Tag Archives: fraud examination

Regulating the Financial Data Breach

During several years of my early career, I was employed as a Manager of Operations Research by a mid-sized bank holding company. My small staff and I would endlessly discuss issues related to fraud prevention and develop techniques to keep our customers' checking and savings accounts safe, secure and private. A never-ending battle!

It was a simpler time technically, but a large proportion of the fraud committed against banks and financial institutions today still involves the illegal use of stolen customer or bank data. Consequently, some of the newest and most important laws and regulations that management assurance professionals like CFEs must be aware of in practice, and with which our client banks must comply, relate to safeguarding confidential data both from internal theft and from breaches of the bank's information security defenses by outside criminals.

As the ACFE tells us, there is no silver bullet for fully protecting any organization from the ever-growing threat of information theft. Yet full implementation of the measures required by the federal banking regulators can at least lower the risk of a costly breach. This is particularly true since the size of recent data breaches across all industries has forced federal enforcement agencies to become increasingly active in monitoring compliance with the rules governing the safeguarding of customer credit card data, bank account information, Social Security numbers and other personal identifying information. Among these key rules are the Interagency Guidelines Establishing Information Security Standards, issued jointly by the Federal Reserve Board and the other federal banking agencies, which define customer information as any record containing nonpublic personal information about an individual who has obtained a financial product or service from the institution, to be used primarily for personal, family or household purposes, and who has an ongoing relationship with the institution.

It's important to realize that the Interagency Guidelines also define a broader term, consumer information, meaning any record about an individual that is a consumer report or is derived from one. Consumer information is not limited to people who do business with the bank; it encompasses, for example, information about (1) an individual who applies for but does not obtain a loan; (2) an individual who guarantees a loan; (3) an employee; or (4) a prospective employee. The Guidelines' disposal requirements apply to consumer information as well as to customer information, and a financial institution must also require, by contract, its service providers that have access to consumer information to develop appropriate measures for the proper disposal of that information.

The Guidelines are to a large extent drawn from the information protection provisions of the Gramm-Leach-Bliley Act (GLBA) of 1999, which repealed key provisions of the Depression-era Glass-Steagall Act that had substantially restricted banking activities. GLBA is nonetheless best known for formalizing legal standards for the protection of private customer information and for rules requiring organizations to safeguard such information. Since its enactment, numerous additional rules and standards have been put in place to fine-tune the measures that banks and other organizations must take to protect consumers from the identity-related crimes to which information theft inevitably leads.

Among GLBA's most important information security provisions affecting financial institutions is the so-called Financial Privacy Rule. It requires banks to provide customers with a privacy notice when the customer relationship is established and every year thereafter.

The notice must describe what information is collected about the consumer, with whom it is shared, how it is used and how it is protected. Each time the privacy notice is delivered, the consumer must be given the choice to opt out of the institution's sharing of that information with nonaffiliated third parties. That means that if bank customers do not want their information sold to another company, which will in all likelihood use it for marketing purposes, they must affirmatively say so to the financial institution.

CFEs should note that most pro-privacy advocacy groups strongly object to this and other privacy-related elements of GLBA because, in their view, these provisions do not provide substantive protection of consumer privacy. One major advocacy group has stated that GLBA does not protect consumers because it unfairly places the burden on the individual to protect privacy through an opt-out standard. By placing the burden on the customer to protect his or her data, GLBA weakens customers' power to control their financial information. The Act's opt-out provisions do not require institutions to provide a baseline standard of protection for their customers regardless of whether they opt out. The provisions rest on the assumption that financial companies will share information unless expressly told not to by their customers and, if customers neglect to respond, give institutions the freedom to disclose customers' nonpublic personal information.

CFEs need to be aware, however, that for bank clients, regardless of how effective GLBA may or may not be in protecting customer information, noncompliance with the Act is not an option. Because of the current explosion in breaches of bank information security systems, the privacy issue has to some degree been overshadowed by the urgency of protecting the customer data itself; for that reason, compliance with the Interagency Guidelines concerning information security is more critical than ever. Their basic elements partially overlap with the preventive measures against abuse of the bank's computer systems by its own employees. However, they go quite a bit further by requiring banks to:

—Design an information security program to control the risks identified through a security risk assessment, commensurate with the sensitivity of the information and the complexity and scope of the institution's activities.
—Evaluate a variety of policies, procedures and technical controls and adopt those measures found to most effectively minimize the identified risks.
—Apply and enforce access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals, and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain it through fraudulent means.
—Restrict access at physical locations containing customer information, such as buildings, computer facilities and records storage facilities, to authorized individuals only.
—Encrypt electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may gain access.
—Establish procedures designed to ensure that customer information system modifications are consistent with the institution's information security program.
—Implement dual control procedures, segregation of duties and employee background checks for employees with responsibilities for or access to customer information.
—Monitor systems and maintain procedures to detect actual and attempted attacks on or intrusions into customer information systems.
—Maintain response programs that specify the actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
—Protect against destruction, loss or damage of customer information due to potential environmental hazards, such as fire and water damage, or technological failures.

The Interagency Guidelines require a financial institution to determine whether to adopt controls that authenticate users and permit access to certain forms of customer information only to authorized individuals. As part of this control, a financial institution should also consider the need for a firewall to safeguard confidential electronic records. If the institution maintains Internet or other external connectivity, its systems may require multiple firewalls with adequate capacity, proper placement and appropriate configurations.

Similarly, the institution must consider whether its risk assessment warrants encryption of electronic customer information. If it does, the institution must adopt encryption measures that protect information in transit, in storage, or both. The Interagency Guidelines do not impose specific authentication or encryption standards, so CFEs are well advised to consult outside experts on the technical details applicable to the client institution's security requirements, especially when conducting after-the-fact fraud examinations.

The financial institution must also consider the use of an intrusion detection system to alert it to attacks on computer systems that store customer information. In assessing the need for such a system, the institution should evaluate the ability, or lack thereof, of its staff to rapidly and accurately identify an intrusion. It should also assess the damage that could occur between the time an intrusion occurs and the time it is recognized and acted upon.

The regulatory agencies have also provided our clients with requirements for responding to information breaches. These are contained in a related document entitled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Incident Response Guidance). According to the Incident Response Guidance, a financial institution should develop and implement a response program as part of its information security program. The response program should address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Finally, the Interagency Guidelines require financial institutions to train staff to prepare and implement their information security programs. The institution should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program.

For example, an institution should:

—Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling (callers who impersonate a customer or other authorized party in order to obtain customer information).
—Provide staff members responsible for building or maintaining computer systems and local and wide area networks with adequate training, including instruction about computer security.
—Train staff to properly dispose of customer information.

An Ancient Skill

I remember Professor Jerome Taylor in his graduate class at the University of Chicago introducing us to the complexities of what the ancients called the trivium. Because the setting for fraud examination is so often fraught with emotion and confusion, even a beginning fraud examiner quickly realizes that presenting evidence collected during fieldwork merely as a succession of facts often isn't enough to convince clients and to address their many concerns (which always seem to emerge all at once). To capture stakeholders' attention and elicit a satisfactory response, CFEs need some degree of rhetorical skill.

Rhetoric refers to the use of language to persuade and instruct. Throughout the Middle Ages, European universities taught rhetoric to beginning students as one of the three foundational subjects composing what was known as the trivium. Logic and grammar, the other two, concern the mechanics of thought and analysis and the mechanics of language, respectively. We CFEs and forensic accountants essentially follow the trivium in our work, whether we realize it or not. After gathering evidence through fieldwork, we apply logic to analyze that evidence and to present our account of the facts to client organizations in our final reports. We also use grammatical rules to structure the text of our reports and memoranda.

Applying the trivium requires a balanced approach; too much focus on any one of the three components to the exclusion of the others leads to ineffective communication. Fraud examiners need to weigh all three evenly and avoid the common trap of collecting too much evidence or performing too much analysis in the belief that such concentration will by itself strengthen the final report.

The ancient Greeks defined three key components of rhetoric: the speech itself (text), the speaker delivering it (author) and those who listen (audience). Collectively, these form what is called the rhetorical triangle. For CFEs, the triangle's three points equate to the final report or memorandum, the CFE him- or herself, and our clients or stakeholders. The three components are interrelated, and each is essential to the success of investigative and assurance work. Each should be considered before any engagement and kept in mind throughout the engagement life cycle, but especially during report writing and presentation.

Although the investigative team lead would be considered the primary author, each engagement team member plays a supporting role by authoring observations and preliminary findings that are then compiled into an integrated report. The draft reviewer also has an important role to play, ensuring that the final report meets ACFE and other applicable standards and fulfills the overall purpose defined in the planning document.

The character of the intended audience should be considered with each engagement. Audience members are not homogeneous; each may have different perspectives and expectations. For this reason, CFEs need to consult with them and consider their perspectives even before the engagement begins to the extent feasible.

Once engagement fieldwork has been completed, the authors compose a written report containing the results of the investigative field work. The report represents perhaps the most important outcome communication from the examination process, and the best chance to focus the client’s attention.

When crafting the final report, three separate but interrelated components, designated ‘appeals’, need to be considered and applied: ethos, logos, and pathos.

Ethos is an appeal to the audience's perception of the honesty, authority and expertise of the report's author. Closely related to reputation, ethos is established when the audience determines that the author is qualified, trustworthy and believable. Because the word ethics derives from ethos, adhering to the ACFE's standards and Code of Ethics directly supports this appeal.

Some helpful questions to keep in mind regarding the ethos component when formulating your report:

–What assumptions does your audience likely make about you and the investigative process, what you produce, and the level of service you and your team provide?
–Is there a way to take advantage of their positive assumptions to improve the fraud investigation process for the future?
–What can you do to overcome their negative assumptions, if any?
–Do you create the expectation that what you produce and the level of service you provide will be above average or even exceptional?
–Are you using all the available channels to create an impression of excellence?

For CFEs with an on-going or long-term employment or other relationship with the client, the need to consider ethos begins long before the start of any particular engagement. Ethos is supported by the structure and governance of the fraud examination or forensic accounting function as well as by the selection of team members, including alignment between the type of engagements to be performed and the team’s qualifications, education, and training. The ethos appeal is also established by choosing to comply with examination and audit standards and with other professional requirements to demonstrate a high level of credibility, build trust, and gain a favorable reputation over time.

Logos appeals to the audience's sense of logic, encompassing the reasoning and analysis used, the underlying meaning communicated and the supporting facts and figures presented. The written document's visual appeal, its diagrams, charts and other elements, and how the information is organized, presented and structured also factor into logos. Story conveys meaning: from the time we are born we learn about the world around us through narratives, and this aspect of logos remains important throughout our lives. We experience the world through our senses, particularly our eyes, so design and visual attractiveness are key to engaging an audience of the visual animals we are. Two questions to keep in mind regarding logos:

–Is what you are presenting easy to understand?
–Is your presentation design simple and pleasing to the eye?

Investigators' need for logos is addressed by the written report's executive summary, detailed observations and findings, and appendices with secondary information that can be used to further instruct the audience. The report describes the origin, drivers and overall purpose of the engagement, its findings and its conclusions. Ultimately, from a rhetorical standpoint, examiners try to tell a convincing, self-contained short story that conveys key messages to the audience. The structure and format of the report, together with its textual content and visual elements, also support the logos appeal.

Like ethos, the logos appeal begins long before an individual engagement. It starts with the rational, periodic assessment and identification of business processes at high risk for fraud and of areas requiring management's attention, resulting in the development and implementation of effective anti-fraud controls. CFEs are then prepared to undertake engagements, executing steps to collect valid and relevant evidence that justifies their conclusions and guides and supports the client's initiation of successful prosecutions.

Pathos is an appeal to the audience's emotions, either positive (joy, excitement, hopefulness) or negative (anger, sadness). It is used to establish compassion or empathy. Unlike logos, pathos works on the audience's non-rational modes of response. The Greeks maintained that pathos was the strongest and most reliable form of persuasion. Pathos can be especially powerful when it is used well and connects with the audience's underlying values and perspective. Used incorrectly, however, it can distort or detract from the impact of the factual evidence.

Examiners should strive to walk a mile in someone else's shoes and look for ways to better understand the client's or audience's perspective. Attention to pathos can help support not only examination objectives but the overarching goal of a satisfactory investigative outcome. CFEs should also be mindful of their overall tone and word selection, and balance negative and positive comments, giving credit to individuals and circumstances where credit is due.

To some extent, pathos is interdependent with ethos and logos: the sting of negative results can be reduced somewhat by the positive effect of the other two appeals. For example, clients and audience members are more likely to accept bad news from someone they trust and respect, and who they know has followed a rational, structured approach to the engagement. At the same time, ethos and logos can be offset by negative pathos. Preferred practice generally consists of holding regular meetings with corporate counsel and other critical stakeholders over the course of the investigation, maintaining transparency, and giving stakeholders an opportunity to address investigative findings or to provide evidence that counters or clarifies the CFE's observations.

In summary, while all three elements of rhetorical appeal play an important role in communication and none should be neglected, CFEs and forensic accountants should pay particular attention to pathos. The dominance of feelings over reason is part of human nature, and examiners should consider this powerful element when planning and executing engagements and reporting their results. By doing so, certified investigators can help ensure audiences accept our message and make informed judgments about fraud recovery, prosecution and possible restitution.

The Versatile Microcap

A microcap is a publicly traded company whose stock might be worth only pennies, which makes its price volatile and thus easier for fraudsters to manipulate. Although CFEs like our Central Virginia Chapter members might not regularly come across microcap stock manipulation, all of us should be aware of the methods and motivations behind this significant criminal activity. In the basic scheme, promoters and insiders, after cheaply purchasing a stock, pump up its value through embellished or entirely false news. However, as reported recently in the trade press, other fraudsters have employed much more creative strategies in exploiting microcaps, and several articles and books have described the involvement of organized crime in this highly profitable illegal business, especially throughout the '00s and '10s.

Basic pump-and-dump schemes, also known as hype-and-dump manipulation, involve touting a company's stock (typically a microcap's) through false or misleading statements to the marketplace. After pumping up the stock, the scam artists make huge profits by selling, or dumping, their cheaply acquired shares onto the market. Today, pump-and-dump schemes have been updated and most frequently occur over the Internet, where it is common to see e-mails and other messages posted that urge consumers to buy a stock quickly or to sell before the price goes down. In some cases, a cold-calling telemarketer contacts potential investors with the same sort of pitch. Often the promoters claim to have inside information about an impending development, or to have employed an infallible combination of economic and stock market data to pick stocks. In reality, they may be company insiders or paid promoters who stand to gain by selling their shares after the price is pumped up by the buying frenzy they create. Once these promoters dump their shares and stop hyping the stock, the price typically falls and investors lose their money.

In another recent but simple form of the microcap scheme, a caller leaves a message on a potential victim's voice mail under the guise of someone who dialed the wrong number. Sounding as if they didn't realize they had misdialed, the caller leaves a hot investment tip supposedly meant for a friend. The caller is actually a spammer, paid to tout the stock on hundreds of phones. Those behind the scheme generally own some of the stock and hope to profit by pumping up the share price and then selling.

Pump-and-dump schemes can be as simple as the one above, or as simple as an individual or small group releasing false information in a chat room, or insiders publishing inflated company information. Sometimes the business owners themselves are complicit, especially in shell corporations with little actual operations or value. Occasionally, scammers dupe business owners into participating through promises of investment support and related marketing help. Or fraudsters, unbeknownst to the victim company, hijack the target company's stock and falsely hype it, which often causes irreparable damage to the owners' and the business' reputations. CFEs whose clients include small or new-venture businesses should be especially wary of unsolicited offers to those clients to receive loans or to raise capital through microcap stock offerings. Criminals commonly target businesses in the pharmaceutical, energy and technology sectors, attempting to use their names and initial offerings to manipulate stock for profit.

More complex microcap manipulation schemes involving organized crime typically employ a number of persons who are instructed to buy in at various points that coincide with a series of false press releases and concurrent controlled chatter on investor forums and spam e-mails. This orchestrated activity provides the illusion of stock movement driven by broad investor interest, drawing in the funds of outside victims. The actual manipulation often resembles a series of smaller pumps and dumps instead of one large event, so the fraudsters can use the same stock over and over with less chance of detection by regulators. More refined players also employ foreign or offshore brokerage accounts as a further veil over their activities.

When the organized manipulation succeeds, the ringleaders permit the accomplices to sell and take their share of the profit according to their place in the organization's hierarchy. However, the end process is often far from perfect. Occasionally accomplices don't follow instructions, at significant personal risk, and sell too early or too late. Even when the manipulation is not successful, organized crime members who have invested in the process expect and demand a certain profit, which places additional pressure on participants, who may find themselves in debt to the organization because of their failures.

Occasionally, outsiders also take large positions, either profiting from or destroying the momentum of the criminal group. In the 1990s, when trades were completed through actual brokers, criminals could use threats or actual violence to control such unwanted participants. Electronic trading platforms have made this more difficult.

A less common, yet also profitable, technique is to put downward pressure on a stock after borrowing shares and selling them short (or taking an equivalent bearish position through an options contract), with the aim of buying the shares back, or settling the contract, once the price has dropped. Fraudsters initiate this manipulation, commonly known as 'short and distort', by spreading rumors such as a bad quarter or a failed drug trial.

The ability to manipulate microcap stocks with relative ease also makes the activity an ideal tool for hiding payments between parties and laundering money. Instead of paying cash or wiring funds to settle a drug debt, one can simply provide a tip about a microcap stock that is about to be manipulated. The party who is owed the debt then only has to buy the stock cheaply and await the pump to make the sale and collect the profit.

Perpetrators have also used the same process to bribe public servants. Troublesome envelopes or bags of cash aren't required. The profit appears as a simple lucky or astute stock pick, and recipients can even report it as a capital gain, removing the risk of the highly feared and powerful tax investigators becoming involved in a possible money-laundering investigation. Police and securities regulators have observed and reported such suspicious activity. However, it is often difficult to link those who profit from a manipulation to the manipulators themselves. And because organized crime uses microcap manipulation both for debt payments and as a profitable crime in itself, it is difficult for authorities to identify the exact purpose of a given participant's involvement without inside knowledge. Proving all the elements of the crime is nearly impossible without wiretaps or a co-conspirator witness.

With all this said, it is ironic, yet not surprising, that more than one organized-crime figure has said they don't invest their own criminal earnings in microcap stocks because they deem such markets too risky and plagued by manipulators.

So, in summary, if you, as a CFE, come across information relating to a microcap investment involving a case you’re working, you might want to take a closer look.

With regard to preventing investment fraud schemes in general, caution your clients:

• not to invest in anything based on appearances. Just because an individual or company has a flashy website doesn't mean it is legitimate. Websites can be created in a matter of hours and taken down even faster; after a short period of taking money, a site can vanish without a trace.
• not to invest in anything about which they are not absolutely sure, and to do their homework on an investment to ensure it is legitimate.
• to thoroughly investigate the offering individual or company to confirm its legitimacy.
• to check other websites and sources for information about that person or company.
• to be cautious when responding to special investment offers, especially those arriving by unsolicited e-mail or from fast-talking telemarketers. Know with whom you are dealing!
• to inquire about all the terms and conditions binding the investors and the investment.
• Rule of thumb: if it sounds too good to be true, it probably is.

Your Friendly Pharmacy

The tragic consequences of the currently raging opioid epidemic are splashed across the headlines and vividly displayed in television documentaries every day, and yet, unless they specialize in the healthcare sector, I've found that most CFEs and forensic accountants are relatively unfamiliar with the mechanics of prescription drug and pharmacy fraud.

The reality is that, in many communities across America today, obtaining illegal prescriptions and the related controlled drugs of choice can be as easy as ordering a sandwich. Licensed physicians in every part of the country are arrested daily for on-demand prescribing of OxyContin, Vicodin and Xanax. The resulting grand jury indictments usually feature some version of charges related to 'prescribing drugs outside the usual course of professional practice and without a legitimate medical purpose'.

According to the Centers for Disease Control and Prevention (CDC), non-medical use of prescription painkillers in the U.S. results in more than $72.5 billion annually in direct healthcare costs, and the CDC identifies prescription drugs as the second most-abused category of drugs after marijuana. In addition, the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG), which oversees Medicare and Medicaid, has released several reports on prescription drug fraud in the Medicaid and Medicare Part D populations.

This epidemic has not only led to an increase in prescription drug fatalities, it’s also fueled opportunities for a host of ethically challenged individuals. This category of fraudsters has many faces: patients, patients’ family members, prescribers, pharmacy staff, medical employees, service contractors, recruiters and countless others are continuously involved in ever-mutating prescription drug fraud schemes.

Patients who commit prescription fraud often do so to acquire drugs to support their own addictions. But prescription drugs are a commodity with a high resale value, so fraudsters also divert them for profit; OxyContin sells illegally for $1 to $2 per milligram on the street. Some retirees on fixed incomes visit physicians complaining of phantom pain just so they can receive prescriptions for controlled drugs to re-sell for additional income.

Sometimes medical services employees, patients, family members, family friends and others fraudulently acquire prescription pads. In a recently reported case, the owners of a professional cleaning service stole prescription pads and a signature stamp and ink pad from a doctor's office they had been hired to clean.

Some bypass prescriptions entirely by stealing controlled substances directly from pharmacies. Many pharmacies in hard-hit areas no longer carry certain drugs or have increased their security.

Here are other common examples of the ways individuals defraud the system:
• Doctor shopping: visiting multiple doctors in search of prescriptions.
• Pharmacy shopping: filling prescriptions at multiple pharmacies to avoid being denied service.
• Prescription alteration: increasing the dosage, quantity or refills on an existing prescription.
• Washed prescriptions: washing the ink off written prescriptions to create blanks, then writing new fraudulent prescriptions on them.
• Forged prescriptions: using copiers or computers to create fake prescriptions.
• Fax and phone prescriptions: faxing fraudulent prescriptions to pharmacies, or phoning pharmacies to call in and/or "verify" prescriptions while impersonating the prescriber's office.
• Illegal market: acquiring drugs from illegal sources.

Regarding providers, some medical providers have turned to selling prescriptions to patients or anyone willing to pay their fees, even when there’s no medical justification for the drug therapies; this activity might or might not take place in the prescribers’ place of business.

As the ACFE indicates, prescribers of large volumes of pain drugs risk being identified as “pill mill” operators. Pain clinics, legitimate and otherwise, often prescribe large volumes of controlled pain drugs. In typically reported cases, patients line up outside the pain clinics prior to their opening because they know they can easily obtain prescriptions for controlled drugs.

Prescribers who knowingly commit prescription fraud have turned to some of the following schemes to defraud the system:

• Medically unnecessary prescribing.
• Internet prescribing.
• Self-prescribing.
• Diversion.
• Collusion.

Like enterprising patients and prescribers, pharmacies that participate in fraud schemes often do so for enhanced profit. In a recent case which received enhanced media coverage, a pharmacist, a doctor and others were among a number arrested for “prescription harvesting”. The accused fraudsters stole patients’ identities to bill Medicare and Medicaid for $18 million in illegitimate prescriptions. Approximately $7.3 million in taxpayer dollars was lost in this scheme.

Other prosecuted pharmacy schemes have included:

• False claims: submitting claims for payment for which no prescription or authorization exists.
• Buy-backs: buying back prescriptions from patients – often at a discount.
• Kickbacks: receiving or providing monetary incentive for selling certain prescriptions.
• Shell or vanishing pharmacies: operating pharmacies in name only – or operating pharmacies just long enough to submit false claims for profit.
• Shell ownership: masking pharmacies’ ownership to hide identities of the true owners.
• Online pharmacies: selling controlled substances illegally with relative anonymity.
• Counterfeit products: knowingly dispensing counterfeit drugs.

Recruiters are intermediaries who engage partners to carry out fraudulent activity. In most cases, recruiters conspire with prescribers and/or pharmacies to enlist patients to carry out their fraudulent billings and/or diversion schemes. Documented cases show that patients, prescribers, pharmacies and recruiters have conspired to submit false claims, and to support buy-backs, kickbacks and diversions.

More than 80 pharmacists, physicians and others in a large metropolitan area conspired to establish a network of pill mills that issued prescriptions, many for controlled drugs such as hydrocodone and oxycodone, to patients without a legitimate need. The patients used Medicaid, Medicare or private insurance coverage to pay for the drugs. The principal pharmacist owned and operated 26 different pharmacies; following prosecution, he was sentenced to 17 years in prison.

Many U.S. federal, state and private organizations are now vigorously data mining prescription activity to detect fraud at all levels. Federal examples include the Drug Enforcement Agency, the DOJ OIG and routine Federal analysis of vendor contracts. Each U.S. state (except Missouri) now has a Prescription Drug Monitoring Program, which receives all information on prescription drug activity for controlled substances from both cash and insurance-provider-reimbursed prescription transactions. Also, state law enforcement and vendors provide detection activities. Health care entities in the private sector, such as health plans and other payers, sometimes perform the data mining themselves or work with vendors. Private citizens frequently act as whistleblowers to expose fraudsters.

The entities charged with exposing schemers now use numerous methods to detect fraud and are developing new approaches every day just to keep up with all the evolving scenarios. Audits can be an effective detection method when conducted by trained, knowledgeable staff. Those who are called upon to perform desk and onsite audits must be cognizant of current activities and patterns and ensure that involved investigative groups are working together so leads from these audits can be directed to the appropriate law enforcement entities.

To identify aberrant behaviors, investigators utilize a number of different detection processes including:

• Sending confirmation letters to patients or prescribers to validate services received or rendered.
• Analyzing patient, prescriber, pharmacy and drug activities to identify aberrant utilization, prescribing, dispensation and/or processing patterns.
• Analyzing drug utilization by therapy classification and/or risk category.
• Reviewing prescribers by medical specialty to identify individuals prescribing outside the normal scope of their specialties.
• Focusing on geographic areas where fraud is an issue.
• Applying geospatial analyses to determine distances traveled by patients and to identify clusters.
• Searching for historical and current patterns to anticipate future fraudulent behaviors.

Expert fraud examiners can assist in many ways in the performance of different types of analytics on prescription claim data. They use public and private data sources and sophisticated algorithms for retrospective, predictive and geospatial analyses.
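As an added illustration (not from the original post, the ACFE or any PDMP vendor), the following Python sketch runs three of the detection processes listed above over a small constructed set of claim records: a rolling-window doctor- and pharmacy-shopping test, an out-of-specialty prescribing check, and a geospatial distance test. The record layout, the thresholds, the in-scope specialty list and all names and coordinates are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import date, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple


class Claim(NamedTuple):
    """One dispensed prescription as it might appear in a PDMP or payer claims extract."""
    claim_id: str
    patient: str
    prescriber: str
    specialty: str       # prescriber's medical specialty
    pharmacy: str
    drug: str
    schedule: int        # DEA schedule; 0 = not a controlled substance
    fill_date: date
    patient_loc: tuple   # (lat, lon) of the patient's home address
    pharmacy_loc: tuple  # (lat, lon) of the dispensing pharmacy


# Constructed sample data: fictitious patients, prescribers, pharmacies and coordinates.
CLAIMS = [
    # P1 obtains Schedule II fills from four prescribers and three pharmacies in two months.
    Claim("C001", "P1", "DR-A", "family medicine", "RX-1", "oxycodone", 2, date(2016, 1, 5), (37.54, -77.44), (37.55, -77.45)),
    Claim("C002", "P1", "DR-B", "internal medicine", "RX-2", "oxycodone", 2, date(2016, 1, 19), (37.54, -77.44), (37.53, -77.47)),
    Claim("C003", "P1", "DR-C", "pain management", "RX-1", "hydrocodone", 2, date(2016, 2, 2), (37.54, -77.44), (37.55, -77.45)),
    Claim("C004", "P1", "DR-D", "emergency medicine", "RX-3", "oxycodone", 2, date(2016, 2, 28), (37.54, -77.44), (37.56, -77.40)),
    # P2 lives roughly 150 km from the pharmacy and is prescribed opioids by a dermatologist.
    Claim("C005", "P2", "DR-E", "dermatology", "RX-1", "oxycodone", 2, date(2016, 1, 10), (38.88, -77.03), (37.55, -77.45)),
    Claim("C006", "P2", "DR-E", "dermatology", "RX-1", "oxycodone", 2, date(2016, 2, 9), (38.88, -77.03), (37.55, -77.45)),
    # P3 fills routine non-controlled maintenance drugs and should trigger nothing.
    Claim("C007", "P3", "DR-A", "family medicine", "RX-2", "metformin", 0, date(2016, 1, 12), (37.53, -77.46), (37.53, -77.47)),
    Claim("C008", "P3", "DR-A", "family medicine", "RX-2", "lisinopril", 0, date(2016, 2, 11), (37.53, -77.46), (37.53, -77.47)),
]

# Assumed list of specialties for which controlled pain-drug prescribing is within normal scope.
OPIOID_SCOPE = {"pain management", "anesthesiology", "oncology", "family medicine",
                "internal medicine", "emergency medicine", "orthopedic surgery"}


def controlled(claims):
    """Keep only controlled-substance fills; the tests below ignore ordinary drugs."""
    return [c for c in claims if c.schedule > 0]


def doctor_shopping(claims, window_days=90, min_prescribers=4, min_pharmacies=3):
    """Flag patients whose controlled fills, within any rolling window of window_days,
    come from at least min_prescribers distinct prescribers or min_pharmacies pharmacies.
    Returns {patient: (distinct prescribers, distinct pharmacies)} for the first such window."""
    by_patient = defaultdict(list)
    for c in controlled(claims):
        by_patient[c.patient].append(c)
    flagged = {}
    for patient, fills in by_patient.items():
        fills.sort(key=lambda c: c.fill_date)
        for i, first in enumerate(fills):
            end = first.fill_date + timedelta(days=window_days)
            window = [c for c in fills[i:] if c.fill_date <= end]
            docs = {c.prescriber for c in window}
            pharms = {c.pharmacy for c in window}
            if len(docs) >= min_prescribers or len(pharms) >= min_pharmacies:
                flagged[patient] = (len(docs), len(pharms))
                break
    return flagged


def out_of_specialty(claims, in_scope=OPIOID_SCOPE):
    """Flag prescribers issuing controlled-substance prescriptions outside the normal
    scope of their specialty. Returns {prescriber: (specialty, controlled fill count)}."""
    counts = {}
    for c in controlled(claims):
        if c.specialty not in in_scope:
            specialty, n = counts.get(c.prescriber, (c.specialty, 0))
            counts[c.prescriber] = (specialty, n + 1)
    return counts


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def travel_outliers(claims, max_km=80.0):
    """Flag controlled fills dispensed unusually far from the patient's home.
    Returns [(claim_id, km)] sorted by distance, furthest first."""
    hits = [(c.claim_id, round(haversine_km(c.patient_loc, c.pharmacy_loc), 1))
            for c in controlled(claims)]
    return sorted(((cid, km) for cid, km in hits if km > max_km), key=lambda t: -t[1])


if __name__ == "__main__":
    print("doctor/pharmacy shopping:", doctor_shopping(CLAIMS))
    print("out-of-specialty prescribing:", out_of_specialty(CLAIMS))
    print("travel-distance outliers:", travel_outliers(CLAIMS))
```

Each function returns a lead list rather than a verdict; in practice every hit is a candidate for the confirmation letters and desk audits described above, not proof of fraud.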

Prescription drug fraud goes far beyond the headlines about controlled drugs. The ACFE reports that fraudsters also target high-dollar retail drugs of all kinds. These medications are used for the treatment of HIV, mental health issues, diabetes and cancer and can all command high fees from desperate patients.

It’s imperative for CFEs, forensic accountants and other assurance professionals to be aware of past and present drug diversion schemes and mindful of the changing health care environment and its associated vulnerabilities, not just to keep pace with fraudsters but, more importantly, to more effectively support the law enforcement professionals who rely on us for the high quality investigative materials so vital to successful prosecutions.

Then & Now

I was chatting over lunch last week at the John Marshall Hotel here in Richmond with a former officer of our Chapter when the subject of interviewing came up; interviewing generally, but also viewed in the context of the challenges and obstacles that fraud examiners of the next generation will face as they increasingly confront their peers, the present and future fraudsters of the Millennial and Z generations.

Joseph Wells says somewhere, in one of his excellent writings, that skill as an interviewer is one of the most important attributes that a CFE or forensic accountant can possess and probably the one of all our skills most worthy of on-going cultivation. But, as with any other professional craft, there are common pitfalls of which newer professionals especially need to be aware to increase their chances of successfully achieving their interviewing objectives.

Failure to plan sufficiently is without a doubt, the primary error interviewers make. It seems that the more experience an interviewer has, the less he or she prepares. Whether because of busyness or overconfidence, this pitfall spells disaster. Not only does efficiency suffer because the interviewer might have to schedule another interview, but effectiveness suffers because the interviewer might never discover needed information. Fraudsters often take time before interviews to prepare answers to anticipated questions. The ACFE reports having briefed career criminals on their tactics, thoughts and behaviors about interviews, and they typically respond, “I had my routines that I was going to run down on them” and “I always had my story made up”.

During his or her planning for an interview, the CFE must carefully consider the interviewee’s role in the fraud and his or her relationship to the fraudster (if the interviewee isn’t the fraudster), available information, desired outcomes from the interview and primary interview strategy plus alternate, viable strategies. The success or failure of the interview is determined prior to the time the interviewer walks into the room. Either the interviewer is part of his or her own plan or she is part of someone else’s. The CFE, not the interviewee, has to control the interview.

An interviewer whose mind is made up before an interview even begins is courting danger. Confirmation bias (also known as confirmatory bias or myside bias) greatly increases the likelihood that an interviewer dismisses, ignores or filters any contradictory information during an interview, whether the interviewee expresses it verbally or non-verbally. Thus, interviewers might not even be aware that they’re missing important information that could increase the examination’s effectiveness.

How many times have experienced practitioners been told by colleagues that they believed that particular interviewees were guilty only to later discover they were actually innocent? If such practitioners hadn’t been aware that their colleagues could have caused them to have confirmation bias, they might have dismissed contradictory interviewee behaviors during subsequent interviews as minor aberrations. It’s imperative that the interviewer maintain an open mind, which isn’t so much a skill set as an attitude. The effective interviewer gives the interviewee a chance by looking at all the data, listening to others and theorizing a hypothesis without precluding anything. Also, the ACFE tells us, if the interviewer maintains an open mind, the interviewee will perceive it and be more cooperative.

A guiding principle should be that the interview is not about the CFE; the CFE is conducting the interview. The interview is a professional encounter. If you don’t conduct the interview, someone else can conduct it, but the interviewee remains the same. Interviewers are replaceable; interviewees aren’t. Never lose sight of this foundational truth. If the interviewer personalizes the interview process, s/he will focus on his or her inward emotions rather than on the interviewee’s verbal and non-verbal behavior. An interviewer’s unfettered emotions will have a debilitating impact on a number of levels.

If the interviewer becomes personally involved in an interview, the interviewer becomes the interviewee and the interviewee becomes the interviewer. Most of us want to search for connections to others. But if we connect too strongly, we will become so similar (at least in our own minds) to interviewees that we might have difficulty believing the interviewee is guilty or is providing inaccurate information. Once that occurs, the interviewer probably won’t obtain necessary evidence or could discount incriminating evidence.

Before each interview, remind yourself that your objective is to collect evidence in a dispassionate manner; you won’t become emotionally involved. Focus on the overall objective of the interview so that you won’t be caught up in details that could connect you too closely with the interviewee. If, for example, you discover that the interviewee is from the same part of the country you’re from, remind yourself of the many persons you know who also are from that area so you’ll dilute the influence that this information could have on your interview.

With regard to interviewing members of the present and up-and-coming generation, a majority of our youngest future citizens spend an inordinate amount of time looking at plastic screens as a significant mode for learning, communicating, being entertained and experiencing the world instead of interacting directly with others in the same space and time. This places novice CFE interviewers at a disadvantage because they have been formally trained that much of the communication between an interviewer and an interviewee takes place non-verbally. Concurrently, the verbal aspects of communication are replete with meta-messages. For example, what kind of impression does an individual make whose voice inflection rises or falls at the end of a sentence? Can this inflection be as adequately and consistently communicated via a text message compared to in-person communication? This example (and there are many more) contains the essence of the interviewing process. Unfortunately, nuances, interpersonal communication subtleties and appropriate responses that were previously thought to be integral parts of the social modeling process aren’t as readily available to the current generation of interviewers and interviewees as they were to previous generations. Research has shown that electronic devices, such as tablets, cellphones and laptops shorten attention spans. Web surfers usually spend no more than 10 to 20 seconds on a page before ads or links distract them and they move on to burrow down into succeeding rabbit holes.

A great deal of communication now takes place via 244-character communication snippets on Twitter. The average person checks his or her phone once every six minutes. Psychologists have recently coined the term ‘nomophobia’, the fear of being out of cellphone contact, shortened from ‘no-mobile-phone-phobia’. A 2015 global study reported that students’ ‘addiction’ to media is similar to drug cravings.

The attention span of the average adult is believed to have fallen from 12 minutes in 1998 to five minutes in 2014. If interviewees’ attentive capacities are just five minutes, or less, then after that point interviews provide diminishing returns. Our attention deficits probably result from a lack of self-discipline and the delusional belief that we can cognitively multi-task. We can’t do anything about our natural limitations, but we can discipline ourselves to pay attention. We can also plan and conduct our interviews with few distractions. Interviewers new and experienced should require that all participants turn off their cellphones and, when possible, interviewers should try to ask questions in an unpredictable order.

So, we can expect that a new generation of fraud examiners will soon be interviewing individuals for extended periods of time who have as much of a dearth of direct, face-to-face interpersonal communication as they do. At the extreme, we can envision two or more uncomfortable people in an interview room, all of whom can only remain in the moment for five minutes or less and are fidgety because they need plastic-screen fixes.

An additional challenge will be that CFEs of the Millennial and Z generations will soon be spending hours interviewing older interviewees who are more familiar, explicitly and implicitly, with the subtleties of interpersonal communication. These are people who have spent significantly more time in direct, face-to-face communication. The interpersonal communication-challenged interviewer will be at a significant disadvantage when interviewing guilty, guilty-knowledge, deceptive and/or antagonistic interviewees. As my lunch companion pointed out, many experienced fraudsters are master manipulators of inexperienced interviewers.

It is urgent that younger fraud examiners and forensic accountants be instructed in the strongest terms to put down their plastic screens and practice engagement with others in direct communication, with friends, family and those who cross their paths in the normal flow of life. As a lead CFE examiner or supervisor, encourage your younger employee-colleagues to write down their communication goals for each day. Suggest they read all they can on face-to-face interviewing and questioning plus verbal and non-verbal behaviors. They can take interviewing and public-speaking classes or join a Toastmasters group. Anything to get them to converse and observe body language and expressions.

Interviewing techniques are the vehicles that ride up and down the road of interpersonal communication. If that road isn’t adequate, then drivers can’t maneuver their vehicles. Your younger employees are the only persons who can bring themselves up to the necessary interpersonal speed limit to make their one-on-one interviews successful.

Whistle & Fish

Every CFE and forensic accountant in practice encounters companies that operate outside accounting rules and tax laws. Blowing the whistle on such companies can be risky for the employee whistleblower; we all know that doing so often results in tipsters losing their jobs and reputations and facing limited future career prospects. Yet, on every side such employees are exhorted to offer the information they do to uncover fraud.

The whistleblower programs set up by U.S. government agencies are of particular interest to our Chapter members, practicing as they do in such close proximity to Washington D.C., and to those practicing in and around Richmond, the seat of government of the Commonwealth of Virginia. State and Federal entities encourage these tips by offering hot-lines and whistleblower awards programs that pay monetary awards to tipsters if their information leads to successful enforcement and to collection of money from a violator.

The two most important of these programs likely to be encountered by our Central Virginia Chapter members are the whistleblower rewards programs of the Internal Revenue Service (IRS) and the Securities and Exchange Commission (SEC). The IRS program, which began 140 years ago, authorizes the Department of the Treasury to pay amounts to individuals who provide information that allows the IRS to detect, bring to trial and punish those guilty of violating internal revenue laws. A 2006 amendment created the current IRS whistleblower program, which mandates that the government pay whistleblowers awards based on the size of the taxes collected as a result of their tips.

The seminal U.S. Federal Claims Act, enacted in 1863, allows whistleblowers a portion of reclaimed money when defendants are found guilty of defrauding the federal government. The Commodities Futures Trading Commission has also recently established a whistleblower program. As I’m sure most of you remember, in 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act established the SEC’s whistleblower awards program. The program seeks to encourage high-quality tips about securities violations with its monetary awards supplemented by protections from retaliation.

The IRS created the whistleblower awards program, codified in IRC 7623(a), to close the tax gap and fight tax fraud more aggressively. In this original program, the maximum award was 15 percent of collected taxes, penalties and other amounts not to exceed $10 million, but the decision whether to make an award at all was wholly within the IRS’ discretion. When the courts considered attempts to challenge award decisions under this law, they uniformly found that the discretion to make or not make an award is essentially not reviewable. In other words, the courts decided the IRS has the right to make an award or not, and the whistleblower can’t appeal that decision.

The Tax Relief and Health Care Act of 2006, which made major changes to the IRS awards program, mandated that the IRS pay out a substantial award whenever a whistleblower’s information leads to the collection of tax, interest and penalties based on disputes in excess of $2 million. The new section, IRC 7623(b), was intended to create strong incentives to bolster insider reporting of tax violations for claims enacted after Dec. 20, 2006. The awards are now mandatory rather than discretionary; and they range from 15 percent to 30 percent of monies collected with no cap on the dollar amount of the award. With some exceptions, a whistleblower may collect an award even if convicted of a felony.

Whistleblowers are eligible for awards based on additions to tax, penalties, interest, and other amounts collected as a result of any administrative or judicial action resulting from the information provided. The 2006 amendment added whistleblower appeal rights to the U.S. Tax Court. To implement the law, the IRS was also required to create a Whistleblower Office that reports to the IRS commissioner. Submissions that don’t qualify under the new section IRC 7623(b) (usually because the disputes are for less than $2 million) are processed under the original IRC 7623(a). The IRS will continue to consider these cases, but the award is at the discretion of the agency, and there’s no requirement that an award be issued. These whistleblowers have no minimum statutory award percentage and no appeal provision.

The Dodd-Frank bill was partly a response to financial debacles such as the Madoff fraud and widespread mortgage frauds. Many criticized the SEC for its inaction to the causative circumstances that led to the Great Recession, although it definitely wasn’t alone in its failure to uncover and stop massive frauds. The SEC had an awards program before Dodd-Frank, but it wasn’t particularly effective, and it focused solely on insider trading. The new whistleblower awards program, which is much broader, encourages tips related to all kinds of securities violations from financial statement fraud to alleged Ponzi schemes.

The Dodd-Frank whistleblower program stipulates that as long as collected monetary sanctions exceed $1 million, awards are 10 percent to 30 percent of that amount. Awards are paid to individuals who voluntarily provide original information that leads to successful SEC enforcement. The award percentage is increased or decreased based on several factors including the extent of the whistleblower’s assistance.

Section 924(d) of the Dodd-Frank Act required the SEC to create a separate office within the agency to enforce the new regulation. In May 2011, the SEC adopted the Final Rules, Regulation 21F, which included prohibitions against retaliation, defined terms and established policies for submitting tips, applying for awards and filing appeals on award decisions.

In the IRS program, a whistleblower must be a “natural person”, in other words, not a corporation or other business organization. Because the claim form must be signed under penalty of perjury, the whistleblower can’t be anonymous, nor can the claim come from a representative of the whistleblower. Multiple whistleblowers can submit a joint claim, but each must sign under penalty of perjury. Similarly, in the SEC program the whistleblower must be a natural person or persons. However, the SEC whistleblower can be anonymous up to the point that the award is paid out, and he or she can be represented by an attorney or other person. IRS whistleblowers can’t be taxpayers’ representatives, employees of the Treasury Department, or employees of federal, state or local governments if they learned of the information as part of their job duties. The SEC whistleblower can’t be an auditor who learned of the issue as part of his or her duties during an audit or other engagement. The SEC whistleblower also must provide the information “voluntarily”, which means that the whistleblower can’t provide it in response to a request from regulators or law enforcement.

IRS claims must include the tax violator’s name and address, date of birth, Social Security number and the specific nature of the violation. If possible, it should also include the tax year(s), the dollar amounts of unreported income or erroneous deductions and supporting documentation. SEC claims must be original information about possible securities laws violations not already known to the SEC and not derived from publicly available sources. Even though the whistleblower employee might have first reported the information to his or her company’s internal hotline process, the SEC will still consider the information to be original. The content of this required information isn’t as clearly specified as in the IRS program, but it must cause the SEC to open (or expand) an investigation and bring a successful enforcement action.

The IRS protects the whistleblower’s identity as far as possible. If the whistleblower is needed as a witness in a court case, the IRS will notify the whistleblower who can then decide whether or not to proceed. The legislation that established the IRS program failed to include any protection for the whistleblower from possible retaliation. However, the alleged tax violator’s information is strictly protected, so that the whistleblower can only be told whether the case is open or closed. If the case is closed, the IRS can reveal to the whistleblower if his or her claim is payable, the amount of a payment or if a payment has been denied.

The SEC can’t disclose information that could reasonably be expected to reveal the identity of a whistleblower except if it needs to comply with law enforcement proceedings or protect investors by notifying another authority. For example, the SEC might need to notify the U.S. Department of Justice or a state attorney general or even foreign law enforcement if a criminal investigation should be opened as a result of the whistleblower’s allegations. The SEC informant must file through an attorney to remain anonymous during the process. After the SEC presents the award to the whistleblower, it will release the whistleblower’s name. Federal laws state that the whistleblower’s company can’t retaliate against the employee.

The IRS pays its awards when the proceeds are collected, and the appeals period for the taxpayer has expired. Many have said that the IRS program process is lengthy and slow. Claimants can generally expect to wait five to seven years to receive an award. While a whistleblower can’t appeal the award amount for IRC 7623(a) through the Tax Court, awards filed under the newer IRC 7623(b) are subject to appeal in the Tax Court.

The SEC will pay after the time has expired for the violator to file an appeal or after any appeals have been concluded. Then it evaluates all claims. The SEC must collect all sanctions from the violator before the SEC pays the award. A whistleblower can’t appeal an award amount but can appeal a denial.

In summary, we CFEs should inform our clients, individual and corporate, that whistleblowers can expect a long and bumpy ride to the chance, but not the promise, of monetary reward.

Needles & Haystacks

A long-time acquaintance of mine told me recently that, fresh out of the University of Virginia and new to forensic accounting, his first assignment consisted in searching, at the height of summer, through two unairconditioned trailers full of thousands of savings and loan records for what turned out to be just two documents critical to proving a loan fraud. He told me that he thought then that his job would always consist of finding needles in haystacks. Our profession and our tools have, thankfully, come a long way since then!

Today, digital analysis techniques afford the forensic investigator the ability to perform cost-effective financial forensic investigations. This is achieved through the following:

– The ability to test or analyze 100 percent of a data set, rather than merely sampling the data set.
– Massive amounts of data can be imported into working files, which allows for the processing of complex transactions and the profiling of certain case-specific characteristics.
– Anomalies within databases can be quickly identified, thereby reducing the number of transactions that require review and analysis.
– Digital analysis can be easily customized to address the scope of the engagement.

Overall, digital analysis can streamline investigations that involve a large number of transactions, often turning a needle-in-the-haystack search into a refined and efficient investigation. Digital analysis is not designed to replace the pick-and-shovel aspect of an investigation. However, the proper application of digital analysis will permit the forensic operator to efficiently identify those specific transactions that require further investigation or follow up.

As every CFE knows, there are an ever-growing number of software applications that can assist the forensic investigator with digital analysis. A few such examples are CaseWare International Inc.’s IDEA, ACL Services Ltd.’s ACL Desktop Edition, and the ActiveData plug-in, which can be added to Excel.

So, whether using the Internet in an investigation or using software to analyze data, fraud examiners can today rely heavily on technology to aid them in almost any investigation. More data is stored electronically than ever before: financial data, marketing data, customer data, vendor listings, sales transactions, email correspondence and more, and evidence of fraud can be located within that data. Unfortunately, fraudulent data often looks like legitimate data when viewed in the raw. Taking a sample and testing it might or might not uncover evidence of fraudulent activity. Fortunately, fraud examiners now have the ability to sort through piles of information by using special software and data analysis techniques. These methods can identify future trends within a certain industry, and they can be configured to identify breaks in audit control programs and anomalies in accounting records.

In general, fraud examiners perform two primary functions to explore and analyze large amounts of data: data mining and data analysis. Data mining is the science of searching large volumes of data for patterns. Data analysis refers to any statistical process used to analyze data and draw conclusions from the findings. These terms are often used interchangeably.

If properly used, data analysis processes and techniques are powerful resources. They can systematically identify red flags and perform predictive modeling, detecting a fraudulent situation long before many traditional fraud investigation techniques would be able to do so.

Big data is now a buzzword in the worlds of business, audit, and fraud investigation. Big data are high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery, and process optimization. Simply put, big data is information of extreme size, diversity, and complexity.

In addition to thinking of big data as a single set of data, fraud investigators should think about the way data grow when different data sets are connected together that might not normally be connected. Big data represents the continuous expansion of data sets, the size, variety, and speed of generation of which makes it difficult to manage and analyze.

Big data can be instrumental to fact gathering during an investigation. Distilled down to its core, how do fraud examiners gather data in an investigation? We look at documents and financial or operational data, and we interview people. The challenge is that people often gravitate to the areas with which they are most comfortable. Attorneys will look at documents and email messages and then interview individuals. Forensic accounting professionals will look at the accounting and financial data (structured data). Some people are strong interviewers. The key is to consider all three data sources in unison. Big data helps to make it all work together to tell the complete picture. With the ever-increasing size of data sets, data analytics has never been more important or useful. Big data requires the use of creative and well-planned analytics due to its size and complexity. One of the main advantages of using data analytics in a big data environment is, as indicated above, that it allows the investigator to analyze an entire population of data rather than having to choose a sample and risk drawing conclusions in the event of a sampling error.

To conduct an effective data analysis, a fraud examiner must take a comprehensive approach. Any direction can (and should) be taken when applying analytical tests to available data. The more creative fraudsters get in hiding their schemes, the more creative the fraud examiner must become in analyzing data to detect those schemes. For this reason, it is essential that fraud investigators consider both structured and unstructured data when planning their engagements.

Data are either structured or unstructured. Structured data is the kind found in a database: it has a recognizable and predictable structure. Examples of structured data include sales records, payment or expense details, and financial reports.

Unstructured data, by contrast, is data not found in a traditional spreadsheet or database. Examples of unstructured data include vendor invoices, email and user documents, human resources files, social media activity, corporate document repositories, and news feeds.

When using data analysis to conduct a fraud examination, the fraud examiner might use structured data, unstructured data, or a combination of the two. For example, conducting an analysis on email correspondence (unstructured data) among employees might turn up suspicious activity in the purchasing department. Upon closer inspection of the inventory records (structured data), the fraud examiner might uncover that an employee has been stealing inventory and covering her tracks in the records.

Data mining has roots in statistics, machine learning, data management and databases, pattern recognition, and artificial intelligence. All of these are concerned with certain aspects of data analysis, so they have much in common; yet they each have a distinct and individual flavor, emphasizing particular problems and types of solutions.

Although data mining technologies are usually sold for their advantages to marketing and other business activities, they can also surface patterns in financial data that were previously hidden within a company’s databases, enabling fraud examiners to detect potential fraud.

Data mining software gives the fraud examiner an accessible way to get at data at the required level of detail. Data mining combines several techniques essential to detecting fraud, including the distillation of raw data into understandable patterns.

Data mining can also help prevent fraud before it happens. For example, computer manufacturers report that some of their customers use data mining tools and applications to develop anti-fraud models that score transactions in real-time. The scoring is customized for each business, involving factors such as locale and frequency of the order, and payment history, among others. Once a transaction is assigned a high-risk score, the merchant can decide whether to accept the transaction, deny it, or investigate further.
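Here is what such a scoring model looks like in miniature. This is an added illustration in Python, not code from the post or from any vendor; the weights, thresholds, country codes, the 24-hour velocity window and the three sample accounts are all hypothetical, chosen so that one order lands in each of the accept, investigate and deny outcomes described above.

```python
"""Rule-based real-time transaction scoring (added illustration, not from the post).

Hypothetical weights and thresholds for the factors named in the text:
locale, order frequency and payment history, plus order size. A real
merchant fits these numbers to its own loss history; these are invented.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class Account:
    account_id: str
    home_country: str          # country on file for the cardholder
    prior_orders: int          # completed orders before this one
    chargebacks: int           # payment-history signal
    recent_orders: List[datetime] = field(default_factory=list)


@dataclass
class Transaction:
    txn_id: str
    account_id: str
    amount: float
    ship_country: str
    ip_country: str
    ts: datetime


# Hypothetical weights; a merchant would calibrate these to its own data.
W_SHIP_MISMATCH = 20
W_IP_MISMATCH = 15
W_VELOCITY = 25
W_CHARGEBACK = 30
W_NEW_ACCOUNT = 10
W_LARGE_ORDER = 15
LARGE_ORDER = 1000.0
VELOCITY_LIMIT = 3                  # orders already placed inside the window
VELOCITY_WINDOW = timedelta(hours=24)
INVESTIGATE_AT, DENY_AT = 30, 70    # hypothetical decision thresholds


def score_transaction(txn: Transaction, acct: Account) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Higher is riskier."""
    score, reasons = 0, []
    if txn.ship_country != acct.home_country:
        score += W_SHIP_MISMATCH
        reasons.append("ship-to country differs from country on file")
    if txn.ip_country != acct.home_country:
        score += W_IP_MISMATCH
        reasons.append("order placed from a foreign IP address")
    in_window = [t for t in acct.recent_orders if txn.ts - t <= VELOCITY_WINDOW]
    if len(in_window) >= VELOCITY_LIMIT:
        score += W_VELOCITY
        reasons.append(f"{len(in_window)} orders already placed in the last 24h")
    if acct.chargebacks > 0:
        score += W_CHARGEBACK
        reasons.append("account has prior chargebacks")
    if acct.prior_orders == 0:
        score += W_NEW_ACCOUNT
        reasons.append("first order on this account")
    if txn.amount >= LARGE_ORDER:
        score += W_LARGE_ORDER
        reasons.append("order above large-order threshold")
    return score, reasons


def decide(score: int) -> str:
    """Map a score onto the three outcomes the text describes."""
    if score >= DENY_AT:
        return "deny"
    if score >= INVESTIGATE_AT:
        return "investigate"
    return "accept"


def screen(txn: Transaction, acct: Account) -> dict:
    """Score, decide, then record the order so the velocity window stays current."""
    score, reasons = score_transaction(txn, acct)
    acct.recent_orders.append(txn.ts)
    acct.recent_orders = [t for t in acct.recent_orders if txn.ts - t <= VELOCITY_WINDOW]
    return {"txn_id": txn.txn_id, "score": score, "decision": decide(score), "reasons": reasons}


# Constructed sample data (not real accounts or orders).
NOW = datetime(2019, 6, 1, 10, 0, 0)
ACCOUNTS = {
    "A1": Account("A1", "US", prior_orders=40, chargebacks=0),
    "A2": Account("A2", "US", prior_orders=0, chargebacks=0,
                  recent_orders=[NOW - timedelta(hours=h) for h in (1, 2, 3)]),
    "A3": Account("A3", "US", prior_orders=5, chargebacks=1),
}
TRANSACTIONS = [
    Transaction("T1", "A1", 120.00, "US", "US", NOW),    # established customer, all consistent
    Transaction("T2", "A2", 1500.00, "RO", "NG", NOW),   # new account, foreign ship/IP, burst of orders
    Transaction("T3", "A3", 300.00, "US", "FR", NOW),    # prior chargeback plus foreign IP
]


def run_sample() -> List[dict]:
    return [screen(t, ACCOUNTS[t.account_id]) for t in TRANSACTIONS]


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

Each factor contributes a fixed weight and a human-readable reason, so the analyst reviewing an "investigate" outcome sees why the order scored as it did rather than a bare number. Production systems fit the weights to historical loss data and revisit them as fraud patterns shift; the structure of score, threshold and three-way decision stays the same.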

Often, companies use data warehouses to manage data for analysis. Data warehouses are repositories of a company’s electronic data designed to facilitate reporting and analysis. By storing data in a data warehouse, data users can query and analyze relevant data stored in a single location. Thus, a company with a data warehouse can perform various types of analytic operations (e.g., identifying red flags, transaction trends, patterns, or anomalies) to assist management with its decision making responsibilities.

In conclusion, after the fraud examiner has identified the data sources, s/he should establish how the information is stored by reviewing the database schema and technical documentation. Fraud examiners must be ready to face a number of pitfalls when attempting to identify how information is stored, from weak or nonexistent documentation to limited cooperation from the IT department.

Moreover, once collected, it’s critical to ensure that the data is complete and appropriate for the analysis to be performed. Depending on how the data was collected and processed, it could require some manual work to make it usable for analysis purposes; it might be necessary to modify certain field formats (e.g., date, time, or currency) to make the information usable.
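The normalisation step described here, followed by one of the simplest full-population tests (the duplicate-payment test, which is the advantage over sampling noted earlier in this section), as an added Python illustration rather than code from the post. The six-row CSV extract is constructed; the three date formats, the three amount notations and the seven-day matching window are assumptions about what a real extract might contain.

```python
"""Field normalisation, then a full-population duplicate-payment test.

Added illustration, not code from the post. The CSV below is constructed;
the date formats, amount notations and the 7-day window are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed extract: three different date formats, three amount notations,
# one accounting-style credit shown in parentheses.
RAW_CSV = """invoice_id,vendor,date,amount
1001,Acme Supply,2019-03-01,"$1,250.00"
1002,Acme Supply,03/04/2019,"1,250.00 USD"
1003,Acme Supply,2019-05-20,"$1,250.00"
1004,Baker Ltd,05-Mar-2019,"$480.50"
1005,Baker Ltd,2019-03-05,"(480.50)"
1006,Baker Ltd,2019-03-06,"$480.50"
"""

# Assumed source conventions; "%m/%d/%Y" treats 03/04/2019 as March 4.
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%d-%b-%Y")


def parse_date(text: str) -> datetime:
    """Accept any of the formats seen in the extract; fail loudly otherwise."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")


def parse_amount(text: str) -> Decimal:
    """Normalise '$1,250.00', '1,250.00 USD' and '(480.50)' (a credit) to Decimal."""
    s = text.strip().upper().replace("USD", "").replace("$", "").replace(",", "").strip()
    negative = s.startswith("(") and s.endswith(")")
    if negative:
        s = s[1:-1]
    value = Decimal(s)
    return -value if negative else value


def load_rows(raw: str) -> List[dict]:
    """Parse the extract into typed rows; every field is normalised once, up front."""
    rows = []
    for rec in csv.DictReader(io.StringIO(raw)):
        rows.append({
            "invoice_id": rec["invoice_id"].strip(),
            "vendor": rec["vendor"].strip(),
            "date": parse_date(rec["date"]),
            "amount": parse_amount(rec["amount"]),
        })
    return rows


def find_duplicates(rows: List[dict], window_days: int = 7) -> List[Tuple[str, str]]:
    """Examine every row (no sampling): same vendor, same amount, different
    invoice number, dated within the window. Returns (earlier, later) pairs."""
    groups: Dict[Tuple[str, Decimal], List[dict]] = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["amount"])].append(r)
    window = timedelta(days=window_days)
    hits = []
    for group in groups.values():
        group.sort(key=lambda r: r["date"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b["date"] - a["date"] > window:
                    break          # sorted by date, so later rows are further away
                if a["invoice_id"] != b["invoice_id"]:
                    hits.append((a["invoice_id"], b["invoice_id"]))
    return hits


def run_sample() -> List[Tuple[str, str]]:
    return find_duplicates(load_rows(RAW_CSV))


if __name__ == "__main__":
    for earlier, later in run_sample():
        print(f"possible duplicate payment: {earlier} and {later}")
```

Two practical cautions. The date parser assumes 03/04/2019 is month/day; a day/month misread silently changes which invoices fall inside the window, so the source system's convention must be confirmed before any matching is trusted. And the credit in parentheses is deliberately parsed as a negative amount so that it does not pair with the payments it offsets; a normalisation that dropped the parentheses would report a false duplicate.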

Authority Figures

As fraud examiners and forensic accountants intimately concerned with the ongoing state of health of our clients’ fraud management programs, we find ourselves constantly looking at the integrity of the critical data that is truly (as much as financial capital) the life blood of today’s organizations. We constantly evaluate the network of anti-fraud controls we hope will keep those pesky, uncontrolled, random data-driven vulnerabilities to fraud to a minimum. Every bit of critical financial information that gets mishandled or falls through the cracks, every transaction that doesn’t get recorded, every anti-fraud policy or procedure that’s misapplied has some effect on the client’s overall fraud management picture and, therefore, on our challenge.

When it comes to managing its client, financial and payment data, almost every small to medium sized organization has a Sandy. Sandy’s the person to whom everyone goes to get the answers about data, and about the state of the system(s) that process it; quick answers that no one else ever seems to have. That’s because Sandy is an exceptional employee with years of detailed hands-on experience in daily financial system operations and maintenance. Sandy is also an example of the extraordinary level of dependence that many organizations have today on a small handful of their key employees. The now unlamented great recession, during which enterprises relied on retaining the experienced employees they had rather than on traditional hiring and cross-training practices, only exacerbated an existing, ever growing trend. The very real threat to the Enterprise Fraud Management system that the Sandys of the corporate data world pose is not so much that they will commit fraud themselves (although that’s an ever-present possibility) but that they will retire or get another job across town or out of state, taking their vital knowledge of company systems and data with them.

The day after Sandy’s retirement party and, to an increasing degree thereafter, it will dawn on Sandy’s management that it has lost a large amount of information about the true state of its data and financial processing system(s). Management will also become aware, if it isn’t already, that a large amount of system-critical documentation has been carried around nowhere else but in Sandy’s head. The point is that, for some smaller organizations, their reliance on a few key employees for day to day, operationally related information goes well beyond what’s appropriate and constitutes an unacceptable level of risk to their entire fraud prevention programs. Today’s newspapers and the internet are full of stories about hacking and large-scale data breaches, which only reinforce the importance of vulnerable data, and of the completeness of its documentation, to the ongoing operational viability of our client organizations.

Anyone who has investigated frauds involving large scale financial systems (insurance claims, bank records, client payment information) is painfully aware that when the composition of data changes (field definitions or content) surprisingly little change-related information is formally documented. Most of the information is stored in the heads of some key employees, and those key employees aren’t necessarily involved in everyday, routine data management projects. There’s always a significant level of detail that’s gone undocumented, left out or left to chance, and it falls to the analyst of the data (be s/he an auditor, a management scientist, a fraud examiner or other assurance professional) to find the anomalies and question them. The anomalies might be in the form of missing data, changes in data field definitions, or changes in the content of the fields; the possibilities are endless. Without proper, formal documentation, the immediate or future significance of these types of anomalies for the fraud management system, and for the overall fraud risk assessment process itself, becomes almost impossible to determine.

If our auditor or fraud examiner, operating under today’s typical budget or time constraints, is not very thorough and misses the identification of some of these anomalies, they can end up never being addressed. How many times as analysts have we all tried to explain something (like apparently duplicate transactions) about the financial system that just doesn’t look right only to be told, “Oh, yeah. Sandy made that change back in February before she retired; we don’t have too many details on it.” In other words, undocumented changes to transactions and data, details of which now exist only in Sandy’s no longer available head. When a data driven system is built on incomplete information, the system can be said to have failed in its role as a component of the organization’s fraud prevention program. The cycle of incomplete information gets propagated to future decisions, and the cost of the missing or inadequately explained data can be high. What can’t be seen can’t ever be managed or even explained.

In summary, it is a truly humbling experience to be confronted with how much critical financial information resides in the fading (or absent) memories of past or present key employees; what the ACFE calls authority figures. As fraud examiners we should attempt to foster a culture among our clients supportive of the development of concurrent systems of transaction related documentation and the sharing of knowledge on a consistent basis about all systems, but especially regarding the recording of changes to critical financial systems. One nice benefit of this approach, which I brought to the attention of one of my audit clients not too long ago, would be to free up the time of one of these key employees to work on more productive fraud control projects rather than serving as the encyclopedia for the rest of the operational staff.

Regulators & Silos

I was reading last week on LinkedIn about a large, highly regulated financial institution that was defrauded over a long period of time by two different companies, both of which were its suppliers. To add insult to injury, subsequent investigation by a CFE revealed that the two vendors were subsidiaries of a third, which proved also to be a supplier of the victim concern; all three cooperated in the fraud and our victim was completely unaware prior to the investigation of any relationship between them; the kind of ignorance that can draw intense regulatory attention.

This is not as uncommon an occurrence as many might think but it is illustrative of the fact that today’s companies are increasingly forced to expend resources simply trying to understand and manage the complex web of relationships that exist between them and the organizations and people with which they deal; that is, if they want to avoid falling victim to frauds running the whole gamut from the simple to the complex. Such efforts involve gaining perspective on individual vendors and customers but extend far beyond that to include sorting through and classifying corporate hierarchies and complex business-to-business relationships involving partners, suppliers, distributors, resellers, contacts, regulators and employees.

These complex, sometimes overlapping, relationships are only exacerbated by dynamic geographic and cross-channel coordination requirements, and multiple products and customer accounts (our victim financial organization operates in three countries and has over 4,000 employees and hundreds of vendors). No fraud prevention program can be immune in the face of these challenges.

Financial companies that want to securely deliver the best experience to their stakeholders within intensified regulatory constraints need to provide themselves with a complete picture of all the critical parties in their relationships at the various points of service in the on-going process of company operations. The ability to do this requires that organizations have a better understanding of the complicated hierarchies and relationships that exist between them and their stakeholders. You cannot manage what you cannot see and you certainly cannot adequately protect it against fraud, waste and abuse.

The active study of organizational hierarchies and relationships (and their related fraud vulnerabilities) is a way of developing an integrated view of risk across cooperating entities: between our CFE client companies and their affiliates, customers and partners, across multiple channels, geographies or applications. Identifying organizational relationships helps a client company understand clearly and consistently how each of its affiliates, business divisions and contacts within a single multinational enterprise fits into a broader, multidimensional context. Advanced organizational management approaches can track when key people change jobs within and between related affiliates, vendors and companies, and can identify those individuals’ replacements, feeding a database of who is where that is vital to following shifting patterns of enterprise risk.

Our client financial companies that take the time to identify and document their organizational relationships and place stakeholders into a wider hierarchical context realize a broad range of fraud, waste and abuse prevention related benefits, including:

• Enhanced ability to document regulatory compliance;
• More secure financial customer experiences, leading to enhanced reputation, increased loyalty and top-line growth;
• More confident financial reporting and more accurate revenue tracking;
• Reduction of overall enterprise fraud risk;
• More accurate vetting of potential vendors and suppliers;
• More secure sales territory and partner program management;
• Improved security program compliance management;
• More accurate and effective fraud risk evaluation and mitigation.

The ability to place stakeholders within hierarchical context is invaluable to helping companies optimize business processes, enhance customer relationships and achieve enterprise-wide objectives like fraud prevention and mitigation. Organizations armed with the understanding provided by documented relationship contexts can improve revenues, decrease costs, meet compliance requirements, mitigate risk while realizing many other benefits.

As with our victimized financial enterprise, a company without relational data regarding vendors and other stakeholders can be unknowingly dealing with multiple suppliers who are, in fact, subsidiaries of the same enterprise, causing the company not only to inadvertently misrepresent its vendor base but, even more importantly, to increase its vulnerability to fraud. Understanding the true relational context of an individual supplier may allow a company to identify areas of that vendor’s organization that represent heightened internal control weakness or fraud risk. Conversely, an organization may fail to treat certain weakly controlled stakeholders strategically because it is unaware of just how much business it is doing with that stakeholder and its related subsidiaries and divisions.
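One way to make that relational context usable, as an added Python illustration (not code from the post or from any vendor): roll each supplier up to its ultimate parent before testing exposure, and compare the result with the same test run vendor by vendor. The vendor master, its parent column, the invoices and the review threshold are all constructed; the point is that each entity sits under the threshold on its own and only the consolidated view trips the review.

```python
"""Rolling suppliers up to their ultimate parent before checking exposure.

Added illustration, not from the post. Vendor master, invoices and the
review threshold are constructed; the 'parent' link is an assumption about
what a maintained vendor master would carry.
"""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed vendor master: vendor_id -> (name, parent vendor_id or None)
VENDOR_MASTER: Dict[str, Tuple[str, object]] = {
    "V100": ("Northgate Holdings", None),
    "V101": ("Northgate Logistics", "V100"),
    "V102": ("NG Facilities Services", "V100"),
    "V200": ("Baker Ltd", None),
}

# Constructed invoices: (vendor_id, amount). Each vendor individually sits
# below the hypothetical single-vendor review threshold.
INVOICES: List[Tuple[str, Decimal]] = [
    ("V101", Decimal("30000")),
    ("V102", Decimal("28000")),
    ("V100", Decimal("5000")),
    ("V200", Decimal("45000")),
]
REVIEW_THRESHOLD = Decimal("50000")   # hypothetical


def ultimate_parent(vendor_id: str, master: Dict[str, Tuple[str, object]]) -> str:
    """Follow parent links to the top of the hierarchy, guarding against
    cycles and dangling references in a badly maintained master file."""
    seen = set()
    current = vendor_id
    while True:
        if current in seen:
            raise ValueError(f"cycle in vendor hierarchy at {current}")
        seen.add(current)
        parent = master[current][1]
        if parent is None or parent not in master:
            return current
        current = parent


def consolidate(master, invoices) -> Dict[str, dict]:
    """Aggregate spend and the set of billing entities under each ultimate parent."""
    groups = defaultdict(lambda: {"entities": set(), "total": Decimal("0")})
    for vendor_id, amount in invoices:
        root = ultimate_parent(vendor_id, master)
        groups[root]["entities"].add(vendor_id)
        groups[root]["total"] += amount
    return dict(groups)


def flag_related_groups(consolidated, threshold=REVIEW_THRESHOLD) -> List[dict]:
    """Parents with more than one billing entity whose combined spend crosses
    the threshold that no single entity crossed on its own."""
    out = []
    for root, g in consolidated.items():
        if len(g["entities"]) > 1 and g["total"] >= threshold:
            out.append({"parent": root, "entities": sorted(g["entities"]), "total": g["total"]})
    return out


def flag_individually(invoices, threshold=REVIEW_THRESHOLD) -> List[str]:
    """The same test without relational data: per-vendor totals only."""
    totals = defaultdict(Decimal)
    for vendor_id, amount in invoices:
        totals[vendor_id] += amount
    return sorted(v for v, t in totals.items() if t >= threshold)


def run_sample() -> List[dict]:
    return flag_related_groups(consolidate(VENDOR_MASTER, INVOICES))


if __name__ == "__main__":
    print("per-vendor review hits:", flag_individually(INVOICES))   # nothing trips
    for hit in run_sample():
        print("related-party group over threshold:", hit)
```

The per-vendor test returns nothing, which is exactly the blind spot the victim institution had; the consolidated test returns the Northgate group with three billing entities and combined spend over the threshold. The cycle and dangling-parent guards matter in practice, because vendor masters maintained by hand routinely contain both.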

Risk management has always been a core competency for organizations in general and for financial institutions in particular. However, integrated enterprise risk management (ERM) practices and corporate governance disciplines are now a regulatory imperative. Any institution that views corporate governance as merely a compliance exercise is missing the mark. Regulatory compliance is synonymous with the quality of the integrated ERM framework. Risk and control are virtually inseparable, like two sides of a coin, meaning that risks first must be identified and assessed, and then managed and mitigated by the implementation of a strong system of internal control. Accurate stakeholder relational data is, therefore, critical to the effectiveness of the overall ERM process.

In today’s environment, the compliance onus rests with the regulated. In a regulatory environment where client enterprise ignorance of the situation in the client’s own overall enterprise is no longer a defense, responsibility for compliance now rests with the board and senior management to satisfy regulators that they have implemented a mature fraud prevention framework throughout the organization, effectively managing risk from the mailroom to the boardroom.

An integrated control framework with more integrated risk measures, both across risk types and economic and regulatory capital calculations, is warranted. Increased demands for self-attestation require elimination of fragmentation and silos in business and corporate governance, risk management, and compliance.

Compliance needs to be integrated into the organization’s ERM base fraud prevention framework, thereby making the management of regulatory risk a key part of effective overall compliance. Compliance needs to be seen as less of a function and more as an institutional state of mind, helping organizations to anticipate risk as well as to avoid it. Embedding compliance as a corporate discipline ensures that fraud prevention controls are entrenched in people’s roles and responsibilities more effectively than external regulations. The risk management function must not only address the compliance requirements of the organization but must also serve as an agent for improved decision making, loss reduction and competitive advantage within the marketplace.

Organizations can approach investments in corporate governance, relationship identification, risk management practices and regulatory compliance initiatives as one-off, isolated activities, or they can use these investments as an opportunity to strengthen and unify their risk culture, aligning best practices to protect and enhance stakeholder value. A silo-based approach to fraud prevention will not only be insufficient but will also result in compliance processes layered one upon the other, adding cost and duplication, and reducing the overall agility of our client’s business; in effect, increasing risk. This piecemeal reactive approach also leaves a gap between the processes designed to keep the organization in line with its regulatory obligations and the policies needed to protect and improve the franchise. Organizations are only as strong as their weakest components, like the links in a chain.

The ACFE tells us that people tend to identify with their positions, focusing more on what they do than on the purpose of it. This leads to narrowed vision on the job, resulting in a myopic sense of responsibility for the results produced when all positions interact. In the event of risk management breakdowns or when results are below expectations, it is difficult for people to look beyond their silo. The ‘enemy is out there’ syndrome, a byproduct of seeing only one’s own position, results in people quickly blaming someone or something outside themselves, including regulators, when negative events like long-running frauds are revealed, and retreating within the perceived safety of their fortress silo. This learning disability makes it almost impossible to detect the leverage that can be applied to issues like fraud prevention and response that straddle the boundary between ‘us’ and ‘them’.

However, it is particularly disconcerting that the weakest numbers by industry sector, including financial services, occur in the ACFE studies measuring organization wide accountability and people’s understanding of their accountability. My personal feeling is that much of the reason for this low score is the perpetuation of organizational silos resulting from management’s failure to adequately identify and document all of its stakeholders’ cross-organizational relationships.

Trust but Check

The community support for a business, and business in general, depends on the credibility that stakeholders place in corporate commitments, the company’s reputation, and the strength of its competitive advantage. All of these depend on the trust that stakeholders place in a company’s activities. Trust, in turn, depends on the values underlying corporate activities. Off-shore accounts, manipulation of shell corporations to evade taxes, loan fraud and management self-dealing are just a few instances of the moral cancer that, drop by drop, erodes trust until the point where the free enterprise systems of democratic nations are replaced by naked oligarchy, kleptocracy and cultures of corruption.

If the interests of all stakeholders are systematically disregarded, corrective action, often painful to shareholders, officers, and directors, usually follows. In fact, it is unlikely that businesses or professions can achieve their long-run strategic objectives without the support of key stakeholders, such as shareholders, employees, customers, creditors, suppliers, governments, and host communities.

A constant theme and trend (as echoed in the trade press) has become increasingly evident since the turn of the century: the judgment and moral character of executives, owners, boards of directors, and auditors have often been insufficient, on their own, to prevent increasingly severe corporate, ethical, and governance scandals. Governments and regulators world-wide have been required to constantly tighten guidelines and governance regulations to assure the protection of the public. The self-interested lure of greed has proven too strong for many to resist, and they have succumbed to conflicts of interest when left too much on their own. Corporations that were once able to shift jurisdictions to avoid new regulations regarding tax and other matters now face global measures designed to expose and control questionable ethics and governance practices. Assurance professionals themselves, of all types, also face international standards of behavior.

These changes have come about because of the pressures brought to bear on corporations and management by the reporting of scandals and abuses by a still potent free press and by suits by activist investors and other involved stakeholders. But changes in laws, regulations, and standards are only part of what stakeholders have contributed. The expectations for good ethical behavior and good governance practices have changed. Failure to comply with these expectations now impacts reputations, profits, and careers even if the behavior is strictly within legal boundaries.

As ACFE training tells us, it’s become increasingly evident to most executives, owners, and auditors that their individual success is directly related to their ability to develop and maintain a corporate culture of integrity. They cannot afford the loss of reputation, revenue, reliability, and credibility as a result of a loss of integrity. It is no longer an effective, sustainable, or medium or long-term strategy to project or practice questionable ethics. ACFE training goes on to indicate a number of causes, or signs, of ethical problems within any given corporation:

– Pressure to meet goals, especially financial ones, at any cost;
– A culture that does not foster open and candid conversation and discussion;
– A CEO who is surrounded by people who will agree with and flatter the CEO, as well as a CEO whose reputation is ‘beyond criticism’;
– Weak boards that do not exercise their fiduciary responsibilities with diligence;
– An organization that promotes people on the basis of nepotism and favoritism;
– Hubris. The arrogant belief that rules are for other people, but not for us;
– A flawed cost/benefit attitude that suggests that poor ethical behavior in one area can be offset by good ethical behavior in another area.

The LIBOR rate scandal of 2012 is an almost perfect example of ethical collapse and manifests a majority of the red flags enumerated above. The scandal featured the systematic manipulation of a benchmark interest rate, supported by a culture of fraud in the world’s biggest banks, in an environment where little or no regulation prevailed. After decades of abuse that enriched the big banks, their shareholders, executives and traders, at the expense of others, investigations and lawsuits were finally undertaken resulting in prosecutions and huge penalties for the banks and the individual traders involved.

The London Interbank Offered Rate (LIBOR) is a rate of interest, first computed in the mid-1980s by the British Bankers’ Association (BBA), the Bank of England and others, to serve as a readily available reference or benchmark rate for many financial contracts and arrangements. Prior to its creation, contracts utilized many privately negotiated rates, which were difficult to verify and not necessarily related to the market rate for the security in question. LIBOR, the average interest rate that leading banks estimate they would be charged if they were to borrow from other banks, provided a simple alternative that came to be widely used.

At the time of the LIBOR scandal, 18 of the largest banks in the world provided their estimates of the costs they would have had to pay for a variety of interbank loans (loans from other banks) just prior to 11:00 a.m. on the submission day. These estimates were submitted to Thomson Reuters, which acted as calculation agent for the BBA, for calculation of the average and its publication and dissemination. Thomson Reuters set aside the four highest and four lowest estimates and averaged the remaining ten.

So huge were the investments affected that a small manipulation in the LIBOR rate could have a very significant impact on the profit of the banks and of the traders involved in the manipulation.
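The trimmed-mean calculation just described, and the reason collusion mattered so much, as an added Python illustration rather than anything from the post: submissions are in basis points so the arithmetic is exact, the panel of 18 and the drop-four-each-side rule follow the description above, and the bank names, rates and the $100 million quarter-year notional used for the cash impact are constructed.

```python
"""The trimmed-mean LIBOR fix and what coordinated shading does to it.

Added illustration, not from the post. Submissions are expressed in basis
points; the 18-bank panel and drop-4/keep-10 rule follow the text, the bank
names, rates and notional are constructed.
"""
from typing import Dict, Iterable

Submissions = Dict[str, int]   # bank -> submitted rate in basis points


def libor_fix(subs: Submissions, trim: int = 4) -> float:
    """Average of the submissions left after dropping the `trim` highest and
    `trim` lowest (18 panel banks, trim=4 gives the middle ten)."""
    if len(subs) < 2 * trim + 1:
        raise ValueError("not enough submissions to trim")
    ordered = sorted(subs.values())
    middle = ordered[trim:len(ordered) - trim]
    return sum(middle) / len(middle)


def shade(subs: Submissions, banks: Iterable[str], delta_bps: int) -> Submissions:
    """Return a copy in which the named banks move their submissions by delta."""
    out = dict(subs)
    for b in banks:
        out[b] += delta_bps
    return out


def interest_impact(notional: float, shift_bps: float, year_fraction: float) -> float:
    """Cash effect of a shift in the fix on one LIBOR-linked interest payment."""
    return notional * shift_bps / 10_000 * year_fraction


# Constructed honest panel: 18 banks submitting 250..267 bps.
HONEST: Submissions = {f"bank{i:02d}": 250 + i for i in range(18)}


def run_sample() -> dict:
    honest = libor_fix(HONEST)
    # One bank lies by 67 bp: its number is trimmed away and the fix barely moves,
    # because only the submission that slides into the middle ten changes the mean.
    lone = libor_fix(shade(HONEST, ["bank17"], -67))
    # Six top-of-panel banks each shade by only 10 bp: their numbers stay inside
    # the middle ten and drag the fix down together.
    colluding = [f"bank{i:02d}" for i in range(12, 18)]
    collusion = libor_fix(shade(HONEST, colluding, -10))
    return {
        "honest": honest,
        "lone_manipulator": lone,
        "collusion": collusion,
        "collusion_shift_bps": honest - collusion,
        # Constructed: a single quarterly payment on a $100 million LIBOR-linked contract.
        "collusion_impact_usd": interest_impact(100_000_000, honest - collusion, 0.25),
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

Trimming bounds what a single submitter can do: an extreme figure is simply dropped, and the fix moves only by the gap between neighbouring submissions divided by ten, here one basis point despite a 67 basis point lie. Six banks each shading by a modest ten basis points stay inside the middle ten and move the fix by 3.5 basis points, which on the constructed notional is $8,750 on a single quarterly payment, multiplied across every contract referencing the fix. That is why the manipulation the text describes was a matter of collusion across banks rather than the act of one submitter.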

Insiders to the banking system knew about the manipulation of LIBOR rate submissions for decades, but changes were not made until the public became aware of the problem, and until the U.S. Department of Justice (DOJ) forced the U.K. government to act. The president of the New York Federal Reserve Bank (Fed) at that time emailed the governor of the Bank of England in June 2008, suggesting ways to “enhance” LIBOR. Although ensuing emails report agreement on the suggestions, and articles appeared in the trade press from 2008 to 2011, serious changes were not applied until October 2012, when the U.K. government accepted the recommendations of the Wheatley Review of LIBOR. This Review by Martin Wheatley, managing director of the British Financial Services Authority (FSA), was commissioned in June 2012 in view of investigations, charges and settlements that were raising public awareness of LIBOR deficiencies.

One of the motivations for creating the Wheatley Review involved the prosecution of a former UBS and later Citigroup Inc. trader on criminal fraud charges for manipulating the LIBOR rates. The trader, known to insiders as the “Rain Man” for his abilities and demeanor, allegedly sought his superiors’ approval before attempting to influence the LIBOR rates, an act that some observers thought at the time would provide a strong defense against conviction.

Insiders who knew of LIBOR manipulations were generally reluctant to take a public stand for earlier change. However, on July 27, 2012, a former trader for Morgan Stanley in London published an article that told of his earlier attempts to bring LIBOR rate manipulations to the attention of authorities, without success. In his article, he described how he learned as a new trader in 1991 that the banks manipulated their rate submissions to make profit on specific contracts, and to mask liquidity problems, such as during the subprime lending crisis of 2008. For example, if the LIBOR rate submissions were misstated to be low, the discounted valuation of related assets would be raised, thus reporting misleadingly higher levels of short-term, near-cash assets than should have been reported.

Numerous studies since the scandal have detailed the effects of unethical LIBOR manipulation; consider just two examples. At the time of the scandal many home owners had borrowed their mortgage loans on a variable- or adjustable-rate basis, rather than a fixed-rate basis. Consequently, many of these borrowers received a new rate at the first of every month based on the LIBOR rate. A study prepared for a class action lawsuit has shown that on the first of each month for the period 2007-2009, the LIBOR rate rose more than 7.5 basis points on average. As a consequence, one observer estimated that each LIBOR submitting bank may be liable for as much as $2.3 billion.

Municipalities raise funds through the issue of bonds, and many were encouraged to issue variable-rate, rather than fixed-rate, bonds to take advantage of lower interest payments. For example, the saving could be as much as $1 million on a $100 million bond. After issue, the municipalities were encouraged to buy interest rate swaps from their investment banks to hedge their exposure to volatility in the variable rate by converting, or swapping, it into a fixed rate arrangement. Under such a swap the municipality pays the bank an agreed fixed rate and receives a floating rate, linked to LIBOR, which it uses to service its variable-rate bonds; if rates rise the floating payments it receives rise with them, and if rates fall the municipality still owes the agreed fixed rate. Because the floating leg was tied to a LIBOR rate that was artificially depressed, the municipalities received less than they should have, costing U.S. municipalities as much as $10 billion. Class action suits were eventually launched to recover these losses, which cost municipalities, hospitals, and other non-profits as much as $600 million a year.

At the end of the day, trust in each other and in our counterparties is all we really have as economic actors; CFEs and forensic accountants thus have a vital role to play in investigating, documenting and assisting in the identification and possible prosecution of those who, like the LIBOR manipulators, knowingly collude in making the choice to violate that trust.