Guarding Against Fraud in a Global Economy
The world is getting smaller, and corruption is no longer contained in a single location. It transcends boundaries, impacting people and businesses at multiple global touchpoints. According to Transparency International’s corruption index, 68 percent of countries have a serious corruption problem, including half of the G20. Countries are participating in initiatives such as the United Nations Convention Against Corruption and OECD’s Anti-Bribery Convention, and they are joining forces across borders to aggressively prosecute companies committing bribery and fraud. Steve Spiegelhalter, Prinicipal in EY’s Fraud Investigation & Dispute Services Practice, explains how government collaboration will impact businesses operating locally and abroad, and more.
How will new anti-corruption regulations affect companies operating abroad?
The world’s community of prosecutors is becoming more integrated and more unified in its approach to corruption. There are multiple trends going on at once. First, more and more countries are more aggressively enforcing their anti-corruption statutes or adding statutes that make companies liable for bribery where they hadn’t been before. Second, various countries are also stepping up the sophistication of their enforcement regimes. Among other things, they are starting to develop and use cooperating witnesses in the way that the U.S. long has. A number of legal regimes don’t make that possible; because plea bargaining outside the U.S. is often much different than it is here, where a cooperating witness can receive preferential treatment. But some jurisdictions are starting to induce cooperation in much the same way we did at the Department of Justice. That carries a lot of risk for companies operating abroad. Third, governments are starting to pay attention to company efforts to mitigate risk, especially through strong compliance programs and rigorous internal controls. The Department of Justice and Securities & Exchange Commission in the United States have really stepped up their rhetoric on the importance of compliance programs. The Department of Justice recently hired a very strong former compliance professional (and prosecutor) to advise their corporate prosecution program. Other countries have issued guidance similar to what was issued by the Department of Justice and SEC in 2012. For instance, Spain just announced its own compliance guidelines last month. Companies will undoubtedly be measured against the goalposts that the Department of Justice and other regulators have set up. Fourth, aside from new laws and regulations, governments are just starting to cooperate more seamlessly than they did in the past.
In most organizations, who’s responsible for mitigating fraud and corruption and why?
Any compliance professional will tell you that every employee is responsible for mitigating fraud and corruption risk. As a line employee, if you see something, you have to say something. One step up, managers really need to make sure that they take their part in executing the company’s controls seriously. And one step above that, you need a positive tone at the top that prioritizes compliance. All that said, some functions are more important than others. Clearly, the accounting, finance, internal audit and compliance functions are on the front lines of mitigating risk by ensuring that a company’s internal controls will detect and prevent efforts to use company money or assets to pay bribes or otherwise be used for the wrong purpose. From a U.S. perspective, those controls duties include implementing the required system of internal controls and then maintaining that system of internal controls.
What do enterprise security executives need to know about new tools for prosecution, including the practical effect of whistleblower laws in the U.S.?
Everyone should be aware that prosecutors in the U.S. and abroad are starting to use organized-crime prosecution techniques in fraud and corruption investigations. In an investigation of a West African mining deal that I led, we used the first ever wiretap in an FCPA case. We used body wires on cooperating witnesses in the same case. In a recently litigated case, the Department of Justice had a company lawyer wear a wire in a meeting with his CEO. Those techniques are effective, and they’re here to stay. The SEC has also made full use of its whistleblower program. It has paid bounties to company insiders who share information with the SEC about perceived wrongdoing. Some of those who received bounties were compliance professionals. And the SEC is going out of its way to ensure that no one interferes with potential whistleblowers, including fining companies that the SEC perceives as putting up roadblocks to those who want to share information with the government. In a very basic way, the techniques the government is using make every employee a potential witness, and securities executives should behave accordingly.
How will compliance training change?
In my view, compliance training has to make this personal for every employee. While it is sometimes necessary to do training by conference call, that’s not the most effective way to train employees. One individual that I prosecuted for circumventing his company’s internal controls later remarked publicly that no one pays attention to mass training conference calls. In my experience, training that is interactive and personalized to the employees you’re addressing is much more effective. If something happens within the company or at a competitor, and you can sensibly discuss it with your other employees, it’s good to give your employees real life examples of compliance issues. I have trained employees on nearly every continent, and I always tried to point out to employees that they have skin in the game. You can do that by adapting your training to the local environment, perhaps by discussing the international perspective on corruption in their country. You can also adapt training to the function you are addressing. For instance, international sales people have to recognize that if they are paying bribes, they are increasingly being targeted for prosecution. U.S. regulators have also been very public about their intent to target corporate executives. That’s a message worth relaying.
What unified, global internal controls can help companies stay compliant with all government regulations, both foreign and domestic?
Control over cash is key. When it comes to preventing bribery, the most important controls are those that prevent employees from taking money or assets out of the company except for legitimate reasons authorized by management. That probably seems like a basic concept, but every corporate case I prosecuted came back to that single flaw: it was too easy to get money or goods out of the company that could be traded for an official favor. In almost every case, that meant that the responsible employees were ripping off the company at the same time that they were violating corruption laws. To be most effective, regardless of jurisdiction, the controls in this area really need to meet a global baseline that your company sets that is geared toward your industry, global footprint and overall risk. From there, you might ratchet up in certain jurisdictions. For instance, you may have petty cash accounts in the United States, but not in China. You also need a unified system of ensuring that the controls are honored. If you are a multinational company and your employees can shop expenditure decisions to multiple jurisdictions until they get a green light to expend money, you have a weakness that can be exploited. No control is perfect in the sense that it will defeat every scheme to circumvent it, but I like to think that a control is well designed when a successful circumvention occurs only with “doubly concerted” effort, using both meanings of “concerted” – that is, beating the control was hard and could only be done with the cooperation of multiple employees with controls responsibility. Ideally, such a control would never be circumvented. But such circumventions will certainly be rarer than with weaker controls.