Fraud360 issue 3 2014 web

Celebrate! CRI Group Looks Back to Commemorate 24-Year Anniversary PG. 7

Insider Fraud: Why Are Fraud Risks From Within So Often Treated as Secondary to External Threats? Pg. 8

Anti-Corruption Compliance: Mitigating Risks of ThirdParty Misconduct PG. 11

Economic Crime Rising Globally PG. 28

Crigroup.com

ISSUE 3 2014

HOW TO COMBAT

MANAGEMENT

FRAUD Today’s economy cannot afford fraud, and prevention starts with management. Here’s how to navigate solutions from the top down. Pg. 20

Published by

Fraud and White-Collar Crime Investigations | Background Investigations | Business Intelligence | Corporate Security | Forensic Accounting | Investigative Due Diligence

Letter from the CEO How to Combat Management Fraud Welcome to the latest edition of Fraud360. As always, we endeavor to bring you carefully selected articles that are interesting and valuable to you and your business. I am also proud to note a major milestone for CRI Group: we just marked our 24th anniversary, and I’d like to personally thank all of our staff, clients and colleagues for helping us along in our journey. Because of you, CRI Group has grown as an innovative leader in the world of due diligence, risk management and investigation — while always staying focused on the needs of our clients. We look forward to our 25th year, and the next 25 beyond that. In this edition of Fraud360, you will read about management’s responsibility in preventing fraud — and how leaders in today’s business world need to look beyond bonuses and profit margins. Today, risk management and fraud are just as important to a company’s bottom line, a reality we explore in our cover article, “How to Combat Management Fraud” (page 20). Third-party partners can cause irreversible harm to your company’s reputation and even your financial stability through their unethical behaviours. “Anti-Corruption Compliance: Mitigating Risks of Third-Party Misconduct” (page 11) outlines the facts you need to know about conducting due diligence and protecting your organisation from outside threats. Not to be overlooked, however, we have also placed a special focus on insider fraud (page 8), asking the question: “Why are the fraud risks from within an organisation so often treated as secondary to external threats?” Don’t miss our special updates on where economic cybercrime is growing around the world, what you need to know about FATCA implementation and other important issues in fraud and due diligence. I invite you to reach out and provide us with your thoughts on these issues and others that are important to you. Just send us an email at media@CRIGroup.com. I thank you for reading, and I hope this edition of Fraud360 helps you prevent and detect more fraud threats to your business or organisation.

Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI Chief Executive Officer of CRI Group

2 | fraud360 | ISSUE 3 2014

Spotlights & Features Fraud360 | Issue 3 | 2014

20

11

Anti-Corruption Compliance: Mitigating Risks of Third-Party Misconduct

8

20

11

28

How to Combat Management Fraud

Today’s economy cannot afford fraud, and prevention starts with management. Review solutions to navigate solutions from the top down.

7

Celebrate! CRI Group Looks Back to Commemorate 24-Year Anniversary

8

Insider Fraud: Why Are Fraud Risks From Within So Often Treated as Secondary to External Threats?

18

Transparency International’s Corruption Perceptions Index

28

Survey Finds Economic Crime Rising Globally

31

Organisation Profile: The Society of Corporate Compliance and Ethics

crigroup.com | 3

SUBSCRIPTIONS To subscribe to Fraud360, please email us at info@Fraud360.com. Or contact one of our worldwide locations directly.

Fraud360 is created for business leaders, directors, investors and professionals who need the latest information and best practices for protecting their assets from fraud. Presenting practical tools, case studies, and articles focused on fraud prevention and detection, Fraud360 provides an insightful look at the issues impacting businesses worldwide. Fraud360 is published by Corporate Research and Investigations, LLC. (CRI Group).

WORLDWIDE LOCATIONS Middle East & North Africa

Asia

CRI Group Headquarters Dubai, UAE Level 9, #917, Liberty House, DIFC P.O. Box 111794 Dubai, UAE Tel: +971-4-3589884 Fax: +971 4 3589094 Email: cridxb@CRIGroup.com Web: CRIGroup.com

Pakistan Level 12, #1210, 1211 55-B, Islamabad Stock Exchange (ISE) Towers Jinnah Avenue, Blue Area Islamabad, Pakistan Tel: +92 51 111 888 400 Toll Free: 0800 00 CRI (274) Email: pakistan@CRIGroup.com

Qatar Level 22, Tornado Tower Al-Funduq Street PO Box 27774 Doha, Qatar Tel: +974 44292434 Email: doha@CRIGroup.com

Singapore 1 Raffles Place, #19-61, Tower 2 One Raffles Place Singapore 048616 Tel: +65 6808 5634(35)(36) Email: singapore@CRIGroup.com

Europe

London Level 33 25 Canada Square London E14 5LQ United Kingdom Tel: +44 207 038 8023 Email: london@CRIGroup.com

north aMERICA

New York 600 Third Avenue, Suite 252 New York, NY10016 USA Tel: +1 (646) 571-2501 Email: newyork@CRIGroup.com

4 | fraud360 | ISSUE 3 2014

Hong Kong Rooms 05-15, 13A/F, South Tower World Finance Centre, Harbour City 17 Canton Road Tsim Sha Tsui Kowloon, Hong Kong Tel: 852-2208-6064 Email : CRI.hongkong@CRIGroup.com Malaysia Lot 2-2, Level 2, Tower B, The Troika, 19 Persiaran KLCC,M 50450 Kuala Lumpur, Malaysia

FRAUD360 ONLINE Visit FraudInsider.com for even more fraud, compliance and due diligence coverage, including the latest news and web-only features. Want to receive Fraud360 News Brief International, our monthly magazine email newsletter? Send us an email at info@Fraud360.com or visit FraudInsider.com/Fraud360.

ADVERTISE WITH US To advertise with us, please send an email to pr@CRIGroup.com. Space is available for our printed magazine as well as our email newsletter, Fraud360 News Brief International. Contact us today for more information.

EDITORIAL For editorial inquiries, questions and comments, please email us at info@Fraud360.com. Fraud360 is published by Corporate Research and Investigations LLC: Global Headquarters Level 9, #917, Liberty House DIFC, P.O. Box 111794 Dubai, UAE Tel: +971-4-3589884 Fax: +971 4 3589094 Š 2014 Corporate Research and Investigations, LLC. Copyright is reserved throughout. Although Fraud360 may be quoted with proper attribution, no part of this publication may be reproduced without the express written permission of the publisher. Contributions are invited but copies of all work should be kept as Fraud360 can accept no responsibility for loss. The views expressed in Fraud360 are those of the authors and might not reflect the official policies of CRI Group.

About CRI Group Corporate Research and Investigations, LLC (CRI Group) is a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. A licensed and incorporated entity of the Dubai International Financial Centre (DIFC), CRI safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business.

MEMBERSHIPS, PARTNERS & AFFILIATES CRI Group maintains partnerships and memberships with leading global organisations in the fields of due diligence, fraud investigation, forensic accounting and more. Some of our affiliations include:

Connect with us on the web via your mobile device or social media. LinkedIn Facebook Twitter Blog: FraudInsider.com

We are proud to be named the 2013 “Business Due Diligence Firm of the Year – UAE” and “Anti-Fraud Adviser of the Year – UAE” by Acquisition International. AI’s Awards celebrate excellence and recognise investors, advisers and service providers for expertise in their specialized fields.

Professional Trade Associations

Corporate Memberships/Alliances

Implemented and Certified ISO 9001:2008 (Quality Management Systems) ISO27001:2005 (Information Security Management Systems)

crigroup.com | 5

News & Media Upcoming Events Find CRI Group at the following events around the globe in 2014: SCCE – Compliance & Ethics Institute Hyatt Regency Chicago Chicago, Illinois 14-17 September 2014 NAPBS – 2014 Annual Conference Hyatt Regency Denver at Colorado Convention Center Denver, Colorado 19-21 October 2014

In the Media CRI Group was the title sponsor for the June 2014 issue of EMEA Briefings — Buyer Beware: Do an Integrity Check Before Conducting Business in the Middle East. The magazine is a supplement to the award-winning ACC Docket, the journal of the Association of Corporate Counsel (ACC) and the premier publication for in-house counsel with more than 35,000 readers worldwide. To read the full article, visit http://tinyurl.com/qfgl6uo.

6 | fraud360 | ISSUE 3 2014

CRI Group Nominated for Awards CRI Group’s “You secure their future... We’ll secure their past” advertisement has been named one of the finalists for “Most Effective Message” and “Best Headline” in a prestigious award competition hosted by PreemploymentDirectory.com. Voting commenced 11 June 2014 for the selection of the winners in the Best Ads Awards competition in the Background Screening Industry. The “Most Effective Message” award is for the advert that “will most likely produce the intended or expected result it was designed to produce and/or will stimulate readers to take a desired action.” The “Best Headline” category recognises “the headline that grabs your attention the most and which you found to be most compelling.” The ad helps communicate what CRI Group offers clients and partners: user-friendly, web-based background screening services with flexible, bespoke employment solutions for a range of various industry sectors with clients utilising this service across the globe. Winners will be announced in July and voters can be entered for the chance to win a gift. Visit http://tinyurl.com/ks5qmmf today to cast your vote!

Celebrate! CRI Group Looks Back to Commemorate 24-Year Anniversary In 1990, Mikhail Gorbachev was premier of the Soviet Union. Great Britain was seized by a record heat wave. The space shuttle Discovery released the Hubble Telescope into orbit. And CRI Group was born, destined to be a leading due diligence firm serving clients worldwide. A lot has changed in the past 24 years in the realm of due diligence and risk management. Fraud and corruption, once kept behind closed doors, are now in the public eye and under scrutiny. New laws and regulations like the UK Bribery Act are in effect, promising steep penalties for companies that don’t conduct proper due diligence. In any business, longevity is a sign of success. CRI Group has strived to be innovative in the world of due diligence, risk management and investigation — while always staying focused on the needs of clients. “As we celebrate our 24th anniversary and service in the industry, CRI Group is proud to have become one of the most respected names in global risk management,” says Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI, CII, MIPI, CEO of CRI Group. “Since our inception, we have cultivated long-term relationships with clients, providing them with expertise in detecting and preventing risks to their business. Our wide range of specialists are experts of international law and perform their services discreetly yet effectively. We look forward to providing such expertise to clients for many more years to come.” CRI Group would like to thank all clients and staff for making this special milestone a reality. As we enter our 25th year, we hold steadfast to our commitment to integrity and remaining faithful to our customers’ trust.

1990 Year CRI Group was established

10

Number of global events CRI attended or sponsored in 2013

13,120

Number of Facebook likes

50

Number of CRI employees, working in more than 7 countries

7

Number of countries with CRI locations

crigroup.com | 7

Insider Fraud Why are the Fraud Risks From Within an Organisation So Often Treated as Secondary to External Threats? By Sophie Keen

O

rganisations have typically

Verify Applications

been able to appreciate the

Organisations do numerous checks (e.g. credit checks, voters’ roll and the CIFAS National Fraud Database) when dealing with a customer’s application to verify the information provided before any decision is made. The level of checks on applications for employment should be no different. If you wouldn’t accept an individual as a customer due to a fraudulent past why would you run the risk of employing them and giving them access to your cus-

fraud risks from outside of

their organisation (e.g. identity criminals, hackers and fraudulent applications), but the same cannot always be said for the risks inside the organisation itself. With KPMG’s latest Global Profile of the Fraudster finding that 61 percent of fraudsters are employed by the victim organisation — the risk is clearly present.

8 | fraud360 | ISSUE 3 2014

tomer’s data and accounts? Not only can employing a known fraudster pose serious financial damage, it can also result in huge reputational damage and destroy the trust of customers. While employers have commonly made use of references and criminal records checks, it is widely acknowledged that fraud is rarely reported to law enforcement and references are becoming increasingly brief. It was due to this that CIFAS and its Member organisations saw the need to establish the Internal Fraud Database. This enables organisations to share details of confirmed internal frauds with one another. The database enables an additional check during the recruitment process, but allows organisations to create a record (when a confirmed fraud is spotted), and thus protect the wider UK industry. Doing this helps to prevent fraudsters from simply moving on, unheeded, simply to commit the same acts at another unsuspecting organisation. The database is increasingly being made use of by a wide range of sectors and was described by the former National Fraud Authority in its National Fraud Strategy as a success in the area of ‘sharing data within a framework that safeguards people’s privacy’ and ‘is critical to identifying and preventing fraud’. Cases of employment application fraud reported to CIFAS have continued to rise in recent years, so this threat shouldn’t be seen as different from a potential customer making fraudulent declarations. The types of fraud seen on employment applications include false employment history, income, qualifications or attempts to conceal an adverse credit history (in regulated positions where a clean history is required). Fundamentally, the fraud threat from inside an organisation is not very different from the threat posed from outside. Therefore the same standard of check needs to be used. By performing such checks, organisations can gain a fuller picture of

the applicant and find out whether they are truly who they say they are … before making any decisions as to whether or not to offer them employment.

Theft by Staff Members Of course no organisation can fully protect themselves from insider threats by simply introducing a robust screening process at application stage. CIFAS research has highlighted that the average length of service before a fraud was discovered was six and a half years. This closely matches KPMG’s finding of 41 per cent of internal fraud committed by those who were in the organisation for more than six years. The large proportions of these frauds include dishonest actions such as theft/deception (e.g. stealing cash from customers, or submitting false expenses). It is not only the theft of cash that organisations must consider when looking at their internal fraud prevention strategy. The theft of data is a very serious threat that has direct parallels to the external risks many organisations are already tackling. The external threat of organised criminals to an organisation’s data is easily appreciated and most organisations have long been putting counter fraud measures in place to stop a remote attack. But what about when these gangs approach members of staff, offering payment in exchange for customer data? Or when someone is planted inside an organisation purely to commit such frauds? What steps are in place to stop these individuals downloading customers’ details and passing them on for use in identity fraud? While the number of cases of data theft has always been proportionally smaller (compared with other internal frauds), when you consider that just one instance can involve thousands of customer records, the impact becomes obvious. Over 60 per cent of fraud filed to the CIFAS National

crigroup.com | 9

Fraud Database was a data driven identity crime in 2013, and the National Fraud Authority reported the cost of identity fraud in the UK as £3.3 billion. How much of this therefore was enabled by data obtained from inside an organisation? Once again, when viewed in a larger picture, the threat and need for proper internal controls becomes even clearer.

size of the initial fraud the true cost can be (on average) up to four times higher. A full copy of the report can be found on the CIFAS website (www.CIFAS.org.uk).

Prevention Is the First and Best Step

No organisation can successfully promote safe practice to its customers without taking the threat of internal fraud seriThe True Costs ously. Fraud is fraud, A common factor whether it is comin all internal fraud mitted by an insider is that the cost or an outsider. While will always exceed eliminating the any initial amount risk is impossible, stolen. The cost putting measures in of investigation, place to prevent it legal fees, possible and project a clear fines, compensaof fraudsters are employed message of zero tion to customers by the victim organisation tolerance is not. have to be taken The Internal Fraud Source: KPMG’s Global Profile of the Fraudster into consideration Database can add to and then there are this effort by makthe unquantifiable ing vetting process extras: morale, damage to an organisation’s more robust, and providing a real deterreputation and so on. Research conducted rent through filing confirmed fraud cases. last year by CIFAS and the University of By ensuring that all organisations adhere Portsmouth looked into the true cost of to data protection laws, CIFAS insists that insider fraud and found that whatever the the use of the database is openly communicated both to current and potential staff. Costs of This not only adds to the deterrent effect, Investigation Staff Sickness/ but also helps to underline the message Intangible Suspension Costs Costs that every effort is being made to protect the honest majority of staff from working Fraud Losses alongside fraudsters, and that the protecInternal Disciplinary Misc. Costs tion of customers’ details and an organisaCosts tion’s assets (including its staff ) are of the highest importance.

61%

Staff Replacement Costs

External Sanction Costs

Figure 1: Cost elements incurred by insider fraud (The True Cost of Insider Fraud, CIFAS, November 2013)

10 | fraud360 | ISSUE 3 2014

about the author Sophie Keen is Internal Fraud Recruitment Manager at CIFAS – The UK’s Fraud Prevention Service. She can be reached at Internal.fraud.@cifas.org.uk.

foreign corrupt practices act

Anti-Corruption

Compliance

Mitigating Risks of ThirdParty Misconduct BY KEITH KORENCHUK MARCUS ASNER SAMUEL WITTEN

N

early every multi-national company does business using a combination of its own employees and third parties it hires to help perform essential tasks. Companies routinely engage third party agents to assist in winning government contracts or to obtain permits to do business and perform services. Third-party agents also help companies comply with local law and regulations, and with the tasks

of moving personnel and goods across borders. But while third parties often can serve key roles in a company’s business, in today’s environment of heightened enforcement of anticorruption laws they may expose a company to major liabilities if those third parties act corruptly in violation of applicable law. Under the U.S. Foreign Corrupt Practices Act1 (FCPA), the UK Bribery Act2 and many other anticorruption laws, a company can

Reproduced with permission from Securities Regulation & Law Report, 45 SRLR 1839, 10/07/2013. © 2013 by The Bureau of National Affairs, Inc. (800-372-1033) www.bna.com

crigroup.com | 11

be held liable not only for the corrupt actions of its employees, but also a third party’s actions when that third party acts on its behalf. The FCPA, for example, prohibits offering or paying a bribe or something of value to a foreign government official ‘‘for the purpose of obtaining or retaining business for or with, or directing business to, any person,’’ including where the bribe or offer is made indirectly through a third party.3 U.S. criminal law has an expansive view of corporate criminality, under which an agent’s criminal acts may lead to a corporate criminal conviction.4 The UK traditionally has had a much more narrow concept of corporate criminality, but vastly expanded criminal liability in Section 7 of the Bribery Act so that a corporation may be held responsible criminally if it fails to have adequate procedures to prevent a third party agent from bribing. To reduce the risk of liability, companies need to be vigilant in selecting and monitoring the third parties that act on their behalf. To meet the expectations of governments worldwide, this means developing and implementing a rigorous third-party due diligence procedure to properly identify, mitigate and respond to the specific risks associated with the use of third parties. Effective due diligence will help a company guard against having a third party acting corruptly, but it also will help mitigate any exposure if the third party nevertheless acts corruptly, contrary to the company’s wishes. This article outlines the key legal considerations and practical steps companies can take to protect themselves from undue risks in working with third parties.

Overview of Legal Framework There are many types of third-party actions that regularly implicate anti-corruption laws such as the FCPA or the Bribery Act. For example, in the area of government procurement, third parties might seek

12 | fraud360 | ISSUE 3 2014

to obtain lucrative contracts by offering bribes to government officials with decision-making authority on issues ranging from the structure of the contract bidding or procurement process to the selection of the winner and the administration of the contract. Outside of procurement, many other third parties interact on behalf of companies with government officials: regulatory agents (such as vehicle licensing agents and visa processors), shipping agents (such as customs brokers and freight forwarders), and professional services providers (such as lawyers, accountants, regulatory consultants, travel agencies interacting with government officials, and lobbyists) regularly deal with government authorities. Significantly, a bribe for purposes of the FCPA can include not only money but ‘‘anything of value,’’5 which could include, for example, gifts, meals, entertainment and travel. In a large number of settled cases, companies have been held liable for the conduct of third parties operating on their behalf.6 For example, on 29 May 2013, Total S.A. (Total), a French oil and gas company whose securities trade on the New York Stock Exchange, resolved parallel enforcement actions brought by the Justice Department and the Securities and Exchange Commission based on allegations that the company violated the FCPA by paying over US$60 million in bribes to intermediaries of an Iranian official as part of a scheme to obtain and retain oil rights in Iran.7 On 22 April 2013, Ralph Lauren Corporation (Ralph Lauren) resolved parallel FCPA investigations actions through a non-prosecution agreement (NPA) with the SEC — the Commission’s first-ever NPA in a matter involving the FCPA — and a separate NPA with the DOJ. The SEC and DOJ investigations stemmed from bribes allegedly paid by Ralph Lauren’s subsidiary in Argentina (RLC Argentina) to government officials.

According to the SEC’s NPA, between 2005 and 2009 the General Manager and other employees of RLC Argentina approved approximately US$568,000 in payments to a customs broker to bribe Argentine customs officials in order to secure the importation of Ralph Lauren products into Argentina.8 The corrupt payments included agreements with consultants to pay bribes

worse, an individual company employee also can be held criminally responsible for the agent’s crimes if the employee knew of the agent’s deed or if she was aware of a ‘‘high probability’’ that the agent was bribing someone (unless the employee actually believed that the agent was not paying bribes).9 Thus, both the company itself and its individual employees who are

To reduce the risk of liability, companies need to be vigilant in selecting and monitoring the third parties that act on their behalf.

in exchange for contracts and nonpublic information regarding tenders, as well as payments to consultants who never performed work for the company. U.S. regulators have vigorously enforced cases involving third parties and DOJ has made clear in its recent series of deferred prosecution agreements under the FCPA that companies must develop and implement robust anti-corruption compliance programmes to guard against corrupt payments by third parties. U.S. corporate criminal law is especially onerous. Under U.S. law, companies technically can be liable if the agent pays a bribe to help the company obtain or retain business, even if the bribed was not approved by a company employee. To make matters

supervising third parties will be well served to provide oversight of the conduct of their agents to ensure their activities are lawful. Conducting appropriate due diligence as part of a robust compliance programme also helps a company if a third-party agent, despite the company’s due diligence, nevertheless violates the anti-corruption laws. Under the U.S. Attorney Manual, federal prosecutors will consider the existence and effectiveness of the company’s compliance programme when deciding whether to charge the company criminally.10 Moreover, if a corporation is criminally charged, the fact that it has an effective compliance programme can help mitigate the penalty under the United States Sentencing Guidelines.11 The UK Bribery Act takes things a

crigroup.com | 13

step further. Under the Bribery Act, having an effective compliance programme can serve as an affirmative defence, absolving the corporation of any criminal liability.12 Third party liability is of particular concern under the FCPA and other anti-corruption laws because third parties conducting business in other countries often operate under different cultural norms and expectations, and some third parties may view illicit actions as consistent with, and even necessary for success, in local markets.13 The following steps provide a roadmap, based on our experience in assisting companies worldwide in designing, implementing, and operating third-party due diligence procedures, combined with our analysis of language on third-party reviews in recent FCPA deferred prosecution agreements.14

Implementing an Appropriate ThirdParty Due Diligence Procedure As detailed below, a properly designed third-party, anti-corruption due diligence procedure will have a number of essential elements, all of which should be implemented for the effort to be effective. • The framework should be based upon a risk assessment of how the company conducts business, how, when, where and why it uses third parties, and how it supervises the work of those third parties. • The diligence procedures should be formalised in writing as a policy or procedure, and should be supported by a clear top-down instruction about the importance of following those procedures (the ‘‘tone at the top’’ must be clear). • Third parties who are ‘‘in scope’’ for the review need to be determined; for example, third parties that interact with government officials15 in known risk areas and/or working in high-risk locations for corruption typically would be good candidates for due diligence.

14 | fraud360 | ISSUE 3 2014

• The nature of the review should be risk-based, varying by the nature of the anticipated interaction with the governments. • The company should use contractual clauses and certifications from the third parties to formalise the commitment to compliance, employ mechanisms to provide effective oversight of third-party conduct, and in appropriate cases, train third-party agents on company policies and procedures. • The company should monitor and audit the company’s payment to third parties, including in many cases the payments made by the third parties, to ensure that the third party’s actions comply with the company’s policies and relevant anticorruption laws. • All due diligence of third parties should be documented to ensure that there is a record of consideration of risks and appropriate supporting documentation should be retained in an easily accessible database. • Finally, the company should consider who should actually conduct and oversee the review procedure, as every company should organise its compliance framework to meet its particular needs with decisions being made at the appropriate local, regional and global levels. To facilitate implementing these programme elements, the following analytical framework is suggested. 1. Risk Assessment The first step to implementing any due diligence review is a well considered cost/benefit analysis and risk assessment of the hiring, retention, and oversight of third parties.16 Every company will have a different assessment process depending on a number of factors, such as the types of business in which

the company is engaged, actions contemplated can be handled ‘‘in house.’’ the markets in which it Performing a function in operates, the contemplated house frequently brings interactions with governThe nature of the with it better oversight, ment officials, the types of third parties typically used review should be more accountability and potentially significant costfor such interactions, the risk-based, savings. Because a compaway the company is govvarying by the ny generally has less conerned, and the company’s trol over third parties than anticipated growth and nature of the it would over its own interbusiness plan. A risk assessanticipated nal operations, a company ment identifies key types of should consider whether interaction with interactions creating risk, potential liability the types and locations of the governments. the engendered by the use of third parties who perform third parties is appropriate work on behalf of the comand worth the risk in each pany and the frequency of particular situation. those interactions. A comprehensive risk assessment serves as the 2. Clearly Articulated Written cornerstone of the design and operation of Policies and Procedures Once a company the third-party due diligence review proconducts its assessment and confirms the cedure, as it informs such key programme necessity of using third parties for particudesign questions such as the scope, intenlar tasks, the next step is to develop and sity, resources, organisation and controls implement clear anti-corruption policies in the review. It need not be a lengthy or and procedures detailing the third-party complex process. review. These policies and procedures In terms of assessing risk another task is must be known to all company directors, to evaluate certain functions of employees officers, and employees as well as to actual (and the third parties they supervise) that and potential third parties.17 These written by their nature create incentives for the use materials should: of bribery. For example, if compensation • Provide a framework for identifying, for a particular employee is based on obreporting and resolving warning signs of taining regulatory approvals, the employee corruption arising out of the third-party might have incentives to bribe to ensure review. that such approvals are forthcoming, and • Minimise actual corruption risks. may hire regulatory agents who might be prone to doing the same. In other words, if • Ensure the company is partnering with the employees have incentives, those same appropriately qualified third parties for incentives will exist for the third parties, proper business purposes. but the company may have less control The risk assessment and the written over the third party, making the risk of corpolicies and procedures the company creates will drive the questions asked in the ruption greater. A key threshold question is whether actual review process outlined below. the use of any particular third party is Most importantly, the written policies necessary to achieve the company’s and procedures cannot be simply anbusiness objectives or whether the nounced on paper — they must be

crigroup.com | 15

accompanied by clear support from the top of the company that the compliance framework in general and the review of third parties in particular are essential and non-discretionary, and that there are substantial consequences for failing to follow the review procedure. In some circumstances, third parties interacting with government employees should themselves receive training directly from the company to help ensure that they understand the policies and procedures and the consequences of non-compliance.

the third party is not in scope (e.g., it is not expected to have dealings with foreign governmental authorities on behalf of the company or otherwise not subject to additional scrutiny), then companies may choose to limit or adapt the due diligence described below or may decide it is ultimately unnecessary.18

4. Heightened Review for Third Parties In Scope For those third parties in scope, a review should follow, both in vetting for suitability and risk signs and in overseeing their work 3. Which Third for the company. The Parties Are ‘In Scope’? type, scope and control/ The first level of review decision-making strucis to determine which ture of such a review third parties are ‘‘in will be a highly indiscope,’’ and thus subvidualised decision for ject to heightened due each company, based diligence review. In this Accountability of those on important issues of respect, all third parties timing, manner and the conducting the review that deal with foreign depth of review of existfor the company is government officials ing third parties and on behalf of a company essential for success. new third parties. Howpresent corruption risks ever, there are some and should therefore common elements that be presumptively in should be present in scope. Because each company will need to any effective procedure: develop its risk analysis based on its own • After the initial determination of which circumstances, it may decide that certain third parties are in scope, the company third parties are automatically in scope should ask those parties preliminary if they have contracts with the company questions on a variety of relevant issues, over a certain monetary threshold. Comincluding, but not limited to, qualificapanies may also want to consider the tion to perform the work, staffing, level type of government interactions likely to of experience, references and company be pursued by third parties and also the history. These responses are typically country or countries in which the third provided by the third party in a written party operates. For example, because of questionnaire. endemic corruption risks in a particular • The company should also conduct refercountry, a company may decide that all ence checks with other parties with third parties operating in that country are whom the third party conducts business, in scope, even if their primary responsibilibut should not include any references ties do not include significant government who may receive compensation from interactions on behalf of the company. If

16 | fraud360 | ISSUE 3 2014

the third party under review. The results of these inquiries should be thoroughly documented. • A background search for news concerning the third party’s prior conduct — as well as the conduct of the third party’s owners, officers, directors, senior management, and those executives who are principally involved in the relationship with the company — is also an essential part of the review. These searches will also assist in identifying any connections or relationships with government officials. Options for conducting these types of searches include commercial databases, the Internet, local news sources, the local U.S. or other relevant embassy, or a combination of these resources. • During any review, company personnel should be alert for the classic warning signs of corruption, such as excessive requests for compensation, substantial amounts sought in advance, payments going to third-party subcontractors, payment only upon ‘‘success,’’ or involvement of government officials in the company or its operations. If there are still questions or unresolved warning signs, the company should always leave open the option of a further review with additional follow up questions and due diligence review relating to actual or possible problems, which could involve further questions, a background search and/or a site visit. The situation may also require the hiring of an outside expert to conduct a more detailed diligence review. • In the course of conducting the due diligence review, if warning signs cannot be resolved, the company may decline to begin a relationship with a new third party or terminate its relationship with an existing third party. Companies may seek to address potential warning signs — if possible and prudent — through

enhanced reporting, more training, a more robust compliance programme for the third party, anti-corruption contract clauses, more auditing, ongoing monitoring and/or other risk mitigation strategies. • Once a third party completes the review, the company should establish a policy on how often a third party should be subject to a new review. Many companies will elect to review each third party relationship at set periods, for example, every two to three years, or sooner if there is a fundamental change in the relationship. 5. Tools A Company May Use To Mitigate Corruption Risks with Third Parties Companies should have available a number of tools to mitigate third-party corruption risks. The finance function at the company should conduct an independent review of any expenses and reimbursement requests sought by the third party prior to authorisation of payment. This might include checking claims for payment against the obligations under the contract, ensuring adequate supporting documentation exists, and generally being alert for warning signs of corruption. The company should also require annual compliance certifications. Finally, companies should include standard anti-corruption provisions in third-party contracts. Depending on the circumstances, and as noted very clearly by the DOJ in recent deferred prosecution agreements, these contractual clauses could include: a. anti-corruption representations and undertakings relating to compliance with the anti-corruption laws; b. rights to conduct audits of the books and records of the agent or business partner [third party] to ensure compliance with the foregoing; and »» continued on page 33

crigroup.com | 17

CORRUPTION PERCEPTIONS INDEX 2013

VERY CLEAN rk enma 91 D 91 New Ze aland

SCORE

90-100

SCORE

Netherlands

d

78 G

in dK

s

ado Barb

e nc

e

Fra

es

Bahamas

Chil

ta t

y

in

Ca

pe

Lithuania

SCORE

lta

a nd

a

a

50

eri

a

Jam

Lib ea

n

ria

me

SCORE Very Clean

Corrupt

nis

0-9

tan

10-19

20-29 30-39 40-49

50-59

60-69

70-79

80-89

90-100

No da

tan kis

South Suda

SUB-SAHARAN AFRICA 90% score below 50

50 Highly

Syria Tur k

11

Top: Denmark Bottom: Greece

Yemen

10-19

be

(N ort h) Afgha nistan 8

CORRUPTION PERCEPTIONS INDEX 2013

EU & WESTERN EUROPE 23% score below 50

Top: Botswana Bottom: Somalia

Haiti

Uz

Ko rea

sau

Bis

ea-

in Gu

SCORE

Libya

18 | fraud360 | ISSUE 3 2014

0-9

50

lG

had 19 C

ua to Eq

ire

an

ican al Afr

vo

Iraq

Centr

h

Sud

Repu blic Cameroon

Iran

ria

ine

ua

na ya Gu ya Ken s dura Hon hstan Kazak

Uganda

Laos

Pa p

des

SCORE

8

Top: Turkey Bottom: Turkmenistan, Uzbekistan

The perceived levels of public sector corruption in 177 countries/territories 50 around the world.

uin

n

gla

d´I

EASTERN EUROPE & CENTRAL ASIA 95% score below 50

Top: United Arab Emirates Bottom: Sudan

sia

Ban te

enia

go

MIDDLE EAST & NORTH AFRICA 84% score below 50

bia Gam non Leba ascar Madag

Rus

Nig e

aic

El Sa

lvad

or

a Faso

39 Swaziland

Panam a Moldova

Bo livi Arg a ent ina Tha iland

bia lom Co uti bo Dji India pines Philip Suriname

Domin ican R epubli Gua c tem a la Tog o Az erb aij an

nin

Nicaragua

Cô

a

ria

Arm

Be

Ecuador

29 Belarus

Brazil

Serb ia e & Prin cipe

Sao Tom

Sri Lank

Pakista

alia

idad Trin ia a Z mb

Alge

ros

20-29

ba & To

Morocco

Mali

Som

eru

Malawi

ia Ethiop r Nige o xic e M n bo Ga

SCORE

y Paragua n yzsta g r y K nea i u G ne rai Uk

a

oli

ng

Mo

SCORE

mo

Angola

Gu

Burkin

Latv

Costa Rica

ia

49 G Les eorgia oth o hr ain Rw a

Ba ria

a

lga

m

fric

50

30-39

Kosovo

Co

c

Ne w

30 Timor-Leste Leone Sierra

ique

tna

ia

th A

)

Top: New Zealand Bottom: Afghanistan, Korea (North)

P

Tanzania

Congo Republi

HIGHLY CORRUPT

amb

Moz

Vie

tan

uri

Ma

ela 20 Venezu ea Eritr

e

bw

a

ba

i bod

Zim

Cam

ma r Bu run di Tajik ista n DR of the Co ngo

uth

(So

y

Sau di A rabia Jor Ne d pa Ma an l Alb ce a n do ia nia Indo n esia (FY R) Egypt

gro ne nte Mo y Ital ait Kuw ia Roman a Bosnia & Herzegovin

Bu

rea

gar

Seychelles

Hun

Slovakia Cuba Ghana

SCORE

50

ASIA PACIFIC 64% score below 50

a c ati ubli Cro h Rep c e z C ibia Nam Oman

40-49

Top: Canada Bottom: Haiti

Ma Ko

M

AMERICAS 66% score below 50

Slovenia

tius

i aur

an

inica

50-59

sia

Gree

rd Ve

Dom

Malay

My

Countries and territories in the Corruption Perceptions Index are scored and ranked. The colour indicates the level of perceived corruption and the size of the circle shows the percentage of countries that fall within the score range. Countries are listed in order of rank going clockwise.

e

59

al tug

irates

wana Bots

Cyprus

tar Qa

Por

b Em

ia

Turkey 50

Sou

How to read the infographic

Highly Corrupt

Spa

on

Bhutan

Pu

d Ara

Est

o

ic oR

ert

ce 40 a Chin isia n u l T ga ne Se

20-29

0-9

Unite

es

St V

30-39

69 Austria

60-69

adin

ren

Scoring less than 50 out of 100, almost 70 per cent of countries are perceived to have a serious corruption problem. No country achieves a perfect score. How corrupt is your country?

40-49

10-19 SCORE

Israel

&G

50-59

dS it e Un

Taiwan

Ireland

0

nei

nt ince

60-69

Kong

an

d6

Bru

Belgium

Jap ua Urug

lan

71

We all know corruption is a problem, but how bad is it? For the Corruption Perceptions Index 2013, we ranked 177 countries and territories around the world on their perceived levels of public sector corruption. Here are the results.

70-79

Hong

SCORE

Sain

Po

80-89

ite

Un

70-79 cia t Lu

90-100

om

gd

Ice

Can ada Australia

Swed en No rw ay

re po ga Sin nd zerla Swit

rg

ou

mb

xe

Lu

80

erma

80-89

Very Clean

ny

89 Finland

lan

SCORE

RANK COUNTRY/TERRITORY SCORE

21

Ireland

72

RANK COUNTRY/TERRIT

1

Denmark

41

Cape Verde

1

New Zealand

91

22

Chile

71

41

Dominica

3

Finland

89

22

France

71

43

Lithuania

3

Sweden

89

22

Saint Lucia

71

43

Slovenia

5

Norway

86

26

Austria

69

45

Malta

5

Singapore

86

26

United Arab

69

46

Korea (South)

91 71 BahamasAll rights reserved. © 2013 Transparency 22 International.

Corruption Perceptions Index Released Transparency International’s Corruption Perceptions Index 2013 offers a warning that the abuse of power, secret dealings and bribery continue to ravage societies around the world. More than two thirds of the 177 countries in the 2013 index score below 50, on a scale from 0 (perceived to be highly corrupt) to 100 (perceived to be very clean). “The Corruption Perceptions Index 2013 demonstrates that all countries still face the threat of corruption at all levels of government, from the issuing of local permits to the enforcement of laws and

capture, campaign finance and the oversight of big public contracts which remain major corruption risks.” The Corruption Perceptions Index is based on experts’ opinions of public sector corruption. Countries’ scores can be helped by strong access to information systems and rules governing the behaviour of those in public positions, while a lack of accountability across the public sector coupled with ineffective public institutions hurts these perceptions. The For perceived of public sector more levels information, corruption in 177 countries/territories visit transparency.org/cpi. around the world.

regulations,” said Huguette Labelle, Chair of Transparency International.

Corruption Perceptions Index 2013: The Results In the Corruption Perceptions Index 2013, Denmark and New Zealand tie for first place with scores of 91. Afghanistan, North Korea and Somalia this year make up the worst performers, scoring just 8 points each. “The top performers clearly reveal how transparency supports accountability and can stop corruption,” said Labelle. “Still, the better performers face issues like state

CORRUPTION PERCEPTIONS INDEX 2013 SCORE Highly Corrupt

Ve C 0-9

RANK COUNTRY/TERRITORY SCORE

CORRUPTION PERCEPTIONS INDEX 2013

Oman

Cuba

Ghana

Jordan

Suriname

36

140

Kazakhstan

102

Ecuador

35

119

Timor-Leste

30

140

46

82

Swaziland

39

102

Moldova

35

123

Belarus

29

140

123

29

123

Dominican Republic Guatemala

29

144

123

Togo

29

144

127

Azerbaijan

28

144

127

Comoros

28

144

127

Gambia

28

144

127

Lebanon

28

150

127

Madagascar

28

150

127

Mali

28

150

127

Nicaragua

28

153

127

Pakistan

28

154

127

Russia

28

136

Bangladesh

27

136

Côte d´Ivoire

27

154

136

Guyana

27

157

136

Kenya

27

157

140

Honduras

26

20 26 Laos 160 Cambodia RANK COUNTRY/TERRITORY SCORE 21 Ireland 20 26 Uganda 160 Eritrea 91 Denmark Bahamas 20 1 22 25 Cameroon 160 Venezuela 91 New Zealand Chile 1 African 22 19 Chad 25 Central 163 Republic 89 Finland France 3 22 Guinea 19 163 Equatorial Iran 3 89 Sweden 25 Saint Lucia 22 19 163 Guinea-Bissau Nigeria 86 Norway 25 Austria 19 5 163 Haiti 26 Papua Guinea 25 86 United Arab 5 NewSingapore 26 18 167 Yemen Emirates 25 Ukraine 85 Switzerland 7 168 Syria28 Estonia 17 24 Guinea 83 Netherlands 8 17 168 Turkmenistan Qatar 28 Kyrgyzstan 81 Australia 24 9 17 168 Uzbekistan Botswana 30 24 Paraguay 81 Canada 9 16 171 Iraq 31 Bhutan 23 Angola 80 Luxembourg 11 15 172 Libya31 Cyprus Congo 78 Germany 22 12 Republic 14 Sudan 173 South Portugal 33 22 Democratic 78 12 ofIceland 11 Republic the 174 Sudan Puerto Rico 33 76 Congo United Kingdom 14 8 and 175 Afghanistan Saint Vincent 33 Tajikistan 75 Barbados22 the Grenadines 15 8 175 Korea (North) Burundi 75 Israel Belgium 21 36 15 8 175 Somalia 21 Myanmar 75 Taiwan Hong Kong 36 15

157

83

Burkina Faso

38

102

Panama

35

46

83

El Salvador

38

102

Thailand

35

45

83

Jamaica

38

106

Argentina

34

38

106

Bolivia

34

106

Gabon

34

106

Mexico

34

106

Niger

34

44

83

44

83

Mongolia

38

43

83

Peru

38

43

83

38

83

Trinidad and Tobago Zambia

38

111

Ethiopia

33

91

Malawi

37

111

Kosovo

33

Morocco

37

111

Tanzania

33

Egypt

32

43

Bosnia and Herzegovina Brazil

42

Sao Tome and Principe Serbia

South Africa

Bulgaria

114 sector The42perceived levels of37public Sri Lanka 91 114 Indonesia 36 Algeria 94 corruption in 177 countries/territories 42 116 Albania 36 Armenia 94 42 116 Nepal around the world. 36 Benin 94 41 42

Senegal

91

41

Tunisia

41

China ata

40

32 31 31

94

Colombia

36

116

Vietnam

31

94

Djibouti

36

119

Mauritania

30

94

India

36

119

Mozambique

30

94

Philippines

36

119

Sierra Leone

30

144

154

21 Zimbabwe Japan 18 United States 19

19

SCORE

TORY SCORE

HighlyOman Corrupt Slovakia Cuba0-9

RANK COUNTRY/TERRITORY SCORE

61

47

58

61

58

63

Greece 20-29 30-39Swaziland 40-49 50-59 46 82

57

63

57 56 55

40

47

80

Ghana

46

83

Burkina Faso

38

63

Saudi Arabia

46

83

El Salvador

38

66

Jordan

45

83

Jamaica

38

10-19

RANKMacedonia COUNTRY/TERRITORY Ireland Liberia (FYR) 44 SCORE 83 21 67

60-69 39

38

94

Suriname

Ecuador 70-79 Moldova 80-89 90-100 102 102 Panama 102

Very 36 Clean 35

Timor-Leste

data Belarus 35 No123 35

102

Thailand

35

106

Argentina

34

Uruguay

RANK COUNTRY/TERRITORY SCORE 119 123 123

Dominican Republic Guatemala

123 Togo RANK COUNTRY/TERRITORY SCORE 34 106 72Bolivia

26

61

80-89

90-100

RANK COUNTRY/TERRITORY SCORE

94

Montenegro

Romania

70-79

40

Macedonia (FYR)

Kuwait

60-69

Greece

Liberia

Italy

50-59

80

46

Saudi Arabia

RANK COUNTRY/TERRITORY SCORE

20-29 30-39 40-49

47

47

Slovakia

10-19

72

RANK COUNT

71

41

Cape

71

41

Domi

71

43

Lithua

71

43

Slove

69

45

Malta

69

46

Korea

47

Hung

47

Seych

49

Costa

49

Latvia

49

Rwan

52

Maur

53

Malay

53

Turke

55

Georg

61

55

Lesot

61

57

Bahra

68 68 64 63 63 62 62 62

74

38

Brunei

60

57

Croat

73

38

Poland

60

57

Czec

73

40

Spain

59

57

Nami

#stopthecorrupt RANK COUNTRY/TERRITORY 26 www.transparency.org/cpi 140 Kazakhstan

SCORE

20 26 160 Cambodia 140 Laos © 2013 International. 26 All rights 29 Transparency 20 Eritrea 160reserved. 140 Uganda 29 20 25 160 Venezuela 144 Cameroon 19 Chad 25 Central African 163 144 29 crigroup.com | 1919 Republic Equatorial Guinea 163 29 Iran RANK25 COUNTRY/TERRITORY SCORE 1994 47 Oman 144 163 Guinea-Bissau 30

HOW TO COMBAT

MANAGEMENT

FRAUD A critical analysis to setting the tone at the top

By Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI, CII, MIPI Group Chief Executive Officer Corporate Research and Investigations LLC

The recent financial crisis suffered on a European-wide level has focused a lot of attention on fraud, as well as unethical business activities. The apparent lack of regulations and the consequential financial mismanagement it provokes has brought to light a number of cases of fraud and contract fraud. This has particularly been the case in the context of large corporations and fraud of corporate managers. The recently-revealed ‘bonus culture’ highlights a central cause of perhaps the most major instances of fraud that pose a risk to organisations. Corporate management more often than not focuses its attention on being awarded huge bonuses rather than effectively managing organisations.

This has resulted in shareholder deception and highlights the need for greater attention to be attached to external mechanisms in combatting fraud. The public has become recently aware of huge bonuses that have been rewarded to directors, causing outrage most prominently when compared to the huge losses that have been experienced by consumers and shareholders. The recent crisis has ultimately unveiled huge inconsistencies and a prominent lack of efficiency in external legal mechanisms and regulations, which seek to monitor and prevent fraud and contract fraud.

It can be concluded that the UK’s response to fraud within an organisational context consists of a broad number of legal and regulatory mechanisms. This has resulted in fraud being potentially dealt with through civil, company and criminal law, as well as external and internal methods of combatting fraud. A comparison of the existing mechanisms suggests that perhaps a more concentrated approach is necessary which retains both internal and external methods of combatting fraud, but which also avoids the confusion that often a arises as a result of a mixed civil/criminal/ company law approach. However, it is similarly

crigroup.com | 21

The FSA, for example, was unable to effectively regulate and monitor Northern Rock, which resulted in its

hugely damaging

collapse. important to point out that organisations concern many broad principles and concepts, and that a single approach to combatting fraud would perhaps not be suitable or practical. For example, it is evident that the issue of directors’ duties is a vast and important issue which is relevant to fraud but which also concerns other important topics that are not restricted to fraud. Therefore, its implementation through the Companies Act 2006 as a separate field is both realistic and suitable. However, the overall attempt to combat fraud within the UK is clearly

22 | fraud360 | ISSUE 3 2014

lacking, and it is evident that looking towards examples from other jurisdictions could prove helpful. The criminal nature of fraud suggests that it should be kept within the criminal law realm in the UK, though this does not eradicate the potential for special regulatory bodies to be formed solely for the purpose of combatting fraud. For example, the U.S.’s Security and Exchange Commission (SEC) has proven to be a powerful body in the attempt to combat fraud. The SEC takes an active role in the fight against fraud within an organisational context,

responding harshly to instances of fraud in recognition of the devastating consequences that it can have. In the UK, such harsh responses to fraud are few and far between, which leads one to suggest that if anti-fraud legal mechanisms were to be more closely related to criminal law, then their deterrent effects could contribute greatly to reducing instances of fraud. Existing regulatory bodies in the UK such as the Financial Services Authority are not adequately able to regulate corporate activities. The FSA, for example, was unable to effectively regulate and monitor

Northern Rock, which resulted in its hugely damaging collapse. Such examples demonstrate that liability needs to be assigned to those responsible and that greater effort needs to be invested in the prevention of fraud. This ultimately requires more stringent, enforceable regulations, which are intrusive and hence preventative rather than responsive to huge and devastating instances of fraud. Such mechanisms are of course primarily external, and it is recognised that implementation problems could arise as a result of the need for complex provisions, which may be difficult to apply in practice due to the vast nature of business practices. The question as to whether internal mechanisms would prove suitable in the attempt to combat fraud is similarly important. Although the Code on Corporate Governance is a useful tool in guiding organisations as to the standards they should aspire to, self-regulatory mechanisms struggle when the management of organisations harbors fraudulent intentions. Selfregulation ultimately undermines efforts to combat fraud because a fraudulent management, particularly due to its powerful

position in the organisation, can utilise such regulations to conceal its fraudulent activities. It is generally recognised that “corporations governed by a rational profit-maximizing goal … are inherently disposed to malpractice”. Internal and self-regulatory mechanisms are severely limited in their ability to combat management fraud because blame is difficult to attach to certain individuals. Management decisions are also generally made by a group of individuals, which leads some to conclude that the criminal concept of fraud is difficult to apply to the organisational context because “corporate activities do not fit that paradigm”. Yet this does not mean that company or civil law may be better-equipped to combat fraud. Rather, it seems that the problem is one of complexity and rigidity, despite the fact that some claim that such characteristics can cause legislation to become “impenetrable and ambiguous”. There is however potential for both internal and external mechanisms to be better-formulated to combat fraud. Fraud risk management can form part of an overall programme designed to manage and combat fraud. This could

be implemented through a committee designed to formally oversee and regulate the management of organisations. The committee could be given extensive powers of review and regulation of important decisions, though such powers could be limited to applications made by concerned non-executive directors. It could be funded by the taxpayer in order to ensure that it remains independent. Such funding could be justified because its existence ultimately aids the taxpayer. The members of the committee could be required to have a certain degree of experience in certain fields, which ensures that the expertise of the committee is varied yet competent. No members of the committee should, however, be a member of an existing company, or have been a member for the past ten years for example, in order to prevent corruption. It could also be possible to base the powers of such a committee in legislation. Fraud risk management from an internal point of view should be more closely instilled into the overall objectives of the management board. It is proposed that fraud risk management, if it is implemented as a primary objective of both the management

crigroup.com | 23

board and a regulatory committee, can effectively manage and combat fraud. This draws upon principles of both corporate governance and directors’ duties. Yet internal mechanisms can only go so far in combatting fraud, precisely because the powerful position of the management can enable it to conceal and conduct fraud on a massive scale. External controls in this respect are hence vital, and while they may be more suitable for punishing fraud once it has occurred, the deterrent qualities of harsh criminal punishment should not be understated. Hence, principles of corporate governance, criminal law and directors’ duties combine to provide us with an overall potentially effective response to fraud. This approach is both internal in that it instills a culture of fraud management within the organisational structure, and external in that it provides suitable penal responses to individuals who attempt to take advantage of their powerful position. Corporate governance regulations should therefore attach greater importance to fraud risk management, imposing upon the entirety of the organisational structure

24 | fraud360 | ISSUE 3 2014

certain requirements that are designed to prevent and monitor fraud risks. From a legal point of view, it is clear that directors’ duties contained in the Companies Act 2006 function as far as possible to prevent fraud. Section 172 for example has been

Yet internal mechanisms can only go so far in combatting fraud... described as providing for “greater judicial intervention in corporate decisionmaking” than ever before. It can therefore be concluded that, although the risk of management fraud for organisations is considerably high, there are a number of mechanisms that can be adopted and applied to reduce such a risk. The combined approach which promotes both internal and external risk management mechanisms has the potential to be extremely useful although it is clear that a fraud risk management culture must be developed. This can be achieved through more rigorous principles and requirements

set out by corporate governance; particularly the Code on Good Corporate Governance. The Code and the directors’ duties contained in the Companies Act 2006 have the potential to instill such a culture although the code should be made binding. Fraud cannot, however, be completely eradicated and it is hence necessary for penal responses to be better-refined when applying to the organisational context. Despite criticisms, a criminal law response is perhaps the most suitable, particularly in terms of deterring fraudulent behaviour. Overall, this combined approach to managing the risk of fraud within the organisational context has the greatest potential to combat fraud. ABOUT THE AUTHOR Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI is Chief Executive Officer of CRI Group, a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. CRI Group safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. CRI Group maintains offices in the UAE, Pakistan, Qatar, Hong Kong, Malaysia, Singapore, London and New York.

Global Review EU Makes Pledge Against Corruption The 2013 EU anti-corruption report demonstrated corruption is a persistent problem across the 28 member states of the European Union and that urgent action is needed. Just last month, Transparency International EU’s assessment of corruption risks in EU institutions unearthed major flaws including the absence of mandatory lobbying rules and the growing trend of EU institutions to negotiate laws behind closed doors. Corruption damages society and the economy and creates an uncompetitive environment for business. It wastes public money and degrades public institutions. We need to be able to rely on the EU and its institutions to help stamp out corruption.

A good starting point is to gain commitments from Members of the European Parliament (MEPs), who are up for election this month. We will hear much rhetoric in the campaign about how the EU institutions are wasteful, and how the European Commission lets other countries get away with poor behaviour while Britain faithfully implements all the Brussels directives. Those messages from MEPs and political parties will have much more credibility if they commit to doing something about it.

Across Europe, TI chapters have written to the political parties whose candidates are standing for election to the European Parliament this month. We have asked them to sign a simple AntiCorruption Pledge, whose full text you can read online at anticorruptionpledge.eu/static/pledge. pdf. In summary, we are asking each party to ensure its MEPs work to achieve the following aims: 1. The governance and law-making of EU institutions will become

Index Names Top 10 Highest Risk Countries for Corruption 1

AFGHANISTAN

6

GUINEA-BISSAU

2

IRAN

7

HAITI

3

CAMBODIA

8

MALI

4

TAJIKISTAN

9

SWAZILAND

5

IRAQ

10

MOZAMBIQUE

Risk index: 8.55 Risk index: 8.48

Risk index: 8.35

Risk index: 8.27

Risk index: 8.19

Risk index: 8.17 Risk index: 8.09

Risk index: 7.95

Risk index: 7.90

The Basel AML Index is a country risk ranking to measure the risk of money laundering/ terrorist financing and other relevant aspects, such as financial standards and public transparency. The Basel AML Index aggregates third party data from sources such as the FATF, World Bank and the World Economic Forum to assess a country’s overall money laundering risk. For information and the full index, visit http://tinyurl.com/m67pomx.

Risk index: 7.90

crigroup.com | 25

a global model of transparency, accountability and integrity, establishing the highest standards. 2. The EU will promote greater integrity and transparency in public spending. 3. The EU will promote initiatives and legislation that will provide effective protection to whistleblowers in the public, private and non-profit sectors. The letter has been sent to the Conservative Party, Green Party, Labour Party, Liberal Democrats and UKIP. We will publish details on our website of the parties that have, and have not, signed the AntiCorruption Pledge, and be speaking to the media about the importance of combating corruption in the EU and its institutions. After the election, we will hope to arrange a meeting with MEPs to discuss in more detail how the pledge commitments can be implemented and, where necessary, to provide further information on corruption in the EU and its institutions. — By Robert Barrington, Transparency International

26 | fraud360 | ISSUE 3 2014

Global Cybercrime

Dominated by 50 Core Groups Cybercrime in 2013 was dominated by a core of around 50 active groups, including Russian and Chinese ‘threat actors’ whose activities are only now coming to light, a report from monitoring firm CrowdStrike has found. Using an approach that foregrounds the ‘threat actors’ above the malware itself, the firm divides groups according to whether they are deemed to be motivated primarily by national, political and purely commercial motives At first, the categorisation system looks more like a blizzard of inscrutable names, with major cyber-groups including ‘Numbered Panda’, ‘Magic Kitten’, ‘Energetic Bear’ and Deadeye Jackal. But the underlying system explains things a little clearer — nationstate groups from China are always ‘pandas’, groups tied to politics rather than nation are ‘jackals’ and professional cybercriminals are always ‘Spiders’. The most active groups included the Syrian Electronic Army (SEA) and a range of Chinese groups but this much was already known. More interesting, CrowdStrike thinks it has discovered a few that are

less well documented, including ‘Emissary Panda’ and ‘Energetic Bear’, as their codenames would suggest the first being a Chinese group the second Russian. Emissary Panda appears to be a recently formed group that goes after the hightech sector, defence firms and embassies in a clutch of targets countries. More significant perhaps is Energetic Bear, which has been going after energy-sector firms. Beyond energy firms, targets have included European governments and defence sector firms, engineering firms, and European, U.S. and Asian academics. Its clear to say that cybercrime is becoming a global phenomenon with many more countries likely to see activity from local groups acting as proxies for state subversion in the next year. — By Fraud360 Staff

FATCA Implementation:

What You Need to Know

1 July 2014

$100 billion Estimated revenue lost in 2008 as a result of tax evasion aided by offshore bank accounts.

“

— The U.S. Department of Homeland Security

While complaints about the unilateralism and extraterritoriality of FATCA are not without merit, FATCA has enhanced multilateral cooperation in combating tax evasion, and it has spawned similar legislation and treaties in other jurisdictions.

“

The Foreign Account Tax Compliance Act (FATCA) is a U.S. law aimed at foreign financial institutions (FFIs) and other financial intermediaries to prevent tax evasion by U.S. citizens and residents through use of offshore accounts. The FATCA provisions were included in the HIRE Act, which was signed into U.S. law on 18 March 2010. FATCA will have a farreaching impact on U.S.based companies as well as foreign companies with U.S. assets or clients. Under the new provisions, a FFI may enter into an agreement with U.S. tax authorities (the Internal Revenue Service, or IRS) requiring it, among other things, to report information on the FFI’s U.S. accounts. A FFI that enters into such an agreement becomes a “participating FFI.” If a FFI does not enter into an agreement with the IRS, all relevant U.S.sourced payments, such as dividends and interest paid by U.S. corporations, will be subject to a 30 percent withholding tax. The same 30 per cent withholding tax will also apply to gross sale proceeds from the sale of relevant U.S. property.

FATCA Key Dates

— Law professors Joshua Blank and Ruth Mason

All FFIs must comply with FATCA or be subject to withholding. Given the significant lead times large companies may need to comply with FATCA requirements — particularly for IT system changes — financial leaders are strongly encouraged to act now. — By Fraud360 Staff

• Requirement to implement new individual account onboarding procedures for U.S. Withholding Agents, Participating FFIs, and Registered Deemed-Compliant FFIs • FATCA withholding on Fixed, Determinable, Annual, Periodical (FDAP) income payments to non-participating FFIs, noncompliant NFFEs, and recalcitrant account holders begins • Last date for obligations to be outstanding to qualify as grandfathered obligations and exempt from FATCA withholding (still subject to reporting)

31 December 2014 • U.S. Withholding Agents, Participating FFIs and Registered Deemed-Compliant FFIs must document preexisting entity accounts identified as Prima Facie FFIs. If the FFI signed an agreement after 1 July 2014, the deadline is six months from the effective date of the FFI agreement.

1 January 2015 • Withhold on FDAP payments to undocumented pre-existing NPFFIs (prima facie FFIs) • WAs, USWAs and PFFIs must begin treating undocumented pre-existing prima facie FFIs as NPFFIs after the 31 December 2014 due diligence deadline (or, for PFFIs, six months after the effective date of the FFI agreement, if later) passes until the date the withholding agent obtains documentation sufficient to establish a different Chapter 4 status for the payee. Therefore, all withholding agents must withhold on withholdable payments made to these NPFFIs.

crigroup.com | 27

Survey Finds Economic Crime Rising Globally All Business Sectors, Regions Suffer from Impact of Fraud By FRAUD360 STAFF

E

conomic crime against businesses and other organisations continues to rise around the world. Some 37% of respondents, a 3% rise since 2011, say they have been victims of economic crime, according to PwC’s 2014 Global Economic Crime Survey. And, about 25% say they have been victims of cybercrime, as fraudsters increasingly turn to technology as their main crime tool. PwC’s global survey, the most extensive on the subject, found that theft remains the most common form of economic crime, reported by 69% of respondents. It is followed by procurement fraud, 29%, bribery and corruption, 27%, cybercrime, 24%, and

28 | fraud360 | ISSUE 3 2014

accounting fraud, 22%. Other reported crimes include human resources fraud, money laundering, intellectual property or data theft, mortgage fraud and tax fraud. The exact direct loss associated with economic crime is difficult to assess. Among crime victims, a total of 20% place the financial impact of economic crime on their organisation at more than US$1 million; and 2% of victims — representing 30 organisations — put the impact at more than US$100 million each. For the first time this year, the survey measures procurement fraud, reported by nearly 30% of respondents. Procurement fraud is seen as a double threat,

victimising businesses both in their acquiRespondents from 65 countries and sition of goods and services and in their territories reported that they have expeefforts to compete for new opportunities. rienced economic crime. South African Respondents also report significant colrespondents report the highest level, 69%, lateral damage in such areas as employee up from 60% in 2011. Crime is also growmorale, cited by 31%, and in corporate ing rapidly in the Ukraine, 63% up from reputation and business relationships, 36% three years ago, Russia, 60% vs. 37% in both reported by 17%. Despite the finan2011, and Australia, 57% vs. 47% in 2011. cial and collateral effects of crime, just 3% The survey identified eight emerging of respondents said incidents of fraud have economies — Brazil, Russia, India, China, impacted their company’s share price. South Africa, Turkey, Mexico and Indo“Like a stubborn virus, economic crime nesia — where 40% of total respondents persists despite ongoing efforts to combat said they have experienced economic it. No organisation of any size anywhere crime, reflecting in part a shift in wealth to in the world is immune to the impact of those countries. fraud and other crimes,” said Steven Skalak, PwC Which Industries are Forensic Services partner Most Affected? of and lead editor of the By industry, economic respondents survey. “Those commitcrime is most common said they were ting economic crime in the financial services, succeed by adapting to retail and consumer and victims of fraud shifting global conditions communications sectors. like reliance on technolNearly 50% of responreport ogy and the expansion of dents in each said they cybercrimes emerging economies.” have been crime victims. “Even worse than the Financial services ordirect financial impact ganisations are victims of economic crime is its threat to a wide of high levels of cybercrime and money range of business systems that are the lifelaundering, while retail and consumer and blood of corporate operations. Economic communications companies have sufcrime damages internal processes, erodes fered from most from theft. Hospitality and the integrity of employees and tarnishes leisure, and government both 41%, also reputation,” he added. report high crime levels.

Nearly 40%

25%

Where Does Economic Crime Occur?

Who commits fraud?

Economic crime is a pervasive, global threat. Regionally, economic crime is most prevalent in Africa, where 50% of respondents say they have been victims, though down from 59% in 2011. It is followed by North America, 41%, Eastern Europe, 39%, Latin America and Western Europe, each 35%, Asia Pacific, 32%, and the Middle East, 21%.

Typically economic crime is committed when three conditions are present: life pressure, opportunity and personal rationalisation for the crime. According to the survey, 56% of economic crime is committed by someone inside the company, while 40% is external. There are wide variances by industry, however. In financial services, for example, nearly 60% of crime

crigroup.com | 29

comes from outside the company, while 36% is internal. Globally, a fifth of economic crime is committed by those in senior management, 42% by middle managers and 34% by junior staff. The profile of the typical fraudster is middle-aged males with a college degree

37%

economic crime; 50% said ‘lack of trust’ was a key issue in the marketplace, a sharp increase from 37% a year ago. Bribery and corruption also are ranked among CEOs’ top concerns. For more information and to download the full report, visit www.pwc.com/ crimesurvey.

One in three organisations reports being hit by economic crime in 2014

or higher level of education who have been with their organisation for a substantial period. Globally, almost half of all frauds are committed by employees with six or more years of experience and almost a third are committed by employees with three to five years of experience.

Editor’s note: The 2014 Global Economic crime Survey was completed by 5,128 respondents from 95 countries between August and October 2013. Of the respondents, 50% were senior executives, 35% represented publicly listed companies, and 54% were from organisations with more than 1,000 employees.

Advertise With Us

How is Fraud Found? The survey found that 55% of economic crime is discovered through corporate controls such as reporting of suspicious transactions, internal audit, or fraud risk management. Whistle-blowing systems or tips offs uncover about a quarter of reported crimes, and about one-fifth is uncovered by other means such as law enforcement, the media, or by accident. The survey finds that respondents expect economic crime will continue to increase in the future among nearly all categories. This result was also found in PwC’s 17th Annual CEO Survey. CEOs globally also recognise the impact of

30 | fraud360 | ISSUE 3 2014

To advertise with us, please send an email to pr@CRIGroup.com.

Space is available for Fraud360 magazine as well as our monthly email newsletter, Fraud360 News Brief International. Contact us today for more information.

Organisation Profile The Society of Corporate Compliance and Ethics (SCCE) The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, memberbased professional association. SCCE supports their members’ work with education, news and discussion forums. SCCE is a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions to which CRI is one of those members. Roy Snell is the CEO of SCCE as well as the Health Care Compliance Association (HCCA). Snell was a co-founder and SCCE’s first president. CRI Group had the pleasure of speaking with him at a compliance conference in New York City. CRI: What’s integrity mean to you? RS: Telling the truth. Every time. CRI: To what extent are boards and senior executives in your region taking proactive steps to reduce incidences of fraud and corruption from surfacing within their company? RS: In the U.S. there is a very strong movement to move beyond “talking about doing the right thing” to auditing, investigating and taking disciplinary action when necessary. Companies are implementing compliance and ethics programmes. The enforcement community previously concentrated on holding a company responsible for regulatory infractions and fining that company. The enforcement community has not seen the reaction they were looking for and believe companies are

www.scce.org

too willing to pay a fine and consider it a cost of doing business. Now they are now holding individuals and boards accountable. As a result, senior executives and boards are taking this more seriously and implementing compliance programmes to

prevent find and fix ethical and regulatory problems. The U.S. is moving beyond just telling people to do the right thing — they are enforcing it. CRI: Have there been any significant legal and regulatory developments relevant to corporate fraud and corruption in your region over the past 12-18 months? RS: The most visible regulatory developments have been in the area of antibribery. There have been many large settlements. There are more settlements to come. Some involve companies based outside the U.S. that do business in the U.S. These settlements are so large that it has become “profitable” for the government to invest in more enforcement. There is a positive return on investment. We will see a continued enforcement and regulatory effort involving all regulations. More importantly, many believe that to become an effective player in the global economy your country needs to have a trusted economic environment to conduct business in. The only way for a country to become trusted is to have the rule of law and

crigroup.com | 31

enforce it. Countries that achieve that trust are going to prosper in the global economy. Most countries that have no enforcement are suffering economically. Those in the middle or those that make a half-hearted effort will be less effective and less prosperous in the global economy. CRI: When suspicions of Lara A. Jezeph BSc, CIPR, CMI, CRI Group Marketing & PR Manager – EMEA, interviews fraud or corruption arise Roy Snell, CEO of SCCE, at the Compliance and Ethics Conference in New York. within a firm, what steps Europe that are leading the way in taking should be taken to evalua balanced approach. The rest of the world ate and resolve the potential problem? has yet to appreciate that we must proRS: People need to stay calm and have a tect the whistleblower and the accused. process in place. They need to rely on that Reputations of innocent people are often process. That process should be free of dragged down the street and ruined only conflict of interest so that an independent to find out later that they are innocent. This investigation can take place. I would start can have a harmful effect on the organisawith finding an outside expert who has tions culture and the ability to attract and handled many cases just like the case you retain great employees. are investigating. Not just any expert but rather a very experienced specialist. That CRI: Could you outline the main fraud expert will help you with all of the other and corruption risks that can emerge many details that must be considered such from third-party and counterparty relaas record retention, conflicts of interest, tionships? In your opinion, do firms pay information gathering, interviews, the posufficient attention to due diligence at the tential need for disclosure, etc. outset of a new business relationship? RS: There are too many laws and ethical CRI: How has the renewed focus on enexpectations to mention. However, the couraging and protecting whistleblowappreciation for the compliance and ethers changed the way companies manics efforts of business partners and the age and respond to reports of potential consideration of compliance and ethics in wrongdoing? acquisition and mergers is changing before RS: The “protect the whistleblower� moveour very eyes. A few years ago third-party ment is staggering. The pendulum has compliance was not considered much at all. swung from cases of retaliation to an Many wise organisations have developed all-out war on the accused. There are two policies and procedures. They have compliways this can go badly, not listening or ance and ethics expectation not only for retaliating against the whistleblower to their own company but expectations of stunning damage to the life and career of their partners. Many organisations now the falsely accused. There are countries in

32 | fraud360 | ISSUE 3 2014

consider compliance and ethics an important aspect of mergers and acquisitions. In the past a company may have looked the other way when a partner got into trouble. Now they are more likely to sever ties with that organisation. Many organisations have come to the realization that the smallest of acquisitions can result in tremendous pain if shortly after the acquisition the acquired entity runs into trouble. The ultimate regret occurs when a small acquisition results in an investigation that then spreads to the entire organisation. CRI: What is the most important skill of a compliance officer? RS: Influence. CRI: What advice can you offer to companies on implementing and maintaining a robust fraud and corruption risk assessment process, with appropriate internal controls? RS: The most important thing to understand in implementing a compliance risk programme is the difference between risk to the company (insurance, investments, etc.) vs. risk the company causes others such as not following the rule of law. Most all risk assessments in the past were assessments of risks to the company. A compliance and ethics risk assessment is very different. It is often watered down with a focus on risks to the company. If you have the people in charge of risk assessments that have traditionally focused on risks to the company you are likely to come up way short on your compliance and ethics risk assessment. This is easily solved if you separate the compliance and ethics risk assessment out and have it conducted by an experience compliance and ethics professional. CRI: Name a person with integrity? RS: No one is perfect. All we can do is get in the ballpark. My father.

»» Anti-Corruption Compliance, continued from page 17

c. rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.19 6. Monitoring and Auditing An important aspect of implementing a third-party due diligence procedure is including a systematic and consistent way to monitor, audit and review third-party relationships. Monitoring may be built into a company’s internal controls through its finance function (i.e., a reconciliation of expenses and reimbursement claims against contractually required documentation and supporting documentation). In addition to the finance check, another control that many companies use is to identify a person within the company who is designated as the point of contact with the third party and manages the relationship between the company and the third party. This lead point of contact should have actual and ongoing knowledge of all relevant activities of the third party on behalf of the company. Companies also should establish a written audit plan that is based on a reasonable sample of third parties, that considers the nature of the third parties’ activities, and the risks inherent in specific countries or regions where corruption risks with the use of third parties are greater. This determination of the sample size and third parties selected should be based on assumptions that are articulated in the audit plan. The auditing function may already exist as a discreet function in a company, and if so, auditing should be integrated with that existing function. No matter the type and extent of the monitoring and auditing, the company should be sure to document its oversight

crigroup.com | 33

so that this monitoring and auditing process itself can be reviewed periodically to ensure effective operation. 7. Oversight and Administration of Due Diligence Programme A successful third-party due diligence procedure needs staff and resources to conduct the review and oversight. Each company should consider a number of factors in deciding who actually conducts the review and administers the overall procedure, and each organisation will have its own approach on these issues. Relevant considerations include: • The type of business involved and how it operates, with considerations including size, complexity, lines of business and decision makers. • The extent to which a company is decentralised or centralised and the roles to be undertaken by headquarters versus regional and local operations. • The role of the legal department at various phases of the development and oversight of third-party relationships. • Whether the due diligence relating to third parties should be conducted internally or externally, and if externally, at what point these external reviewers are involved in the process. Company personnel who actually conduct this due diligence review must understand the level of risk of relevant third parties, be specifically trained to address this risk, and understand how to raise concerns within the company when they arise. It is also clear that, to be effective, a review procedure must have built-in mechanisms to ensure consistency of review across the company, a mechanism to create and maintain a complete review ‘‘file’’ to document the work undertaken and resolution of any warning signs, and appropriate

34 | fraud360 | ISSUE 3 2014

oversight of programme operation by senior management regardless of how decentralised a review procedure operates. Accountability of those conducting the review for the company is also essential for programme success.

Conclusion Governments have made clear in recent guidance and settlements that they expect a robust review of third parties as part of an overall effective anti-corruption compliance programme. Companies that implement a third-party anti-corruption due diligence procedure will minimise the risks that arise when working with third parties. While the principles stated provide guideposts and checklists, the nature of a review must be individually tailored to particular company risks, needs, capabilities and markets. In this era of heightened enforcement of anti-corruption laws, inaction or a failure to properly oversee the actions of one’s third parties is simply not an option. about the authors Marcus Asner, a partner at Arnold & Porter LLP, has extensive experience with investigations and prosecutions under the Foreign Corrupt Practices Act. Previously, Asner was an Assistant U.S. Attorney in New York for nine years, where he served as Chief of Major Crimes and in the Public Corruption unit. Keith Korenchuk, also a partner at Arnold & Porter, counsels companies on regulatory and compliance matters worldwide, focusing on compliance programme effectiveness, implementation and operations and related regulatory counseling. Samuel Witten, counsel at Arnold & Porter, is a member of the firm’s international practice and was formerly Deputy Legal Adviser at the U.S. Department of State. 1 The FCPA prohibits a broad range of persons and businesses, including U.S. and foreign issuers of securities registered in the U.S., from making a corrupt payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person. These provisions also apply to foreign persons and companies that take any act in furtherance of such a corrupt payment while in the U.S. The FCPA also requires companies with securities listed in the U.S. to meet its provisions on recordkeeping

and internal accounting controls. These accounting provisions were designed to operate in tandem with the anti-bribery provisions of the FCPA and require companies covered by the law to make and keep books and records that accurately and fairly reflect the transactions of the company and to devise and maintain an adequate system of internal accounting controls. 2 2010 UK Bribery Act, available at http:// www.legislation.gov. uk/ukpga/2010/23/pdfs/ukpga_20100023_ en.pdf. For a detailed analysis of the law, see Arnold & Porter, UK Bribery Act 2010: An In-Depth Analysis (May 2010) available at http://www.arnoldporter. com/public_document.cfm? id=15833&key=23D1. 3

15 U.S.C. §§ 78dd-1, et seq. (1977).

A corporation can be held liable for the actions of its agents, even where the agent may have acted for mixed motives, so long as one motivation of its agent is to benefit the corporation. See United States v. Potter, 463 F.3d 9, 25 (1st Cir. 2006) (stating that the test to determine whether an agent is acting within the scope of employment is ‘‘whether the agent is performing acts of the kind which he is authorized to perform, and those acts are motivated, at least in part, by an intent to benefit the corporation’’). 4

5

15 U.S.C. §§ 78dd-1(a).

For example, in the recent non-prosecution agreement involving Ralph Lauren, the Justice Department determined that corrupt payments were being made to Argentine customs officials by a customs clearance company hired by Ralph Lauren’s Argentine subsidiary. See http://www.justice.gov/opa/pr/2013/ April/13crm-456.html. 6

7 See Press Release, Justice Dep’t, French Oil and Gas Company, Total, S.A., Charged in the United States and France in Connection with an International Bribery Scheme (May 29, 2013), available at http://www.justice.gov/opa/pr/2013/ May/ 13-crm-613.html; Press Release, SEC, SEC Charges Total S.A. for Illegal Payments to Iranian Official (May 29, 2013), available at http://www.sec.gov/news/ press/2013/2013-94.htm.

the use of agents and business partners [third parties] is permitted at all by [the company], it will institute appropriate due diligence and compliance requirements pertaining to the retention and oversight of all agents and business partners, including: . . . Properly documented risk-based due diligence pertaining to the hiring and appropriate and regular oversight of all agents and business partners’’). The DOJ has required in connection with settling FCPA matters that companies inform all third parties of the company’s ‘‘commitment to abiding by laws on the prohibitions against foreign bribery, and of [the company’s] ethics and compliance standards and procedures and other measures for preventing and detecting such bribery.’’ See, e.g., Deferred Prosecution Agreement, United States v. Total S.A., Crim. No. 1:13CR00239 (E.D. Va. May 29, 2013), Dkt. Entry No. 2, at Attachment C-5, available at http://www.justice. gov/iso/opa/ resources/9392013529103746998524.pdf. 17

Of course, simply because a third party is not ‘‘in scope’’ for the heightened due diligence review, the company should not ignore the possibility of corruption issues and may want to take additional steps to ensure compliance with these or other laws, including appropriate reviews and certifications. 18

19 See, e.g., Deferred Prosecution Agreement, United States v. Total S.A., Crim. No. 1:13CR00239 (E.D. Va. May 29, 2013), Dkt. Entry No. 2, at Attachment C-5-6, available at http:// www.justice.gov/iso/ opa/resources/ 9392013529103746998524.pdf.

Advertise With Us

8 SEC Non-Prosecution Agreement with Ralph Lauren Corporation (Apr. 18, 2013) at Ex. A, Statement of Facts ¶¶ 5, 7, available at http://www.sec.gov/news/press/2013/2013-65- npa.pdf. 9

15 U.S.C. §§ 78dd-1 (f )(2)(B).

10

U.S.A.M. §§ 9-28.300, .800.

11

U.S.S.G. § 8C2.5(f ).

12

Bribery Act § 7(2).

The UK Bribery Act is likely to be interpreted even more widely in scope than the FCPA, prohibiting bribes not just to foreign officials but to commercial parties as well. The Bribery Act was enacted on April 8, 2010 and came into force on July 1, 2011. 13

14 Keith M. Korenchuk, Samuel M. Witten, & Dawn Y. Yamane Hewett, Advisory: Building an Effective Anti-Corruption Compliance Program: Lessons Learned from the Recent Deferred Prosecution Agreements in Panalpina, Alcatel-Lucent, and Tyson Foods, March 2011, available at http:// www.arnoldporter.com/resources/documents/Advisory- Building_an_Effective_Anti-Corruption_Compliance_ Program_Lessons_Learned_031611.pdf.

While the Bribery Act prohibits commercial bribery as well, for most companies the greater risk will be where third parties interact with government officials. 15

16 See, e.g., Deferred Prosecution Agreement, United States v. Total S.A., Crim. No. 1:13CR00239 (E.D. Va. May 29, 2013), Dkt. Entry No. 2, at Attachment C-5, available at http:// www.justice.gov/iso/ opa/resources/ 9392013529103746998524.pdf (‘‘To the extent that

To advertise with us, please send an email to pr@CRIGroup.com.

Space is available for Fraud360 magazine as well as our monthly email newsletter, Fraud360 News Brief International. Contact us today for more information.

crigroup.com | 35

You Know the Language.

But Do You Know the Culture?

Taking your business across international borders presents new opportunities — along with some serious challenges. Before taking a leap, make sure you have the right experts conduct due diligence and evaluate any risks to your company, both seen and unseen. Experts who understand the culture and business practices within the countries where you seek to grow.

Local Knowledge. International Scope. CRI Group can help. We are a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. CRI Group’s experts can help protect your organisation from fraud and other serious risk factors. Our services include: • Fraud Risk Investigations

• Business Intelligence

• FCPA Due Diligence

• 3PRM: Third-Party Risk Management

• Background Checks

Contact us today CRIGroup.com

• Conflict of Interest Investigations

• ...and more

london@CRIGroup.com / +44 207 038 8023

United Kingdom / USA / Singapore / Hong Kong / Malaysia / Pakistan / Qatar / UAE