Too many firms think an anti-fraud policy is optional. It’s not. Let Neill Blundell, head of fraud at law firm Eversheds, scare the life out of you. “Business must implement anti-corruption measures in order to be able to show a defence of ‘adequate procedures’ under section 7 of the Bribery Act 2010,” he says.
“All businesses should be aware that David Green QC, who is the director of the Serious Fraud Office, is currently lobbying to have a section 7-type offence extended for any type of fraud-related matter. This would mean that a company would need to have a fully implemented anti-fraud programme in order to avoid liability in circumstances where an employee or a third party commits frauds on its behalf. This would mean any type of fraud offence and not just bribery.”
So what should this policy state? And how should it be implemented? After all, you don’t want your wonderful document rotting in the bottom of a drawer.
The tough news is that there’s no template. You can’t download one of these things. Bill Trueman, managing director of consultancy UK Fraud and co-founder of the Association of Independent Risk and Fraud Advisors, says: “All businesses are different, as well as all business risks.” As for the concept of a regular health check: “I am afraid I do not know what one of these is and I go into a lot of businesses, many of them high-street names, to help them with challenges and address issues.”
You need a unique, personalised plan. Fortunately, there is a consensus on how this should be drafted. Hitesh Patel, head of forensic fraud at KPMG, says the trick is to chop the problem into three. “Your policy needs a preventative part, to stop fraud happening to you; a detection part, so you notice when fraud has been committed; and a response strategy. There will be many sub-components, but those are the key three ingredients.”
The prevention section starts by listing all the ways your firm could be compromised. For example, telecoms giant Telefonica explores the dangers of physical break-ins, of staff being duped, of digital penetration by hackers and shortcomings in the way it might hold sensitive data. The list includes a provision for “new” threats, which haven’t yet emerged.
IT partners will routinely offer help identifying these threats and drafting responses. For example, if you take online payments, then partners such as SagePay and WorldPay provide advice on how fraudsters operate, and how they can be combated by simple methods such as IP address flagging.
Next, establish a strategy for detection. Fraudsters are incentivised to be as unobtrusive as possible. So how will you know you’ve been hit?
The obvious methods are stock checks and data security patrols. There are some pretty clever additional tools. Phil Beckett, managing director of corporate forensic firm Proven Legal Technologies, says: “You can analyse payments leaving an organisation looking for unusual transactions or patterns of transactions. These can include relatively straightforward tests, such as duplicate and round-sum analysis, as well as more complex measures using tests such as Benford’s Law, standard deviation and regression analysis.” Benford’s Law states that the number one occurs as the first digit 30 per cent of the time in financial data, so a set of figures that departs sharply from that pattern is a golden clue for fraud identification.
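The duplicate, round-sum and Benford's Law tests described above can be run over a payments ledger in a few lines. The sketch below is an added illustration, not code from the article or from any firm quoted in it; the sample amounts, the 5,000-pound sign-off limit and the 5 per cent chi-square cut-off are assumptions made for the example.

```python
import math
from collections import Counter

# Benford's Law: leading digit d is expected with probability log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL = 15.507  # chi-square, 8 degrees of freedom, 5% significance

def leading_digit(pence):
    """First digit of a non-zero integer amount (held in pence)."""
    return int(str(abs(pence))[0])

def benford_chi2(amounts):
    """Chi-square statistic of observed leading digits against Benford's Law."""
    seen = Counter(leading_digit(a) for a in amounts if a)
    n = sum(seen.values())
    if n == 0:
        return 0.0
    return sum((seen[d] - n * p) ** 2 / (n * p) for d, p in BENFORD.items())

def duplicates(payments):
    """(payee, amount) pairs paid more than once: possible double payment."""
    counts = Counter(payments)
    return sorted(k for k, c in counts.items() if c > 1)

def round_sums(payments, unit=100_000):
    """Payments that are exact multiples of `unit` pence (default 1,000 pounds)."""
    return [p for p in payments if p[1] % unit == 0]

# Constructed sample data, not real ledgers.
ORDINARY = [int(100 * 10 ** (k / 50)) for k in range(200)]  # spread over 4 orders of magnitude
UNDER_LIMIT = [490_000 + 137 * k for k in range(40)]        # all just below the assumed sign-off limit
LEDGER = [("Acme Ltd", 123_456), ("Acme Ltd", 123_456),
          ("Brook & Co", 500_000), ("Cedar plc", 78_910)]

if __name__ == "__main__":
    for name, batch in (("ordinary", ORDINARY), ("under-limit", UNDER_LIMIT)):
        stat = benford_chi2(batch)
        print(f"{name}: chi2={stat:.1f} flagged={stat > CHI2_CRITICAL}")
    print("duplicates:", duplicates(LEDGER))
    print("round sums:", round_sums(LEDGER))
```

A flagged batch is a prompt for review rather than proof of fraud: small samples and amounts that are naturally capped, such as fixed fees, also depart from Benford's distribution.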
Santander Bank is experimenting with voice recognition software, provided by Fonetic, which hunts for patterns and key words in conversations. During the Libor scandal, the traders were using code words. Fonetic claims to be able to tally words with transactions to flag up these misdeeds.
Third, your policy needs a list of responses. If you lose data, what will you do? If your bank account is drained of cash, who will you call? A detailed response strategy will help you respond fast to catastrophes when they strike.
But that’s not quite the end. You need an enforcement policy too. Your anti-fraud strategy needs to be implemented companywide. KPMG’s Mr Patel says this starts in the boardroom. “You need a champion at board level. They should make statements to be distributed throughout the organisation,” he says.
Lessons in fraud may need to be annual, in the case of anti-bribery legislation, or more frequent. For technical stuff, shorter lessons are advisable. Sophos Anti-Virus’s head of security James Lyne warns: “Box-check exercises get ignored.” He suggests: “Regular bite-sized video training and regular live tests to ensure staff know how to behave.” Pharmaceutical firm Astellas took three years of lessons to drive home anti-bribery legislation requirements.
A common defect in implementation is staff resistance. Staff are either afraid to air confusion about the policy or worried about whistleblowing. Corporate knowledge sharing body CEB suggests creating a Speak Up channel, available 24/7, via a number of routes from e-mail and voice to intranet and in-person. Importantly: “The two most common reasons that employees fail to use the Speak Up route are fear of retaliation and a belief that no action will result from a report,” according to CEB.
A strong anti-fraud policy won’t mean you are totally secure. No one can guarantee that. But it can mean you are legally in the clear and can react to threats with minimal damage, which ought to mean you sleep a little easier.