conference Platinum Sponsor Atlantis, the Palm Dubai | February 14-15, 2016

27th Annual ACFE Global Fraud Conference Gold Sponsor ARIA Las Vegas, NV | June 12-17, 2016

CRI Group is Platinum Sponsor of the 2016 ACFE Middle East Fraud Conference this February in Dubai CRI Group is proud to be a Platinum Sponsor of the upcoming 2016 ACFE Middle East Fraud Conference, Feb. 14-15, 2016 in Dubai. More than 300 anti-fraud professionals will gather under the kind patronage of His Highness Sheikh Maktoum Bin Mohammed Bin Rashid Al Maktoum, the Deputy Ruler of Dubai and Chairman of FAD, at the conference hosted by the Financial Audit Department of Dubai. The event will be held at Atlantis, the Palm in Dubai. Attendees to the Middle East Fraud Conference will: • Learn the latest trends in fraud prevention, detection and deterrence during interactive sessions, educational workshops and an informative panel discussion • Meet with high-ranking and reputable speakers from leading organizations in the Middle East • Gain insights to best practices and learn about cutting-edge tools and techniques to detect fraud • Forge strong alliances with new and existing contacts who share similar challenges and goals Featured speakers include Bruce Dorris, J.D., CFE, CVA , vice president and program director for the Association of

Certified Fraud Examiners (ACFE); Prof. Dr. Marco Gercke, director, Cybercrime Research Institute; Jeffrey Robinson, author and international expert on organized crime and fraud; and Hamed Kazim, CEO, HK Consulting (United Arab Emirates). CRI Group’s CEO Zafar I. Anjum, CFE, said that his company eagerly embraced the opportunity to be a Platinum Sponsor at the Middle East Fraud Conference. CRI Group’s world headquarters is located in Dubai. “This opportunity for training and sharing best practices for fighting fraud is unmatched in the Middle East,” Anjum said. “We look forward to meeting attendees personally at the conference, discussing their challenges and how we can work together to prevent and detect more fraud — not just in the Middle East, but around the world.” The host of the conference, the FAD, conducts regular financial audits, information systems audits and performance audits for ascertaining the extent of legality, adequacy of financial prudency and management of financial operations. The objectives include reviewing of efficiency, effectiveness and economy in planning, directing, execution, controlling and monitoring of operations.

6 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 6

2/9/16 9:43 PM

CRI Group Earns BSI Certification for Security Checks CRI Group has become the first investigative research company in the Middle East to receive the BS 7858:2012 certification for security checks from internationally recognized training and certification body BSI. The certification recognizes CRI Group’s expertise in screening services including identity Zafar I. Anjum, CRI Group’s president and CEO, receives the official BSI certification from Mr. Ahmad checks, financial Al Khatib, General Manager for Assurance and Testing. checks, employment checks and and safety of people, goods or property is a criminal records checks, as follows: requirement of the employing organization’s • Identity checks. ID confirmation, five years operations, or where such security screening address history, right to work check, charis in the public interest.” The certification proacter references, SIA (UK)/Relevant Licence cess includes a rigorous audit and inspection check (if applicable). of CRI Group’s quality management systems. • Financial checks. Bankruptcy / Insolvency Zafar I. Anjum, CRI Group’s president and / IVA, CCJ (Up to £10,000) for UK, Regional CEO, said that the being the first investigative Trial Courts (outside UK), credit score. firm in the Middle East to earn BS 7858:2012 • Employment checks. Five or 10 years is a point of pride for the company. The employment history, gap referencing (more certification demonstrates the firm’s commitin-depth and extended to 31 days). ment to “providing the highest standards and • Criminal records. Basic disclosure, local delivery of professional background screentrial court record. ing services.” Founded in 1901, BSI (also known as British Standards Institution) is the UK national standards body that works with thousands of organizations in more than 150 countries. BSI is accredited by 20 local and international bodies. BSI’s security checks certification recognizes CRI Group’s capabilities “regarding the background screening (vetting) of individuals employed in an environment where the security

“CRI Group has always provided the highest level of professional security checks, and we frequently conduct background screening investigations in geographic regions not serviced or accessible by larger investigative firms,” Zafar said. “Conducting thorough security checks is an important proactive measure to help keep any business safe.”

CRIGROUP.COM | 7 Fraud 360 issue 5.indd 7

2/9/16 9:43 PM

Fraud News Brief Is Sentiment Analysis Helping in the Fight Against Fraud? The way we write says a lot about our intentions. “Sentiment analysis” is predicated on the idea that writing — whether in an email, text or memo to a colleague, for example — can be generally defined in one of three ways: positive, negative or neutral. It uses algorithms that can scan large amounts of text, looking for keywords and measuring tone much more quickly, and efficiently, than could a person. The applications for this kind of technology are nearly endless. Companies can scan social media messages to learn what about their business or products is trending, whether it be in a negative or positive way. Marketers can measure keywords to discover buying tendencies and analyze their audience demographic.

Sentiment Analysis for Internal Use Employers can (and have) used it to monitor employees, including one case (cited by an article in Harvard Business Review) in which “semantic analysis identified a small team of salespeople in the middle of negotiating their defection to a competitor. The sentiment analytics software had identified both atypical frequency and vocabulary between the sales people and — more provocatively — radically different exchanges between the sales people and key accounts.” That last example should spark a light bulb in every fraud investigator’s head. When analyzing employees’ communication, there are keywords and language that can tip companies off that their employers are engaging in fraud. It can be an invaluable tool

that raises red flags, hopefully before a fraud scheme is so far developed that it is costly and crippling to the company.

History of Sentiment Analysis The concept isn’t all that new: The New York Times reported in 2009 on sentiment analysis and its potential. In “Mining the Web for Feelings, Not Facts,” Alex Wright explained: An emerging field known as sentiment analysis is taking shape around one of the computer world’s unexplored frontiers: translating the vagaries of human emotion into hard data. This is more than just an interesting programming exercise. For many businesses, online opinion has turned into a kind of virtual currency that can make or break a product in the marketplace. Yet many companies struggle to make sense of the caterwaul of complaints and compliments that now swirl around their products online. As sentiment analysis tools begin to take shape, they could not only help businesses improve their bottom lines, but also eventually transform the experience of searching for information online. Even back then, as the NYT reported, an industry was emerging and several companies were already offering subscription services to provide sentiment analysis – though it was geared chiefly toward companies measuring sentiment among buyers, not their own employees.

Test Case: Enron However, researchers have already been able to test sentiment analysis within the fraud realm in a backward-looking way. Using Enron emails (that were made public during the scandal), sentiment analysis revealed a series of red flags throughout the lifetime of the

8 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 8

2/9/16 9:43 PM

fraud: “the red marks flag emails where the sender’s sentiment suddenly turned sharply negative (and would therefore be a good place to start looking for evidence).” Right now, sentiment analysis still seems to be used only on a limited basis. However, we may one day see a time when it is a standard internal control, and a part of most fraud prevention strategies. Sentiment analysis won’t prevent every fraud, nor help close every case. But it can provide a good starting point to knowing that something is amiss.

When Gifts in Business are Tools of Corruption In many cultures, we celebrate giving gifts during the holiday season. In the business world, however, sometimes gift-giving is a year-round occurrence … and it can take the form of corruption. World Bank’s Enterprise Surveys provide detailed statistics on where this type of corruption, which encompasses bribes and “illegal gratuities,” is most rampant. BusinessTech, a South African based-site for business and technology news, recently provided an analysis of World Bank’s findings and distilled the results in “The biggest corruption problems in the world — and where they happen most.” Among its conclusions, BusinessTech found that “the most corrupt region in the world is South Asia, which includes countries such as India, Pakistan, Afghanistan, Bangladesh and Sri Lanka.” Not too far behind is Africa: “The data shows that the Sub-Saharan Africa region is far above the global average when it comes to incidences of corruption experienced by global enterprises.” It is unfortunate when more than a quarter of firms surveyed in those regions expect to give gifts to public officials in order to “get

things done,” a matter-of-fact way of “greasing the wheels,” as one might say. As the article states: According to the survey findings, the most prominent form of corruption around the world involves giving gifts to governments to secure contracts. 27.1% of enterprises, globally, have indicated having been expected to do this. In U.S. law, an illegal gratuity is defined as the following: Illegal gratuity is something of value that a person gives, offers or promises for the purpose of influencing the action of an official in the discharge of his or her public or legal duties. For example, it is an offence to improperly influence judges or other judicial officers, members and officers of public bodies, or voters at public elections. There are plenty of case studies in which contractors, government officials, or even business executives have been on one side or the other of bribery or illegal gratuities. TheCGP.org provides two cautionary tales on their website: On April 25, 2013, the U.S. Department of Justice issued a press release announcing that a Bureau of Prisons (BOP) employee had pled guilty to a charge of receiving unlawful gratuities. The BOP employee, a supervisory traffic management specialist in the BOP Relocation Services section, was responsible for giving relocating BOP employees a list of approved movers and then referring their move to agents of the chosen carrier. While performing these duties the employee received spa and salon gift cards in the amount of $1,007 and $790 from one carrier’s agent, as well as free moving services from moving companies. The BOP employee was subsequently assessed a fine of $1,500 and placed on probation for 18 months. And: On June 5, 2013, the Washington Post reported that the Internal Revenue Service (IRS) had placed two managers on administrative leave for accepting free food and other gifts

CRIGROUP.COM | 9 Fraud 360 issue 5.indd 9

2/9/16 9:43 PM

in violation of government ethics rules. These violations were discovered during an audit of a years-old conference, at which the managers “allegedly held an after-hours party in their private hotel suites.” It apparently was not clear who gave the managers the food, worth $1,162. Acting Commissioner Danny Werfel said in a statement to the Post that the IRS has started the process of firing the managers. Gift-giving — to loved ones, friends, and even colleagues — can be a fulfilling and wonderful endeavor. In business, however, it can sometimes take the form of corruption. Businesses should be quick to adopt a no-tolerance policy for bribery and illegal gratuities, and make sure it is communicated across the entire organization.

However, some experts see a new wrinkle in the changeover. Chip technology only makes “card present” transactions more secure. Naturally, since a merchant’s card reader needs the actual credit card to read the chip, that’s the only way they can control fraud from a point-of-sale transaction. The problem, critics say, is what happens during “card-not-present” transactions. In a commentary piece for DarkReading.com, Ben Jackson writes that a “fraud tsunami” is headed to the shared economy — via “card-not-present fraud.” As head of risk management and fraud prevention for PromisePay, Jackson warns that due to the clampdown on fraud through chip technol-

Is a Tidal Wave of Online Credit Card Fraud on the Horizon?

ogy, fraudsters are likely to simply take more

The U.S. has a serious credit card fraud problem. In fact, a Nilson report (as cited by the Wall Street Journal) estimated that for every $100 spent using a credit card, 13 cents is lost to fraud. That may not sound like much, but when multiple by thousands of such transactions and spread across millions (or billions) of dollars, the impact is significant. But here’s the kicker: outside of the U.S., only 4 cents is claimed to fraud (three times less than in the U.S.). The difference has generally been attributed to less secure credit cards in the States. Until this year, banks were resistant to using chip and pin technology, which provides more protection (and has been the standard in Europe for over 10 years). Now, the U.S. is going part way, at least: the newest cards are embedded with chip technology (but are without PIN, notably). This is expected to help decrease fraud in the States and bring the number back closer to the rest of the world.

crease dramatically over the next 12 months.

of their business online: Fraud in the online world is about to inWith the introduction of Europay, MasterCard, Visa (EMV) chip technology in the United States, card-not-present fraud (CNP) will show a substantial increase, and if the results of EMV adoption in the UK and Australia are any indication, CNP fraud could rise anywhere between 10- to 20%. A recent LexisNexis report outlines how merchants are left liable to online fraudulent activity — with them paying out $3.08 for each dollar lost to fraud. Jackson follows that up with an illustrative comparison: Think of fraud as water running downhill — it will always follow the path that allows it to flow in the easiest way possible. This could mean big trouble for banks, who are already inundated with fraud claims and subsequent investigations, and also merchants who now bear a greater share of risk overall in credit card transactions.

10 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 10

2/9/16 9:43 PM

So what can your clients do to be better protected as fraudsters shift gears and take more of their business to the Internet? Five things, according Jackson: • Educate. “Knowledge is power. Learning about the latest fraud trends is essential.” • Verify data. “This can incorporate IP identification and proxy piercing, device fingerprinting, and more basic level user data such as email/mobile/social media.” • Employ a rules engine. “The rules engine is a middleware application that allows you to create rules when tracking and managing fraud. You can perform pre- and postauthorization tests and rules, as well as rules to handle the return results from authorization. This is a musthave for any medium- to largesized merchant.” • Use chargeback reporting. The final rung of the ladder against fraud is at the chargebacks layer. It is commonly accepted that up to 1 out of every 100 transactions will result in a chargeback, and 86 percent of these chargebacks are fraudulent. It is also accepted that there is a 1 in 10 chance of the merchant winning the chargebacks — clearly a costly situation for the merchant. Chargeback reporting is so important because they show the merchant what they’ve missed, and allow them to analyze the event, and so better protect against it in the future by implementing risk-based controls.” The idea that fraud may become worse after new protection methods are employed is not what anyone (other than fraudsters) wants to hear. But as every fraud investigator knows, con artists and other criminals adapt to 1) follow the money, and 2) find the path of least resistance. Right now, the Internet provides both of those elements. It is up to businesses and their security personnel to find a way to thwart them.

Mafia, Hells Angels: Extreme Construction Fraud in Quebec The construction industry is susceptible to corruption on many levels. Bid rigging, procurement fraud, overbilling, just to name a few of the types of schemes — with each different layer and a variety of contractors involved, the risk of fraud is high. While government regulations and industry best practices have evolved to help mitigate the risk of fraud, there are many opportunities to work outside of those guidelines to gain an unfair advantage. In Quebec, fraud in the corruption industry has recently been revealed to be widespread and extreme. So widespread and extreme, in fact, that the Mafia and the Hells Angels are alleged to be deeply entrenched in the industry, according to Superior Court Justice France Charbonneau. As reported in the Toronto Star: “This investigation confirmed that there was a real problem in Quebec and that it was far more widespread than we originally believed,” Charbonneau said. She said that the Mafia and Hells Angels worked their way deep into the industry, gaining access to public and private contracts and worker’s pension funds. “A culture of impunity developed,” Charbonneau said, reading from a prepared statement. The commission heard of bribes, kickbacks, assaults and even murder. Charbonneau addressed the corruption problem during the release of her highly anticipated report on corruption in the province. Conclusions on the state of the problem were drawn from the testimony of 300 witnesses since the opening of an inquiry three years ago. “Contractors revealed that they were the victims of threats, intimidation and assault,” she said. “Their testimony took us to the heart of our mandate.”

CRIGROUP.COM | 11 Fraud 360 issue 5.indd 11

2/9/16 9:43 PM

The problem is not limited to Quebec. Construction fraud is on the rise, experts say, fueled by economic pressures, tight credit, subpar controls and a lack of whistleblower protections. An article in Construction Business Owner offers the following tips for spotting irregularities: • Schedule out the subcontractor pay applications. • Compare actual to budget on a line-item basis. • Reconcile the payments to the pay applications. • Reconcile the pay applications to the underlying cost records. • Track changes in the SOV. • Track changes in the contingency account. • Compare change order signature dates to the actual time the work was completed. • Inventory the lien waivers. • Make a list of purchased equipment, and inventory the remainder. • Conduct supplier confirmations. • Prove reimbursable charges. • Tie subcontractor bills to the payment applications. • Compare drawing/spec material volumes to claimed actual volumes. • Review the subcontractor bid selection process and selection documentation. Fraud and corruption in the construction industry isn’t going away any time soon. But companies at each level of the process can reduce risk by implementing the proper controls. By following anti-fraud policies and being attuned to red flags of fraud, business leaders can help protect themselves, and their clients, from serious financial loss.

Background Checks: BMW Case is a Cautionary Tale Pre-employment screening can provide a critical level of protection for organizations. Obviously, any business owner wants to weed out potential “bad actors” before they end up on their staff roster. When it comes to screening existing employees, however, there are important considerations and legal implications that need to be addressed. It is a lesson that revered German automaker BMW is learning the hard way, and other business leaders should be aware of the consequences. BMW finds itself having to pay a $1.6 million settlement in a race discrimination suit that stems from performing background checks on current (at the time) employees. As detailed in Human Resource Executive Online, here is what happened: In the summer of 2008, BMW switched contractors handling the company’s logistics at its Spartanburg, S.C., production facility, and required the new contractor to perform criminal background checks on all existing logistics employees who re-applied to keep their jobs. At the time, BMW’s guidelines regarding criminal convictions excluded individuals with convictions in certain categories of crime from employment, regardless of how old the conviction, or whether it was classified as a felony or misdemeanor. So, the reader might wonder, where was the fault in their process? The article goes on to explain the point at which things became problematic: In the suit, the EEOC alleged that BMW discriminated against a group of African-American logistics workers when the new contractor excluded these employees at a disproportionate rate after performing criminal background checks and learning that roughly 100 of these incumbent workers did not pass the screen.

12 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 12

2/9/16 9:43 PM

According to the EEOC, 80 percent of the existing employees who were subsequently disqualified from employment — some of whom had worked there for several years — were black. By implementing their screening, and then sticking firm to employment policies with either an ignorance or a disregard for what could appear to be racial profiling, BMW opened itself to the lawsuit that led to the $1.6 million settlement. While $1.6 million won’t break the bank, by any means, for a large automaker, it probably more than offsets any trivial gain BMW hoped to achieve by protecting itself from potential worker misconduct or potential fraud, whichever may be the case. As the article notes: As evidenced by this settlement, conducting criminal background screens on existing employees seems to be a risky and potentially costly proposition. The BMW case shows this to be true, but even more so, the decisions made based upon the information provided from background checks are where the risk and cost ultimately lay. At CRI Group, we excel at providing every level of background screening in all parts of the world. Our screening agents are in countries and locations that other networks don’t reach. The reason? Business leaders need information in order to make the right decisions — about their businesses, their employees and their partners. However, after receiving information from background screening, executives and human resources professionals must make reasoned and careful decisions on personnel rather than following strict, sweeping policies. If the BMW employees had been reviewed on a case-by-case basis, it stands to reason that many of them would be seen as valuable in their jobs, and without conduct violations or any recent legal problems, there would

be little risk — and more reward — in keeping them in their positions. One should not seek to remove skilled and qualified workers based on inflexible policies that don’t serve the company. The message from the BMW case should not be, “avoid performing background checks on current employees.” Instead, it should be emphasized that background screening is important, and should be used as part of an overall review process that weighs an employee’s performance, conduct, trustworthiness and tenure at the company. If BMW had followed such a reasonable path, they would be able to keep the $1.6 million … and some longtime employees. — By Kanwal Zafar General Manager, CRI Group

Advertise With Us

To advertise with us, please send an email to Javeria@Fraud360.com.

Space is available for Fraud360 magazine as well as our monthly email newsletter, Fraud360 News Brief International. Contact us today for more information.

CRIGROUP.COM | 13 Fraud 360 issue 5.indd 13

2/9/16 9:43 PM

Pre- or Post-employment Screening: Which is More Critical? BY JAVERIA ADEEL

M

ost of us are familiar with the AXACT diploma mill/fake degrees case that came to light in May 2015 through an exposĂŠ by

the New York Times. Following this breaking news, investigators descended on Axact, a company based in Karachi, Pakistan that mysteriously provided phone numbers

14 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 14

2/9/16 9:43 PM

for dozens of fake online programs and had stacks of diplomas from these schools in their headquarters. The fake colleges had American-sounding names, like Newford, Rochville and Drumount University. Axact is just one example, as there are many such fake degrees available online. The problem of fake degrees is nothing new, but the Internet has made it easier than ever to obtain a bogus qualification. With competition still fierce in the jobs market, some people are tempted to beef up their résumé by buying a fake degree. The institutions that sell these fake qualifications are known as either diploma mills or degree mills. Diploma mills issue fraudulent diplomas supposedly granted by real universities, while degree mills pose as real universities. Setting up a degree mill is simply a matter of creating a website that looks like it belongs to a genuine university. The website includes a method for customers to pay for their qualifications online and a place for prospective employers to contact to verify the degree is genuine. Some degree mills award degrees on the basis of the buyer’s supposed “life experience,” while others require a small amount of coursework. One degree mill required about a week’s worth of coursework to earn a masters degree. As detailed by CNN, George Gollin, a board member of the U.S.-based Council for Higher Education Accreditation, estimates that more than 100,000 fake degrees are sold each year in the U.S. alone. Of those, around one third are postgraduate degrees. He added that a bogus degree will typically cost $1,000. While some people might be duped into believing they are obtaining a legitimate qualification, almost everyone buying from a degree mill knows they are getting a fake. But for some, knowingly buying a fake degree is an easy way of improving their job prospects. Generally, fake degrees

are bought for economic advantage for people who are seeking promotion or seeking to get jobs where the employer wants them to have a degree. If it’s difficult for the authorities to keep tabs on the degree mills, it can be even harder for employers to spot if a potential employee has fake qualifications. But there are steps that employers can take to guard against fraudsters. Many countries have government-run websites through which one can easily check if a university is officially accredited. But because diploma mills offer fake degrees from real universities, it is essential that employers also check with someone at the university to confirm that the degree was actually issued. If someone claims to have an advanced degree for which they should have written a thesis, they should be able to produce a copy of that thesis. If they can’t provide contact details for their graduate studies advisor, be suspicious, because that should raise a red flag. But separating the real from the fake becomes even more complicated if a job candidate has a qualification obtained overseas. It can be increasingly difficult to verify that a foreign university is genuine. This discussion raises one important question in regards to which is more critical: pre-employment or post-employment screening? Let’s first understand what pre-employment screening is. Basically, pre-employment screening refers to the process of investigating the backgrounds of potential employees, and is commonly used to verify the accuracy of an applicant’s claims as well as to discover any possible criminal history, workers compensation claims, or employer sanctions. Some employers do provide pre-employment screening — whereas postemployment screening is totally ignored by most employers. Even some employers are more likely to screen entry-level

CRIGROUP.COM | 15 Fraud 360 issue 5.indd 15

2/9/16 9:43 PM

employees than senior executives, but which type of employee could do more damage to the company’s assets, brand and reputation? Organizations who give the C-level a pass on the most thorough background checks leave a glaring gap in their protection that could have catastrophic consequences. Several CEOs of some of America’s largest companies have been caught lying about their qualifications or fudging their résumés. It is equally, if not more important to thoroughly screen all C-level and senior executive hires. Fourty-four percent of employers review the screening results for workers who are hired by a staffing agency. Of the remaining employers, 35 percent stipulate compliance in the staffing agency’s contract terms, and 8 percent conduct periodic audits. What is most concerning, however, is that 13 percent of human resources professionals are unaware of whether the staffing agencies they work with even perform background checks. This is absolutely one area where employers must not drop the ball. Every employee should be thoroughly screened regardless of whether they were hired directly by HR or through a staffing agency. The optimal solution is for employers to run their own background checks on any workers supplied by a staffing agency. If an employer opts to review the screening results instead of conducting their own thorough and up-to-date check, then they should first check that the staffing agency is permitted to share the results by both the Consumer Reporting Agency (CRA) and the candidate. Secondly, even if the employer is only reviewing previously completed background checks, they may be subject to consult with counsel before viewing such reports.

Post-Hire Screening & Employee Monitoring Approximately two thirds of organizations fail to conduct any sort of post-hire

44+35+138C Hiring by staffing agency

Staffing contracting term Periodic audit

HR unaware of background checks

Figure 1: Percentage of hiring screening or employee monitoring. Just because an employee’s criminal history was clean when they were hired doesn’t mean that it will always stay that way. A criminal records check depicts a moment in time and becomes outdated almost instantly. The solution to closing this gap is either through post-hire screening, which can be conducted at specified intervals (i.e. annual re-checks), or employee monitoring, which alerts employers when one of their employees has been arrested. The most recent tragedy occurred in Roanoke, Virginia, where a disgruntled and terminated employee allegedly murdered two journalists on live TV. All three had worked at local TV station WDBJ. Reports have surfaced that Vester Flanagan, the alleged shooter, had a history of mental instability. The question arose: Why didn’t the employer in this case perform due diligence in regards to the employee’s previous records, plus provide post-employment screening?

16 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 16

2/9/16 9:43 PM

While pre-employment screening plays a critical role in helping to protect companies from dishonest employees, too few realize that post-employment screening, conducted at regular intervals throughout an employee’s term of tenure, is equally as important in protecting company assets. However, post-employment screening allows employers to quantify the risk to which they are exposed, and then to manage that risk. Regular credit checks, sudden judgments, criminal convictions — these are all developments which a responsible employer should be aware of in their workforce. Post-employment screening can be applied differently according to job level status — or put more bluntly, at what potential level of risk the employee carries for the company. A cleaner, for example, will be less of a risk than a buyer, and a cashier more of a risk than a switchboard operator. A company carrying out post-employment screening must prioritize how far they wish to take such checking. This is where using an outside third party, whose specialist skills and core function it is to asses such potential risk, can be of great benefit. If an employer carefully observes his employees, the first sign to watch out for is a change in lifestyle of the employee concerned. This can be either an upgrade in lifestyle, such as the acquisition of material goods — a new, flashy car for example; but also a downgrade in lifestyle. Such signs can be displayed in terms of physical appearance, punctuality, work levels and declining productivity, which are often signs of either substance abuse, domestic crises or other personal problems of some sort. It is not only permanent staff who need regular screening — outsourced staff, or sub-contracted companies, also need to agree to independent third-party screening. Cleaners, security guards and all personnel who come onto a company’s prem-

ises, in the same way that permanent staff do, are subject to the same opportunities, stresses and social issues, and therefore need to be treated accordingly. Post-employment screening therefore takes on a wider scope than pre-employment screening. It will deliver to the employer vital information on lifestyles and social issues, apart from the more conventional driver’s license, educational qualification, credit and criminal record checks. While pre-employment screening will help companies identify problem areas before they start, post-employment screening will ensure that companies can minimize the risk to which they are exposed over the long term. CRI Group’s background screening and post-employment screening services expose vulnerabilities and threats within your organization and can significantly reduce the potential of business and financial crime, fraud and malpractice from occurring within your workplace. CRI Group provides a host of professional services to HR managers representing major corporations worldwide, including: Managing employee background screenings across borders; employee monitoring and risk management; data protection compliance; employee testing and confidentiality; employee risk management; background information on former employers; analytic research of credential breaches and bankruptcy, civil litigation, criminal record history, credit and financial regulatory checks. For a full list of services, visit CRIGroup.com. ABOUT THE AUTHOR Javeria Adeel is a Media Researcher and Fraud360 Correspondent for CRI Group. She can be reached at Javeria@Fraud360.com. CRI Group maintains offices in the UAE, Pakistan, Qatar, Hong Kong, Malaysia, Singapore, London and New York.

CRIGROUP.COM | 17 Fraud 360 issue 5.indd 17

2/9/16 9:43 PM

BEST PRACTICES FOR

CROSS BORDER

INVESTIGATIONS

IVE FC 5 BEST PRAC TICES FOR PROACT

PA COMPLIANCE

BY ZAFAR I. ANJ UM, MSC , CFE ,

CIS, RESE ARC HER PRO FESS IONA L DOC TOR ATEMIC A, INT. DIP. (FIN . CRIM E), CII, MIP I IN CRIM INAL JUST ICE (DCR IMJ)

Fraud 360 issue 5.indd 18

2/9/16 9:43 PM

Preparedness for investigations and management of threats and vulnerabilities is critical for organizations seeking to maintain competitive advantage and global positions.

T

he U.S. Department of Justice (DOJ) acknowledges that the Foreign Corrupt Practices Act (FCPA) of 1977 was “enacted for the purpose of making it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining businesses.” Although simplified to a form of antibribery or anti-corruption initiative, the FCPA plays a critical role in corporate governance, accounting best practices, auditing, and cross-border negotiations. As a direct result of legislative oversight, and in an effort to systematically reduce the frequency and limit the effects of cross-border deficiencies and liabilities, corporations have undertaken to define, embrace and implement

a compendium of institutional best practices. This article identifies and discusses a variety of best practices for managing and mitigating the effects of cross-border investigations. By highlighting potential benefits and implications of effective, high-performing standards in corporate preparedness, this analysis demonstrates opportunity costs and benefits of effective investigatory protocol in identifying and resolving FCPA concerns.

A Delimitation of Best Practices In spite of auspicious and aspirational foundations, Ashcroft and Ratcliffe’s “The Recent and Unusual Evolution of an Expanding FCPA” (Notre Dame Journal of Law, Ethics, and Public Policy, 2012) suggests that over its first several decades of existence, the

‘FCPA remained a largely unenforced and nearly dormant piece of legislation.’ In the wake of a robust information economy, the prevalence of financial conflicts and uncertainty, and robust corporate governance standards, settlements and corporate penalties related to violations of the FCPA have increased significantly over the past decade. In fact, Fraedrich, Ritcey-Donohue and Schafer’s “Foreign Corrupt Practices Act Conviction of Lindsey Manufacturing May Embolden U.S. Authorities, but Should it?” (Global Trade and Customs Journal, 2011) noted that while in 2002 just two claims were successfully prosecuted, by 2011, this figure had increased to more than 20 claims for financial penalties in excess of $3.4 billion.

CRIGROUP.COM | 19 Fraud 360 issue 5.indd 19

2/9/16 9:43 PM

More recent statistics from E. Silverstein’s “FCPA Penalties Relatively High During 2014” (FC&S Legal, 2015) reflect that the average FCPA claim in 2014 was more than $156 million, as punitive penalties are designed to discourage and prevent future replication of corrupt business practices. As a result, the financial and reputational consequences for FCPA indictments and violations can have significant impacts on corporate performance. It is for this reason that corporations must adopt and sustain anti-corruption policies and strategies, internal assessment and investigation resources and third party audit capabilities in order to make a significant impact on vulnerability and exposure to FCPA prosecution.

1

Best Practice #1: Have a Plan, Define Policies and Actions and Ensure Consistent Implementation

Perhaps the most critical best practice in FCPA investigation management is corporate preparedness. Emphasizing the role of internal investigations in FCPA enforcement efforts, Carberry and Deane’s “Corporate Internal Investigations: Best Practices, Pitfalls to Avoid” (Jones

Day, 2013) proposes that preparedness including the structuring and strategic anticipation of interviewing processes is critical to revelatory objectives. By failing to anticipate potential findings, investigators are not only likely to overlook critical connections and evidence, but may ultimately become vulnerable to legal or institutional defenses that inhibit a comprehensive assessment. Highlighting the need for anticipatory investigative practices in the recent case of AstraZeneca, R. L. Cassin’s 2015 FCPA Blog piece “Two AstraZeneca Whistleblowers Share $1.4 Million in FCA Settlement” observed that whilst compensatory settlement payments in excess of $7.9 million were agreed to in bribery and false claims allegations, the failure to establish legal liability significantly reduced the consequences of the legal process. In spite of whistleblower evidence and a verified, informal agreement between AstraZeneca and Medco, internal information controls and proprietary information management rights were used to not only impede investigator interventions,

but to protect the organization and its managers from legal prosecution.

2

Best Practice #2: Be Prepared and Actively Control the Flow of Information and Evidence

Anticipation of investigator objectives in relation to FCPA violations may provide corporations with a strategic advantage, allowing internal assessments to focus on a more comprehensive and strategic range of evidence. In an effort to systematise this protocol, Baker and McKenzie propose in 2014’s “Responding to Misconduct” five core steps to corporate responses to misconduct including: 1. Receiving the allegations 2. Preliminary assessment 3. Initial planning and preparation 4. Developing an investigative plan 5. Analysis and resolution This framework reflects a pro-active, anticipatory approach that may be used to not only identify the underlying costs and risks associated with a federal investigation, but could

20 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 20

2/9/16 9:43 PM

allow the determination of an effective remediation plan that can be used to mitigate losses once the process has commenced.

Perhaps the most critical best practice in FCPA investigation management is corporate preparedness.

3

Best Practice #3: Anticipate Investigator Objectives and Evaluate Cost/ Benefit Formula to Maximize Corporate Benefits Under Best, Medium, and Worst Case Outcomes At the root of an FCPA investigation is the attempt by officials and agents to determine whether intraorganizational relationships were in violation of corruption and bribery laws. Originating from a recent case of FCPA prosecution against Lindsey Manufacturing and Comisión Federal de Electricidad (CFE), efforts to affect and influence government officials both directly and indirectly may ultimately result in a violation and significant penalties (Fraedrich et al., 2011). Yet such influence extends beyond more overt bribery/influence cases such as BNY Mellon, recently prosecuted by the SEC for high profile appointments and internships to relatives of key foreign officials in an effort to secure status and international positioning. According to FCPA

Blog’s October 2012 article “Barclays FCPA disclosure,” the Barclays PLC case, its post-stock market crash financial hedging strategies and its partnership with Qatar Holdings are indications of how third party collaboration and collusion can expose organizations to unwanted scrutiny and investigation. As reported in the Wall Street Journal’s “Barclay’s Faces FCPA Probe,” however, it is only through collaboration between Barclays and Qatar Holdings that the inquisition itself has been fundamentally constrained to causal analyses of mis-

conduct and purposive corruption. Exemplifying the need for a functional and collaborative response, the forthcoming internal reports and feedback from both organizations have served as a buffer mechanism to reduce the relative and immediate implications of this investigation. Such joint defence initiatives, as idealized by Carberry and Deane, reflect a foundation of confidentiality that is reciprocated across partners in an effort to reduce the long term costs and consequences of an FCPA investigation.

CRIGROUP.COM | 21 Fraud 360 issue 5.indd 21

2/9/16 9:43 PM

4

Best Practice #4: Collaborate and Coordinate (Joint Defense Agreements) to Prevent Agency Conflicts and Uncertainty

A challenge in international commerce, translational and cultural differences may ultimately lead firms to experience vulnerability and disclosure risks during an FCPA investigation, according Senn and Albert’s “Internal Investigations: How to Conduct an Anticorruption Investigation: Developing and Implementing the Investigation Plan (Part Two of Two),” (FCPA Report, 2014). In an effort to comply with domestic legal and labor requirements, organizations are compelled to make strategic decisions that require both legal and experienced insights and recommendations. By preparing for potential security risks (e.g. non-disclosure agreements), securing local counsel, and preparing for potential local enforcement initiatives and controls, Senn and Albert suggest that firms will mitigate the broader spectrum of international pitfalls that emerge during extended multinational commercial activities. In “Senn on 10 Best Practices in a Cross-Border Investigation — Part II” (FCPA

Compliance Report, 2015), T. R. Fox refers to this process as “putting form in native translations,” creating legal and conceptual alignments and understandings that transcend the foreignness of international partnerships. Such vulnerabilities in labor agreements are indicative in the recent Walid Hatoum/PBSJ Corporation case investigated by the SEC in which foreign officials were provided privileged employment posts and corporate membership in exchange for government contracts. Alternative agreements and positioning could have ultimately been used to not only eliminate the risks associated with such partnerships, but to protect the conglomerate from any adverse activities.

5

Best Practice #5: Evaluate Efficacy and Results

After the aforementioned best practices have been implemented, it is not enough to simply move on and let them do their work. Controls must be monitored for effectiveness, with a regular review process to measure their success. Industry best practices dictate that ideally, these measurements and review should be conducted by an organization’s security

professionals, and a summary of the results with all supporting documentation should be provided to the board of directors. It is only through this process that internal controls can be refined and adjustments made, as needed. It is also important to stay informed of any governance changes that might affect FCPA compliance, or might otherwise require changes in the organization’s anti-corruption controls. Review and measurement of internal controls should be conducted quarterly, if possible (and no less than on an annual basis). The review process is even more effective when conducted by a third party that specializes in FCPA compliance (this removes bias — even where unintentional — from the process, providing a clearer picture of the results).

Conclusion The risks associated with FCPA investigations are significant, and as the financial and reputational costs of indictment and prosecution continue to balloon, the need for effective and pro-active best practices is imperative. This report has identified five leading best practices that are indicative of industryobserved needs, expectations, and opportunities.

22 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 22

2/9/16 9:43 PM

Borderless Business Intelligence Required “Today we were unlucky, but remember we only have to be lucky once — you will have to be lucky always.” This was the Irish Republican Army’s (IRA) statement soon after the Brighton hotel bombing that attempted to kill Prime Minister Margaret Thatcher and her Cabinet in 1984. Twenty years after, the shape and authors of terrorist threats in Europe may have changed, but the threat still exists. And with two series of terrorist attacks in France in 2015, it seems that luck has deserted. It is time to think about how we can be more efficient, together, to fight back. The recent events that occurred in Paris showed that the terrorists are starting to work multilaterally. The terrorist attacks of French publication Charlie Hebdo and a Jewish supermarket in January 2015 were perpetrated by French citizens who acquired firearms in Belgium. The attacks of last November were

perpetrated by French citizens who had travelled from Syria through several European countries. What if business intelligence agencies had been working closely to assist government authorities in tracking these bad actors from the beginning? Would it have been possible to avoid those murders? If wishes were horses then beggars would ride, but it is clear that the lack of share in business intelligence between governments serves as a benefit to the terrorists and buys them time and opportunities. Criminality doesn’t know borders. Investigators and prosecutors among neighboring countries should be on the same page. In the 1970s, French police partnered with their American counterparts to stop the French Connection, a large heroin smuggling

operation, and likewise partnered with the Spanish in the 1990s to pursue Basque terrorists. Europol, the European Police Office, contributes to more than 18,000 cross-border investigations each year, and according to Europol Director Rob Wainwright, there are approximately 3,600 internationally active organized crime gangs operating just in Europe. But coordination still requires loads of preparation through formal channels, according to the United Nations Office on Drugs and Crime (UNODC). Operational problems include “lack of commons standards and accepted practices, the actual supervision of the investigation, the prevention of intelligence leaks and the absence of mechanisms for quickly solving these problems,” according »» continued on next page

“Criminality doesn’t know borders. Investigators and prosecutors among neighboring countries should be on the same page.”

CRIGROUP.COM | 23 Fraud 360 issue 5.indd 23

2/9/16 9:43 PM

to the UNODC. Crossborder investigations must be carefully framed and processed to be really efficient. Cross-border investigation is a reality and requires a global mindset and a legal framework, including laws and regulations, but it must also account for cultural similarities or differences. It is about providing national agencies with the intelligence and processes to make it easier and faster Based upon a cost-benefit trade off and core strategies of preparedness and proactivity, corporations operating in international markets must not only recognise the risks of FCPA violations, but take steps and implement policies to reduce and minimize the consequences of an investigation. By planning for FCPA investigations, identifying and controlling internal sources of information and evidence, creating a cost/ benefit profile for violation settlements, partnering with international organizations and allies and reviewing and measuring results, firms will not only navigate such investigations more effectively, but may mitigate or eliminate

for them to go after the right people. Between 2011 and 2013, the number of terrorists or combatants from Western Europe ranged from 400 to 2000, with most recruits from France, Britain, Germany and Belgium, and traveling across several European Union member states. Allowing ongoing exchanges of information and intelligence would permit investigators to have more accurate data and identify general trends. Determintheir consequences altogether. The testament of firms currently being confronted with high costs and punitive injunctions following recent investigations is a foundation for developing and implementing a more pro-active management strategy. However, given the highly competitive nature of international commerce, the variability of contracts and positioning initiatives, and the intensified demands of growth-centred corporations, it is evident that ethical decisions must be made strategically and judiciously. In this way, the costbenefit trade-off of international partnerships and positioning initiatives has a direct effect on the

ing who should be notified, identifying who will oversee and conduct investigations and then harmonizing procedures would permit authorities to act quickly and coordinate actions. If the information is available, there is no excuse for failing to share it or act on it. Through these measures, terrorist will no longer be able to bet on luck. — By Anne-Solene Spido Research Analyst, CRI Group, London Office

planning and positioning of firms within foreign environments. As a result of domestic responsibilities, the cultural and economic values of one government or business environment may not translate directly into actionable and ethical behaviors within a U.S.based context. Accordingly, preparedness for investigations and management of threats and vulnerabilities is critical for firms seeking to maintain competitive advantage and global positions. ABOUT THE AUTHOR Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI is Chief Executive Officer of CRI Group. He can be reached at zanjum@CRIGroup.com. CRI Group maintains offices in the UAE, Pakistan, Qatar, Hong Kong, Malaysia, Singapore, London and New York.

24 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 24

2/9/16 9:43 PM

Is Technology a Double-edged Sword? BY JAVERIA ADEEL

T

he power of technology offers businesses many new opportunities that were not available just a few years ago. Unfortunately, this same technology has also cleared the way for countless online scams and fraud. Cyber criminals steals billions of dollars every year from small and big businesses, in addition to causing financial losses that

result from security breaches. But the risk of a damaged reputation, and the safety of your customers’ information, are major concerns for any business, as well.

Online business fraud Online fraud takes many forms and faces, and it is not always clear that fraudulent activity is taking place until it is too late.

CRIGROUP.COM | 25 Fraud 360 issue 5.indd 25

2/9/16 9:43 PM

Fraud may target a business and its employees directly, or it may target the customers. The only way to be protected from the threat of cybercrime is by effectively securing your company’s network. The most recent Global Fraud Study conducted by the Association of Certified Fraud Examiners (ACFE) determined that businesses can lose, on average, 5 percent of revenue each year to fraud, which amounts to nearly $3.7 trillion across the globe. Massive data breaches have caused serious damage, including a $146 million loss for Target Corp. and an estimated $200 million for Sony. Although highprofile technology breaches of consumer data dominate the news, your company’s financial data and assets could also be at risk. The recent climate of fraud begs the question: What can we expect in 2016? Technology is getting more sophisticated day-by-day, and so is cybercrime. Our life is becoming increasingly technofriendly. We pay our electricity bill online, we buy groceries and do other shopping online, we conduct bank transactions online — so much of our lives are online, even our personal lives are not so personal these days. Everyone, no matter what age, use social media: We share our life events and pictures, and we even check-in to different locations on social media. We have solutions for all types of different problems through just one click of an app. And this just refers to personal use. These days, most companies conduct business online. Business transactions are conducted online. Sounds familiar, right? Internet technology is so prevalent in our lives that we can’t hardly function without technology these days. Just think of one day at work without the Internet or technology — it’s difficult to imagine! As technology becomes more advanced, fraudulent schemes will become more complex, while more sophisticated fraud solutions will be developed to

combat hackers’ best efforts. As the landscape of fraud continues to shift, business leaders must be aware of trends and predictions that will allow them to implement internal/external controls and systems to

FACT: Business fraud cases have more than doubled in past years. Source: Gulf News

help reduce the risk of fraud and keep them from becoming another victim of fraud.

The double-edged sword of technology gets sharper It has been estimated that nine out of 10 breaches can be described by nine basic patterns. However, as technology advances, we are seeing a distinct proliferation of more complex fraud schemes. At the same time, we are seeing more breakthroughs in the use of technology to detect fraud. Strategies that we’ve used in just the past few years will become completely outdated, as a fresh set of tactics will debut. As money becomes more digital, there is increasing concern surrounding the vulnerability of cloud-based applications. The cloud is not going to stop growing. It is going to continue to evolve and become the norm because the business and personal benefits are far too strong. Any centralization of data without the right protocols can become a target, but banks and credit cards are even bigger targets, and they’ve been around for a while.

Improving information security will be a major priority The recent data breaches in large corporations have exposed vulnerabilities in the way personal information is maintained

26 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 26

2/9/16 9:43 PM

and stored. Because of this, we are expecting more massive data breaches throughout 2015, which makes improving information security a top priority. We will likely see more IP addresses, with bigger sites getting better at the game.

Employee theft and fraud will continue to be a serious threat According to the U.S. Chamber of Commerce, 75 percent of all employees steal at least once, and half of these individuals steal repeatedly. Even the most trustworthy employees will go to desperate measures, giving way to employee theft and fraud. Even the most steadfast employees, who would normally never think of com-

FACT: The majority of UAE online fraud victims are unable to recover their losses. Source: Gulf News

mitting fraud against their employers, are more willing to take unlawful risks in order to have some extra money in their pockets. Most organizations place their antifraud emphasis on external fraud and security. Ironically, somewhere between 50 percent and 75 percent of the financial losses due to computer incidents result from inside threats, according to the FBI and Computer Security Institute. Combating fraud requires businesses to place equal value on the detection of internal and external fraud, developing necessary strategies to address both. To minimize the potential damage of fraud, companies need to invest not just in more advanced technology but in people and policies for detecting attacks

as quickly as possible. While networks are just too large to prevent every attack from occurring, detection is crucial. Most companies do not have adequate protocols and staff in place to deal with incidents of fraud. While advanced technology serves as a great tool to combat fraud, the issue should be viewed as more than just an IT problem and looked at as a business problem. Here are some steps to take: • Identify all devices and network connections. • Put a clear focus on segregation of duties (spread and rotate financial responsibilities, control who views sensitive documents). • Set boundaries between your network, the internet and other networks. • Enforce controls and policies that prevent misuse, unauthorized access and denial and services. • Enforce a strong password policy. • Offer internal and external audits (monthly profit and loss reviews, monthly balance sheet reviews). • Develop protocols for electronic banking transactions (e.g., limiting access, verbally confirming requests, two-step authentication process, safeguard data). By taking these actions, companies can begin building a culture of system-wide accountability rooted in honesty, integrity and transparency. Remember, the cost of trying to prevent fraud is far less expensive to a business than the cost of fraud committed on a business. ABOUT THE AUTHOR Javeria Adeel is a Media Researcher and Fraud360 Correspondent for CRI Group. She can be reached at Javeria@Fraud360.com. CRI Group maintains offices in the UAE, Pakistan, Qatar, Hong Kong, Malaysia, Singapore, London and New York.

CRIGROUP.COM | 27 Fraud 360 issue 5.indd 27

2/9/16 9:43 PM

Case Studies CASE STUDY: Lack of Due Diligence Leaves Office Supply Company’s Bill Unpaid

A professional office supply company enlisted CRI Group to conduct a potential fraud investigation regarding one of their customers. The office supply company had provided this new customer with products valued at $15,000 — all on a credit basis, after negotiating payment terms with them. However, no formal credit check or standard due diligence measures were performed. The office supply company invoiced their client, but no payment was sent and there was no indication that a payment was forthcoming, even after extensive requests and inquiries. To add to their suspicions, the office supply company’s financial team noticed that the client company’s website was down, emails were bouncing and its telephone numbers were no longer in service. CRI Group’s local investigators went to work, beginning with an on-site visit to the physical address that had been provided by the customer. However, when they

examined the location, it was obvious that no such business existed at the address and it was simply a “virtual” business front. When investigators checked local court records, they found that the client company had four civil court judgments against them within the space of one week. Further checking of media resources led to the discovery that the client company had been labelled a “scammer” on an Internet forum; had registered its website domain to a “Mr. J. Smith” (with no further physical location or contact details); and the domain for the website that was eventually used to help trick the office supply company had been registered only two weeks before the order was placed. Finally, our investigators discovered through corporate record resources that the client company had only been incorporated for six weeks. It was clearly obvious that the fake company was set up as a means to commit fraud. The lesson learned is that there is no replacement for due diligence: When dealing with a new customer, especially one making a substantive order, requests to pay on credit should raise a red flag. Such an arrangement should only be made after a proper credit check and verification that the client is a legitimate business.

TWO CASE STUDIES: Fake, Bogus or Forged Documents

28 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 28

2/9/16 9:43 PM

There are fake educational documents for sale at cheap rates. But for those who have bought them, now is the time to pitch them in the trash — or risk getting caught. Businesses, government agencies and other organizations take it seriously when it comes to whom they are hiring. Those that want the best protection will conduct thorough background investigations to check the credentials presented by any employee. CRI Group’s investigators have a long, successful track record in uncovering such cases in which fake educational documents were presented. The following are two examples of such cases. As disclosure of names is not possible, we will refer to the prospective employee as a POI (Person of Interest).

it is to buy or forge a fake degree. Using standard procedures to verify the documents, CRI Group contacted the university in question and provided them with the necessary information to check their validity. The results were amazing: the registration number for the POI had no such authenticity; but in addition to that, even the name of the person who was the issuing authority at that particular university had been substituted. When the name of the person listed on POI’s documents was checked, it was discovered that no person by that name had ever worked at the university. This just further confirmed that the documents presented by the POI were fake, bogus or forged.

Case One

CASE STUDY: Health Insurance Fraud

The POI presented educational documents that appeared to be issued by a well-known university in Pakistan. They closely resembled the university’s official documents, and each and every detail was faked with tremendous precision. Yet one major piece was missing that cannot be faked: the information about the supposed degrees was not reflected in the university’s own files. Using the university’s prescribed process for verifying information, CRI Group opened an inquiry, and soon confirmed through the university that no such degree was issued, and no such candidate was registered under the provided registration number. In conclusion, CRI Group informed the client that the POI’s documents were fake, bogus or forged.

Case Two In the second case, the fraud committed by the POI went even further. As in the previous case, the POI presented documents that were very precise imposters compared to the originals. But while conducting an investigation, CRI Group’s investigators revealed how much trickery can be done with just some time spent on a computer using some basic software, and how easy

One of CRI Group’s prestigious international clients requested an investigation of a health insurance claim filed by one of their employees, “Mr. ABC.” Mr. ABC claimed per billing invoices (which the client shared with CRI Group’s investigators) that while he was on an official visit to UAE from the U.S., while traveling on a plane, he felt sudden abdominal pain with nausea and vomiting lasting 18 hours. He was admitted to a clinic and stayed under observation for two days, which cost him around $4,000 (US).

CRIGROUP.COM | 29 Fraud 360 issue 5.indd 29

2/9/16 9:43 PM

Mr. ABC was discharged from the clinic, but then felt the return of his sickness, so he was admitted to another clinic for two more days. During this time, he was kept under observation. For this second clinic visit, he was charged nearly $1000. As part of CRI Group’s “boots on the ground” approach, a local agent visited both of the clinics involved in the claim. One clinic was located in Dubai, while the other was in Abu Dhabi. When he arrived at the Dubai clinic, CRI Group’s local agent immediately learned that the clinic deals specifically in cosmetic surgery for women. In fact, as advertised on the outside of the clinic, its services are only for women. But CRI Group’s agent wanted to get solid proof to for the clients. When the clinic’s receptionist was asked to verify the bill, she notified an administrator — who told CRI Group that the clinic does not treat that kind of illness. Furthermore, the administrator confirmed that the clinic is only in the business of providing cosmetic surgery for women. CRI Group’s local agent then visited the clinic in Abu Dhabi. This clinic also appeared to be — as you might guess — in the business of providing cosmetic surgery for women. When the local agent tried to contact the doctor who was named as the treating physician for Mr. ABC, the doctor was hesitant to meet the agent. CRI Group’s agent showed the report to the doctor, and though it was on official letterhead of the clinic, the doctor first denied involvement in the case. But afterward, the doctor told CRI Group’s agent that while “we don’t treat that kind of illness,” the patient “was in such bad condition that we treated him on humanitarian basis.” Yet the doctor was hesitant to accept that the bills came from his clinic (the agent had already learned that the doctor in question was also the owner of the clinic). Regardless, CRI Group successfully secured the evidence that the

health insurance invoices were fake and Mr. ABC was making false claims to get money from his employer. That’s how CRI Group’s investigation of false healthcare insurance claims saved one client a significant amount of money. CRI Group not only verifies false invoice claims, but also works with clients to uncover provider fraud, patient fraud and insurer fraud. Some of the common methods of fraud that require investigation include: • Charging, invoicing for facilities and services not performed • Billing, charging, invoicing for duplicate times for one service • Falsifying a diagnosis • Billing, charging, invoicing for a more costly service than performed • Accepting kickbacks for patient referrals • Billing, charging, invoicing for a covered service when a no covered service was provided • O rdering excessive or inappropriate tests • Prescribing medicines that are not medically necessary or for use by people other than the patient • Billing, charging, invoicing verifications CRI Group’s insurance fraud claim investigations services include: • Investigation of cause • Statement of claimant/employer • Activities check/claimant interviews • Background investigation • Medical/hospital records • Telephonic interviews • Clinic inspections and onsite verification • Disability claim reports • Death claims investigations — Case studies compiled by Javeria Adeel, Media Researcher and Fraud360 Correspondent for CRI Group.

30 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 30

2/9/16 9:43 PM

Digging Deeper:

The Importance of Vetting Third-Party Partners

An Interview with Zafar I. Anjum, CFE CEO of CRI Group

Javeria Adeel, Fraud360 Correspondent, sat down with CRI Group CEO Zafar I. Anjum to discuss the importance of vetting third-party partners. Anjum will be at the 2016 ACFE Middle East Fraud Conference, February 14-15, in Dubai. JA: Do companies know all of their business partners as well as they should? ZA: In my experience, no. However, they have a false impression that they do, or that they know their business partners as well as they should. They might consider that certain information is confidential and proprietary, in other words “none of their business,� and so they might feel it is not appropriate to dig too deep. When in

a pre-IPO or pre-merger situation, a company is more likely to engage in thorough due diligence. But beyond that, companies usually do not engage in, nor do they realize the importance of, a thorough vetting process for their business partners. At least until problems begin to arise, and at that point it might be too late. The potential harm that lurks from association with the wrong partners includes not just

CRIGROUP.COM | 31 Fraud 360 issue 5.indd 31

2/9/16 9:43 PM

financial repercussions, but damage to reputation, as well. CRI Group has experts who conduct a thorough vetting process, helping companies take a proactive stance to avoid problems with their third-party affiliations. The biggest issue right now for many companies is that in emerging markets, there is still a lack of reliable online and public data to assist with the vetting process. That is why CRI Group has investigators on the ground in hard-to-access locations around the world to gather information in a grassroots way. JA: There are risks associated with major business actions like engaging in a joint venture, for example. Are companies assessing (and addressing) these risks appropriately? ZA: In many cases, companies don’t appreciate the risks that come with actions like forming a business alliance, joining a licensing arrangement, or any other situation that closely engages them with a third-party partner. They might think that having a contract reviewed carefully by their legal department, for example, provides the protections they need — along with usual hedges against risk such as insurance and reinsurance policies. Unfortunately, such business owners and operators don’t fully grasp the implications of financial and reputational harm that can occur in a business relationship, to the degree that it can sink their business. There are several potential flags for a business when entering into an arrangement with a third-party partner. The following are just a few of them: • The partner, or potential partner, is unable or unwilling to share necessary information (usually through claims that it is privileged or confidential)

• The partner, or potential partner, has not presented a clear and compelling goal or motivation for the future of the partnership • The arrangement, or proposed arrangement, is largely unequal — one partner stands to gain more, or is valued more, than the other • There are issues of honesty, usually observed in “shifting numbers” (financials) or other information that changes or is contradictory during the negotiation phase or during the partnership There is a deeper problem. Even going beyond the red flags and necessary due diligence I’ve already described, there is also the issue of what pre-existing business relationships a prospective partner already has in place. The only way to really conduct a thorough vetting process is to look into those ties a prospective partner has to other companies, as well as how they interact with local agencies and within their local environment to determine whether they are a safe partner with which to conduct business or enter a partnership. This is another reason why CRI Group’s agents on the ground conduct their due diligence checks at a local level to uncover all relevant information and create a full picture of a prospective partner and their interactions. JA: Will proper due diligence with potential business partners help companies avoid unnecessary disputes? ZA: There will always be some disputes in business. However, performing proper and thorough due diligence will help a company negate that “unknown” factor that can lead to financial and reputational harm. I mentioned the need to conduct due diligence as part of a proactive measure to reduce risk. The best way to do this

32 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 32

2/9/16 9:43 PM

Javeria Adeel, Media Researcher and Fraud360 Correspondent, interviews Zafar I. Anjum, CEO of CRI Group, at CRI Group Headquarters in Dubai, UAE. is to make due diligence for third-party partners a part of the company’s core operational methodology. In other words, any time a prospective arrangement is being proposed or considered, the due diligence process should be automatic, a pre-cursor to any further negotiations and definitely conducted prior to any formal agreement or contract. The following are a few ways that a partners are vetted: • Any government records that include sanctions lists or other corporate wrongdoing blacklists must be checked. • The details of the target company’s associations with other companies, vendors and government should be reviewed. • An analysis of the target company’s contractors and vendors should evaluate whether their involvement is legitimate and necessary. • All financial information provided by the target company should be reviewed and vetted for accuracy. • The contracting process should identify potential risk or liability areas, and also clearly define the parameters of the

relationship (all timing and deliverables, as well as any government sanctions or taxes, for instance). JA: If a dispute should arise, what are some of the potential consequences? ZA: Financial and reputational damage are the key risk areas. Business leaders often consider the former, but don’t give enough thought to the latter. Reputational harm has the potential to do great damage, sometimes greater than the initial financial loss. A company might feel that since they are legally protected to some degree from liability, or insured against fraud, that any harm from a third-party partner is a reasonable level of risk for what might be a lucrative arrangement. Unfortunately, simply being tied to the wrong company can create a public relations nightmare and cause negative repercussions that last for years. The horse meat scandal in Europe showed us how a few bad suppliers caused a loss of consumer trust and damage to well-known distributors that were caught up in the fraud through their third-party affiliations. JA: In conducting due diligence, what should companies do to investigate their

CRIGROUP.COM | 33 Fraud 360 issue 5.indd 33

2/9/16 9:43 PM

Ms. Javeria and Mr. Anjum discuss the importance of proper due diligence and vetting third-party partners during their meeting at CRI Group Headquarters in Dubai, UAE. potential (or existing) partners and their partners’ employees? ZA: Some companies are large enough and have the proper staff to launch due diligence investigations, but many don’t have that capability. For them, there are reputable firms that can conduct thorough due diligence on a regular basis to help their company be proactive against risk. CRI Group’s experts use a combination of public record searches, in-person interviews, court records searches and governmental records checking during the review process. This includes 1) a review of the target company’s ownership and management. This should include anyone with influence over the company, including beneficial owners and shareholders; 2) civil, criminal and regulatory history checking of the target company, including its risk and compliance programs; 3) a checking of references that can establish details on the target company’s business practices and history. This information can come from business partners, business liaisons and other stakeholders. JA: Can doing business with the wrong partner lead to problems with regulators?

ZA: Yes, indeed. That’s why a proper risk assessment should address the following: • What is the relationship between the target company and its own vendors and contractors? In other words, does it have a proper degree of oversight of its partners? • What are the particular regulatory issues affect the region or country where the target company is based? • Does the target company have a history of sanctions or other government action? What is its relationship to government officials and the courts? • Does the company have a strong compliance program? Does it conduct risk assessments? Is it transparent in regards to its own due diligence and risk management efforts? • Are there any “unknowns” that should have been disclosed in the vetting process? There are red flags to look for. One of them would be if the target company has an unusual or complicated relationship with a government entity or figure that affects its business operations. Another would be if it uses unorthodox accounting methods or is not transparent in regard to its financial dealings (it does not conduct audits or

34 | FRAUD360 | ISSUE 1 2016 Fraud 360 issue 5.indd 34

2/9/16 9:43 PM

won’t provide the results, for instance). Also, it is certainly a red flag if a company doesn’t disclose all of its owners or key principals, or if it is very recently formed — as it might be a shell company created for an adverse purpose. Due diligence experts know to look for anything suspicious and will endeavour to clear up any question marks before advising their client to move forward with a target partner. JA: What final thoughts would you give business leaders to help them appreciate the importance of conducting due diligence with third-party partners? ZA: The nature of business has changed, and due diligence and risk management are crucial today more than ever. Business owners cannot have a false sense of security regarding their associations with other companies and organizations. It is not enough to simply have legal professionals review

contract terms, or to expect that liability can be limited or covered by insurance without a risk of greater harm. Financial, operational and reputational damage can put a business under, to speak plainly. Moreover, the increased compliance and regulatory requirements make it imperative for any company to have an established and thorough process for due diligence. Firms like CRI Group have experts who conduct such investigations as part of their core business model. They have the staff, experiences and resources at hand to conduct a thorough due diligence investigation and uncover any unseen issues with third parties or potential third parties before such issues evolve into a crisis. No smart business owner would walk into a relationship with blinders on — information is key, and the more you know, the less risk your company will face.

What Third-Party and Fraud Risks Threaten Your Business?

Estimated amount of revenues that the typical organization loses each year to fraud.*

Our 3PRM strategy focuses on:

Our fraud experts will:

; Providing third-party risk assessments

; Identify fraud risks at your organization

; Meeting contracting requirements

; Implement proactive controls to prevent fraud

; Conducting due diligence

; Investigate cases of unethical behavior

; Providing management oversight

; Measure effectiveness and results

3.7

TRILLION

Our Third-Party Risk Management (3PRM™) services provide a proactive approach to mitigating risks from third-party affiliations, protecting your organization from liability, brand damage and harm to business.

Potential global fraud loss (if applied to the estimated Gross World Product).* *Source: ACFE’s 2014 Report to Nations.

Visit our booth at the 2016 ACFE Middle East Fraud Conference CRIGroup.com | zanjum@CRIGroup.com Fraud 360 issue 5.indd 35

CRIGROUP.COM | 35 2/9/16 9:43 PM

SAVE $200! THROUGH

MARCH 28*

Find the knowledge, connections and resources you need to reach new heights in your fight against fraud at the 27th Annual ACFE Global Fraud Conference. Join more than 3,000 anti-fraud professionals in Las Vegas, June 12-17, 2016, to share insights and best practices on fraud prevention, detection and deterrence.

KEYNOTE SPEAKERS

Reach Your

Judge Jed S. Rakoff

Steve van Aperen

U.S. District Judge, Southern District of New York

“The Human Lie Detector” Body Language Expert

David Barboza

Roomy Khan

Investigative Journalist, The New York Times, Pulitzer Prize Winner

Convicted Fraudster**, Galleon Group Insider Trader Scandal

potential

Reach Your

peers

Reach Your

goals

Reach Your THIS EVENT WILL SELL OUT – Register early to reserve your spot. FraudConference.com *Payment must be received by March 28, 2016 to receive early registration discount. Offer valid on Main and Full Conference packages only and may not be combined with government, group or student pricing. **The ACFE does not compensate convicted fraudsters. © 2016 Association of Certified Fraud Examiners, Inc. “ACFE,” “Association of Certified Fraud Examiners,” the ACFE Logo and related trademarks, names and logos are the property of the Association of Certified Fraud Examiners, Inc., and are registered and/or used in the U.S. and countries around the world.

Fraud 360 issue 5.indd 36

2/9/16 9:43 PM