Steve Bewick: Hello and thank you for joining us today for our next webcast in our Fraud Cast series. My name is Steve Bewick and I lead PwC’s Cyber & Forensics practice. I’m delighted that I am joined on today’s Fraud Cast by a panel of experts who are going to be talking to us about the new Failure to Prevent Fraud offence which has been introduced as part of the Economic Crime and Corporate Transparency Act.
For our regular viewers, you will remember that we have had a previous webcast on the Economic Crime and Corporate Transparency Act which focused on the Failure to Prevent Fraud requirements and the impact that this will have on organisations going forward. If you haven’t had a chance to watch that webcast, you can access it via our Fraud Cast webhub.
We have also recently shared a blog focused on the Failure to Prevent Fraud guidance published by the Home Office and another blog which focuses on the role of technology in preventing and detecting fraud and ensuring that reasonable steps have been taken. Both blogs are well worth a read, but then we would say that as we wrote them!
In today’s webcast we will discuss the future legislative environment and enforcement and we will also take a look at some of the approaches companies are taking to implementing reasonable procedures and their views on the future landscape. During the webcast we are going to be using the Webex polling system, so you can share your thoughts as we go through the session. We’d also love to hear any questions you might have for the panel - we’ve got some time at the end to answer those. You can ask these by typing them into the box on the screen - please do engage with that. The Fraud Cast today is going to be recorded, so do take a look at the recording on our webhub after the session and please share the link with your colleagues if they couldn’t attend this live.
So with that, I am delighted to introduce you to our panel of experts today. I am joined by Paul, Laura and Jonathan and I’ll let the panel introduce themselves. So Paul, could I come to you first please?
Paul Duester: Thanks Steve, good morning, my name is Paul Duester, I am Associate General Counsel at the Serious Fraud Office. I am a barrister, I’ve been practising for about 15 years. I’ve spent the first half of my career at the independent bar in London and the second half at the SFO as a case team lawyer and now as Associate General Counsel, providing advice and guidance to various SFO case teams and leading on the Failure to Prevent Fraud offence.
Steve Bewick: Great, Laura, if I can come to you?
Laura Dunseath: Yes, thanks Steve, I am Laura Dunseath, I am Senior Legal Counsel for anti-bribery and corruption and anti-money laundering at Shell. I’ve been practicing in corporate crime and investigations for the past 23 years. Six and a half were at the SFO, so similar to Paul, but now I’m based in London and just advise Shell.
Steve Bewick: Great, and Jonathan?
Jonathan Holmes: Morning Steve, morning everybody. I’m Jonathan Holmes, Forensic partner, I’m in the same team as Steve but obviously a lot of our work recently has been in relation to the ECCTA and the Failure to Prevent Fraud offence and frankly I am really looking forward to learning from you guys as well, so really happy to be here.
Steve Bewick: Great, thank you very much. We are going to start off the session with a poll. This should be appearing on your screen shortly. The question is - “How prepared do you feel your organisation is for the Failure to Prevent Fraud offence”. The options are: “very prepared”; “somewhat prepared”; “not yet prepared”; “unaware” (which hopefully this will change if that is the case) or “not applicable” - so that should be appearing, if you can click on your answer and we will reveal the results shortly. That will be great.
Right, so I am going to bring us onto our first session which is the current and future legal and enforcement environment. So Paul, maybe if I can start with you. Obviously the enforcement date for the Failure to Prevent fraud offence is just after the summer - the start of September. Many of our clients will be wondering what enforcement is going to look like, so perhaps you can share some light on this?
Paul Duester: Sure, I suppose for a bit of context, looking at ECCTA in the round for a second, there are obviously two elements to the act which are particularly important in this face - there is the new expansion of corporate criminal liability which I know you will have spoken about before, and recognising that that is not a new area. It perhaps has been one that has been under utilised because of some issues with the previous test for attributing behaviour to a corporate entity, the “directing mind and will” test that has been replaced by ECCTA with a broader test - I think people would generally agree.
So that is one aspect to it, but then most significantly, as you said, the new offence for Failure to Prevent Fraud, that is genuinely new, it is not a re-tooling of something that already existed. It’s going to allow agencies such as the SFO to enter into a new area really. It will increase the opportunities for enforcement action and pursuing criminality against those that are committing offences and really I think the combination of the two of them significantly increases the enforcement capabilities of organisations such as the SFO and I would expect to see an increase in the number of actions taken against corporate bodies as a result.
That quite neatly ties in as well, in terms of timing, some of your viewers may have appreciated that the SFO has recently launched some new corporate guidance, entering into this sphere, which is built really on our experience over the past ten to twelve years, especially in the DPA context of bribery offences. It has condensed it all into new guidance and that’s going to be particularly relevant I think to some of your organisations, because there is a new emphasis in there, and it states for the first time that corporates that do self-report wrongdoing and co-operate fully with an investigation, can expect to be invited into DPA negotiations rather than facing a prosecution. It also provides greater clarity on what we see as co-operation and so really I think this new environment that we are trying to feed into, you know engage with us, we will be entering this sphere and we are very keen, or at least the Director is very keen, for the SFO to be the first to prosecute the offence so you can definitely expect the SFO to be active in this area.
Steve Bewick: Okay, I am sure that it is very important that people hear that. Jonathan, perhaps if I can come to you next? I know that you have been doing a lot of work with our audit practice here at PwC as well as speaking to a lot of clients on this topic. How do Paul’s comments resonate with what you are hearing from clients and I would just be interested in your perspective?
Jonathan Holmes: I’m happy to give it - I’ll pick up on a couple of points you made there Paul. When you talk about the environment, I think that is really interesting. I think there is a broader set of stakeholders here that the act talks about and the guidance brings to life a little bit. But the clients that we have been speaking to, and we have been doing it ourselves, need to do some thinking around that. Employees for example, as you mentioned, the drop in the line, in the bar, of corporate attribution means that a broader view of employees might need to be taken and considered in that respect. I mean you can come onto the whistleblowing and what may or may not happen in relation to that too.
If we think about the supply chain, again you're back down the road of figuring out what you mean by associate and who it impacts and extra territorial impact and things like that. If we think about regulators, you have already mentioned because and I think it’s interesting, it’s definitely high on the SFO’s agenda, other regulators are obviously potentially involved, like the FCA, and I think talking about auditors, auditors have both the ISA 240 and the ISA 250 requirements as part of their audit - if Failure to Prevent applies to a corporate there is almost a 100% chance they are also getting audited. As a result, whilst an audit is absolutely not a defence from Failure to Prevent fraud and the guidance is very clear on that, but it is something that I think it is very likely the auditors will want to see and are probably going to be the first people to see it once the compliance teams and people like Laura have done the work and management have signed it off, I suspect auditors are the most likely people next in line to see this and to consider it as part of ISA 240, as part of ISA 250. I would echo where you are coming from from a regulatory response but I think there are going to be impacts from a variety of stakeholders in relation to this.
Steve Bewick: I think that is very interesting and maybe Laura if I can come to you as one of those important stakeholders and clearly working in the legal team at Shell, there are going to be a wide range of legal risks that you are going to be dealing with. I’d be interested in your perspectives on how you see ECCTA impacting your legal team and also how you see the risk of liability under this legislation compared to other legal risks that you are dealing with?
Laura Dunseath: In terms of impact, it is yet another risk that we have to manage on top of the existing workload of managing risks such as bribery risks, money laundering, facilitation, tax evasion. Those are the ones that my team specifically deals with but of course as a company we have to deal with many - you just have to look at any sort of international company’s code of conduct these days to see the massive shopping list of risks that we have to deal with on a day to day basis. In terms of impact, the Failure to Prevent Fraud offence, in terms of the conduct that could expose us to the risk of the offence, we already face liability for that conduct in terms of civil fraud. For example, at a divestment, if we made or our company made, as a seller, a material sort of false statement deliberately, the buyer obviously had an ability to take civil action in relation to that - we still have that liability but now we have an additional strand of liability in that we can face the civil action but now we can also face the criminal action.
In terms of penalty, if we compare it to the Failure to Prevent bribery offence, the penalty is the same, it is an unlimited fine - I imagine it will be calculated in the same sort of way. But the difference that I see, in relation to the Bribery Act and this new offence is that, in the Bribery Act there is a consent provision which means that the prosecution cannot be taken without the consent of the Director of Public Prosecutions or the Director of the Serious Fraud Office - there is no consent provision within ECCTA that I can see, so that means that private prosecutors could also take that, so there is a further exposure in relation to that for companies.
Steve Bewick: That is really interesting, there is possibly more that could be coming down the track in terms of prosecutions - that’s very interesting. I’m going to bring us onto our next poll question now, this should be appearing on your screen shortly. The second question is, “What has been the most significant challenge your organisation has faced when implementing procedures to comply with the Failure to Prevent Fraud offence”. The options on this are: “conducting a comprehensive Fraud Risk Assessment”; “updating internal policies and controls”; “raising awareness and driving cultural change”; “managing resource constraints”; “aligning with global compliance obligations” and then “other”. If you could please respond to that poll that would be great.
We have actually had the results of the first poll which has just popped up on the screen here. As a reminder, this was “How prepared do you feel your organisation is for the Failure to Prevent Fraud offence” and by far the biggest response was “somewhat prepared” - 74%. 16% - “not yet prepared”, 10% - “very prepared” and nobody was unaware or thought it didn’t apply so that’s good. (To Paul) I am sure you are pleased that that is the case. So clearly there are a lot of organisations that have started, but there is more to do so I think that is quite interesting, particularly as it comes into force in September - some work to do there.
Right, I’m going to bring us onto our second topic now, which is all about the challenges of implementing ECCTA and Failure to Prevent Fraud. Laura, perhaps if I can come to you first on this one. I’d be interested in how you have been planning to prepare for the Failure to Prevent Fraud offence - in particular, what are some of the challenges that you have experienced as an organisation in the legal team in trying to prepare for it?
Laura Dunseath: That’s a good question, there have been four key challenges in our preparation, in any company's preparation, the first is defining what fraud means for the purposes of the offence, so we have the English definition of fraud. But when we look at the Bribery Act, the Bribery Act actually defines fraud under ECCTA for the purposes of this offence. Fraud is defined as four specific offences which includes: cheating the public revenue, obtaining services by deception, it includes fraudulent trading - you know there is a wide range of different offences. As a lawyer, my job is obviously to explain the law to my lay client in simple terms and in plain English. That is your first challenge - to distill from all of those different offences what fraud means for the purposes of this offence so that I can explain it in staff training and in the code of conduct.
The second challenge is the scope of this offence, so again if we look at bribery, generally you can identify the different categories of employees who can commit bribery on behalf of your organisation. They will generally be people who are winning business or dealing with governments or other key decision makers where they could actually have a motive or an opportunity to bribe somebody and they also have to have financial autonomy in that they can offer some hospitality or that they can sign off to pay for consultancy fees or commissions or things like that. In relation to this offence, nearly any employee could make a false statement on behalf of the company so it is a much wider scope and it really can affect many more areas of the business.
The third challenge is the fact that this offence is very novel and groundbreaking. I am not aware of any offence in the rest of the world which is similar to this Failure to Prevent Fraud offence. When the Bribery Act was introduced, we were fortunate, we could look to America, we could look to the FCPA, the enforcement actions and the guidance given by the DoJ to start the ball rolling in terms of compliance programmes and what to look out for. With this offence, we don’t have any guidance like that and also, traditionally, until this point, how companies have looked at fraud is through the lens of employees committing fraud or anybody committing fraud against the company or using the company to commit fraud against others so hacking in and getting customer data, that type of thing. We’ve never really looked through the lens of the company being the perpetrator of a fraud for its own behalf, so basically it takes the legal team and compliance team back to the drawing board and really invent the procedures and policies from scratch.
The fourth challenge is the existing workload, this is one of many priorities that any sort of international business has and we have to balance that against the commercial pressures as well as the risk pressures in any sort of business and we were only given just less than ten months to implement this offence so it is quite a challenge to be able to manage that. I’m fortunate in that I am supported by a really excellent and experienced risk team, legal team, compliance team and a compliance programme team but I am sure that there are many companies that probably aren’t as well supported and are struggling to meet that deadline right now.
Steve Bewick: It’s quite evident that it is not straightforward. I guess maybe flipping things, and clearly you’ve talked through the challenges, I’d be interested in some of the lessons learnt or maybe the success factors that you can share with others who are maybe starting slightly earlier on this journey?
Laura Dunseath: Well one of the lessons learnt, and I think is a success we have experienced, is not being afraid to go back to the drawing board. Obviously your starting point, I think all of the guidance points to, is leveraging off your existing anti-bribery or fraud frameworks and so that is obviously where we started from, like every other business - but you can find that some of those don’t actually work. For example, we tried to use the same method for our risk assessment for the Failure to Prevent Fraud offence as we did for anti-bribery and for our money laundering and we found that that didn’t really fit quite as well. Principally because of the scope of the offence, it is different categories of employees you are really looking at and different sorts of conduct, so we went down that path and then we realised that this isn’t working and took ourselves back and re-evaluated it and now we have completely changed that design. I think it is the importance of just not being afraid to do that - you know that’s a bit of wasted work but it actually ended up with better success later on. We are happy with the direction we have gone in.
Steve Bewick: Okay - well that is really interesting. Maybe Jonathan, if I can come to you next. I know from the discussions you have been having with our clients that a lot of the challenges that Laura has outlined there will resonate. I would just be interested in your perspectives on that and maybe some of the things that you have heard have worked well or pitfalls or any general reactions to what Laura has just outlined?
Jonathan Holmes: (To Laura) Your four I thought were excellent. You’re right, the survey has 74% of people as somewhat ready and I think that is where a lot of people are at - has everybody looked at the offence and the schedule 13 - the definition of fraud point you made earlier - yes, nine times out of ten. Have people then looked at the guidance and thought how does this apply to me - I think yes. The next stage is that readiness assessment I think we would call it - understanding what other compliance activities you have and how this would fit in amongst them. To what extent can you use what you have already got, but still keep in mind that this has its own perimeter, this has its own definitions and things like that. Naturally what comes from there is - okay, let’s have a policy, let’s understand the governance around this of what we are going to do.
The rubber really hits the road with the Fraud Risk Assessment I think and a couple of pitfalls if I can call it - one is, don’t underestimate the time it takes to bring all of the right people into the room to have the debate and the discussion because it is broader than your financial controls. You’re not going to cover it all if you have just spoken to the finance team and it is obvious, but it does take time and it takes effort to schedule and arrange that. The other thing, and you’ve mentioned this already Laura, you’ve got to get everyone to think like a fraudster. You’ve got to get them to turn their minds from the company being a victim to the company being a perpetrator. Now I would say this, but it is quite fun, but it does take a bit of a mental shift and that is how you get to a really good result. Now, that’s great, but you end up with an awful lot of risks and then you’ve got to draw the line on proportionality. You’ve got to decide, which ones of these are my biggest risks. Where do I draw the line in terms of controls? Again, we have worked with a lot of clients, going through that journey with them and a lot of people are quite reasonably well advanced on that.
The next piece - once I have decided what the controls are, is how do I test them? Do I have to create some controls or can I lean on my J-SOX controls or my SOX controls, but knowing that that is absolutely not going to be the full population of controls that you’re going to need. That’s quite an interesting dynamic because a lot of companies you mentioned have their own internal control teams and how does it all fit together and how do we make it work going forward. Again, and I know we have said it a lot of times already and I know it came up on the last Fraud Cast that we did, it’s not enough to have the control, you’ve got to test it - you’ve got to stress test it and then you want to put it into an ongoing monitoring situation. Lots of companies who have absolutely done the starter for ten stuff, looked at the guidance, came up with a policy, put the governance around it. Lots of companies are working through the Fraud Risk Assessment - there is still a bit of work to do at that tail end to get the controls in place, to test them and to be comfortable with them. There is lots you can do, one of the interesting things with a couple of clients we have seen is, when they have started to do that, they’ve seen a gap and thought you know what, there is a technology here that can actually cover this gap for me and deal with something else, modernise another part of my compliance activities - so it is quite good, to your point, if you’re going to bring it back to the blank sheet of paper, there is some good optionality around what is available to help at the moment.
Steve Bewick: Yes, and interestingly we have had the second poll results in which is all about the challenges and it very much aligns with some of the things that you were saying there Laura and Jonathan - “What has been the most significant challenge your organisation has faced when implementing procedures to comply with the Failure to Prevent Fraud offence”. So, the highest response is, and there is a bit more of a spread here, is “raising awareness and driving cultural change”. Second one being, “conducting a comprehensive fraud risk assessment” and the third “managing resource constraints” and then the others are slightly lower down the line. I think that clearly some of the things we have been talking about resonated with the viewers as well.
Okay, great. Paul, if I can come to you for another perspective from the SFO - can you shed any light on what type of evidence or documents you’d expect to see us providing in defence under the legislation?
Paul Duester: Sure, obviously we need to bear in mind that the requirement under the legislation is to show that you have got reasonable procedures in place to prevent fraud, or demonstrate that it wasn’t reasonable, although I suspect that the latter is going to be slightly less relevant for many of the people who are watching. The starting point is that we are going to want to see those procedures themselves in order to make our own evaluation of them.
Beyond that, it is hard to be too prescriptive. So much is going to depend upon the facts and circumstances and the areas of risk that are relevant to the company in question, because as I think Laura has alluded to, they are vast potentially, and each organisation is going to have slightly different risks in different areas and so I can’t sit here and say we are always going to want to see this document or that document. Fortunately, I think the Home Office guidance is quite good on this point - it has been published and I am sure many people have seen it or read it. Go away and look at that and you can draw out the documents from it - the full prevention plan, that is the key document that it talks about; training programmes; risk assessments - we’ve talked about - and not just the original risk assessments, the continuing risk assessments, obviously acknowledging the fact that this is not a “one and done” - this is a continuous process that companies are going to be expected to do and how those have changed over time, that is arguably going to be important. Due diligence reports, monitoring processes - all of those things are what we are going to want to look at when we get into the real world and are faced with a situation where we are making an assessment of whether the procedures in place are actually accurate. Trying to work out that difference between what is said on the paper, compared to what is actually operating in practice. That is the key of what we are focusing on.
Steve Bewick: That’s really good - I’m sure it is really useful for all of our viewers to hear. Right, I think we now have some time for questions from the audience. I can see we have had some questions coming in, so the first question: “With not long left now until the enforcement date, what are your top tips in terms of immediate next steps to take?” Anybody want to take that one?
Jonathan Holmes: Well it sort of depends on what stage you are at, I mean I think the rubber hits the road with the Fraud Risk Assessment. I think if you’re not actually trying to get your arms around what are the full remit of risks, and therefore what matters, what is proportionate in terms of having controls around those, you’re never going to get to reasonable procedures unless you have managed to understand what fraud risks you have faced. So if you haven’t already started the journey on your Fraud Risk Assessment then I would put that top of the list.
Steve Bewick: Yes, plenty of agreement with that. Okay - “Any tips on how we can address the challenge of raising awareness and driving cultural change with Failure to Prevent fraud?” Laura, I might put that one to you.
Laura Dunseath: Sure, so in Shell, we are fortunate in that it hasn’t really been a cultural shift. Our code of conduct and every message to employees is really clear that we always do business with honesty and integrity - they are two of our three corporate values. I would imagine that most UK companies are similar, any code of conduct that I have looked at, any client I have advised in the past, it is similar, so it shouldn’t really be too much of a cultural shift. Obviously there are going to be revisions to really bring out fraud in some of those policies and self-awareness, but there shouldn’t be too much of a cultural shift particularly with regulated companies, if you think about that, they already have to have fraud controls.
But raising awareness, what we have done to raise awareness is we already have regular E&C (ethics & compliance) communications and moments, so in every senior management meeting or just management meetings, they have regular ethics and compliance updates. For the last two years, since we knew this offence would be coming in, since ECCTA has been passed, we have been just raising awareness that this offence is coming - this is what we are doing, updating people each time on how we are getting along with it. We’ve already been raising awareness in that sort of way - E&C newsletters and things like that that we do - I think those are the best ways to raise awareness internally so people are forearmed and this isn’t going to surprise them.
Steve Bewick: Okay that’s great. I think we have probably got time for one more question - “Should we be actively discussing ECCTA and Failure to Prevent Fraud with our auditors now?” - I’m happy to take that one. I always think that engaging early with auditors is a good idea - you’d want to make sure that you’ve got a good story to tell in terms of talking about the steps that your organisation is taking to make sure that you are prepared.
Right, before I bring us to a close - I think that has been a really interesting discussion - I’m going to come to the panel for brief final remarks. Maybe Paul, if I start with you?
Paul Duester: Sure, I mentioned earlier about the new SFO corporate guidance and one thing I didn’t say about it was obviously, what we are hoping is that this is going to produce an added incentive for companies to come forward and self-report. I think clearly there is going to be an opportunity out there for some companies in some circumstances where this is going to be a live issue for them and so we would encourage them to read the guidance and come forward when they feel that there have been problems in the organisation and they need to report to us.
Steve Bewick: Okay - Laura?
Laura Dunseath: I would like to point out something that I think Paul and Jonathan have both covered - which is, remember your compliance programme is an evolving beast, it is a living set of policies and procedures. So what we have now shouldn’t be what it is going to be forever. Your assurance, your audit results and things like that will tell what’s working and what is not working. Enforcement actions will also tell us where other companies have gone wrong or positive things they have got credit for. So we should always be remembering that what we have now might be our starter for ten, but we will mature as the offence has been in existence for longer.
Steve Bewick: Yes, okay. Jonathan?
Jonathan Holmes: A couple of thoughts I guess, I would echo what the panel has just said as well. Firstly, there is some work to do if it hasn’t been started and I get Laura’s point around priorities as well. But it does take a bit of thinking about and a bit of consideration in the mix of everything else. I guess I would say this, but it is a bit of an opportunity as well - for compliance functions and teams - it will involve them potentially dealing with parts of the business that they didn’t spend as much time with - whether it is things around the ESG agenda, whether it is around the company secretarial and things like that - investor relations. It is a bit of an opportunity I think - really there is a lot of technology out there as well that can really help shift the dial on this. I mean I would say this, it is quite exciting.
Steve Bewick: Very good - right, we are pretty much at time so I’m going to close off. So firstly, a huge thank you to our panelists for taking us through those insights. I think it has been a really interesting discussion and I have certainly learnt something and thank you to all of you for joining us. Please do be sure to visit the Fraud Cast webhub where you will be able to find links to the previous webcasts in the series. Don’t forget to keep an eye out for future Fraud Cast sessions. Please do let us know if there would be any other topics you’d be particularly interested in - we want to make sure that these are as relevant as possible. So thank you very much, and we look forward to seeing you all again soon.