
The Versatile Microcap

A microcap is a publicly traded company whose stock might be worth only pennies, which causes its price to be volatile and thus easier for fraudsters to manipulate. Although CFEs like our Central Virginia Chapter members might not regularly come across microcap stock manipulation, it’s important for all of us to be aware of the methods and motivations behind this significant criminal activity. In this scheme, promoters and insiders, after cheaply purchasing a stock, typically pump up its value through embellished or entirely false news. However, as reported recently in the trade press, other fraudsters have successfully employed much more creative strategies in exploiting microcaps. Several articles and books have told of the involvement of organized crime, especially throughout the ’00s and ’10s, in this highly profitable illegal business.

Basic pump and dump schemes, also known as hype and dump manipulation, involve the touting of a company’s stock (typically micro-cap companies) through false or misleading statements to the marketplace. After pumping up the stock, scam artists make huge profits by selling or dumping their cheap stock onto the market. Today, pump and dump schemes have been updated and most frequently occur over the Internet, where it is common to see e-mail and other messages posted that urge consumers to buy a stock quickly or to sell their stocks before the price goes down. In some cases, a spam-call telemarketer contacts potential investors using the same sort of pitch. Often the promoters claim to have inside information about an impending development, or to have employed an infallible combination of economic and stock market data to pick stocks. In reality, they may be company insiders or paid promoters who stand to gain by selling their shares after the stock price is pumped up by the buying frenzy they create. Once these fraudulent promoters dump their shares and stop hyping the stock, the price typically falls and investors lose their money.

In another recent but simple form of the micro-cap scheme, a caller leaves a message on a potential victim’s voice mail under the guise of someone who dialed the wrong number. The caller sounds as if they didn’t realize they had misdialed, and the message contains a hot investment tip for a friend. However, the caller is actually a spammer, someone being paid to tout this stock on hundreds of cell phones. Those behind the scheme generally own some of the stock and hope to profit by pumping up the share price and selling off their investments.

Pump-and-dump schemes can be as simple as the one above, or as simple as an individual or small group releasing false information in a chat room or insiders publishing inflated company information. Sometimes the business owners themselves are complicit, especially with shell corporations that have little actual operations or value. Occasionally, scammers dupe business owners into participating in schemes through promises of investment support and/or related marketing help. Or fraudsters, unbeknownst to the victim company, hijack their target company’s stock and falsely hype it, which often causes irreparable damage to the owners’ and to their business’ reputations. CFEs whose clients include small or new venture businesses should be especially cautious of unsolicited offers made to their clients to receive loans or to raise capital through microcap stock offerings. Criminals commonly target businesses in the pharmaceutical, energy or technology sectors, attempting to use their names and initial offerings to manipulate stock for profit.

More complex microcap stock manipulation schemes involving organized crime typically employ a number of persons who are instructed to buy in at various points that coincide with a series of false press releases and concurrent, controlled investor-forum chat and spam emails. This orchestrated activity provides the illusion of stock movement resulting from large investor interest, thus drawing in the required funds of outsider victims. The actual manipulation often resembles a series of smaller pumps and dumps instead of one large event, so the fraudsters can use the same stock over and over with less chance of detection by regulatory authorities. More refined players also employ foreign or off-shore brokerage accounts as a further veil over their illegal activities.

When the organized manipulation plan succeeds, the ringleaders will permit the accomplices to sell and obtain their related profit depending on their hierarchy in the organization. However, the end process is often far from perfect. Occasionally, accomplices don’t follow instructions, at their significant personal risk, and sell too early or late. Even if the manipulation isn’t always successful, organized crime members who have invested in the process expect and demand a certain profit, which places additional pressure on participants who might find they have debt on their hands because of their failures.

Occasionally, outsiders also take large positions either profiting from or destroying the momentum of the criminal group. In the 1990s, when trades were completed through actual brokers, criminals could use threats or actual violence to control such unwanted participants. However, technological trading platforms have made this more difficult.

A less common, yet also profitable, technique is to put downward pressure on a stock (or cause the price to decrease) after buying the equity on loan through a contract, or option, with the hopes of buying the stock or settling the contract once the stock has dropped in price. Fraudsters can initiate this manipulation technique, commonly known as ‘short and distort,’ by promoting rumors such as a bad quarter or failed new drug test.

The ability to manipulate microcap stocks with relative ease also makes the activity an ideal tool to hide payments between parties and launder money. Instead of paying cash or wiring funds to settle a drug debt, one can simply provide a tip relating to a microcap stock that’s about to be manipulated. The party who’s owed the debt then only has to buy the stock cheaply and wait for the pump to make the sale and generate the profit.

Perpetrators also have used the same process to offer bribes to public servants. Troublesome envelopes or bags of cash aren’t required. The profit appears as a simple lucky or astute stock pick, and culprits can even report it as capital gains, thus removing the risk of highly feared and powerful tax investigators becoming involved in a possible money-laundering investigation. Police and securities regulatory authorities have observed and reported such suspicious activity. However, it’s often difficult to link those who profit from the manipulation with the culpable manipulators. Also, considering that organized crime elements employ microcap manipulation for debt payments and as profitable crimes, it’s again challenging for authorities to identify the exact goals of their participation without some inside knowledge. Proving all the elements of the crime is nearly impossible without wiretaps or a co-conspirator witness.

With all this said, it’s ironic, yet not surprising, that more than one organized-crime figure has said they don’t invest their own criminal earnings in microcap stocks because they deem such markets to be too risky and plagued by manipulators.

So, in summary, if you, as a CFE, come across information relating to a microcap investment involving a case you’re working, you might want to take a closer look.

With regard to preventing investment fraud schemes in general … caution your clients:

• to not invest in anything based upon appearances. Just because an individual or company has a flashy website doesn’t mean it is legitimate. Websites can be created in a matter of hours and taken down even faster. After a short period of taking money, a site can vanish without a trace.
• to not invest in anything about which they are not absolutely sure. Do homework on an investment to ensure it is legitimate.
• to thoroughly investigate the offering individual or company to ensure legitimacy.
• to check out other websites regarding this person or company.
• to be cautious when responding to special investment offers (especially through unsolicited e-mail) by fast-talking telemarketers. Know with whom you are dealing!
• to inquire about all the terms and conditions involved with the investors and the investment.
• Rule of thumb: If it sounds too good to be true, it probably is.

Your Friendly Pharmacy

The tragic consequences of the currently raging opioid epidemic are splashed across the headlines and vividly displayed in television documentaries every day and yet, unless they specialize in the healthcare sector, I’ve found that most CFEs and forensic accountants are relatively unfamiliar with the mechanics of prescription drug and pharmacy fraud.

The reality is that, in many communities across America today, obtaining illegal prescriptions and the related controlled drugs of choice can be as easy as ordering a sandwich. Licensed physicians in every part of the country are arrested daily for on-demand prescribing of Oxycontin, Vicodin and Xanax. The resulting grand jury indictments usually feature some version of charges related to ‘prescribing drugs outside the usual course of professional practice and without a legitimate medical purpose’.

According to the Centers for Disease Control and Prevention (CDC), U.S. non-medical use of prescription painkillers results in more than $72.5 billion annually in direct healthcare costs, and the CDC identifies prescription drugs as the second most-abused category of drugs after marijuana. In addition, the U.S. Department of Justice Office of Inspector General (OIG) has released several reports on prescription drug fraud in the Medicaid and Medicare Part D populations.

This epidemic has not only led to an increase in prescription drug fatalities, it’s also fueled opportunities for a host of ethically challenged individuals. This category of fraudsters has many faces: patients, patients’ family members, prescribers, pharmacy staff, medical employees, service contractors, recruiters and countless others are continuously involved in ever-mutating prescription drug fraud schemes.

Patients who commit prescription fraud often do so to acquire drugs to support their own addictions. But prescription drugs are a commodity with a high resale value, so fraudsters also divert prescription drugs for profit. Fraudsters illegally sell Oxycontin for $1 to $2 per milligram on the street. Some retirees on fixed incomes visit physicians complaining of phantom pain just so they can receive prescriptions for controlled drugs to re-sell for additional income.

Sometimes medical services’ employees, patients, family members, family friends and others fraudulently acquire prescription pads. In a recently reported case, owners of a professional cleaning service stole prescription pads and an ink signature pad from a doctor’s office they were hired to clean.

Some bypass obtaining prescriptions entirely by stealing controlled substances directly from pharmacies. Many pharmacies in hard hit areas no longer carry selected drugs or have increased their security.

Here are other common examples of the various ways individuals have chosen to defraud the system:
• Doctor shopping: visiting multiple doctors in search of prescriptions.
• Pharmacy shopping: filling prescriptions at multiple pharmacies to avoid being denied service.
• Prescription alteration: increasing dosage, quantity or refills on existing prescriptions.
• Washed prescriptions: washing ink off written prescriptions to create blanks and re-writing new fraudulent prescriptions.
• Forged prescriptions: using copy machines or computers to create fake prescriptions.
• Fax and phone prescriptions: faxing fraudulent prescriptions to pharmacies or phoning pharmacies to call in and/or verify prescriptions.
• Illegal market: acquiring drugs from illegal sources.

Regarding providers, some medical providers have turned to selling prescriptions to patients or anyone willing to pay their fees, even when there’s no medical justification for the drug therapies; this activity might or might not take place in the prescribers’ place of business.

As the ACFE indicates, prescribers of large volumes of pain drugs risk being identified as “pill mill” operators. Pain clinics, legitimate and otherwise, often prescribe large volumes of controlled pain drugs. In typically reported cases, patients line up outside the pain clinics prior to their opening because they know they can easily obtain prescriptions for controlled drugs.

Prescribers who knowingly commit prescription fraud have turned to some of the following schemes to defraud the system:

• Medically unnecessary prescribing.
• Internet prescribing.
• Self-prescribing.
• Diversion.
• Collusion.

Like enterprising patients and prescribers, pharmacies that participate in fraud schemes often do so for enhanced profit. In a recent case which received enhanced media coverage, a pharmacist, a doctor and others were among a number arrested for “prescription harvesting”. The accused fraudsters stole patients’ identities to bill Medicare and Medicaid for $18 million in illegitimate prescriptions. Approximately $7.3 million in taxpayer dollars was lost in this scheme.

Other prosecuted pharmacy schemes have included:

• False claims: submitting claims for payment for which no prescription or authorization exists.
• Buy-backs: buying back prescriptions from patients – often at a discount.
• Kickbacks: receiving or providing monetary incentive for selling certain prescriptions.
• Shell or vanishing pharmacies: operating pharmacies in name only – or operating pharmacies just long enough to submit false claims for profit.
• Shell ownership: masking pharmacies’ ownership to hide identities of the true owners.
• Online pharmacies: selling controlled substances illegally with relative anonymity.
• Counterfeit products: knowingly dispensing counterfeit drugs.

Recruiters are intermediaries who engage partners to carry out fraudulent activity. In most cases, recruiters conspire with prescribers and/or pharmacies to enlist patients to carry out their fraudulent billings and/or diversion schemes. Documented cases show that patients, prescribers, pharmacies and recruiters have conspired to submit false claims, and to support buy-backs, kickbacks and diversions.

More than 80 pharmacists, physicians and others in a large metropolitan area conspired to establish a network of pill mills that issued prescriptions, many for controlled drugs such as hydrocodone and oxycodone, to patients without a legitimate need. The patients used Medicaid, Medicare or private insurance coverage to pay for the drugs. The principal pharmacist owned and operated 26 different pharmacies; following prosecution, he was sentenced to 17 years in prison.

Many U.S. federal, state and private organizations are now vigorously data mining prescription activity to detect fraud at all levels. Federal examples include the Drug Enforcement Agency, the DOJ OIG and routine Federal analysis of vendor contracts. Each U.S. state (except Missouri) now has a Prescription Drug Monitoring Program, which receives all information on prescription drug activity for controlled substances from both cash and insurance-provider-reimbursed prescription transactions. Also, state law enforcement and vendors provide detection activities. Health care entities in the private sector, such as health plans and other payers, sometimes perform the data mining themselves or work with vendors. Private citizens frequently act as whistleblowers to expose fraudsters.

The entities charged with exposing schemers now use numerous methods to detect fraud and are developing new approaches every day just to keep up with all the evolving scenarios. Audits can be an effective detection method when conducted by trained, knowledgeable staff. Those who are called upon to perform desk and onsite audits must be cognizant of current activities and patterns and ensure that involved investigative groups are working together so leads from these audits can be directed to the appropriate law enforcement entities.

To identify aberrant behaviors, investigators utilize a number of different detection processes including:

• Sending confirmation letters to patients or prescribers to validate services received or rendered.
• Analyzing patient, prescriber, pharmacy and drug activities to identify aberrant utilization, prescribing, dispensation and/or processing patterns.
• Analyzing drug utilization by therapy classification and/or risk category.
• Reviewing prescribers by medical specialty to identify individuals prescribing outside the normal scope of their specialties.
• Focusing on geographic areas where fraud is an issue.
• Applying geospatial analyses to determine distances traveled by patients and to identify clusters.
• Searching for historical and current patterns to anticipate future fraudulent behaviors.

Expert fraud examiners can assist in many ways in the performance of different types of analytics on prescription claim data. They use public and private data sources and sophisticated algorithms for retrospective, predictive and geospatial analyses.

Prescription drug fraud goes far beyond the headlines about controlled drugs. The ACFE reports that fraudsters also target high-dollar retail drugs of all kinds. These medications are used for the treatment of HIV, mental health issues, diabetes and cancer and can all command high fees from desperate patients.

It’s imperative for CFEs, forensic accountants and other assurance professionals to be aware of past and present drug diversion schemes and mindful of the changing health care environment and its associated vulnerabilities, not just to keep pace with fraudsters but, more importantly, to more effectively support the law enforcement professionals who rely on us for the high-quality investigative materials so vital to successful prosecutions.

Then & Now

I was chatting over lunch last week at the John Marshall Hotel here in Richmond with a former officer of our Chapter when the subject of interviewing came up; interviewing generally, but also viewed in the context of the challenges and obstacles that fraud examiners of the next generation will face as they increasingly confront their peers, the present and future fraudsters of the Millennial and Z generations.

Joseph Wells says somewhere, in one of his excellent writings, that skill as an interviewer is one of the most important attributes that a CFE or forensic accountant can possess and probably the one of all our skills most worthy of on-going cultivation. But, as with any other professional craft, there are common pitfalls of which newer professionals especially need to be aware to increase their chances of successfully achieving their interviewing objectives.

Failure to plan sufficiently is, without a doubt, the primary error interviewers make. It seems that the more experience an interviewer has, the less he or she prepares. Whether because of busyness or overconfidence, this pitfall spells disaster. Not only does efficiency suffer because the interviewer might have to schedule another interview, but effectiveness suffers because the interviewer might never discover needed information. Fraudsters often take time before interviews to prepare answers to anticipated questions. The ACFE reports having briefed career criminals on their tactics, thoughts and behaviors about interviews, and they typically respond, “I had my routines that I was going to run down on them” and “I always had my story made up”.

During his or her planning for an interview, the CFE must carefully consider the interviewee’s role in the fraud and his or her relationship to the fraudster (if the interviewee isn’t the fraudster), available information, desired outcomes from the interview and primary interview strategy plus alternate, viable strategies. The success or failure of the interview is determined prior to the time the interviewer walks into the room. Either the interviewer is part of his or her own plan or he or she is part of someone else’s. The CFE, not the interviewee, has to control the interview.

An interviewer whose mind is made up before an interview even begins is courting danger. Confirmation bias (also known as confirmatory bias or myside bias) greatly increases the likelihood that an interviewer dismisses, ignores or filters out any contradictory information during an interview, whether the interviewee expresses it verbally or non-verbally. Thus, interviewers might not even be aware that they’re missing important information that could increase the examination’s effectiveness.

How many times have experienced practitioners been told by colleagues that they believed that particular interviewees were guilty only to later discover they were actually innocent? If such practitioners hadn’t been aware that their colleagues could have caused them to have confirmation bias, they might have dismissed contradictory interviewee behaviors during subsequent interviews as minor aberrations. It’s imperative that the interviewer maintain an open mind, which isn’t so much a skill set as an attitude. The effective interviewer gives the interviewee a chance by looking at all the data, listening to others and theorizing a hypothesis without precluding anything. Also, the ACFE tells us, if the interviewer maintains an open mind, the interviewee will perceive it and be more cooperative.

A guiding principle should be: the interview is not about the CFE; the CFE is conducting the interview. The interview is a professional encounter. If you don’t conduct the interview, someone else can conduct it, but the interviewee remains the same. Interviewers are replaceable; interviewees aren’t. Never lose sight of this foundational truth. If the interviewer personalizes the interview process, s/he will focus on his or her inward emotions rather than on the interviewee’s verbal and non-verbal behavior. An interviewer’s unfettered emotions will have a debilitating impact on a number of levels.

If the interviewer becomes personally involved in an interview, the interviewer becomes the interviewee and the interviewee becomes the interviewer. Most of us want to search for connections to others. But if we connect too strongly, we will become so similar (at least in our own minds) to interviewees that we might have difficulty believing the interviewee is guilty or is providing inaccurate information. Once that occurs, the interviewer probably won’t obtain necessary evidence or could discount incriminating evidence.

Before each interview, remind yourself that your objective is to collect evidence in a dispassionate manner; you won’t become emotionally involved. Focus on the overall objective of the interview so that you won’t be caught up in details that could connect you too closely with the interviewee. If, for example, you discover that the interviewee is from the same part of the country you’re from, remind yourself of the many persons you know who also are from that area so you’ll dilute the influence that this information could have on your interview.

With regard to interviewing members of the present and up-and-coming generation, a majority of our youngest future citizens spend an inordinate amount of time looking at plastic screens as a significant mode for learning, communicating, being entertained and experiencing the world instead of interacting directly with others in the same space and time. This places novice CFE interviewers at a disadvantage because they have been formally trained that much of the communication between an interviewer and an interviewee takes place non-verbally. Concurrently, the verbal aspects of communication are replete with meta-messages. For example, what kind of impression does an individual make whose voice inflection rises or falls at the end of a sentence? Can this inflection be as adequately and consistently communicated via a text message compared to in-person communication? This example (and there are many more) contains the essence of the interviewing process. Unfortunately, nuances, interpersonal communication subtleties and appropriate responses that were previously thought to be integral parts of the social modeling process aren’t as readily available to the current generation of interviewers and interviewees as they were to previous generations. Research has shown that electronic devices, such as tablets, cellphones and laptops shorten attention spans. Web surfers usually spend no more than 10 to 20 seconds on a page before ads or links distract them and they move on to burrow down into succeeding rabbit holes.

A great deal of communication now takes place via 244-character communication snippets on Twitter. The average person checks his or her phone once every six minutes. Psychologists have recently coined the term ‘nomophobia’, the fear of being out of cellphone contact, shortened from ‘no-mobile-phone-phobia’. A 2015 global study reported that students’ ‘addiction’ to media is similar to drug cravings.

The attention span of the average adult is believed to have fallen from 12 minutes in 1998 to five minutes in 2014. If interviewees’ attentive capacities are just five minutes, or less, then after that point interviews provide diminishing returns. Our attention deficits probably result from a lack of self-discipline and the delusional belief that we can cognitively multi-task. We can’t do anything about our natural limitations, but we can discipline ourselves to pay attention. We can also plan and conduct our interviews with few distractions. Interviewers new and experienced should require that all participants turn off their cellphones and, when possible, interviewers should try to ask questions in an unpredictable order.

So, we can expect that a new generation of fraud examiners will soon be interviewing individuals for extended periods of time who have as much of a dearth of direct, face-to-face interpersonal communication as they do. At the extreme, we can envision two or more uncomfortable people in an interview room, all of whom can only remain in the moment for five minutes or less and are fidgety because they need plastic-screen fixes.

An additional challenge will be that CFEs of the Millennial and Z generations will soon be spending hours interviewing older interviewees who are more familiar, explicitly and implicitly, with the subtleties of interpersonal communication. These are people who have spent significantly more time in direct, face-to-face communication. The interpersonal communication-challenged interviewer will be at a significant disadvantage when interviewing guilty, guilty-knowledge, deceptive and/or antagonistic interviewees. As my lunch companion pointed out, many experienced fraudsters are master manipulators of inexperienced interviewers.

It is urgent that younger fraud examiners and forensic accountants be instructed in the strongest terms to put down their plastic screens and practice engagement with others in direct communication, with friends, family and those who cross their paths in the normal flow of life. As a lead CFE examiner or supervisor, encourage your younger employee-colleagues to write down their communication goals for each day. Suggest they read all they can on face-to-face interviewing and questioning plus verbal and non-verbal behaviors. They can take interviewing and public-speaking classes or join a Toastmasters group. Anything to get them to converse and observe body language and expressions.

Interviewing techniques are the vehicles that ride up and down the road of interpersonal communication. If that road isn’t adequate, then drivers can’t maneuver their vehicles. Your younger employees are the only persons who can bring themselves up to the necessary interpersonal speed limit to make their one-on-one interviews successful.

Whistle & Fish

Every CFE and forensic accountant in practice encounters companies that operate outside accounting rules and tax laws. Blowing the whistle on such companies can be risky for the employee whistleblower; we all know that doing so often results in tipsters losing their jobs and reputations and facing limited future career prospects. Yet, on every side such employees are exhorted to offer the information they do to uncover fraud.

The whistleblower programs set up by U.S. government agencies are of particular interest to our Chapter members, practicing as they do in such close proximity to Washington D.C., and to those practicing in and around Richmond, the seat of government of the Commonwealth of Virginia. State and Federal entities encourage these tips by offering hot-lines and whistleblower awards programs that pay monetary awards to tipsters if their information leads to successful enforcement and to collection of money from a violator.

The two most important of these programs likely to be encountered by our Central Virginia Chapter members are the whistleblower rewards programs of the Internal Revenue Service (IRS) and the Securities and Exchange Commission (SEC). The IRS program, which began 140 years ago, authorizes the Department of the Treasury to pay amounts to individuals who provide information that allows the IRS to detect, bring to trial and punish those guilty of violating internal revenue laws. A 2006 amendment created the current IRS whistleblower program, which mandates that the government pay whistleblowers awards based on the size of the taxes collected as a result of their tips.

The seminal U.S. Federal Claims Act, enacted in 1863, allows whistleblowers a portion of reclaimed money when defendants are found guilty of defrauding the federal government. The Commodities Futures Trading Commission has also recently established a whistleblower program. As I’m sure most of you remember, in 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act established the SEC’s whistleblower awards program. The program seeks to encourage high-quality tips about securities violations with its monetary awards supplemented by protections from retaliation.

The IRS created the whistleblower awards program, codified in IRC 7623(a), to close the tax gap and fight tax fraud more aggressively. In this original program, the maximum award was 15 percent of collected taxes, penalties and other amounts not to exceed $10 million, but the decision whether to make an award at all was wholly within the IRS’ discretion. When the courts considered attempts to challenge award decisions under this law, they uniformly found that the discretion to make or not make an award is essentially not reviewable. In other words, the courts decided the IRS has the right to make an award or not, and the whistleblower can’t appeal that decision.

The Tax Relief and Health Care Act of 2006, which made major changes to the IRS awards program, mandated that the IRS pay out a substantial award whenever a whistleblower’s information leads to the collection of tax, interest and penalties based on disputes in excess of $2 million. The new section, IRC 7623(b), was intended to create strong incentives to bolster insider reporting of tax violations for claims enacted after Dec. 20, 2006. The awards are now mandatory rather than discretionary; and they range from 15 percent to 30 percent of monies collected with no cap on the dollar amount of the award. With some exceptions, a whistleblower may collect an award even if convicted of a felony.

Whistleblowers are eligible for awards based on additions to tax, penalties, interest, and other amounts collected as a result of any administrative or judicial action resulting from the information provided. The 2006 amendment added whistleblower appeal rights to the U.S. Tax Court. To implement the law, the IRS was also required to create a Whistleblower Office that reports to the IRS commissioner. Submissions that don’t qualify under the new section IRC 7623(b) (usually because the disputes are for less than $2 million) are processed under the original IRC 7623(a). The IRS will continue to consider these cases, but the award is at the discretion of the agency, and there’s no requirement that an award be issued. These whistleblowers have no minimum statutory award percentage and no appeal provision.

The Dodd-Frank bill was partly a response to financial debacles such as the Madoff fraud and widespread mortgage frauds. Many criticized the SEC for its inaction on the circumstances that led to the Great Recession, although it definitely wasn’t alone in its failure to uncover and stop massive frauds. The SEC had an awards program before Dodd-Frank, but it wasn’t particularly effective, and it focused solely on insider trading. The new whistleblower awards program, which is much broader, encourages tips related to all kinds of securities violations from financial statement fraud to alleged Ponzi schemes.

The Dodd-Frank whistleblower program stipulates that as long as collected monetary sanctions exceed $1 million, awards are 10 percent to 30 percent of that amount. Awards are paid to individuals who voluntarily provide original information that leads to successful SEC enforcement. The award percentage is increased or decreased based on several factors including the extent of the whistleblower’s assistance.

Section 924(d) of the Dodd-Frank Act required the SEC to create a separate office within the agency to enforce the new regulation. In May 2011, the SEC adopted the Final Rules, Regulation 21F, which included prohibitions against retaliation, defined terms and established policies for submitting tips, applying for awards and filing appeals on award decisions.

In the IRS program, a whistleblower must be a “natural person”, in other words, not a corporation or other business organization. Because the claim form must be signed under penalty of perjury, the whistleblower can’t be anonymous, nor can the claim come from a representative of the whistleblower. Multiple whistleblowers can submit a joint claim, but each must sign under penalty of perjury. Similarly, in the SEC program the whistleblower must be a natural person or persons. However, the SEC whistleblower can be anonymous up to the point that the award is paid out, and he or she can be represented by an attorney or other person. IRS whistleblowers can’t be the taxpayer’s representatives, employees of the Treasury Department, or employees of federal, state or local governments if they learned of the information as part of their job duties. The SEC whistleblower can’t be an auditor who learned of the issue as part of his or her duties during an audit or other engagement. The SEC whistleblower also must provide the information “voluntarily,” which means that the whistleblower can’t provide it in response to a request from regulators or law enforcement.

IRS claims must include the tax violator’s name and address, date of birth, Social Security number and the specific nature of the violation. If possible, it should also include the tax year(s), the dollar amounts of unreported income or erroneous deductions and supporting documentation. SEC claims must be original information about possible securities laws violations not already known to the SEC and not derived from publicly available sources. Even though the whistleblower employee might have first reported the information to his or her company’s internal hotline process, the SEC will still consider the information to be original. The content of this required information isn’t as clearly specified as in the IRS program, but it must cause the SEC to open (or expand) an investigation and bring a successful enforcement action.

The IRS protects the whistleblower’s identity as far as possible. If the whistleblower is needed as a witness in a court case, the IRS will notify the whistleblower who can then decide whether or not to proceed. The legislation that established the IRS program failed to include any protection for the whistleblower from possible retaliation. However, the alleged tax violator’s information is strictly protected, so that the whistleblower can only be told whether the case is open or closed. If the case is closed, the IRS can reveal to the whistleblower if his or her claim is payable, the amount of a payment or if a payment has been denied.

The SEC can’t disclose information that could reasonably be expected to reveal the identity of a whistleblower except if it needs to comply with law enforcement proceedings or protect investors by notifying another authority. For example, the SEC might need to notify the U.S. Department of Justice or a state attorney general or even foreign law enforcement if a criminal investigation should be opened as a result of the whistleblower’s allegations. The SEC informant must file through an attorney to remain anonymous during the process. After the SEC presents the award to the whistleblower, it will release the whistleblower’s name. Federal laws state that the whistleblower’s company can’t retaliate against the employee.

The IRS pays its awards when the proceeds are collected, and the appeals period for the taxpayer has expired. Many have said that the IRS program process is lengthy and slow. Claimants can generally expect to wait five to seven years to receive an award. While a whistleblower can’t appeal the award amount for IRC 7623(a) through the Tax Court, awards filed under the newer IRC 7623(b) are subject to appeal in the Tax Court.

The SEC will pay after the time has expired for the violator to file an appeal or after any appeals have been concluded. Then it evaluates all claims. The SEC must collect all sanctions from the violator before the SEC pays the award. A whistleblower can’t appeal an award amount but can appeal a denial.

In summary, we CFEs should inform our clients, individual and corporate, that whistleblowers can expect a long and bumpy ride to the chance, but not the promise, of monetary reward.

Needles & Haystacks

A long-time acquaintance of mine told me recently that, fresh out of the University of Virginia and new to forensic accounting, his first assignment consisted in searching, at the height of summer, through two unairconditioned trailers full of thousands of savings and loan records for what turned out to be just two documents critical to proving a loan fraud. He told me that he thought then that his job would always consist of finding needles in haystacks. Our profession and our tools have, thankfully, come a long way since then!

Today, digital analysis techniques afford the forensic investigator the ability to perform cost-effective financial forensic investigations. This is achieved through the following:

• The ability to test or analyze 100 percent of a data set, rather than merely sampling the data set.
• Massive amounts of data can be imported into working files, which allows for the processing of complex transactions and the profiling of certain case-specific characteristics.
• Anomalies within databases can be quickly identified, thereby reducing the number of transactions that require review and analysis.
• Digital analysis can be easily customized to address the scope of the engagement.

Overall, digital analysis can streamline investigations that involve a large number of transactions, often turning a needle-in-the-haystack search into a refined and efficient investigation. Digital analysis is not designed to replace the pick-and-shovel aspect of an investigation. However, the proper application of digital analysis will permit the forensic operator to efficiently identify those specific transactions that require further investigation or follow up.

As every CFE knows, there are an ever-growing number of software applications that can assist the forensic investigator with digital analysis. A few such examples are CaseWare International Inc.’s IDEA, ACL Services Ltd.’s ACL Desktop Edition, and the ActiveData plug-in, which can be added to Excel.

So, whether using the Internet in an investigation or using software to analyze data, fraud examiners can today rely heavily on technology to aid them in almost any investigation. More data is stored electronically than ever before; financial data, marketing data, customer data, vendor listings, sales transactions, email correspondence, and more, and evidence of fraud can be located within that data. Unfortunately, fraudulent data often looks like legitimate data when viewed in the raw. Taking a sample and testing it might or might not uncover evidence of fraudulent activity. Fortunately, fraud examiners now have the ability to sort through piles of information by using special software and data analysis techniques. These methods can identify future trends within a certain industry, and they can be configured to identify breaks in audit control programs and anomalies in accounting records.

In general, fraud examiners perform two primary functions to explore and analyze large amounts of data: data mining and data analysis. Data mining is the science of searching large volumes of data for patterns. Data analysis refers to any statistical process used to analyze data and draw conclusions from the findings. These terms are often used interchangeably.

If properly used, data analysis processes and techniques are powerful resources. They can systematically identify red flags and perform predictive modeling, detecting a fraudulent situation long before many traditional fraud investigation techniques would be able to do so.

Big data is now a buzzword in the worlds of business, audit, and fraud investigation. Big data are high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery, and process optimization. Simply put, big data is information of extreme size, diversity, and complexity.

In addition to thinking of big data as a single set of data, fraud investigators should think about the way data grow when different data sets are connected together that might not normally be connected. Big data represents the continuous expansion of data sets, the size, variety, and speed of generation of which makes it difficult to manage and analyze.

Big data can be instrumental to fact gathering during an investigation. Distilled down to its core, how do fraud examiners gather data in an investigation? We look at documents and financial or operational data, and we interview people. The challenge is that people often gravitate to the areas with which they are most comfortable. Attorneys will look at documents and email messages and then interview individuals. Forensic accounting professionals will look at the accounting and financial data (structured data). Some people are strong interviewers. The key is to consider all three data sources in unison. Big data helps to make it all work together to tell the complete picture. With the ever-increasing size of data sets, data analytics has never been more important or useful. Big data requires the use of creative and well-planned analytics due to its size and complexity. One of the main advantages of using data analytics in a big data environment is, as indicated above, that it allows the investigator to analyze an entire population of data rather than having to choose a sample and risk drawing conclusions that rest on a sampling error.

To conduct an effective data analysis, a fraud examiner must take a comprehensive approach. Any direction can (and should) be taken when applying analytical tests to available data. The more creative fraudsters get in hiding their schemes, the more creative the fraud examiner must become in analyzing data to detect these schemes. For this reason, it is essential that fraud investigators consider both structured and unstructured data when planning their engagements.

Data are either structured or unstructured. Structured data is the type of data found in a database, consisting of recognizable and predictable structures. Examples of structured data include sales records, payment or expense details, and financial reports.

Unstructured data, by contrast, is data not found in a traditional spreadsheet or database. Examples of unstructured data include vendor invoices, email and user documents, human resources files, social media activity, corporate document repositories, and news feeds.

When using data analysis to conduct a fraud examination, the fraud examiner might use structured data, unstructured data, or a combination of the two. For example, conducting an analysis on email correspondence (unstructured data) among employees might turn up suspicious activity in the purchasing department. Upon closer inspection of the inventory records (structured data), the fraud examiner might uncover that an employee has been stealing inventory and covering her tracks in the records.

Data mining has roots in statistics, machine learning, data management and databases, pattern recognition, and artificial intelligence. All of these are concerned with certain aspects of data analysis, so they have much in common; yet they each have a distinct and individual flavor, emphasizing particular problems and types of solutions.

Although data mining technologies provide key advantages to marketing and business activities, they can also manipulate financial data that was previously hidden within a company’s database, enabling fraud examiners to detect potential fraud.

Data mining software provides an easy to use process that gives the fraud examiner the ability to get to data at a required level of detail. Data mining combines several different techniques essential to detecting fraud, including the streamlining of raw data into understandable patterns.

Data mining can also help prevent fraud before it happens. For example, computer manufacturers report that some of their customers use data mining tools and applications to develop anti-fraud models that score transactions in real-time. The scoring is customized for each business, involving factors such as locale and frequency of the order, and payment history, among others. Once a transaction is assigned a high-risk score, the merchant can decide whether to accept the transaction, deny it, or investigate further.

Often, companies use data warehouses to manage data for analysis. Data warehouses are repositories of a company’s electronic data designed to facilitate reporting and analysis. By storing data in a data warehouse, data users can query and analyze relevant data stored in a single location. Thus, a company with a data warehouse can perform various types of analytic operations (e.g., identifying red flags, transaction trends, patterns, or anomalies) to assist management with its decision making responsibilities.

In conclusion, after the fraud examiner has identified the data sources, s/he should identify how the information is stored by reviewing the database schema and technical documentation. Fraud examiners must be ready to face a number of pitfalls when attempting to identify how information is stored, from weak or nonexistent documentation to limited collaboration from the IT department.

Moreover, once collected, it’s critical to ensure that the data is complete and appropriate for the analysis to be performed. Depending on how the data was collected and processed, it could require some manual work to make it usable for analysis purposes; it might be necessary to modify certain field formats (e.g., date, time, or currency) to make the information usable.
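The field cleanup and full-population testing described above, as an added Python example that is not part of the original post. The sample extract, its column names and the accepted date and currency formats are constructed assumptions; rows that can't be normalized are set aside for follow-up rather than silently dropped.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed sample extract: mixed date and currency formats, one blank
# amount, one impossible date. Not data from any real system.
SAMPLE_CSV = """payment_id,vendor,invoice_no,pay_date,amount
P001,Acme Supply,INV-1001,2023-02-14,"1,250.00"
P002,ACME SUPPLY ,inv-1001,02/14/2023,$1250.00
P003,Birch Logistics,INV-2040,14.02.2023,(300.00)
P004,Birch Logistics,INV-2041,2023-02-15,
P005,Cedar Office,INV-3000,2023-02-30,75.10
P006,Cedar Office,INV-3001,03/01/2023,75.10
"""

# Assumed formats for this extract; confirm them against the source
# system's documentation before relying on them.
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%d.%m.%Y")


def parse_date(text):
    """Return a date from any accepted format, or raise ValueError."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognized or invalid date: {text!r}")


def parse_amount(text):
    """Return a Decimal; accepts '$', thousands commas and (negative)."""
    raw = text.strip()
    if not raw:
        raise ValueError("amount is blank")
    negative = raw.startswith("(") and raw.endswith(")")
    cleaned = raw.strip("()").replace("$", "").replace(",", "")
    try:
        value = Decimal(cleaned)
    except InvalidOperation:
        raise ValueError(f"unrecognized amount: {text!r}") from None
    return -value if negative else value


def load_and_normalize(csv_text):
    """Normalize every row; return (clean_records, rejected_rows)."""
    clean, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            clean.append({
                "payment_id": row["payment_id"].strip(),
                # Collapse whitespace and case so spelling variants match.
                "vendor": " ".join(row["vendor"].split()).casefold(),
                "invoice_no": row["invoice_no"].strip().upper(),
                "pay_date": parse_date(row["pay_date"]),
                "amount": parse_amount(row["amount"]),
            })
        except ValueError as exc:
            rejected.append((row["payment_id"].strip(), str(exc)))
    return clean, rejected


def find_duplicates(clean):
    """Test 100 percent of clean records for same vendor/invoice/amount."""
    groups = defaultdict(list)
    for rec in clean:
        key = (rec["vendor"], rec["invoice_no"], rec["amount"])
        groups[key].append(rec["payment_id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


if __name__ == "__main__":
    clean, rejected = load_and_normalize(SAMPLE_CSV)
    # Completeness check: every source row is either usable or explained.
    print(f"{len(clean)} usable rows, {len(rejected)} rejected")
    for payment_id, reason in rejected:
        print(f"  follow up on {payment_id}: {reason}")
    for ids in find_duplicates(clean):
        print("possible duplicate payment:", ", ".join(ids))
```

Without the normalization step, P001 and P002 would not match on any raw field, which is how duplicates survive a test run on unprepared data.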

Authority Figures

As fraud examiners and forensic accountants intimately concerned with the on-going state of health of our client’s fraud management programs, we find ourselves constantly looking at the integrity of the critical data that’s truly (as much as financial capital) the life blood of today’s organizations. We’re constantly evaluating the network of anti-fraud controls we hope will help keep those pesky, uncontrolled, random data driven vulnerabilities to fraud to a minimum. Every little bit of critical financial information that gets mishandled or falls through the cracks, every transaction that doesn’t get recorded, every anti-fraud policy or procedure that’s misapplied has some effect on the client’s overall fraud management picture and on our challenge.

When it comes to managing its client, financial and payment data, almost every small to medium sized organization has a Sandy. Sandy’s the person to whom everyone goes to get the answers about data, and the state of system(s) that process it; quick answers that no one else ever seems to have. That’s because Sandy is an exceptional employee with years of detailed hands-on experience in daily financial system operations and maintenance. Sandy is also an example of the extraordinary level of dependence that many organizations have today on a small handful of their key employees. The now unlamented great recession, during which enterprises relied on retaining the experienced employees they had rather than on traditional hiring and cross-training practices, only exacerbated an existing, ever growing trend. The very real threat to the Enterprise Fraud Management system that the Sandys of the corporate data world pose is not so much that they will commit fraud themselves (although that’s an ever-present possibility) but that they will retire or get another job across town or out of state, taking their vital knowledge of company systems and data with them.

The day after Sandy’s retirement party and, to an increasing degree thereafter, it will dawn on Sandy’s management that it’s lost a large amount of information about the true state of its data and financial processing system(s). Management will also become aware, if it isn’t already, of its lack of a large amount of system critical data documentation that’s been carried around nowhere else but in Sandy’s head. The point is that, for some smaller organizations, their reliance on a few key employees for day to day, operationally related information goes well beyond what’s appropriate and constitutes an unacceptable level of risk to their entire fraud prevention programs. Today’s newspapers and the internet are full of stories about hacking and large-scale data breaches that only reinforce the importance of vulnerable data and of the completeness of its documentation to the on-going operational viability of our client organizations.

Anyone who’s investigated frauds involving large scale financial systems (insurance claims, bank records, client payment information) is painfully aware that when the composition of data changes (field definitions or content) surprisingly little of the change related information is formally documented. Most of the information is stored in the heads of some key employees, and those key employees aren’t necessarily involved in everyday, routine data management projects. There’s always a significant level of detail that’s gone undocumented, left out or to chance, and it becomes up to the analyst of the data (be s/he an auditor, a management scientist, a fraud examiner or other assurance professional) to find the anomalies and question them. The anomalies might be in the form of missing data, changes in data field definitions, or changes in the content of the fields; the possibilities are endless. Without proper, formal documentation, the immediate or future significance of these types of anomalies for the fraud management system and for the overall fraud risk assessment process itself becomes almost impossible to determine.

If our auditor or fraud examiner, operating under today’s typical budget or time constraints, is not very thorough and misses the identification of some of these anomalies, they can end up never being addressed. How many times as an analyst have we all tried to explain something (like apparently duplicate transactions) about the financial system that just doesn’t look right only to be told, “Oh, yeah. Sandy made that change back in February before she retired; we don’t have too many details on it.” In other words, undocumented changes to transactions and data, details of which now exist only in Sandy’s no longer available head. When a data driven system is built on incomplete information, the system can be said to have failed in its role as a component of the organization’s fraud prevention program. The cycle of incomplete information gets propagated to future decisions, and the cost of the missing or inadequately explained data can be high. What can’t be seen can’t ever be managed or even explained.

In summary, it’s a truly humbling experience to be confronted with how much critical financial information resides in the fading (or absent) memories of past or present key employees; what the ACFE calls authority figures. As fraud examiners we should attempt to foster a culture among our clients supportive of the development of concurrent systems of transaction related documentation and the sharing of knowledge on a consistent basis about all systems but especially regarding the recording of changes to critical financial systems. One nice benefit of this approach, which I brought to the attention of one of my audit clients not too long ago, would be to free up the time of one of these key employees to work on more productive fraud control projects rather than serving as the encyclopedia for the rest of the operational staff.

Regulators & Silos

I was reading last week on LinkedIn about a large, highly regulated, financial institution that was defrauded over a long period of time by two different companies, both of which were its suppliers. To add insult to injury, subsequent investigation by a CFE revealed that the two vendors were subsidiaries of a third, which proved also to be a supplier of the victim concern; all three cooperated in the fraud and our victim was completely unaware prior to the investigation of any relationship between them; the kind of ignorance that can draw intense regulatory attention.

This is not as uncommon an occurrence as many might think but it is illustrative of the fact that today’s companies are increasingly forced to expend resources simply trying to understand and manage the complex web of relationships that exist between them and the organizations and people with which they deal; that is, if they want to avoid falling victim to frauds running the whole gamut from the simple to the complex. Such efforts involve gaining perspective on individual vendors and customers but extend far beyond that to include sorting through and classifying corporate hierarchies and complex business-to-business relationships involving partners, suppliers, distributors, resellers, contacts, regulators and employees.

These complex, sometimes overlapping, relationships are only exacerbated by dynamic geographic and cross-channel coordination requirements, and multiple products and customer accounts (our victim financial organization operates in three countries and has over 4,000 employees and hundreds of vendors). No fraud prevention program can be immune in the face of these challenges.

Financial companies that want to securely deliver the best experience to their stakeholders within intensified regulatory constraints need to provide themselves with a complete picture of all the critical parties in their relationships at the various points of service in the on-going process of company operations. The ability to do this requires that organizations have a better understanding of the complicated hierarchies and relationships that exist between them and their stakeholders. You cannot manage what you cannot see and you certainly cannot adequately protect it against fraud, waste and abuse.

The active study of organizational hierarchies and relationships (and their related fraud vulnerabilities) is a way of developing an integrated view of the relationship of risk among cooperating entities, such as our CFE client companies and their affiliates, customers and partners, across multiple channels, geographies or applications. The identification of organizational relationships can help our client companies clearly and consistently understand how each of their affiliates, business divisions and contacts within a single multi-national enterprise fit within a broader, multidimensional context. Advanced organizational management approaches can help organizations track when key people change jobs within and between their related affiliates, vendors and companies. Advanced systems can also identify these individuals’ replacements, feeding a database of who is where, which is vital to following shifting patterns of enterprise risk.

Our client financial companies that take the time to identify and document their organizational relationships and place stakeholders into a wider hierarchical context realize a broad range of fraud, waste and abuse prevention related benefits, including:

• Enhanced ability to document regulatory compliance;
• More secure financial customer experiences, leading to enhanced reputation, increased loyalty and top-line growth;
• More confident financial reporting and more accurate revenue tracking;
• Reduction of over-all enterprise fraud risk;
• More accurate vetting of potential vendors and suppliers;
• More secure sales territory and partner program management;
• Improved security program compliance management;
• More accurate and effective fraud risk evaluation and mitigation.

The ability to place stakeholders within hierarchical context is invaluable to helping companies optimize business processes, enhance customer relationships and achieve enterprise-wide objectives like fraud prevention and mitigation. Organizations armed with the understanding provided by documented relationship contexts can improve revenues, decrease costs, meet compliance requirements, mitigate risk while realizing many other benefits.

As with our victimized financial enterprise, a company without relational data regarding vendors and other stakeholders can be unknowingly dealing with multiple suppliers who are, in fact, subsidiaries of the same enterprise, causing the company to not only inadvertently misrepresent its vendor base but, even more importantly, increase its vulnerability to fraud. Understanding the true relational context of an individual supplier may allow a company to identify areas of that vendor’s organization that represent enhanced internal control weakness or fraud risk. Conversely, an organization may fail to treat certain weakly controlled stakeholders strategically because the organization is unaware of just how much business it is doing with that stakeholder and its related subsidiaries and divisions.
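One way to surface the situation described above, where several suppliers roll up to one enterprise, as an added Python example that is not part of the original post. The entity names, ownership links and spend figures are constructed, and the ownership table is assumed to come from a corporate-registry or vendor due-diligence source.

```python
from collections import defaultdict

# Constructed ownership links: entity -> immediate parent (None = top level).
OWNERSHIP = {
    "Northgate Print LLC": "Harbor Holdings Inc",
    "Quill Data Services": "Harbor Holdings Inc",
    "Harbor Holdings Inc": None,
    "Elm Street Catering": None,
    "Pine Couriers": "Pine Group",
    "Pine Group": None,
}

# Constructed annual spend per paid vendor, in whole dollars.
SPEND = {
    "Northgate Print LLC": 410_000,
    "Quill Data Services": 385_000,
    "Harbor Holdings Inc": 120_000,
    "Elm Street Catering": 18_000,
    "Pine Couriers": 52_000,
}


def ultimate_parent(entity, ownership):
    """Walk parent links to the top of the hierarchy.

    An entity missing from the table is treated as its own top-level
    parent. A circular ownership record raises ValueError, since bad
    relationship data should be fixed, not looped over forever.
    """
    seen = set()
    current = entity
    while True:
        if current in seen:
            raise ValueError(f"ownership cycle involving {current!r}")
        seen.add(current)
        parent = ownership.get(current)
        if parent is None:
            return current
        current = parent


def related_vendor_groups(spend, ownership):
    """Return groups of two or more paid vendors sharing an ultimate parent.

    Each finding carries the vendors, their combined spend and that
    spend's share of the whole vendor base.
    """
    by_root = defaultdict(list)
    for vendor in spend:
        by_root[ultimate_parent(vendor, ownership)].append(vendor)

    grand_total = sum(spend.values())
    findings = {}
    for root, vendors in sorted(by_root.items()):
        if len(vendors) < 2:
            continue  # a single supplier under this parent is unremarkable
        total = sum(spend[v] for v in vendors)
        findings[root] = {
            "vendors": sorted(vendors),
            "total": total,
            "share": round(total / grand_total, 3),
        }
    return findings


if __name__ == "__main__":
    for root, info in related_vendor_groups(SPEND, OWNERSHIP).items():
        print(f"{root}: {len(info['vendors'])} related vendors, "
              f"${info['total']:,} ({info['share']:.1%} of vendor spend)")
        for name in info["vendors"]:
            print(f"  - {name}: ${SPEND[name]:,}")
```

Viewed as separate vendors, none of the three Harbor entities exceeds 42 percent of spend; rolled up to their common parent they account for over 90 percent, which is the concentration the flat vendor list hides.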

Risk management has always been a core competency for organizations in general and for financial institutions in particular. However, integrated enterprise risk management (ERM) practices and corporate governance disciplines are now a regulatory imperative. Any institution that views corporate governance as merely a compliance exercise is missing the mark. Regulatory compliance is synonymous with the quality of the integrated ERM framework. Risk and control are virtually inseparable, like two sides of a coin, meaning that risks first must be identified and assessed, and then managed and mitigated by the implementation of a strong system of internal control. Accurate stakeholder relational data is, therefore, critical to the effectiveness of the overall ERM process.

In today’s environment, the compliance onus rests with the regulated. In a regulatory environment where client enterprise ignorance of the situation in the client’s own overall enterprise is no longer a defense, responsibility for compliance now rests with the board and senior management to satisfy regulators that they have implemented a mature fraud prevention framework throughout the organization, effectively managing risk from the mailroom to the boardroom.

An integrated control framework with more integrated risk measures, both across risk types and economic and regulatory capital calculations, is warranted. Increased demands for self-attestation require elimination of fragmentation and silos in business and corporate governance, risk management, and compliance.

Compliance needs to be integrated into the organization’s ERM-based fraud prevention framework, thereby making the management of regulatory risk a key part of effective overall compliance. Compliance needs to be seen as less of a function and more as an institutional state of mind, helping organizations to anticipate risk as well as to avoid it. Embedding compliance as a corporate discipline ensures that fraud prevention controls are entrenched in people’s roles and responsibilities more effectively than external regulations. The risk management function must not only address the compliance requirements of the organization but must also serve as an agent for improved decision making, loss reduction and competitive advantage within the marketplace.

Organizations can approach investments in corporate governance, relationship identification, risk management practices and regulatory compliance initiatives as one-off, isolated activities, or they can use these investments as an opportunity to strengthen and unify their risk culture, aligning best practices to protect and enhance stakeholder value. A silo-based approach to fraud prevention will not only be insufficient but will also result in compliance processes layered one upon the other, adding cost and duplication, and reducing the overall agility of our client’s business; in effect, increasing risk. This piecemeal reactive approach also leaves a gap between the processes designed to keep the organization in line with its regulatory obligations and the policies needed to protect and improve the franchise. Organizations are only as strong as their weakest components, like the links in a chain.

The ACFE tells us that people tend to identify with their positions, focusing more on what they do rather than on the purpose of it. This leads to narrowed vision on the job, resulting in a myopic sense of responsibility for the results produced when all positions interact. In the event of risk management breakdowns or when results are below expectations, it is difficult for people to look beyond their silo. The “enemy is out there” syndrome, a byproduct of seeing only one’s own position, results in people quickly blaming someone or something outside themselves, including regulators, when negative events like long running frauds are revealed and retreating within the perceived safety of their fortress silo. This learning disability makes it almost impossible to detect the leverage that can be used on issues like fraud prevention and response that straddle the boundary between ‘us’ and ‘them’.

However, it is particularly disconcerting that the weakest numbers by industry sector, including financial services, occur in the ACFE studies measuring organization wide accountability and people’s understanding of their accountability. My personal feeling is that much of the reason for this low score is the perpetuation of organizational silos resulting from management’s failure to adequately identify and document all of its stakeholders’ cross-organizational relationships.

Trust but Check

The community support for a business, and business in general, depends on the credibility that stakeholders place in corporate commitments, the company’s reputation, and the strength of its competitive advantage. All of these depend on the trust that stakeholders place in a company’s activities. Trust, in turn, depends on the values underlying corporate activities. Off-shore accounts, manipulation of shell corporations to evade taxes, loan fraud and management self-dealing are just a few instances of the moral cancer that, drop by drop, erodes trust until the point where the free enterprise systems of democratic nations are replaced by naked oligarchy, kleptocracy and cultures of corruption.

If the interests of all stakeholders are systematically not respected, then action that is often painful to shareholders, officers, and directors usually occurs. In fact, it is unlikely that businesses or professions can achieve their long-run strategic objectives without the support of key stakeholders, such as shareholders, employees, customers, creditors, suppliers, governments, and host communities.

A constant theme and trend (as echoed in the trade press) has become increasingly more evident since the turn of the century. The judgment and moral character of executives, owners, boards of directors, and auditors has been often insufficient, on their own, to prevent increasingly severe corporate, ethical, and governance scandals. Governments and regulators world-wide have been required to constantly tighten guidelines and governance regulations to assure the protection of the public. The self-interested lure of greed has proven to be too strong for many to resist, and they have succumbed to conflicts of interest when left too much on their own. Corporations that were once able to shift jurisdictions to avoid new regulations regarding tax and other matters now are facing global measures designed to expose and control questionable ethics and governance practices. Assurance professionals themselves, of all types, are also facing international standards of behavior.

These changes have come about because of the pressures brought to bear on corporations and management by the reporting of scandals and abuses by a still potent free press and by suits by activist investors and other involved stakeholders. But changes in laws, regulations, and standards are only part of what stakeholders have contributed. The expectations for good ethical behavior and good governance practices have changed. Failure to comply with these expectations now impacts reputations, profits, and careers even if the behavior is strictly within legal boundaries.

As ACFE training tells us, it’s become increasingly evident to most executives, owners, and auditors that their individual success is directly related to their ability to develop and maintain a corporate culture of integrity. They cannot afford the loss of reputation, revenue, reliability, and credibility as a result of a loss of integrity. It is no longer an effective or sustainable medium- or long-term strategy to project or practice questionable ethics. ACFE training goes on to indicate a number of causes, or signs, of ethical problems within any given corporation:

– Pressure to meet goals, especially financial ones, at any cost;
– A culture that does not foster open and candid conversation and discussion;
– A CEO who is surrounded by people who will agree and flatter the CEO, as well as a CEO whose reputation is ‘beyond criticism’;
– Weak boards that do not exercise their fiduciary responsibilities with diligence;
– An organization that promotes people on the basis of nepotism and favoritism;
– Hubris: the arrogant belief that rules are for other people, but not for us;
– A flawed cost/benefit attitude that suggests that poor ethical behavior in one area can be offset by good ethical behavior in another area.

The LIBOR rate scandal of 2012 is an almost perfect example of ethical collapse and manifests a majority of the red flags enumerated above. The scandal featured the systematic manipulation of a benchmark interest rate, supported by a culture of fraud in the world’s biggest banks, in an environment where little or no regulation prevailed. After decades of abuse that enriched the big banks, their shareholders, executives and traders, at the expense of others, investigations and lawsuits were finally undertaken resulting in prosecutions and huge penalties for the banks and the individual traders involved.

The London Interbank Offered Rate (LIBOR) is a rate of interest, first computed in 1985 by the British Banking Association (BBA), the Bank of England and others, to serve as a readily available reference or benchmark rate for many financial contracts and arrangements. Prior to its creation, contracts utilized many privately negotiated rates, which were difficult to verify, and not necessarily related to the market rate for the security in question. The LIBOR rate, which is the average interest rate estimated by leading banks that they would be charged if they were to borrow from other banks, provided a simple alternative that came to be widely used.

At the time of the LIBOR scandal, 18 of the largest banks in the world provided their estimates of the costs they would have had to pay for a variety of interbank loans (loans from other banks) just prior to 11:00 a.m. on the submission day. These estimates were submitted to the Reuters news agency (which acted for the BBA) for calculation of the average and for its publication and dissemination. Reuters set aside the four highest and four lowest estimates and averaged the remaining ten.

So huge were the investments affected that a small manipulation in the LIBOR rate could have a very significant impact on the profit of the banks and of the traders involved in the manipulation.
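To make the averaging rule concrete, the following added example (not part of the original post) computes the fixing as described above and measures how far it moves when submissions are restated. The quotes, in basis points, are constructed sample values, and the function names are assumptions made for the illustration.

```python
from fractions import Fraction

PANEL_SIZE = 18   # contributing banks, as stated in the text
TRIM = 4          # quotes set aside at each end, as stated in the text


def fixing(submissions_bp):
    """Trimmed mean: drop the 4 highest and 4 lowest quotes, average the other 10."""
    if len(submissions_bp) != PANEL_SIZE:
        raise ValueError(f"expected {PANEL_SIZE} submissions, got {len(submissions_bp)}")
    kept = sorted(submissions_bp)[TRIM:PANEL_SIZE - TRIM]
    return Fraction(sum(kept), len(kept))


def shift(submissions_bp, restated):
    """Change in the fixing when some quotes are restated.

    `restated` maps a panel position (list index) to the quote submitted instead.
    """
    changed = list(submissions_bp)
    for position, quote in restated.items():
        changed[position] = quote
    return fixing(changed) - fixing(submissions_bp)


# Constructed sample panel: 18 quotes from 300 bp to 317 bp, one per bank.
HONEST_BP = list(range(300, 318))


def scenarios():
    """Three constructed cases showing what the trimming does and does not absorb."""
    return {
        # A quote inside the averaged band drops below it: the restated quote is
        # discarded, but a lower neighbouring quote is pulled into the average.
        "one mid-panel bank, 310 -> 290": shift(HONEST_BP, {10: 290}),
        # A quote that was already discarded moves further out: no effect at all.
        "one already-trimmed bank, 300 -> 280": shift(HONEST_BP, {0: 280}),
        # Several banks moving the same way shift the fixing much further.
        "three mid-panel banks -> 290": shift(HONEST_BP, {9: 290, 10: 290, 11: 290}),
    }


if __name__ == "__main__":
    print("honest fixing (bp):", float(fixing(HONEST_BP)))
    for label, delta in scenarios().items():
        print(f"{label}: {float(delta):+.1f} bp")
```

The trimming caps the influence of any single restated quote, but it does not remove it, and it offers little protection when several submitters move in the same direction.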

Insiders to the banking system knew about the manipulation of LIBOR rate submissions for decades, but changes were not made until the public became aware of the problem, and until the U.S. Department of Justice (DOJ) forced the U.K. government to act. The president of the New York Federal Reserve Bank (Fed) at that time emailed the governor of the Bank of England in June 2008, suggesting ways to “enhance” LIBOR. Although ensuing emails report agreement on the suggestions, and articles appeared in the trade press from 2008 to 2011, serious changes were not applied until October 2012 when the U.K. government accepted the recommendations of the Wheatley Review of Libor. This Review by Martin Wheatley, managing director of the British Financial Services Authority, was commissioned in June 2012 in view of investigations, charges and settlements that were raising public awareness of LIBOR deficiencies.

One of the motivations for creating the Wheatley Review involved the prosecution of a former UBS and later Citigroup Inc. trader on criminal fraud charges for manipulating the LIBOR rates. The trader, known to insiders as the “Rain Man” for his abilities and demeanor, allegedly sought his superiors’ approval before attempting to influence the LIBOR rates, an act that some observers thought at the time would provide a strong defense against conviction.

Insiders who knew of LIBOR manipulations were generally reluctant to take a public stand for earlier change. However, on July 27, 2012, a former trader for Morgan Stanley in London published an article that told of his earlier attempts to bring LIBOR rate manipulations to the attention of authorities, but without success. In his article, he indicated how he learned as a new trader in 1991 that the banks manipulated their rate submissions to make profit on specific contracts, and to mask liquidity problems such as during the subprime lending crisis of 2008. For example, if the LIBOR rate submissions were misstated to be low, the discounted valuation of related assets would be raised, thus providing misleadingly higher levels of short-term, near-cash assets than should have been reported.

Numerous studies since the scandal have detailed the effects of unethical LIBOR manipulation. Just two examples of such manipulation follow. At the time of the scandal many home owners borrowed their mortgage loans on a variable- or adjustable-rate basis, rather than a fixed-rate basis. Consequently, many of these borrowers received a new rate at the first of every month based on the LIBOR rate. A study prepared for a class action lawsuit has shown that on the first of each month for the period 2007-2009, the LIBOR rate rose more than 7.5 basis points on average. As a consequence, one observer estimated that each LIBOR submitting bank may be liable for as much as $2.3 billion.

Municipalities raise funds through the issue of bonds, and many were encouraged to issue variable-rate, rather than fixed-rate, bonds to take advantage of lower interest payments. For example, the saving could be as much as $1 million on a $100 million bond. After issue, the municipalities were encouraged to buy interest rate swaps from their investment banks to hedge their risk of volatility in the variable rates by converting or swapping into a fixed rate arrangement. The seller of the swap agrees to pay the municipality for any requirement to pay interest at more than the fixed rate agreed if interest rates rise, but if interest rates fall the swap seller buys the bonds at the lower variable interest rate. However, the variable rate was linked to the LIBOR rate, which was artificially depressed, thus costing U.S. municipalities as much as $10 billion. Class action suits were eventually launched to recover these losses, which cost municipalities, hospitals, and other non-profits as much as $600 million a year.

At the end of the day, trust in each other and in our counter-parties is all we really have as economic actors; CFEs and forensic accountants thus have a vital role to play in investigating, documenting and assisting in the identification and possible prosecution of those who, like the LIBOR manipulators, knowingly collude in making the choice to violate that trust.

Targeting the Blockchain

Both the blockchain and the digital engineering support structures underlying the digital currencies that are fast becoming the financial and transactional media of choice for the nefarious are now increasingly finding themselves under various modes of fraudster attack.

Bitcoins, the most familiar blockchain application, were invented in 2009 by a mysterious person (or group of people) using the alias Satoshi Nakamoto, and the coins are created or ‘mined’ by solving increasingly difficult mathematical equations, requiring extensive computing power. The system is designed to ensure no more than twenty-one million Bitcoins are ever generated, thereby preventing a central authority from flooding the market with new Bitcoins. Most Bitcoins are purchased on third-party exchanges with traditional currencies, such as dollars or euros, or with credit cards. The exchange rates against the dollar for Bitcoin fluctuate wildly and have ranged from fifty cents per coin around the time of its introduction to over $1,240 in 2013 to around $600 today.

The whole point of using a blockchain is to let people, in particular people who don’t trust one another, share valuable data in a secure, tamper-proof way. That’s because blockchains store data using sophisticated math and innovative software rules that are extremely difficult for attackers to manipulate. But as cases like the Mt. Gox Bitcoin hack demonstrate, the security of even the best designed blockchain and associated support systems can fail in places where the fancy math and software rules come into contact with humans; humans who are skilled fraudsters, in the real world, where things quickly get messy. For CFEs to understand why, start with what makes blockchains “secure” in principle. Bitcoin is a good example. In Bitcoin’s blockchain, the shared data is the history of every Bitcoin transaction ever made: it’s a plain old accounting ledger. The ledger is stored in multiple copies on a network of computers, called “nodes.” Each time someone submits a transaction to the ledger, the nodes check to make sure the transaction is valid, that whoever spent a bitcoin had a bitcoin to spend. A subset of the nodes competes to package valid transactions into “blocks” and add them to a chain of previous blocks. The owners of these nodes are called miners. Miners who successfully add new blocks to the chain earn bitcoins as a reward.

What makes this system theoretically tamperproof is two things: a cryptographic fingerprint unique to each block, and a consensus protocol, the process by which the nodes in the network agree on a shared history. The fingerprint, called a hash, takes a lot of computing time and energy to generate initially. It thus serves as proof that the miner who added the block to the blockchain did the computational work to earn a bitcoin reward (for this reason, Bitcoin is said to employ a proof-of-work protocol). It also serves as a kind of seal, since altering the block would require generating a new hash. Verifying whether or not the hash matches its block, however, is easy, and once the nodes have done so they update their respective copies of the blockchain with the new block. This is the consensus protocol.

The final security element is that the hashes also serve as the links in the blockchain: each block includes the previous block’s unique hash. So, if you want to change an entry in the ledger retroactively, you have to calculate a new hash not only for the block it’s in but also for every subsequent block. And you have to do this faster than the other nodes can add new blocks to the chain. Consequently, unless you have computers that are more powerful than the rest of the nodes combined (and even then, success isn’t guaranteed), any blocks you add will conflict with existing ones, and the other nodes will automatically reject your alterations. This is what makes the blockchain tamperproof, or immutable.
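The sealing and linking described in the last two paragraphs can be shown with a toy hash chain. This is an added example, not part of the original post and not Bitcoin’s actual block format: the block layout, the three-hex-zero work target, the function names and the sample ledger are all assumptions chosen to keep it small.

```python
import copy
import hashlib
import json

DIFFICULTY = 3            # toy work target (assumption): hash must start with 3 hex zeros
GENESIS_PREV = "0" * 64   # stand-in "previous hash" for the first block


def block_hash(index, prev_hash, transactions, nonce):
    """SHA-256 fingerprint over everything the block commits to."""
    payload = json.dumps([index, prev_hash, transactions, nonce], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(index, prev_hash, transactions):
    """Search for a nonce that meets the target: costly to find, cheap to check."""
    nonce = 0
    while True:
        digest = block_hash(index, prev_hash, transactions, nonce)
        if digest.startswith("0" * DIFFICULTY):
            return {"index": index, "prev_hash": prev_hash,
                    "transactions": transactions, "nonce": nonce, "hash": digest}
        nonce += 1


def build_chain(batches):
    """Mine one block per batch of transactions, each linked to its predecessor."""
    chain, prev = [], GENESIS_PREV
    for index, transactions in enumerate(batches):
        block = mine(index, prev, transactions)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain):
    """What a verifying node does: return the index of the first bad block, or None."""
    prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block["index"], block["prev_hash"],
                            block["transactions"], block["nonce"])
        if (block["prev_hash"] != prev or digest != block["hash"]
                or not digest.startswith("0" * DIFFICULTY)):
            return block["index"]
        prev = block["hash"]
    return None


def reseal(chain, start, stop):
    """Redo the work for blocks start..stop-1, relinking each to its predecessor."""
    for i in range(start, stop):
        prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        chain[i] = mine(i, prev, chain[i]["transactions"])


# Constructed sample ledger: one small batch of transactions per block.
LEDGER = [
    [{"from": "coinbase", "to": "alice", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "dave", "amount": 1}],
]


def demo():
    honest = build_chain(LEDGER)
    altered = copy.deepcopy(honest)
    altered[1]["transactions"][0]["amount"] = 500   # retroactive edit to block 1
    after_edit = first_invalid_block(altered)       # seal on block 1 is broken
    reseal(altered, 1, 2)                           # new hash for block 1 only
    after_partial = first_invalid_block(altered)    # block 2 still links to the old hash
    reseal(altered, 2, len(altered))                # redo every later block as well
    after_full = first_invalid_block(altered)       # internally consistent again
    same_tip = altered[-1]["hash"] == honest[-1]["hash"]
    return after_edit, after_partial, after_full, same_tip


if __name__ == "__main__":
    print(demo())
```

Even the fully resealed copy ends in a different final hash from the one honest nodes hold, which is why it conflicts with their history unless the rewriting party can also outpace them in adding new blocks.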

The reality, as experts are increasingly pointing out, is that implementing blockchain theory in actual practice is difficult. The mere fact that a system works like Bitcoin, as many copycat cryptocurrencies do, doesn’t mean it’s just as secure as Bitcoin. Even when developers use tried and true cryptographic tools, it’s easy to accidentally put them together in ways that are not secure. Bitcoin has been around the longest, so it’s just the most thoroughly battle-tested.

As the ACFE and others have indicated, fraudsters have also found creative ways to cheat. It’s been shown that there is a way to subvert a blockchain even if you have less than half the mining power of the other miners. The details are somewhat technical, but essentially a “selfish miner” can gain an unfair advantage by fooling other nodes into wasting time on already-solved crypto-puzzles.

The point is that no matter how tamperproof a blockchain protocol is, it does not exist in a vacuum. The cryptocurrency hacks driving recent headlines are usually failures at places where blockchain systems connect with the real world, for example, in software clients and third-party applications. Hackers can, for instance, break into hot wallets, internet-connected applications for storing the private cryptographic keys that anyone who owns cryptocurrency requires in order to spend it. Wallets owned by online cryptocurrency exchanges have become prime targets. Many exchanges claim they keep most of their users’ money in cold hardware wallets, storage devices disconnected from the internet. But as the recent heist of more than $500 million worth of cryptocurrency from a Japan-based exchange showed, that’s not always the case.

Perhaps the most complicated touchpoints between blockchains and the real world are smart contracts, which are computer programs stored in certain kinds of blockchain that can automate financial and other contract-related business transactions. Several years ago, hackers exploited an unforeseen quirk in a smart contract written on Ethereum’s blockchain to steal 3.6 million Ether, worth around $80 million at the time, from a new kind of blockchain-based investment fund. Since the investment fund’s code lived on the blockchain, the Ethereum community had to push a controversial software upgrade called a hard fork to get the money back, essentially creating a new version of history in which the money was never stolen. According to a number of experts, researchers are scrambling to develop other methods for ensuring that smart contracts won’t malfunction.

An important supposed security guarantee of a blockchain system is decentralization. If copies of the blockchain are kept on a large and widely distributed network of nodes, there’s no one weak point to attack, and it’s hard for anyone to build up enough computing power to subvert the network. But recent reports in the trade press indicate that neither Bitcoin nor Ethereum is as decentralized as the public has been led to believe. The reports indicate that the top four bitcoin-mining operations had more than 53 percent of the system’s average mining capacity per week. By the same measure, three Ethereum miners accounted for 61 percent of Ethereum transactions.

Some experts say alternative consensus protocols, perhaps ones that don’t rely on mining, could be more secure. But this hypothesis hasn’t been tested at a large scale, and new protocols would likely have their own security problems. Others see potential in blockchains that require permission to join, unlike in Bitcoin’s case, where anyone who downloads the software can join the network.

Such consensus systems are anathema to the antihierarchical ethos of cryptocurrencies, but the approach appeals to financial and other institutions looking to exploit the advantages of a shared cryptographic database. Permissioned systems, however, raise their own questions. Who has the authority to grant permission? How will the system ensure that the validators are who they say they are? A permissioned system may make its owners feel more secure, but it really just gives them more control, which means they can make changes whether or not other network participants agree, something true believers would see as violating the very idea of blockchain.

So, in the end, for CFEs, the word ‘secure’ ends up being very hard to define in the context of blockchains. Secure from whom? Secure for what?

A final thought for CFEs and forensic accountants. There are no real names stored on the Bitcoin blockchain, but it records every transaction made by your user client; every time the currency is used the user risks exposing information that can tie his or her identity to those actions. It is known from documents leaked by Edward Snowden that the US National Security Agency has sought ways of connecting activity on the Bitcoin blockchain to people in the physical world. Should governments seek to create and enforce blacklists, they will find that the power to decide which transactions to honor may lie in the hands of just a few Bitcoin miners.

#We Too

The #Me Too phenomenon is just one of the latest instances of a type of fraud featuring a betrayal of trust by a fellow community member which is as old as humanity itself. The ACFE calls it affinity fraud, and it is one of the most common instances of fraud with which any CFE or forensic accountant is ever called upon to deal. The poster boy for affinity frauds in our time is, of course, Bernard L. Madoff, whose affinity fraud and Ponzi scheme ended with his arrest in 2008. The Madoff scandal is considered an affinity fraud because the vast majority of his clientele shared Madoff’s religion, Judaism. Over the years, Madoff’s clientele grew to include prominent persons in the entertainment industry, including Steven Spielberg and Larry King. This particular affinity fraud was unprecedented because it was perpetrated by Madoff over several decades, and his investment customers were defrauded of approximately twenty billion dollars.

But not all targets of affinity fraud are wealthy investors; such scams touch all genders, religions, age groups, races, statuses, and educational levels. Among the saddest are affinity frauds targeting children and the elderly.

Con artists prey on vulnerable underage targets by luring them to specially designed websites and phone apps and then collecting their personal information. TRUSTe, an Internet privacy seal program, is a safe harbor program under the terms of the Children’s Online Privacy Protection Act (COPPA) administered by the U.S. Federal Trade Commission. This was the third safe harbor application approved by the Commission. Safe harbor apps and programs are submitted by the Children’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus, an arm of the advertising industry’s self-regulatory program, and the Entertainment Software Rating Board (ESRB), which were both previously approved as COPPA safe harbors. Sadly, in spite of all this effort, data collection abuses by websites and apps targeting children continue to increase apace to this day.

Then there’s the elderly. It’s an unfortunate fact that elderly individuals are the most frequent targets of con artists implementing all types of affinity frauds. Con artists target the elderly, since they may be lonely, are usually willing to listen, and are thought to be more trusting than younger individuals. Many of these schemes are performed over the telephone, door-to-door, or through advertisements. The elderly are especially vulnerable targets for schemes related to credit cards, sweepstakes or contests, charities, health products, magazines, home improvements, equity skimming, investments, banking or wire transfers, and insurance.

Fraudsters will use different tactics to get the elderly to cooperate in their schemes. They can be friendly, sympathetic, and willing to help in some cases, and use fear tactics in others. The precise tactics used are generally tailored to the situation in which the con artist finds herself in relation to the mark.

Ethically challenged fraud practitioners frequently focus on home ownership related schemes to take advantage of the vulnerable elderly. The scammer will recommend a “friend” who can perform necessary home repairs at a reasonable price. This friend may require the mark to sign a document upon completion confirming that the repairs have been completed. In some cases, the elderly victim later learns that he or she signed the title of the house over to the repairman. In other cases, not only is the person overcharged for the work, but the work is not performed properly or at all.

Another frequent scheme targeting the elderly involves sweepstakes or prizes. The fraudster continues to influence the elderly victim over a period of time with the hope that the victim will eventually win the “grand prize” if they will just send in another fee or buy a few more magazines.

Fraudsters also frequently solicit the elderly with “great” investment opportunities in precious metals, artwork, securities, prime bank guarantees, futures, exotics, micro-cap stocks, penny stocks, promissory notes, pyramid and Ponzi schemes, insurance, and real estate. Other common scams involve equity skimming programs, debt consolidation offers, or other debt relief services which only result in the loss of the home used as collateral if the victimized debtor misses a payment.

The societal effects of affinity fraud are not limited solely to the amount of funds lost by investors, churches, the elderly or by other types of victims. Once these frauds are uncovered, investor confidence in the financial and other legitimate markets can diminish, and a general level of distrust can decrease the government’s ability to provide protection. Loss of confidence manifested itself after the Madoff fiasco with such negative effects evident throughout the economy. Unfortunately, affinity fraud erodes the trust needed for legitimate investments to occur and grow our economy. Essentially, affinity fraud victims of all types become less likely to trust any future monetary request and honest charitable organizations suffer from a loss of endowments. Subsequent to a large affinity fraud being discovered, time is spent by regulators and law enforcement not only prosecuting these cases but also in the expenditure of endless taxpayer dollars assessing what went wrong. Time consuming, expensive investigations generally also include implementation of regulatory changes in an attempt to assist in detection of these frauds in the future, another costly burden on taxpayers.

Once affinity fraud offenders have targeted a community or group, they seek out respected community leaders to vouch for them to potential victims. By having an esteemed figurehead who appears to be knowledgeable about the investment or other opportunity and endorses it, the offender creates legitimacy for the con. Additionally, others in the community are less likely to ask questions about a venture or investment if a community leader recommends or endorses the fraudster. In the Madoff case, Madoff himself was a highly esteemed member of the community he victimized.

Experts tell us that projection bias is one reason why affinity fraudsters are able to continually perpetrate these types of crimes. Psychological projection is a concept introduced by Freud to explain the unconscious transference of a person’s own characteristics onto another person. The victims in affinity fraud cases project their own morals onto the fraudsters, presuming that the criminals are honest and trustworthy. However, the similarities are almost certainly the reason why the fraudster targeted the victims in the first place. In some cases when victims are interviewed after the fact, they indicate to law enforcement that they trusted the fraudster as if they were a family member because they believed that they both shared the same value system.

Because victims in affinity frauds are less likely to question or go outside of their group for assistance, information or tips regarding the fraud may not ever reach regulators or law enforcement. In religion-related cases, there is often an unwritten rule that what happens in church stays there, with disputes handled by the church elders or the minister. Once the victims place their trust in the fraudster, they are less likely to even believe they have been defrauded and also unlikely to investigate the con.

The ACFE tells us that in order to stop affinity frauds from occurring in the first place, one of the best fraud prevention tools is the implementation of increased educational efforts. Education is especially important in geographical areas where tight-knit cultural communities reside who are particularly vulnerable to these frauds. By reaching out to the same cultural or religious leaders that fraudsters often target in their schemes, law enforcement could launch collaborative relationships with these groups in their educational efforts.

In summary, frauds like Madoff’s occur daily on a much smaller scale in communities across the United States. The effects of these affinity frauds are widespread, and the emotional consequences experienced by the victims of these scams cannot be overstated. CFEs, assurance professionals, regulators and law enforcement and investigative personnel need to assess the harm caused by affinity fraud and continue to determine what steps need to be taken to effectively confront these types of scams. State and Federal laws should be reviewed and amended where necessary to ensure appropriate enhanced sentencing is enforced for all egregious crimes involving affinity fraud. Regulators and law enforcement should approach fraud cases from different angles in an attempt to determine if new methods may be more effective in their prosecution.

Additionally, anti-fraud education as provided by the ACFE is needed for both the general and investing publics and for regulators and law enforcement personnel to ensure that they all have the proper knowledge and tools to be able to understand, detect, stop, and prevent these types of scenarios. Affinity frauds are not easily anticipated by the victims because people are not naturally inclined to think that one of their own is going to cheat them. Affinity frauds can, therefore, only be most effectively curtailed by the very communities who are their victims.