Mon, Aug 22, 2016

Best Practices for Mitigating Insider Fraud Risks in China

No company in any industry is immune to insider fraud, which is perhaps one of the most insidious threats a company can face. However, in addition to dealing with the more common types of insider fraud, foreign companies operating in China are particularly vulnerable to frauds perpetrated by senior executives and managers in key functions, who are often entrusted with a great deal of discretion over operations due to the geographic distances, cultural differences and language barriers with home offices.

The following best practice tips are intended as food for thought to help companies deter and mitigate insider fraud risk and the potential damage to their bottom line and reputation that this may cause.

1. Robust, independent whistleblower program should be in place.

Based on our experience at Kroll, and that of leading professional organizations such as the Association of Certified Fraud Examiners (ACFE), a significant amount of insider fraud — over 40% — comes to light from whistleblower complaints. Fraudsters do not operate in a vacuum, and colleagues and business partners often have unique vantage points to be able to observe red flags, such as lifestyle changes and suspicious behavior. Even more problematic is when subordinates are asked to act in ways that are not compliant with company policies and procedures, or recruited outright to engage in fraud.

For companies to discover insider fraud early, it is therefore critical to have a strong whistleblower program that employees feel safe using and not fear retribution for making reports. In some cases that Kroll has investigated, employees are directed to report concerns to a supervisor level, but as this is often the very person involved in the fraud, a program structured this way will not be terribly effective and may not serve its intended purpose where fraud is being perpetrated by senior executives and managers. For a program to be most effective, whistleblower reports should be channeled to an independent party, such as the compliance officer or legal counsel.

2. Culture change needs to occur, where goals are realistic and KPIs reinforce ethical behavior.

While every company strives for outstanding financial performance, companies that seek to deter insider fraud must tie key performance indicators (KPIs) to “how” the results are achieved. Oftentimes, fraud perpetrators are those involved in the procurement or sales functions of the company, and may actually account for a great deal of the company’s revenue. For this reason, managers may not necessarily be inclined to examine too closely the manner in which such persons operate.

The flip side is when ostensibly high sales are not ultimately reflected in the company’s actual revenue (and hence profit). In many cases, Kroll has found sales personnel channeling transactions to sham accounts that will never pay for the supposed goods or services sold. In other cases, the salesperson sells the products or services at a reduced price to shell companies that he or she controls directly or through nominees, then turns around and resells the products or services at the higher market price to actual customers, thereby making illicit personal gains in the pricing difference. Adding insult to injury, in either case, the salesperson's bonus is often based on these dodgy transactions.

Companies suffer in three significant ways from this type of situation: mounting accounts receivables that cannot be recovered; shrinking profit margins; and poor morale in remaining employees whose lives may be impacted by the company’s potentially worsening financial situation or who see fraudsters operate with seeming impunity.
Therefore, companies should have a realistic view and solid understanding of their markets. This will aid in not setting overly aggressive or unattainable sales goals that can lead to fraud and unethical behavior. Companies must also institute a checks-and-balance relationship or link between KPIs — for example, sales figures should be confirmed by actual payments received. Lastly, managers must inquire into — and sales performers should expect to answer — how results are being achieved.

3. Implement a comprehensive due diligence system.

Companies should go the extra mile when performing background checks and investigations on potential new hires, especially for senior executives and employees in key positions. In fact, when Kroll is brought in by a client to investigate fraud, one of our standard operating procedures is to conduct retrospective background investigations on the suspected wrongdoer and when doing so it is not uncommon for us to find that an executive alleged of fraud is someone who had been terminated from a previous employer for unethical conduct.
Too often, we find that a company has brought a wolf into their midst. In one situation where fact is stranger than fiction, when Kroll was asked by three different companies over a number of years to investigate fraud in their operations, we found the very same individual in the center of the fraud. This individual had been terminated by his former employers after being implicated in fraud only to land even more senior positions with the subsequent victim companies.

A particularly dangerous development is when new executives or managers who have not been fully vetted bring along coworkers or colleagues who had helped them commit the fraud at the previous company. These managers will make a strong business case for hiring their old team, claiming they were instrumental in landing new accounts or retaining existing clients. In actuality, they are creating a clique in the organization whereby subordinates understand what is expected of them, and proceed to carry out fraudulent activities or engage in unethical behavior as they did at their old company, often enabling managers to “keep their hands clean.” This creates a treacherous blind spot for the company that is relying heavily on internal controls to prevent or uncover fraud. As internal controls often depend on other functions (such as legal and finance) to serve as a checks-and-balance for the sales department, for example, when individuals from multiple functions act in collusion, such internal controls may well be ineffective or less effective to mitigate the risk of fraud.

Accordingly, employers can effectively mitigate insider fraud risks by looking beyond the great performance that candidates claim on their resume, and making the time and effort to dig a little deeper into “how” these great achievements were obtained. The same level of scrutiny should apply to any coworkers or colleagues that the new hire makes a case for bringing along.

Another strategy is to periodically rotate people in roles with high fraud vulnerabilities — for example, a sales director or warehouse supervisor — to other regions. This practice can benefit the company in two ways. First, it can act as a fraud deterrent. Second, where fraud is entrenched, a new manager may be able to raise red flags or identify fraud as it is occurring.

4. Make it known to all employees that the company has zero tolerance for fraud.

Companies must not only say they have zero tolerance for fraud, they must also back it up with decisive action, no matter how difficult or time-consuming, when they become aware of fraud or unethical behavior by employees in the company, particularly by senior executives and managers in key functions.

In China, it is particularly difficult to terminate employees without very strong, incontrovertible proof that has been properly obtained, together with the right legal framework in terms of the company’s policies, employment contracts and employee handbook.

It takes time, money and resources to pursue the termination for cause of any employee, and because of this, companies will often either follow one of two courses of action:

  1. Ignore the problem. If a whistleblower complaint about fraud is received, or the company separately discovers or suspects that fraud has occurred, the company may be apt to ignore the problem if it deems the damage to be limited.
  2. Make the problem go away. The company may quietly encourage the perpetrator resign, especially if the company fears it may lose face with customers or competitors if the fraud becomes widely known.
    Both of these responses can result in significant complications for the company.
    Ignoring a problem, especially in its early stages, can allow it to fester and grow to the point where it is uncontrollable. In a similar fashion, by not holding the perpetrator accountable in some way, companies send a poor message to their remaining employees.

Similarly making the problem quietly go away also sends a poor message to remaining employees In addition, many companies do not even provide a bad reference for the perpetrating colleague to a future employer. So for remaining employees who have just seen a colleague reap what may often be substantial financial benefits from his or her fraud, with no criminal liability or other repercussions whatsoever, companies should think about what message this is sending and what impact this is having on the corporate culture.
What the company thinks may be a low-cost and low-key solution to its fraud problem may in actuality breed or encourage a corporate culture that essentially encourages fraud or at least makes it appear as a lucrative, low-risk proposition for employees.

If claims for zero tolerance are to be credible and have a positive effect on employee behavior, companies must deal with all instances of fraud decisively and relentlessly, despite the initial relatively high cost and organizational effort required. They should be prepared for knowledge of the fraud to go public, but rather than looking upon this as detrimental to the company’s reputation, this may well be an excellent opportunity to demonstrate to employees and the market that the company truly has zero tolerance for fraud.

Companies can also preempt the problem by hiring people with a confirmed track record for honest and ethical behavior. Additionally, conducting periodic reinvestigations or background checks will also act as a deterrent.

5. Establish effective employment policies and procedures.

In China, it is not easy for an employer to investigate employees or to terminate employment for cause. Having robust policies and procedures in place is absolutely critical for supporting the company’s efforts if an investigation, and potentially also subsequent termination of employment, is to be undertaken. It is critical to obtain local legal advice on the company’s local employment contracts, employee handbook and company policies, including its human resources policies, information technology policy, and social media policy to ensure they are robust enough should you need to conduct a fraud investigation and subsequently terminate employment or bring some form of other civil action. In addition, it is important to also understand and seek advice on local data privacy laws as well as local evidentiary requirements for the collection of information (which may well be required as evidence in any potential future labor dispute) for example, and to factor this into the company’s overall fraud investigation strategy.

While the topic of employment policies and procedures is covered more in-depth in an article that appears in Kroll’s 2015-2016 Global Fraud Report with co-author Dr. Isabelle Wan, leader of the IP and Employment Law practices with TransAsia Lawyers, the following are some of the key practices that companies with operations in China should implement to deal with insider fraud:

  • Clearly state — and have employees acknowledge in writing — that all information that resides on all company devices, to include desktops, laptops, tablets and smartphones, is owned by the company. A company that neglects to explicitly claim its rights is sure to run into a legal challenge in the event it tries to discipline or terminate an employee for mishandling company information.
  • Collect identifying information for all employees, to include their legal Chinese names, as well as addresses and detailed contact information for them and, if possible, for their immediate family members. Furthermore, the employee handbook should state — and the employee should acknowledge in writing — that the company has the right to use this information in the course of an investigation.

There are many cases where foreign-owned companies only know an employee by the English alias the employee uses to communicate with colleagues and clients. Not having the legal Chinese name presents a significant challenge in the event of an investigation.

Investigating conflicts of interest, sham vendor accounts, etc., is more efficient when one has identifying information, addresses and contact information for the employee and family members. For example, in one of our investigations, an employee used his spouse to skirt a prohibition against conflict of interest. Similarly, in a case where a whistleblower raised a red flag for an irregular vendor, we found that the registered address of the vendor matched that of an employee.

As mentioned at the start of this article, one of the most difficult challenges for companies with operations in China is the seniority of most perpetrators. We find that in other regions, the inside fraudster is frequently a junior employee, whose fraud is generally limited to a one-time event or to one specific area of the company.

In China, however, the perpetrator is frequently at the executive level, up to and including the CEO or CFO, with the potential to cause irreparable damage to a company’s reputation and bottom line. This is due to the longer time it can take to uncover fraud when it is being conducted and hidden by someone in power who cannot be supervised or monitored on a daily basis. Fraud that has been entrenched for years and years can be extremely challenging to resolve. The problem is compounded by the fact that virtually all of the business’s operations can be under the control of this individual and removing this individual can result in significant disruption to the business.
Having a robust employment contract, company policies and employee handbook that outline specific consequences and punishment for fraud or unethical behavior can provide some level of deterrence. However, once again, hiring the right individual from the start, and then following up with periodic reinvestigations and unannounced visits from headquarters, can go a long way toward minimizing and perhaps even preventing the risk of insider fraud.

This article was first shown in the March 2016 issue of China Business Law Journal and is reproduced with the kind permission of the editors.


Forensic Investigations and Intelligence

The Kroll Investigations, Diligence and Compliance teams consists of experts in forensic investigations and intelligence, delivering actionable data and insights that help clients worldwide make critical decisions and mitigate risk.