DOJ Fraud Section Puts Boards of Directors on Notice Regarding “Conduct at the Top”

In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”

While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different than prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.

DOJ “Yates Memo” Reminds Us that People, Not Corporations, Commit Crimes

Scott Moritz - Protiviti NY 2013 (hi res)

 

Scott Moritz, Managing Director
Leader, Protiviti’s Fraud Risk Management Practice

 

On September 9, 2015, U.S. Department of Justice Deputy Attorney General Sally Quillian Yates distributed a memorandum across the Department of Justice, entitled “Individual Accountability for Corporate Wrongdoing,” that has far-reaching implications for government and private-sector investigations of corporate misconduct.

While the memorandum does not have the force of law, it nonetheless provides specific direction to every federal prosecutor to hold individuals accountable for corporate crimes and to make as a condition of an individual company’s cooperation the extent to which they “give up” the individuals responsible for the corporate crimes.

Holding individuals accountable for corporate crimes is a very effective way to change behaviors. While the U.S. Sarbanes-Oxley Act (SOX) has significantly changed the business landscape for U.S. publicly traded companies, perhaps its biggest effect was that by holding the CEO and CFO accountable for the accuracy of the quarterly and annual reports they sign, there have been a number of enduring changes in how these leaders behave.

First and foremost, before SOX, many internal investigations at public companies, large and small, never saw the light of day. “Big picture” issues often overrode what was right. With the CEO and CFO now held accountable, the default setting has shifted to performing internal investigations and then disclosing the results, to the extent that the findings suggest the need to do so. This is a direct result of the accountability component of SOX Section 302 and the upgrade that has occurred across audit committees in terms of financial aptitude since the inception of SOX.

The same sea change could result from the Yates memorandum, which sets out six steps that government attorneys should take to ensure individuals believed responsible for corporate crime are held accountable.

  1. Before being eligible for any cooperation credit, corporations must disclose all relevant facts about the individuals involved in corporate misconduct.

This step, perhaps more so than any other, could have the greatest long-term impact. Knowing this requirement, government investigations and internal investigations alike will have to be structured in such a way as to enable the ability to identify individual conduct. It also creates a financial incentive for companies to disclose the responsible parties within their organizations in order for them to be eligible for cooperation credit. This will, in all probability, cause individuals to “break ranks” earlier in the process and seek their own outside counsel, rather than wait for the company to deliver them on a silver platter to the government in an effort to obtain cooperation credit. It could also result in many more individuals seeking whistleblower status rather than trusting that their employers or former employers will be unbiased in their investigations.

  1. Both criminal and civil corporate investigations by DOJ attorneys should focus on individuals from the inception of the investigation.

This is really more of a reminder than it is anything radically new. By their nature, investigators must focus on the actions of individuals. What is important here is that the DOJ attorneys and investigators make it clear to companies once they know of the existence of the investigation that any internal investigation must provide meaningful information about the responsible individuals.

  1. Criminal and civil attorneys handling corporate investigations should be in routine communication with one another.

Coordination between the SEC and DOJ has improved quite significantly since 2008. That being said, civil and criminal investigations are fundamentally different and, historically, holding individuals accountable has fallen to the criminal investigators. What the Yates memorandum points out, though, is that sometimes civil investigations provide substantive information about criminal wrongdoing, and by being in routine communication with one another that information is less likely to fall through the cracks.

  1. Absent extraordinary circumstances, no corporate resolution will provide protection for any individuals from criminal or civil liability.

This step could also have long-term implications on the scope of investigations and the extent to which individuals will be held accountable for corporate crimes. By making it clear to government attorneys that corporate resolutions should not routinely provide individuals protections from criminal or civil liability, it puts the burden on individual government attorneys to make the internal argument that their proposed settlement agreement meets the criteria of “extraordinary circumstances,” increasing the likelihood that more individuals will be held accountable since the majority of such agreements will not inhibit the government’s ability to hold individuals accountable.

  1. Corporate cases should not be resolved without a clear plan to resolve individual cases before the statute of limitations expires, and declinations as to individuals in such cases must be memorialized.

This step is in recognition of the fact that individual cases often continue after the corporate cases have been settled. It will help ensure that appropriate forethought is given with regard to individuals who could be held accountable if not for mismanagement of the statute of limitations.

  1. Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.

This step, again, is a reminder of the different lenses through which civil enforcement attorneys and criminal prosecutors view their cases, as well as the importance of considering the totality of the facts regarding each individual in determining the appropriate means by which he/she is held accountable.

While each of these steps detailed in the Yates memo sends a clear message to the DOJ attorneys responsible for criminal and civil enforcement, in-house and outside counsel, chief compliance officers and senior executives should also take notice. As it has on a number of occasions since the Federal Sentencing Guidelines went into effect, the government is again putting corporations on notice that people, not companies, commit crimes.

Corporations are expected to focus their internal investigations in such a way as to identify the people responsible, not just scape goats, and that their ability to receive cooperation credit depends on it. As Ms. Yates stated in her public remarks about the memo: “We’re not going to be accepting a company’s cooperation when they just offer up the Vice President in Charge of going to jail.”

Difficult though it may be for companies to be completely transparent in their identification of the people responsible, no matter how senior and important to the company’s future they may be, management will be forced to make decisions for the good of the company that will very likely result in some of their former colleagues going to prison.

You Can’t Protect Intellectual Property and Sensitive Data Unless You Know What You are Trying to Protect

Scott Moritz - Protiviti NY 2013 (hi res)

by
Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

and

Rocco Grillo - Protiviti NY 2014 (hi res) (2)

Rocco Grillo
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice

 


In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.

________________________________________

Cyber-crime targeting of commercial enterprises and organizations is rampant. Increasingly sophisticated organized crime groups are gaining improper access to point-of-sale systems and corporate networks to steal credit card numbers, expiration dates, account holder names and CVV codes, intellectual property, as well as other sensitive data.

In addition, certain countries have historically utilized their intelligence agencies to use intelligence-gathering techniques to steal information such as computer source code, product formulas, and design information about new products or processes. These types of state-sponsored economic espionage often target technology-centric industries, including computer software and hardware, biotech, aerospace and defense, telecommunications, transportation and engine technology, automobiles, machine tools, energy, materials and coatings, and so on.

The high-tech sector is widely considered to be the most frequently targeted area for economic espionage, although any industry with information of possible use to foreign governments and their commercial sectors is at risk. Increasingly, these government intelligence agencies are using hacking techniques to gain access to commercial secrets.

Whether it is organized crime that is seeking to gain access to your network or a foreign government seeking to obtain the product formulation of the next wonder drug, companies’ most valuable information is stored electronically on their networks and individual computer workstations. While companies expend tremendous sums of money and resources securing their networks and testing their security, sometimes the issue is not knowing the universe of sensitive data that they possess, where and how it is stored, and who has access to it.

Knowing where your data resides is, in many instances, half the battle. Trying to identify an organization’s “crown jewels,” or key assets, is equally important. Boards of many major corporations are scrambling to implement security controls to processes in order to safeguard their organizations, but many also need to focus on risk management to identify their crown jewels when implementing these controls and safeguards.

Often, information about what valuable data the company has, where it is stored and who may have access to it is determined only after there has been a breach. As network security experts trace the activities of the hackers to see what systems and applications were accessed illicitly, they learn what information was stored and whether it was exfiltrated from those devices. Indeed, one of the most challenging issues for internal auditors as well as IT security professionals is, when assessing their company’s information security, not only understanding the systems and the security controls designed to monitor, detect and prevent data breaches, but also taking an inventory of the various categories of sensitive data stored electronically across the organization, identify where specifically it is located, and who has access to it.

Without this critically important information, internal auditors and others charged with the responsibility of assessing the effectiveness of network security and the extent to which the company’s most sensitive data may be exposed are severely restricted.

Some sensitive data is of obvious interest to hackers, and it is fairly straightforward to assess how it is collected, where it is stored and how it can be accessed. Knowing who and when data was accessed is equally, if not more, important. Being able to pinpoint who has accessed data is critical to any organization trying to protect its data. Logging and monitoring controls enable organizations to accomplish this.

During a forensics investigation, trying to find the source of a breach is like trying to find a needle in a haystack. And without logging and monitoring controls or limited controls, that needle in the haystack becomes a needle in an open field. Sensitive data includes customer information, credit card numbers, personnel records, and payroll and banking information, among other assets deemed to be the organization’s crown jewels. The challenge is in determining what other types of sensitive data may exist and where. Such sensitive information includes corporate development (M&A) information, prototypes, source code, customer lists, proprietary pricing information, legal files, human resources data, and other data that, were it to be released, would be commercially damaging to the company.

What steps should companies take to better understand where their valuable data is?

  • Before companies understand where it is, they need to understand what it is or what their crown jewels are.
  • Survey key business units and obtain a list of their most sensitive data and IP by category.
  • Determine what added security may be in place to protect that data.
  • Request information about where the data is stored, how it is secured and how access is controlled.
  • Integrate what is learned by this data gathering exercise into future IT security audits.

Beware of the Fake Presidents

Scott Moritz - Protiviti NY 2013 (hi res)

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

 

In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.

________________________________________

We have become aware of an ongoing fraud scheme that initially was targeting Western European companies but appears to have emerged in the United States. The scheme involves social engineering and email spoofing, wherein the fraudster assumes the identity of a senior company executive and targets an employee from that same company, often someone in accounting or accounts payable.

The victim employee initially receives an email from the “fake president” concerning a highly confidential transaction, sometimes related to an acquisition. The communications often stress both urgency and the need for confidentiality. Recipients of these emails may also be directed that subsequent communications be directed to the “president’s” personal email, that of the president’s attorney, or both. They subsequently receive instructions by telephone and/or email containing bank routing, account number and account holder information to which the fake president needs a wire transfer to be sent.

The schemes about which we are aware have each involved accounts in Hong Kong, but this scheme could involve accounts in any foreign jurisdiction. In some instances, these schemes involve a single fraudulent wire transfer, but in other instances they may keep it going until and unless the company realizes it has been defrauded.

These schemes are often effective as a result of the research that the fraudsters have done in advance to identify the company executives and operations, as well as to identify an employee to target. It is believed that the initial target pool centered on EU-based companies because there is detailed information available in the public domain that makes the identification of executives and lower-level accounting or finance employees relatively easy compared to companies that are based elsewhere.

That said, these schemes have characteristics in common with other known and highly successful fraud schemes being perpetrated by criminal organizations. These characteristics include use of spoofed emails, blocked or anonymous phone numbers, offshore bank accounts in less cooperative jurisdictions, and the targeting of wire transfers.

The use of flattery, urgency and confidentiality is also characteristic of such fraud schemes undertaken by organized groups. The fraudster may make statements to lead the targeted employee to believe that the fake president has carefully selected him or her as being worthy of the president’s trust, leading the victim to believe that he or she has the trust of a high-level executive. The resulting excitement may cause the victim employee to ignore any obvious red flags out of misplaced hope that if he or she successfully executes the instructions, it will result in a career boost.

Instilling a sense of urgency is another proven technique in fraud schemes (along with the sale of used cars and health club memberships). Applying time pressure, coupled with the fear of upsetting a very senior executive in connection with what has been described as a highly confidential matter, can cause people to disregard red flags had they taken the time to think about what is happening before it is too late.

What steps can be taken to reduce your organization’s susceptibility to fake president fraud?

  • Require telephonic and email confirmation to phone numbers and email addresses from the company directory – do not rely on the requestor’s email instructions.
  • Educate your employees about the prevalence of the various social engineering and email spoofing techniques being employed by fraudsters and the red flags to monitor, including non-standard transactions, urgency, confidentiality, offshore accounts and use of wire transfers, and use of personal emails.
  • Review fraud controls around wire transfer requests, ensure that those controls are being followed, and ensure that all approvers are aware of the prevalence of schemes targeting companies around fraudulent wire transfers.
  • Discuss fraud controls with your financial institutions to see if any enhancements can be made on their end to assist in protecting your organization against wire transfer fraud.

Beware of the Slippery Slope – When Gifts, Entertainment, Favors and Philanthropy Become Problematic

Scott Moritz - Protiviti NY 2013 (hi res)

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

 

In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.

________________________________________

Having just completed my holiday gift list – a list that is free from foreign officials, I should point out – I thought it would be useful to discuss the various ways in which gifts, entertainment, favors and charitable giving can lead to some pretty negative outcomes.

The key is knowing the individuals to whom we are providing these items of value: Are any of them in positions of influence to award business to your organization? Are they government officials or employees of state-owned companies? Are these individuals connected in any way with charities to which we are donating?

Generally speaking, it is acceptable to give gifts to customers and prospects, entertain them, extend certain professional courtesies to them, and consider support for their favorite causes. What’s key, though, is ensuring these important social norms are not distorted into thinly disguised bribes given in an effort to obtain some type of unfair business advantage.

Several things are critically important to work out in advance to ensure that items of value and charitable donations pass the reasonableness test. First and foremost, your organization’s policies and procedures need to provide clear guidance, limits and preapproval requirements surrounding gift-giving, entertainment, defining other things of value (a category into which favors would fit), and charitable donations. Those policies and procedures should not only provide guidance and examples of appropriate and inappropriate gifts, entertainment, other items of value, and charitable donations, but they also should require that certain categories of recipient be subject to heightened approvals and, in some instances, prior approval before the value is exchanged.

For example, clients before whom there is a pending proposal in response to a formal RFP, as well as any client or contact that is a government official or employee of a state-owned company, may warrant a pre-approval such that a second set of eyes can evaluate the compliance risk objectively and any appearance of impropriety with regard to the proposed gift or other item of value. Those pre-approvals should not only take place, but both the request and the approval (or rejection) should be formally documented.

Even if the decision-making and associated documentation are found to be incorrect by a regulatory body or law enforcement agency, it would be difficult for the agency to assert that the company didn’t have controls and place and that the transaction was not transparent.

Another critical success factor in limiting compliance risk in this area is whether the company has a formal mechanism to determine whether recipients of gifts or any items of value are governments, government-owned and/or legitimate charities free from conflicts. Equally important is to have complete transparency with regard to the identity of each gift recipient. This last point may seem obvious, but often in marketing promotions or holiday gift giving, blocks of gifts, gift cards, tickets to sporting events or other items are given to distributors, sales agents or other intermediaries, and the company risks losing sight of who the ultimate recipients are.

Amazingly, charitable giving and political donations have also been abused and distorted to disguise bribes or kickbacks to government officials as legitimate philanthropy or efforts to be a good corporate citizen by supporting local charities. Like the other areas described above, it is important to understand how the charitable donation or political contribution was first solicited and by whom. It is equally important to be able to demonstrate a good understanding of the purpose of these donation or contributions, the charities and political organizations themselves, along with some degree of negative assurance that these organizations are free from conflicts of interest. It is a sound business practice to have a policy that governs such giving to include a requirement that all financial support require written pre-approval.

The bottom line here is that generosity, relationship management, and political and social consciousness require more than just financial support. They require strong policies and procedures, along with a keen awareness of the potential risks and controls to provide reasonable assurance that all of the company’s activities in these categories are reasonable and are well aligned with your policies, procedures, and local laws and regulations.

Bogus Vendors are the Single Most Common Way Companies are Defrauded

Scott Moritz - Protiviti NY 2013 (hi res)

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

 

In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.

_______________________________

We perform many internal investigations for companies every year. In our experience, the most common fraud committed against a company relates to vendors that either don’t exist, are corrupt, or are secretly owned by a company insider who is directing business to them.

Let’s start with companies that don’t exist. Seems simple enough, and yet it may not be. It is very easy to register a legal entity in any of the 50 states. All you need is an address, a contact person to serve as registered agent to receive mail on behalf of the company, and the ability to pay the registration fee (which is usually around $200). It is even easier to register a fictitious name and get a business certificate in that name.

Most banks will permit you to open a commercial bank account using either a company registration or a business certificate evidencing your registration of a fictitious name. There are more controls around registering a legal entity than there are a fictitious name. In practice, you are not supposed to be able to register a name of a company that already exists, and your application is supposed to be compared to a database of known companies to prevent having more than one company by that name.

Fictitious name registrations are not quite as stringent – it is possible to register a fictitious name that closely matches that of a real and possibly well-known company.

More Guidance: Leveraging the Right Technology Tools to Manage Fraud Risk

Once you have registered your fake company and used it to create a real bank account, you’re more than halfway there. To perpetrate the fraud, you then need to create authentic-looking invoices from that company that would fit with the business to which the invoice is being submitted so that it does not stand out from the crowd of hundreds of other invoices being processed by the company. Ideally, the person that approves the invoice for payment is in on the scheme so they don’t scrutinize it too closely and simply send it along.

Often, once a manager with invoice approval authority has approved it, many companies simply process it for payment. Often, a fraudster submitting bogus invoices will start with one fake company and will periodically submit an invoice for payment. If the scheme goes undetected, two things tend to happen. The size and frequency of the invoices increase, and new bogus vendors are added. Before long, there may be dozens of bogus vendors for which checks are being issued, though no goods or services are exchanged. Schemes like this have been known to go on for many years.

Another form of vendor fraud involves actual vendors of the company who act in collusion with one or more company insiders. This can happen in a number of ways. Vendors can submit invoices for services not performed or goods not delivered. These vendors may also submit invoices at inflated prices. All that’s required is that the vendor and someone in the company agree in advance how much the invoice should be, how much each conspirator will receive from the proceeds of the payment of the bogus or inflated invoice, and how the vendor will deliver the money to the corrupt company insider.

Vendor companies that are secretly owned by company insiders work in a similar way. The only difference is that they don’t have to take the extra step of deciding who gets what percentage of the proceeds of the fraud because the corrupt employee, as owner of the fraudulent vendor company, keeps it all.

How Can You Avoid Being a Victim of Vendor Fraud?

Here are some tips:

  • Obtain and review vendor master files and sort by aggregate spend.
  • Review any vendor name receiving significant aggregate spend for which no one recognizes the company name or for which the vendor file has limited to no supporting documentation.
  • Perform periodic background investigations of new vendors and existing vendors above a certain aggregate spend threshold and compare results to information contained in human resource databases, most notably last names, addresses and phone numbers that employees have in common with any vendors.
  • Be alert for companies with very little information in the public domain, with addresses in common with employees or officers, and/or with dates of establishment that correspond to the approximate time frame when the vendor first started receiving payments from the company.
  • Look for trends or patterns associated with approved invoices that are suspect, including whether they are similar in appearance, have the same font, are in recurring or round dollar amounts, were approved by the same person, etc.

Vendor fraud is one of the most common fraud schemes perpetrated against companies. If you’ve never experienced a vendor fraud, do you think it’s because you’re just lucky, or is it that you’re not looking carefully enough?

Reshipping Schemes: Where Credit Card Thieves Get Help from the Lonely and the Unemployed

Scott Moritz - Protiviti NY 2013 (hi res)

 

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.

_______________________________

Nigerian fraudsters are some of the most ingenious financial criminals in the world. “Nigerian Letter” or “419 Fraud” is arguably the longest running, most lucrative fraud scheme in existence.

You may not know them by these names, but over time, you undoubtedly have received dozens of emails from the heir of a recently deceased Nigerian government minister who has spirited away millions of dollars and wants to deposit the money in your checking account. Or maybe he wants to send you lottery winnings for a lottery you didn’t enter.

Indeed, the Great Barrier Reef is to great white sharks as Nigeria is to fraudsters. The latest highly successful scheme that comes to us from Nigeria is “the Reshipper Scheme.” Fraudsters either place employment ads online for people who want to work at home part-time or pretend to be looking for relationships on an online dating site. With the part-time ads, the fraudsters have job candidates complete applications that require them to provide their personal details, including name, social security number, date of birth and home address.

In the case of dating websites, the fraudsters establish fake profiles online and strike up conversations pretending to be potential matches. Over the course of one or more exchanges via a dating website’s chat, email or instant messaging function, they elicit personal information – most importantly, a home address. While they are cultivating these relationships, their co-conspirators are stealing credit card numbers and using them to buy products from online clothing, luxury goods or electronics retailers, and having them shipped to the addresses they recently elicited from the fake employment ads and from interacting with unwitting accomplices on online dating sites.

The fraudsters will contact the unwitting recipients of the stolen goods and either provide them with shipping labels or a stolen credit card number to use to reship the goods. Sometimes they are requested to ship directly to an address in Nigeria or somewhere in West Africa. Other times they are requested to send the package to a shipping company in a major city, which in turn will fill a container with the proceeds of multiple, smaller reshipments and ship it to Nigeria.

Another variation of this scheme also utilizes unwitting victims (who sometimes become witting accomplices). But instead of using stolen credit cards to purchase goods online, fraudsters instead email fraudulent purchase orders that appear to represent legitimate requests to buy products from wholesalers, but direct that the shipments be sent to an address that has nothing to do with the company whose name is on the fraudulent purchase order. Instead, the fraudulent purchase order directs that the goods be sent to the address of one of the unwitting accomplices, who either believe that this is part of their new work-at-home job or that they are doing a favor for their new friend whom they met on a dating site.

Individuals should be very wary of anyone they meet online via job advertisements or dating websites who request that they agree to receive deliveries to their home or place of business and then resend the merchandise to another location. This very likely is property that is either the proceeds of credit card, mail or wire fraud. It could result in you being held responsible for the value of the stolen goods and possibly held liable for the underlying criminal offense of receiving stolen property.

In addition, companies that ship goods via purchase order should consider taking a number of steps to verify the legitimacy of purchase orders received, including:

  • Contact the company directly (not utilizing the contact information on the purchase order) and seek to confirm the legitimacy of the purchase order (including the number on it) and the shipping address.
  • Research the names of the parties, phone numbers and “ship to” addresses to determine if they are identifiable with the company named on the purchase order and/or if the addresses, names or phone numbers are private homes, motels, known mail drops, or other locations that are unlikely shipping destinations.

Remember, if something sounds too good to be true, it probably is.

Editor’s Note: Scott Moritz and Protiviti Director Peter Grupe recently hosted a webinar titled “Internal Investigations for Non-Investigators.” You can view the webinar here.