Learning How to Manage Investigations
Conducting investigations within a security organization is very different than an episode of Miami Vice– from the timeframe to the interviews to, probably, the color of the investigator’s blazer. The process isn’t as thrilling as TV makes it out to be, but, as ACFE President and CEO James Ratley knows, that perception can work in your favor.
“TV interviews could not be further from the truth,” Ratley says. “The suspect expects you to behave like Law & Order, so surprise them by doing the opposite. You need an entirely different process to be successful.”
Ratley, who has been “interested in interviews and uncovering deception” for 30 years, has one top recommendation: “This is not a complex process as long as it’s planned.”
Joe Ford, CSO and Executive Vice President for Bank of the West, who manages security and investigations for the bank’s 600 branches and 800 offices in the U.S., is also a former associate deputy director of the FBI, and has a good sense of when something isn’t right.
According to Ford, fraud investigations have four clear steps:
1. Open the case:“When we learn about a fraud, external or internal, we start gathering information about timing and how it occurred.”
2. Analyze:“Start to get perspective on the sequence of events from the documents you’ve gathered.”
3. Interview:“Talk to the employees handling the transaction, the customer; Determine who benefitted and who the victim was.”
4. Move to law enforcement:“Bundle up your documents and interviews, get all your information in order and hand it over to law enforcement, but only after you fully understand the sequence of events first.”
One of the most common pitfalls, however, is taking the steps out of order – especially with conducting interviews before obtaining and understanding all of the documents.
“In investigations, knowledge is power,” Ratley says. “You have to have the documents to know what to ask even your third-party witnesses, much less your suspect.”
This can go hand-in-hand with uncovering the nature of the crime itself, as Ford knows.
“You’ll see warning signs, and you need to check the activity on the account in question,” he says. “Look past the suspicious behavior too – Get a good picture of the customer’s behavior patterns. We’re seeing more cyber fraud, more victims of account takeovers. Banks need to have a good sense of that customer’s electronic profile, like an IP address. There should be things that match outside of a sign-on to help stop identify fraud.”
When the time does come to interview witnesses, Ratley suggests asking short, open-ended questions, giving no reaction to what a suspect says (“All I am is a director of their oration,” he says).
But interviewing the suspect is a much more involved process.
Ratley arrives to an interrogation early in the morning, waiting to meet the suspect as they arrive at work. A room – not an office – would be set up, and both parties would turn off their cell phones in order to remove distractions. Ratley would leave, perhaps to get coffee or make a quick call, but not before saying: “I have something important to talk to you about. I’ll be right back.”
“With the alleged perpetrator, the fear of the unknown will help you,” Ratley says. “They want to learn what I know. The more knowledge they think I have, the more power I have over the interview.”
After returning to the room, Ratley would sit down and chat for another 15 minutes about anything other than the allegation, while the suspect ponders the topic the entire time. Finally, with a weighty but vague “I know what happened,” Ratley has primed the suspect for his questions.
“Ask questions in a manner that doesn’t give the interviewee any knowledge about what you don’t know,” Ratley says. “Let the suspect do all the talking.” Every excuse should be refuted by a document, which is not shown to the suspect until the excuse is aired. After each avenue of escape is cut off, the suspect should (hopefully) start to tell the true story.
The whole process, from beginning to end, can take upward of three hours.
But just because there is a process doesn’t mean things can’t go wrong.
According to Ford, showing unnecessary documents is almost as bad as going into an interview unprepared – it’s like showing your hand in a game of poker. And showing those documents is not just a pitfall during an interrogation.
“Do the best you can to keep your work confidential,” says Ratley. “You’re in their office. These people are desperate just to find out what you’ve got, so keep everything with you – take it everywhere. In the early stages, you can’t know who is involved, and the more knowledge they have, the more power they have to resist.”
He also mentions that if you need to ask those incendiary questions – Law & Order-style – that are bound to make your interviewee mad, be sure to ask them at the end so the suspect doesn’t just walk out.
And while involving law enforcement is often inevitable, Ford warns against involving them too soon, and also not cooperating well.
“The last thing you want is for law enforcement to find out the details of the case before you do, but you want them to say that the bank, in our case, cooperated with the investigation,” Ford says.
Then why not just leave the whole investigation to police? Simple – budget. According to Ford, if a fraud cost less than $50,000, it often goes uninvestigated.
“Police don’t have the resources for white collar crime,” he says. “Having anti-fraud professionals working in heavily regulated businesses is critical – they can report suspicious activity on a regular basis.”
This does not mean, however, that law enforcement should be an afterthought in an investigation. But when you manage a crisis or fraud in-house, at least to start with, you have more control, says Ratley.
“The average police officer is assigned 10 to 15 cases a day – your report might just disappear,” he says. “When you investigate internally, you can control the actions of the investigator, and you can control the information. If it’s held internally, the information from an investigation is not public record. If police have it, it is.”
And while law enforcement involvement is often a given, that isn’t the only department that should become involved. According to Ford, business partners should be aware of what’s going on within an organization, especially where anti-fraud controls are concerned. The security department should close investigations with root-case analyses of why the fraud occurred, following up with the risk team and legal department to cover all the bases.
PR or Customer Relations should also be involved in the event of a major breach of customer information or large victimization of the bank, but especially employee-involved fraud. In these events, it’s a matter of managing a reputational risk crisis, Ford says.
But, all-in-all, the key to these investigations is structure. Drilling worst-case scenarios with multiple departments, learning the most effective ways to collect information from both documents and people, building an investigative plan – as Ratley says: “Investigating and interviewing – it’s an art, but it’s a practiced art.”
No one starts out as an expert investigator, Ratley says. And “there is no class in the world to turn you into an expert interviewer.” However, there are still means to becoming one – it just might take some time.
Ratley recommends that new investigators take a solid, basic course in interviewing skills, and then add five years of investigative experience.
“Learn from your own mistakes, and don’t make the same mistake twice,” he says. “Continue to learn – read books, professional journals. Take responsibility for your own advancement.
“Also, pull skills from a mentor. Most seasoned investigators are happy to help you improve.”
Ford recommends signing up for classes from The Reid Technique of Interviewing and Interrogation, which teaches tips and tricks on interviewing, the signs of deception and how to prepare for an investigation.
Other organizations with councils, such as ASIS and ACFE, are good places to start. Ford recommends taking classes there, as well as using the meetings and shows as networking opportunities to find a mentor within your particular sector.
This article was originally published in the print magazine as "Interpreting the Art of Investigations."
Minimize Risk, Maximize Your Protection
By Shawn C. Clark
Conducting corporate security investigations is risky business. Investigations uncover millions of dollars in fraud, poor business practices and often result in employee terminations, severed customer or vendor business ties, civil suits or criminal prosecution. Litigation risk increases dramatically when any phase of the investigative process — preliminary investigation corroborating or repudiating the initial complaint, evidence collection, interviewing suspect(s) and writing the case report — is handled inconsistently or by an individual who is not qualified.
Don’t Impersonate a Security Professional
Managers that “handle” security issues independently immediately put themselves and the company at risk. Of course managers with something to hide are motivated to “handle” investigations independently, while others fail to report or address security issues out of fear that the illicit deeds may be a reflection of their performance. Some managers prefer the "witch-hunt" technique of targeting underperforming or disliked employees while granting a pass for employees they favor and in some cases, have an intimate relationship with. Finally, a few misguided managers incorporate a seniority theft matrix in which the tolerance for theft increases with each year of employment. Whatever the motive, whenever a manager lacking security acumen conducts an independent investigation, the litigation table is set for a race, age, religion, sex, or sexual orientation or harassment lawsuit.
To minimize these risks, companies must ensure employees understand that the security department is the objective investigative body of the company and determines if an investigation is warranted.
Communicate! Communicate! Communicate!
A company-wide security communication plan is a critical, proactive tool to promote consistency by clearly informing employees and managers the role of corporate security. That does not mean just create a website with a ‘contact us’ directory of security personnel’s phone numbers and email addresses. Security team members from the top down should make a conscious effort to meet regularly with co-workers, labor representatives and other stakeholders in a positive environment, not just out of necessity during the course of an investigation.
Offer training based on your case work – of course excluding the details to protect the guilty – and do it in person. Actually being there, in front of colleagues, co-workers and labor reps, sharing experiences promotes dialogue and thought. It takes time and effort, but the results are well worth it. Roles are reaffirmed, relationships are forged and communication is enhanced. Moreover, future investigations are conducted with less resistance and increased consistency when management, employees and labor reps know who you are, what your team does and more importantly, what their role is in the investigative process.
Maximize Your Protection through Technology
How a case originates is another area examined in a civil suit or criminal proceeding. The vast majority of a security department’s investigations begin as tips or complaints. However, electronic tips derived from fraud analytics – the proactive detection of fraud and unproductive business through the analysis of data – can offer companies greater protection from frivolous law suits.
The greatest benefit to deploying a fraud analytics strategy is that fraud profile results have no race, religion, age, sex or sexual orientation. Profile results do not identify if the employee is high or low on the seniority list or how well they perform their job functions. Fraud profile results create the ultimate objective, non-biased and non-discriminatory electronic tip, identifying fraudulent or speculative activity requiring additional investigative work. Cases originating from a fraud profile will not prevent a suit from occurring – after all, litigation risk exists anytime an employee is terminated. However, fraud profiles will put your company and investigative team in the most defensible position. I’ve been deposed and have yet to meet a judge that didn’t agree.
The aforementioned practices are just fragments of the intricate investigative processes and deviations corporate security practitioners deal with every day. When applied consistently, the investigative process protects assets, investigators, employees and corporate culture while minimizing risks. Deviating from the process can be very costly, devastating corporate culture. Productivity and morale is negatively affected when an employee, suspected of criminal activity, is back on the job. Investigative consistency doesn’t just happen; it must be guarded and nurtured through teamwork, constant oversight and communication. Security department, thank you for volunteering.
About the Author
Shawn C. Clark is President of Clark Consulting Grp., LLC. Clark’s experience stems from more than 20 years in the airline industry working in various capacities before serving as Director of Asset Protection and Global Security Operations at Continental and United Airlines. His deep understanding of enterprise business processes, award-winning security strategies and crisis management experience helps companies maximize value and minimize risk.