In the ever-changing sophisticated landscape of cyber-attacks you need to be prepared. In this episode on the Payments Podcast, we’re getting advice on how you should plan for the worst from BTVK Advisory’s Ben Hobby, who has extensive experience in accounting and fraud investigations for both private and public sector entities. This is an episode you can’t afford to miss.
Rich Williams: As much as any organisation would like to believe, none of us are immune to fraud. We're often told it's not a case of if but when, so what's most alarming is that 41% of UK financial decision-makers are unaware if they've already been a victim of fraud. So I ask you this: if the organisation that you own or work for fell victim to fraud, would you know what to do?
I'm Rich Williams, the host of 'The Payments Podcast', and this episode looks at what happens after fraudulent activity has been identified in an organisation. With me today is Ben Hobby, from BTVK Advisory, who has extensive experience in accounting and fraud investigations for both private and public sector entities. Hello Ben.
Ben Hobby: Hello everybody.
Rich Williams: Although I'm sure that every organisation hopes to never become a victim, what plans or actions should organisations have in place if they were to spot fraud?
Ben Hobby: Every business is going to have a disaster recovery or business continuity plan to deal with potential- Say fire events, for example, if their factory or offices burned down. Similarly, a business would hope to never use those.
So a fraud response plan is going to be absolutely critical for a business to make sure that the responsibilities are known for all of the key individuals in the business and that the key decisions are taken quickly by the right people.
Part of that plan, there needs to be a number of key strategic decisions that need to be made. The first of those is to consider the desired outcome. In any journey it's always important to know the destination, as that will allow you to determine the route that you should take. By the desired outcome, I mean the company should be considering whether they wish to go down the path of a criminal prosecution, a civil action, against the potential fraudsters, or if it is an employee that is involved, whether they wish to go down the route of staff dismissal.
A fraud always results in some sort of accounting black hole that exists, and therefore needs to be filled. So part of the fraud response plan should always be thinking about the recovery of those funds. That recovery needs to consider whether the company goes against the potential perpetrators and also whether there are other third parties that are involved as well, say professional advisers or contractors, that may also have had a role to play in the fraud itself.
Finally, the company may also have an insurance policy against commercial crime and may, therefore, be able to make recoveries against that particular policy.
Rich Williams: And will organisations need to have a plan in place to let any authorities know that they've been affected by fraud, and, if so, who should they be contacting?
Ben Hobby: Absolutely. There are a significant number of businesses that have some sort of external regulator, and with that comes a number of different reporting obligations. We're not just talking here about businesses that are, say, on the stock market or regulated by the FCA.
We conducted an investigation a few years ago for a housing association, which has their own separate regulator, again with reporting requirements there. So they need to be identified right at the outset so the responsibilities of the company are known as well.
It may also be the case that there are legal contracts with certain suppliers as well that also have a clause in there for mandating some sort of disclosure as well. There may also be reporting of obligations under any kind of commercial crime insurance policy as well.
With those reporting obligations, though, it increases the risk of the fraud actually then coming out into the public domain and being reported on by various media organisations. If that's the case, it's absolutely critical for the company to make sure they're trying to keep control of the message that is out in the public domain, and there may, therefore, be a need to bring in a crisis PR supplier to assist with this.
We've seen recently that a large fraud can certainly bring a company down, Patisserie Valerie being one of the more recent cases that have made the press. It's important in those circumstances for the business to actually keep trading. By using crisis PR, the business can help to keep confidence with third parties that will allow it to continue trading.
Rich Williams: So you mentioned earlier rather a touchy subject, which is a member of staff actually becoming involved in fraud as well, and we know that internal fraud is just as important to circumvent an external fraud. So let's look at the worst-case scenario and an organisation has spotted that they've fallen victim to a fraud which has come from inside their organisation, a member of staff siphoning off funds from payroll, for example. What should they do next?
Ben Hobby: Well, we've already discussed the importance of a company having a fraud response plan. So the first thing to do would be to invoke that particular plan itself. You've got the plan; you may as well use it.
That plan, though, should set out some of the key decisions that need to be made right at the outset, at the point of discovery, that will define the strategy of the investigation itself. So one of the first decisions that needs to be made is well, who is the fraud response team? The obvious people to be involved with that would be in-house counsel, certainly in the first couple of days, to make sure that legal privilege is maintained.
HR will likely need to be involved to make sure that employee law considerations are taken into account, and if there are any external court applications that need to be made, then external lawyers may also need to be involved.
Finally, that fraud response team will need to potentially include certain key directors to allow decisions to be made. It's important, though, to ensure that that team is kept as lean as possible and on a need-to-know basis, so that the investigation is as focused as possible.
We've discussed already the fact that the fraud response plan should also consider what the objectives of any investigation are, and because every fraud is different the objectives may change ever so slightly from case to case. So, again, one of the key decisions the fraud response team need to do early on is what are the objectives? Are they seeking recovery, are they seeking prosecution?
Also, there is a need to consider whether there are any other issues with procedures and controls elsewhere in the business that may lead to the fraud continuing and potentially worsening.
It's always important to remember that frauds are invariably worse than expected at the point of discovery. They need to be investigated properly as a consequence, but be aware, what you know at the point of discovery is invariably not everything relevant to the fraud itself.
Rich Williams: So should a suspect internally be identified, Ben, what's the best way to manage that process?
Ben Hobby: I think we have to remember that in this instance we're here within the first 24, 48 hours after discovery, so we're not yet in possession of all of the facts. Therefore, it's important to keep the suspect in place and to continue as normal. To engage in anything that may result in the employee's dismissal may at this stage potentially result in a wrongful dismissal claim against the company because we are not in possession of all of the facts.
That said, if there has been a potential fraud, we need to make sure that all of the relevant evidence is preserved and recovered so we can then review and investigate all of that information. Potentially, if the case is going to go to trial, for example if we're seeking a civil recovery or even a criminal case, we need to make sure the evidence is preserved so the case isn't compromised somewhere down the line.
Also, bear in mind, though, that the suspects, if they get any inkling that they may actually have been discovered, they may try and cover their tracks by destroying evidence as well. So there may be an argument to restrict the individual's access to certain buildings, systems or emails as well.
In these circumstances, it may be appropriate for the fraud response team to involve the head of IT to assist with making sure that that information is preserved as well.
In addition to liaising with IT, the fraud response team may also want to consider bringing in an external IT forensic company to make sure that the electronic information is preserved in such a way so that the evidence trail isn't compromised.
Rich Williams: And how about maintaining a level of confidentiality for the individual involved?
Ben Hobby: Well, that's absolutely critical because, as I've already said, we're still in the first 24, 48 hours of the investigation and we do have the principle of innocent until proven guilty. That said, it is critical to maintain absolute secrecy, and part of the means of doing that is to ensure that the fraud response team is as lean as possible in terms of the number of people who are part of that.
But something else the fraud team may wish to consider is potentially meeting off-site. Closed doors to offices around an organisation will usually start whispers and rumours around the organisation. By meeting off-site, it allows the fraud response team to not only discuss the case amongst themselves but also to meet with external advisers without necessarily setting hares running within the company itself.
Rich Williams: So I'm sure one of the natural reactions for an organisation when they spot a potential fraud is to hit panic mode, but what else should they not be doing?
Ben Hobby: You're absolutely right to emphasise the need to- Don't panic, much like the well-known character from 'Dad's Army'. I think the first thing to do is consider the discovery issue. Most frauds are brought to a company's attention by whistle-blowers, and it's incredibly important to not take those suspicions lightly.
I think there is a tendency to think that may be a disgruntled individual, but they have to be investigated properly because the consequences of not investigating a whistle-blower's allegations properly and then the whistle-blower later being proven to be correct, the ramifications for the company I know are potentially quite serious.
With a strategy, though, as well, there are a number of important don'ts there as well. Don't make rash decisions. We all say that in all aspects of our life. There will be decisions there that a company will later come to regret.
Also, don't take unplanned actions. The strategy defines the route that a company will wish to go down, and it's important not to go off on tangents that may ultimately compromise the investigation.
If you are going to bring in external advisers, make sure they have the right qualifications and the right skill sets to deal with the particular aspects of the investigation. Using unqualified advisers may increase the risk of the investigation becoming compromised.
Also, don't underestimate the wrongdoers themselves. The wrongdoers may be getting close to being discovered and may, therefore, feel threatened and may, therefore, take actions that can cause an issue, but also to prevent their discovery as well. So make sure that you have all of the information collated, certainly before you even consider interviewing a suspect.
Rich Williams: So with that being the case, when would be an appropriate time to bring a potential suspect in for interview?
Ben Hobby: Certainly not within the first 24, 48 hours, which is what we're considering here. We've already mentioned that fraud is going to be invariably worse than expected, so the actual circumstances and the facts need to be properly investigated and established so that you have what you consider to be the full story before you then sit down with a suspect.
If you have that full story, it's easier to ask the right questions because you're in possession, hopefully, of all of the facts. If you haven't got all of the facts, it's much easier for the suspect to potentially lead you as the investigator down a number of blind alleys.
Mentioned already don't underestimate the wrongdoers themselves. That's why it's important to have all of the facts together. By making sure you have all of the facts, that's part of the process of making sure that the investigation hits the right standards from a legal point of view so that you are then not compromised at any point further down the line if you are wanting to take legal action, either to recover the funds or to initiate a criminal prosecution or even to dismiss the employee as well.
Rich Williams: And, again, thinking about confidentiality, how should that be managed during this interview process?
Ben Hobby: The fraud response team need to always keep at the forefront of their mind a need-to-know attitude, in that only the core members of the team need to be aware of what's going on. By doing that, the risk of alerting the suspect is minimised. We always have to keep in mind the risk of tipping off the suspect, which is certainly a crime under UK law, and we always need to make sure we're taking every step to minimise that.
It's always important also for the fraud response team to not assume there's nobody listening in, hence the need to maintain off-site meetings, ideally in hotel conference rooms rather than necessarily in coffee bars.
Rich Williams: So what you've mentioned so far, Ben, gives us a lot of insight into how organisations and why organisations shouldn't just sit back and hope to never fall victim to a fraud, but instead to prepare in advance to minimise the damage if they do.
Now, as we know, no business is immune from this and no business is immune from being a potential target. So could we close with an example that you're able to share and just talk us through what went wrong for them?
Ben Hobby: Of course. The car company BMW, unfortunately, was the recent victim of fraud from an employee in finance, who had been diverting funds for supplier invoices into their own bank account. The total taken over a couple of years was the best part of £6m. The fraud was only uncovered during a routine supplier audit.
If we break the issues down into technology, process, and people, I think the first issue on the technology side is that BMW weren't using any kind of protective software to ensure that any payments into a new account or a change of account were detected. Or alternatively, payments going into an employee account when they're labeled as being for a supplier. There was no software in place to detect those kinds of anomalies.
From a process point of view, though, the payments were being made to- It was a legitimate supplier, but a supplier that hadn't been used for approximately 18 months. So from a process point of view, consideration would need to have been given to what steps BMW would have taken to make sure that only approved suppliers that were regularly still being used were allowed to be used by the organisation so that purchase orders could be issued to those companies.
Also, there's an exercise that finance can take as well by reviewing with each of the relevant cost centre managers the costs that are being recorded in that particular cost centre to make sure that they were legitimate. In this particular case, the costs were all being recorded as security. Given the amounts that we are talking about here, they ought to have been able to have been detected by some sort of regular cost centre review.
Finally, we need to consider people as well. The individual who conducted this fraud had a prior conviction, I think it was in the Netherlands, for employee fraud. Particularly where you have an employee coming into finance, it's obviously critical to make sure that one understands their background.
So there's a role to play there for HR in terms of performing all of the relevant background checks to make sure you're not recruiting somebody with something of a chequered past.
Rich Williams: That's very informative, Ben. Thank you. We often talk about how to prevent fraud before it takes place, but you've really shown us today how important it is to be prepared for that becoming a very real eventuality. So thank you once again for your time today.
Ben Hobby: Absolute please. Thank you very much.
PodcastFraud; Is Ignorance Really Bliss
Jack Gianella, Market Development Executive for Risk & Fraud at Bottomline discusses how organisations should be preparing for spot and stop fraud.
PodcastCompliance, Payment Fraud & Sanctions - The Trends of 2019
Bottomline's Head of Market Development for Risk and Fraud James Richardson talks about the statistics discovered in the 2019 Business Payments Barometer.
For Customer Support and Services click here.