fraud360 issue 1 2016

Is Technology a Double-edged Sword? PG. 25

Digging Deeper: The Importance of Vetting Third-Party Partners PG. 31

Case Studies: Forged Documents, Due Diligence and Health Insurance Fraud PG. 28

Pre- or Post-employment Screening: Which is More Critical? PG. 14

ISSUE 1 2016 CRIGROUP.COM

Published by

Fraud and White-Collar Crime Investigations | Background Investigations | Business Intelligence | Corporate Security | Forensic Accounting | Investigative Due Diligence

SPECIAL MIDDLE EAST EDITION

CROSS BORDER BEST PRACTICES FOR

INVESTIGATIONSPG. 18

Fraud 360 issue 5.indd 1 2/9/16 9:43 PM

2 | FRAUD360 | ISSUE 1 2016

When it Comes to Fraud Risk, Think Global

Welcome to the latest edition of Fraud360. Once again, we present you with articles that examine best practices, resources and tech-niques aimed at helping you prevent and detect fraud.

First, I am proud to announce that CRI Group is a platinum sponsor for the first-ever 2016 ACFE Middle East Fraud Conference, being held this month in Dubai. CRI Group is a natural fit for the conference as we have our headquarters here in Dubai, and if you are in attendance I invite you to meet us at the conference. You can read more about this exciting event on page 6.

Our cover story, “Best Practices for Cross-Border Investigations,” provides an expert’s view at navigating the challenging waters of international fraud prevention. Drawing on scholarly articles from various studies on fraud, we’ve identified five best practices to help your company remain FCPA compliant and reduce risk when conducting business across borders.

What does background screening mean to you? Does your company conduct checks, and if so, are they pre- or post-employment, or both? Check out “Pre- or Post-employment Screening: Which is More Critical?” for some insight into this critical tool for fraud risk management.

Technology: We need it, we use it, and it has changed our lives and the way we do business. But like many things, it has a dark side. In “Is Technology a Double-edged sword?” we examine how companies are scrambling to improve their information security, and how businesses that fail to do so risk losing their customers’ trust, and face harm to their reputation.

We also present case studies, the latest fraud news and other engaging articles to help you stay informed and educated on the anti-fraud front.

As always, I invite you to reach out to us and tell us about the issues that are important to you. Just send us an email at [email protected]. Fraud360 is your magazine. I hope you enjoy this edition, and thank you for reading.

Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI Chief Executive Officer of CRI Group

Letter from the CEO


CRIGROUP.COM | 3

Spotlights & FeaturesFraud360 | Issue 1 | 2016

14Pre- or Post-employment Screening: Which is More Critical?

25Is Technology a Double- edged Sword?

28Case Studies: Review of Conflicts of Interest, Pre-employment Screening and Due Diligence

31Digging Deeper: The Importance of Vetting Third-Party PartnersAn Interview with Zafar I. Anjum, CEO of CRI Group

18Best Practices for Cross Border InvestigationsPreparedness for investigations and management of vulnerabilities is critical for organizations seeking to maintain a global competitive ad-vantage. Learn five best practices for risk management, investigations and FCPA compliance.

14

25

18

SPECIAL MIDDLE EAST EDITION


4 | FRAUD360 | ISSUE 1 2016

Fraud360 is created for business leaders, directors, investors and professionals who need the latest informa-tion and best practices for protecting their assets from fraud. Presenting practical tools, case studies, and articles focused on fraud prevention and detection, Fraud360 provides an insightful look at the issues impacting businesses worldwide.

Fraud360 is published by Corporate Research and Investigations, LLC. (CRI Group).

MIDDLE EAST & NORTH AFRICADubaiCRI Group Corporate HeadquartersLevel 9, #917, Liberty House, DIFCP.O. Box 111794Dubai, UAETel: +971-4-3589884Fax: +971 4 3589094Email: [email protected]: CRIGroup.com

Abu DhabiOffice No: 3509, 35th FloorAl Maqam Tower, ADGM Square Al Maryah Island,Abu Dhabi, UAE Tel: +971 2 4187568 Email: [email protected]

QatarQFC BranchOffice No. 130, 1st FloorAl – Jaidah Square, 63 Airport RoadP.O. Box 24369Doha, QatarMobile: +974 7406 6572Tel: +974 4426 7339Email: [email protected]

EUROPELondonEMEA Head OfficeLevel 371 Canada SquareLondon E14 5AA, United KingdomTel: +44 207 712 1626or +44 203 4782449Email: [email protected]

NORTH AMERICANew York 445 Park Avenue9th Floor – Suite 957New York, NY 10022United States of AmericaTel: +1 (212) 745-1148 Email: [email protected]

ASIAPakistanLevel 12, #1210, 121155-B, Islamabad Stock Exchange (ISE) TowersJinnah Avenue, Blue AreaIslamabad, PakistanTel: +92 51 111 888 400Toll Free: 0800 00 CRI (274)Email: [email protected]

Singapore1 Raffles Place, #19-61, Tower 2One Raffles PlaceSingapore 048616Tel: +65 6808 5634(35)(36) Email: [email protected]

Hong KongRooms 05-15, 13A/F, South Tower World Finance Centre, Harbour City 17 Canton Road Tsim Sha Tsui Kowloon, Hong Kong Tel: 852-2208-6064 Email : [email protected]

MalaysiaLot 2-2, Level 2, Tower B,The Troika, 19 Persiaran KLCC,M50450 Kuala Lumpur, Malaysia

WORLDWIDE LOCATIONS

SUBSCRIPTIONS

To subscribe to Fraud360, please email us at [email protected]. Or contact one of our worldwide locations directly.

To advertise with us, please send an email to [email protected]. Space is available for our printed maga-zine as well as our email newsletter, Fraud360 News Brief International. Con-tact us today for more information.

For editorial inquiries, questions and comments, please email us at [email protected].

Fraud360 is published by Corporate Research and Investigations LLC:

Global HeadquartersLevel 9, #917, Liberty HouseDIFC, P.O. Box 111794Dubai, UAETel: +971-4-3589884Fax: +971 4 3589094

© 2016 Corporate Research and Inves-tigations, LLC. Copyright is reserved throughout. Although Fraud360 may be quoted with proper attribution, no part of this publication may be re-produced without the express written permission of the publisher. Contri-butions are invited but copies of all work should be kept as Fraud360 can accept no responsibility for loss. The views expressed in Fraud360 are those of the authors and might not reflect the official policies of CRI Group.

ADVERTISE WITH US

EDITORIAL


CRIGROUP.COM | 5

SUBSCRIPTIONS

About CRI GroupCorporate Research and Investigations, LLC (CRI Group) is a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organizations. A licensed and incorporated entity of the Dubai International Financial Centre (DIFC), CRI safeguards businesses by estab-lishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business.

Connect with us on the web via your mobile device or social media.

LinkedIn

Facebook

Twitter

Blog: FraudInsider.com

ADVERTISE WITH US

EDITORIAL

Certifications


6 | FRAUD360 | ISSUE 1 2016

News & Media

CRI Group is proud to be a Platinum Spon-sor of the upcoming 2016 ACFE Middle East Fraud Conference, Feb. 14-15, 2016 in Dubai. More than 300 anti-fraud profes-sionals will gather under the kind patron-age of His Highness Sheikh Maktoum Bin Mohammed Bin Rashid Al Maktoum, the Deputy Ruler of Dubai and Chairman of FAD, at the conference hosted by the Financial Audit Department of Dubai.

The event will be held at Atlantis, the Palm in Dubai. Attendees to the Middle East Fraud Conference will:

• Learn the latest trends in fraud preven-tion, detection and deterrence during in-teractive sessions, educational workshops and an informative panel discussion

• Meet with high-ranking and reputable speakers from leading organizations in the Middle East

• Gain insights to best practices and learn about cutting-edge tools and techniques to detect fraud

• Forge strong alliances with new and existing contacts who share similar challenges and goals

Featured speakers include Bruce Dor-ris, J.D., CFE, CVA , vice president and program director for the Association of

Certified Fraud Examiners (ACFE); Prof. Dr. Marco Gercke, director, Cybercrime Re-search Institute; Jeffrey Robinson, author and international expert on organized crime and fraud; and Hamed Kazim, CEO, HK Consulting (United Arab Emirates).

CRI Group’s CEO Zafar I. Anjum, CFE, said that his company eagerly embraced the opportunity to be a Platinum Spon-sor at the Middle East Fraud Conference. CRI Group’s world headquarters is located in Dubai.

“This opportunity for training and sharing best practices for fighting fraud is unmatched in the Middle East,” Anjum said. “We look forward to meeting at-tendees personally at the conference, discussing their challenges and how we can work together to prevent and detect more fraud — not just in the Middle East, but around the world.”

The host of the conference, the FAD, conducts regular financial audits, infor-mation systems audits and performance audits for ascertaining the extent of legality, adequacy of financial prudency and management of financial opera-tions. The objectives include reviewing of efficiency, effectiveness and economy in planning, directing, execution, control-ling and monitoring of operations.

Upcoming EventsFind CRI Group at the following events around the globe in 2016:

CRI Group is Platinum Sponsor of the 2016 ACFE Middle East Fraud Conference this February in Dubai

2016 ACFE Middle East Fraud ConferencePlatinum SponsorAtlantis, the PalmDubai | February 14-15, 2016

27th Annual ACFE Global Fraud ConferenceGold SponsorARIALas Vegas, NV | June 12-17, 2016


CRIGROUP.COM | 7

CRI Group has become the first investigative re-search company in the Middle East to receive the BS 7858:2012 certifi-cation for security checks from interna-tionally recognized training and certifi-cation body BSI.

The certifica-tion recognizes CRI Group’s expertise in screening services including identity checks, financial checks, employ-ment checks and criminal records checks, as follows:

• Identity checks. ID confirmation, five years address history, right to work check, char-acter references, SIA (UK)/Relevant Licence check (if applicable).

• Financial checks. Bankruptcy / Insolvency / IVA, CCJ (Up to £10,000) for UK, Regional Trial Courts (outside UK), credit score.

• Employment checks. Five or 10 years employment history, gap referencing (more in-depth and extended to 31 days).

• Criminal records. Basic disclosure, local trial court record.

Founded in 1901, BSI (also known as Brit-ish Standards Institution) is the UK national standards body that works with thousands of organizations in more than 150 coun-tries. BSI is accredited by 20 local and inter-national bodies.

BSI’s security checks certification recognizes CRI Group’s capabilities “regarding the back-ground screening (vetting) of individuals em-ployed in an environment where the security

and safety of people, goods or property is a

requirement of the employing organization’s

operations, or where such security screening

is in the public interest.” The certification pro-

cess includes a rigorous audit and inspection

of CRI Group’s quality management systems.

Zafar I. Anjum, CRI Group’s president and

CEO, said that the being the first investigative

firm in the Middle East to earn BS 7858:2012

is a point of pride for the company. The

certification demonstrates the firm’s commit-

ment to “providing the highest standards and

delivery of professional background screen-

ing services.”

“CRI Group has always provided the high-

est level of professional security checks, and

we frequently conduct background screen-

ing investigations in geographic regions not

serviced or accessible by larger investigative

firms,” Zafar said. “Conducting thorough secu-

rity checks is an important proactive measure

to help keep any business safe.”

CRI Group Earns BSI Certification for Security Checks

Zafar I. Anjum, CRI Group’s president and CEO, receives the official BSI certification from Mr. Ahmad Al Khatib, General Manager for Assurance and Testing.


8 | FRAUD360 | ISSUE 1 2016

Is Sentiment Analysis Helping in the Fight Against Fraud?

The way we write says a lot about our inten-tions. “Sentiment analysis” is predicated on the idea that writing — whether in an email, text or memo to a colleague, for example — can be generally defined in one of three ways: positive, negative or neutral. It uses algorithms that can scan large amounts of text, looking for keywords and measuring tone much more quickly, and efficiently, than could a person.

The applications for this kind of technol-ogy are nearly endless. Companies can scan social media messages to learn what about their business or prod-ucts is trending, whether it be in a negative or positive way. Marketers can measure keywords to discover buying tendencies and analyze their audience demographic.

Sentiment Analysis for Internal UseEmployers can (and have) used it to monitor employees, including one case (cited by an article in Harvard Business Review) in which “semantic analysis identified a small team of salespeople in the middle of negotiating their defection to a competitor. The senti-ment analytics software had identified both atypical frequency and vocabulary between the sales people and — more provocatively — radically different exchanges between the sales people and key accounts.”

That last example should spark a light bulb in every fraud investigator’s head. When analyzing employees’ communication, there are keywords and language that can tip companies off that their employers are en-gaging in fraud. It can be an invaluable tool

that raises red flags, hopefully before a fraud scheme is so far developed that it is costly and crippling to the company.

History of Sentiment AnalysisThe concept isn’t all that new: The New York Times reported in 2009 on sentiment analysis and its potential. In “Mining the Web for Feel-ings, Not Facts,” Alex Wright explained:

An emerging field known as sentiment analysis is taking shape around one of the com-puter world’s unexplored frontiers: translating the vagaries of human emotion into hard data.

This is more than just an interesting pro-gramming exercise. For many businesses,

online opinion has turned into a kind of virtual currency that can make or

break a product in the marketplace.Yet many companies struggle

to make sense of the caterwaul of complaints and compliments that now

swirl around their products online. As sentiment analysis tools begin to take shape, they could not only help businesses improve their bottom lines, but also eventually trans-form the experience of searching for informa-tion online.

Even back then, as the NYT reported, an industry was emerging and several compa-nies were already offering subscription ser-vices to provide sentiment analysis – though it was geared chiefly toward companies measuring sentiment among buyers, not their own employees.

Test Case: EnronHowever, researchers have already been able to test sentiment analysis within the fraud realm in a backward-looking way. Using En-ron emails (that were made public during the scandal), sentiment analysis revealed a series of red flags throughout the lifetime of the

Fraud News Brief


CRIGROUP.COM | 9

fraud: “the red marks flag emails where the sender’s sentiment suddenly turned sharply negative (and would therefore be a good place to start looking for evidence).”

Right now, sentiment analysis still seems to be used only on a limited basis. How-ever, we may one day see a time when it is a standard internal control, and a part of most fraud prevention strategies. Sentiment analy-sis won’t prevent every fraud, nor help close every case. But it can provide a good starting point to knowing that something is amiss.

When Gifts in Business are Tools of Corruption

In many cultures, we celebrate giving gifts during the holiday season. In the business world, however, sometimes gift-giving is a year-round occurrence … and it can take the form of corruption.

World Bank’s Enterprise Surveys provide detailed statistics on where this type of corruption, which encompasses bribes and “illegal gratuities,” is most rampant. BusinessTech, a South African based-site for business and technology news, recently provided an analysis of World Bank’s findings and distilled the results in “The biggest corruption problems in the world — and where they happen most.”

Among its conclusions, BusinessTech found that “the most corrupt region in the world is South Asia, which includes countries such as India, Pakistan, Afghanistan, Ban-gladesh and Sri Lanka.” Not too far behind is Africa: “The data shows that the Sub-Saharan Africa region is far above the global average when it comes to incidences of corruption experienced by global enterprises.”

It is unfortunate when more than a quar-ter of firms surveyed in those regions expect to give gifts to public officials in order to “get

things done,” a matter-of-fact way of “greas-ing the wheels,” as one might say. As the article states:

According to the survey findings, the most prominent form of corruption around the world involves giving gifts to governments to secure contracts. 27.1% of enterprises, globally, have indicated having been expected to do this.

In U.S. law, an illegal gratuity is defined as the following:

Illegal gratuity is something of value that a person gives, offers or promises for the purpose of influencing the action of an official in the discharge of his or her public or legal duties. For example, it is an offence to improperly in-fluence judges or other judicial officers, mem-bers and officers of public bodies, or voters at public elections.

There are plenty of case studies in which contractors, government officials, or even business executives have been on one side or the other of bribery or illegal gratuities. TheCGP.org provides two cautionary tales on

their website:On April 25, 2013, the U.S. Depart-

ment of Justice issued a press release announcing that a Bureau of Prisons (BOP) employee had pled guilty to a charge of receiving unlawful gratu-

ities. The BOP employee, a supervisory traffic management specialist in the BOP

Relocation Services section, was responsible for giving relocating BOP employees a list of ap-proved movers and then referring their move to agents of the chosen carrier. While performing these duties the employee received spa and sa-lon gift cards in the amount of $1,007 and $790 from one carrier’s agent, as well as free mov-ing services from moving companies. The BOP employee was subsequently assessed a fine of $1,500 and placed on probation for 18 months.

And:On June 5, 2013, the Washington Post

reported that the Internal Revenue Service (IRS) had placed two managers on administrative leave for accepting free food and other gifts


10 | FRAUD360 | ISSUE 1 2016

in violation of government ethics rules. These violations were discovered during an audit of a years-old conference, at which the manag-ers “allegedly held an after-hours party in their private hotel suites.” It apparently was not clear who gave the managers the food, worth $1,162. Acting Commissioner Danny Werfel said in a statement to the Post that the IRS has started the process of firing the managers.

Gift-giving — to loved ones, friends, and even colleagues — can be a fulfilling and wonderful endeavor. In business, however, it can sometimes take the form of corrup-tion. Businesses should be quick to adopt a no-tolerance policy for bribery and illegal gratuities, and make sure it is communicated across the entire organization.

Is a Tidal Wave of Online Credit Card Fraud on the Horizon?

The U.S. has a serious credit card fraud prob-lem. In fact, a Nilson report (as cited by the Wall Street Journal) estimated that for every $100 spent using a credit card, 13 cents is lost to fraud. That may not sound like much, but when multiple by thousands of such transactions and spread across millions (or billions) of dollars, the impact is significant. But here’s the kicker: outside of the U.S., only 4 cents is claimed to fraud (three times less than in the U.S.).

The difference has generally been attributed to less secure credit cards in the States. Until this year, banks were resistant to using chip and pin technology, which pro-vides more protection (and has been the standard in Europe for over 10 years). Now, the U.S. is going part way, at least: the new-est cards are embedded with chip technol-ogy (but are without PIN, notably). This is expected to help decrease fraud in the States and bring the number back closer to the rest of the world.

However, some experts see a new wrinkle

in the changeover. Chip technology only

makes “card present” transactions more

secure. Naturally, since a merchant’s card

reader needs the actual credit card to read

the chip, that’s the only way they can control

fraud from a point-of-sale transaction. The

problem, critics say, is what happens during

“card-not-present” transactions.

In a commentary piece for DarkRead-

ing.com, Ben Jackson writes that a “fraud

tsunami” is headed to the shared economy

— via “card-not-present fraud.” As head of

risk management and fraud prevention for

PromisePay, Jackson warns that due to the

clampdown on fraud through chip technol-

ogy, fraudsters are likely to simply take more

of their business online:

Fraud in the online world is about to in-

crease dramatically over the next 12 months.

With the introduction of Europay, MasterCard,

Visa (EMV) chip technology in the United

States, card-not-present fraud (CNP) will show

a substantial increase, and if the results of

EMV adoption in the UK and Australia are any

indication, CNP fraud could rise anywhere

between 10- to 20%. A recent LexisNexis report

outlines how merchants are left liable

to online fraudulent activity — with

them paying out $3.08 for each dol-

lar lost to fraud.

Jackson follows that up with an

illustrative comparison:

Think of fraud as water running downhill

— it will always follow the path that allows it to

flow in the easiest way possible.

This could mean big trouble for banks,

who are already inundated with fraud claims

and subsequent investigations, and also mer-

chants who now bear a greater share of risk

overall in credit card transactions.


CRIGROUP.COM | 11

So what can your clients do to be better protected as fraudsters shift gears and take more of their business to the Internet? Five things, according Jackson:

• Educate. “Knowledge is power. Learning about the latest fraud trends is essential.”

• Verify data. “This can incorporate IP identifi-cation and proxy piercing, device fingerprint-ing, and more basic level user data such as email/mobile/social media.”

• Employ a rules engine. “The rules engine is a middleware application that allows you to create rules when tracking and managing fraud. You can perform pre- and post-authorization tests and rules, as well as rules to handle the return results from authorization. This is a must-have for any medium- to large-sized merchant.”

• Use chargeback reporting. The final rung of the ladder against fraud is at the chargebacks layer. It is commonly accepted that up to 1 out of every 100 transactions will result in a chargeback, and 86 percent of these chargebacks are fraudulent. It is also accepted that there is a 1 in 10 chance of the merchant winning the chargebacks — clearly a costly situation for the merchant. Charge-back reporting is so important because they show the merchant what they’ve missed, and allow them to analyze the event, and so bet-ter protect against it in the future by imple-menting risk-based controls.”

The idea that fraud may become worse after new protection methods are employed is not what anyone (other than fraudsters) wants to hear. But as every fraud investigator knows, con artists and other criminals adapt to 1) follow the money, and 2) find the path of least resistance. Right now, the Internet provides both of those elements. It is up to businesses and their security personnel to find a way to thwart them.

Mafia, Hells Angels: Extreme Construction Fraud in Quebec

The construction industry is susceptible to corruption on many levels. Bid rigging, procurement fraud, overbilling, just to name a few of the types of schemes — with each different layer and a variety of contractors involved, the risk of fraud is high. While government regulations and industry best practices have evolved to help mitigate the risk of fraud, there are many opportunities to work outside of those guidelines to gain an unfair advantage.

In Quebec, fraud in the corruption indus-try has recently been revealed to be

widespread and extreme. So wide-spread and extreme, in fact, that the Mafia and the Hells Angels are alleged to be deeply entrenched in

the industry, according to Superior Court Justice France Charbonneau.

As reported in the Toronto Star:“This investigation confirmed that there was

a real problem in Quebec and that it was far more widespread than we originally believed,” Charbonneau said.

She said that the Mafia and Hells Angels worked their way deep into the industry, gain-ing access to public and private contracts and worker’s pension funds.

“A culture of impunity developed,” Charbon-neau said, reading from a prepared statement.

The commission heard of bribes, kick-backs, assaults and even murder.

Charbonneau addressed the corruption problem during the release of her highly anticipated report on corruption in the prov-ince. Conclusions on the state of the prob-lem were drawn from the testimony of 300 witnesses since the opening of an inquiry three years ago.

“Contractors revealed that they were the victims of threats, intimidation and assault,” she said. “Their testimony took us to the heart of our mandate.”


12 | FRAUD360 | ISSUE 1 2016

The problem is not limited to Quebec. Construction fraud is on the rise, experts say, fueled by economic pressures, tight credit, subpar controls and a lack of whistleblower protections. An article in Construction Busi-ness Owner offers the following tips for spot-ting irregularities:

• Schedule out the subcontractor pay applications.

• Compare actual to budget on a line-item basis.

• Reconcile the payments to the pay applications.

• Reconcile the pay applications to the underlying cost records.

• Track changes in the SOV.

• Track changes in the contingency account.

• Compare change order signature dates to the actual time the work was completed.

• Inventory the lien waivers.

• Make a list of purchased equipment, and inventory the remainder.

• Conduct supplier confirmations.

• Prove reimbursable charges.

• Tie subcontractor bills to the payment applications.

• Compare drawing/spec material volumes to claimed actual volumes.

• Review the subcontractor bid selection process and selection documentation.

Fraud and corruption in the construction industry isn’t going away any time soon. But companies at each level of the process can reduce risk by implementing the proper controls. By following anti-fraud policies and being attuned to red flags of fraud, business leaders can help protect themselves, and their clients, from serious financial loss.

Background Checks: BMW Case is a Cautionary Tale

Pre-employment screening can provide a critical level of protection for organizations. Obviously, any business owner wants to weed out potential “bad actors” before they end up on their staff roster. When it comes to screening existing employees, however, there are important considerations and legal implications that need to be addressed. It is a lesson that revered German automaker BMW is learning the hard way, and other business leaders should be aware of the consequences.

BMW finds itself having to pay a $1.6 million settlement in a race discrimi-

nation suit that stems from perform-ing background checks on current (at the time) employees. As detailed

in Human Resource Executive On-line, here is what happened:

In the summer of 2008, BMW switched contractors handling the company’s logistics at its Spartanburg, S.C., production facility, and required the new contractor to perform criminal background checks on all existing lo-gistics employees who re-applied to keep their jobs. At the time, BMW’s guidelines regarding criminal convictions excluded individuals with convictions in certain categories of crime from employment, regardless of how old the con-viction, or whether it was classified as a felony or misdemeanor.

So, the reader might wonder, where was the fault in their process? The article goes on to explain the point at which things became problematic:

In the suit, the EEOC alleged that BMW discriminated against a group of African-Amer-ican logistics workers when the new contractor excluded these employees at a disproportion-ate rate after performing criminal background checks and learning that roughly 100 of these incumbent workers did not pass the screen.


CRIGROUP.COM | 13

According to the EEOC, 80 percent of the exist-ing employees who were subsequently disquali-fied from employment — some of whom had worked there for several years — were black.

By implementing their screening, and then sticking firm to employment policies with either an ignorance or a disregard for what could appear to be racial profiling, BMW opened itself to the lawsuit that led to the $1.6 million settlement. While $1.6 mil-lion won’t break the bank, by any means, for a large automaker, it probably more than offsets any trivial gain BMW hoped to achieve by protecting itself from potential worker misconduct or potential fraud, whichever may be the case.

As the article notes:As evidenced by this settlement, conduct-

ing criminal background screens on existing employees seems to be a risky and potentially costly proposition.

The BMW case shows this to be true, but even more so, the decisions made based upon the information provided from back-ground checks are where the risk and cost ultimately lay. At CRI Group, we excel at pro-viding every level of background screening in all parts of the world. Our screening agents are in countries and locations that other net-works don’t reach.

The reason? Business leaders need infor-mation in order to make the right decisions — about their businesses, their employees and their partners. However, after receiving information from background screening, ex-ecutives and human resources professionals must make reasoned and careful decisions on personnel rather than following strict, sweeping policies.

If the BMW employees had been reviewed on a case-by-case basis, it stands to reason that many of them would be seen as valuable in their jobs, and without conduct violations or any recent legal problems, there would

be little risk — and more reward — in keep-ing them in their positions. One should not seek to remove skilled and qualified workers based on inflexible policies that don’t serve the company.

The message from the BMW case should not be, “avoid performing background checks on current employees.” Instead, it should be emphasized that background screening is important, and should be used as part of an overall review process that weighs an em-ployee’s performance, conduct, trustworthi-ness and tenure at the company.

If BMW had followed such a reasonable path, they would be able to keep the $1.6 million … and some longtime employees.

— By Kanwal Zafar General Manager, CRI Group

Advertise With Us

To advertise with us, please send an email to [email protected].

Space is available for Fraud360 magazine as well as our monthly email newsletter, Fraud360 News Brief International.

Contact us today for more information.


14 | FRAUD360 | ISSUE 1 2016

ost of us are familiar with the AXACT diploma mill/fake degrees case that came to

light in May 2015 through an exposé by

the New York Times. Following this breaking news, investigators descended on Axact, a company based in Karachi, Pakistan that mysteriously provided phone numbers

BY JAVERIA ADEEL

M

Pre- or Post-employment Screening: Which is More Critical?


CRIGROUP.COM | 15

for dozens of fake online programs and had stacks of diplomas from these schools in their headquarters. The fake colleges had American-sounding names, like Newford, Rochville and Drumount University.

Axact is just one example, as there are many such fake degrees available online. The problem of fake degrees is nothing new, but the Internet has made it easier than ever to obtain a bogus qualification. With competition still fierce in the jobs market, some people are tempted to beef up their résumé by buying a fake degree.

The institutions that sell these fake qualifications are known as either diploma mills or degree mills. Diploma mills issue fraudulent diplomas supposedly granted by real universities, while degree mills pose as real universities. Setting up a degree mill is simply a matter of creating a website that looks like it belongs to a genuine university. The website includes a method for custom-ers to pay for their qualifications online and a place for prospective employers to con-tact to verify the degree is genuine.

Some degree mills award degrees on the basis of the buyer’s supposed “life experience,” while others require a small amount of coursework. One degree mill re-quired about a week’s worth of coursework to earn a masters degree.

As detailed by CNN, George Gollin, a board member of the U.S.-based Council for Higher Education Accreditation, esti-mates that more than 100,000 fake de-grees are sold each year in the U.S. alone. Of those, around one third are postgradu-ate degrees. He added that a bogus degree will typically cost $1,000.

While some people might be duped into believing they are obtaining a legiti-mate qualification, almost everyone buy-ing from a degree mill knows they are get-ting a fake. But for some, knowingly buying a fake degree is an easy way of improving their job prospects. Generally, fake degrees

are bought for economic advantage for people who are seeking promotion or seeking to get jobs where the employer wants them to have a degree.

If it’s difficult for the authorities to keep tabs on the degree mills, it can be even harder for employers to spot if a potential employee has fake qualifications. But there are steps that employers can take to guard against fraudsters. Many countries have government-run websites through which one can easily check if a university is offi-cially accredited. But because diploma mills offer fake degrees from real universities, it is essential that employers also check with someone at the university to confirm that the degree was actually issued.

If someone claims to have an advanced degree for which they should have written a thesis, they should be able to produce a copy of that thesis. If they can’t provide contact details for their graduate studies advisor, be suspicious, because that should raise a red flag. But separating the real from the fake becomes even more complicated if a job candidate has a qualification obtained overseas. It can be increasingly difficult to verify that a foreign university is genuine.

This discussion raises one important question in regards to which is more criti-cal: pre-employment or post-employment screening?

Let’s first understand what pre-employ-ment screening is. Basically, pre-employ-ment screening refers to the process of investigating the backgrounds of potential employees, and is commonly used to verify the accuracy of an applicant’s claims as well as to discover any possible criminal history, workers compensation claims, or employer sanctions.

Some employers do provide pre-em-ployment screening — whereas post- employment screening is totally ignored by most employers. Even some employers are more likely to screen entry-level


16 | FRAUD360 | ISSUE 1 2016

employees than senior executives, but which type of employee could do more damage to the company’s assets, brand and reputation? Organizations who give the C-level a pass on the most thorough background checks leave a glaring gap in their protection that could have cata-strophic consequences. Several CEOs of some of America’s largest companies have been caught lying about their qualifica-tions or fudging their résumés. It is equally, if not more important to thoroughly screen all C-level and senior executive hires.

Fourty-four percent of employers review the screening results for workers who are hired by a staffing agency. Of the remaining employers, 35 percent stipulate compliance in the staffing agency’s contract terms, and 8 percent conduct periodic audits. What is most concerning, however, is that 13 per-cent of human resources professionals are unaware of whether the staffing agencies they work with even perform background checks. This is absolutely one area where employers must not drop the ball. Every employee should be thoroughly screened regardless of whether they were hired di-rectly by HR or through a staffing agency.

The optimal solution is for employers to run their own background checks on any workers supplied by a staffing agency. If an employer opts to review the screen-ing results instead of conducting their own thorough and up-to-date check, then they should first check that the staffing agency is permitted to share the results by both the Consumer Reporting Agency (CRA) and the candidate. Secondly, even if the employer is only reviewing previously completed background checks, they may be subject to consult with counsel before viewing such reports.

Post-Hire Screening & Employee MonitoringApproximately two thirds of organiza-tions fail to conduct any sort of post-hire

screening or employee monitoring. Just because an employee’s criminal history was clean when they were hired doesn’t mean that it will always stay that way. A criminal records check depicts a moment in time and becomes outdated almost instantly. The solution to closing this gap is either through post-hire screening, which can be conducted at specified intervals (i.e. annual re-checks), or employee monitor-ing, which alerts employers when one of their employees has been arrested. The most recent tragedy occurred in Roanoke, Virginia, where a disgruntled and termi-nated employee allegedly murdered two journalists on live TV. All three had worked at local TV station WDBJ. Reports have surfaced that Vester Flanagan, the alleged shooter, had a history of mental instability.

The question arose: Why didn’t the employer in this case perform due dili-gence in regards to the employee’s previ-ous records, plus provide post-employ-ment screening?

44+35+13+8+CHiring by staffing agency

Staffing contracting term

Periodic audit

HR unaware of background checks

Figure 1: Percentage of hiring


CRIGROUP.COM | 17

While pre-employment screening plays a critical role in helping to protect compa-nies from dishonest employees, too few realize that post-employment screening, conducted at regular intervals throughout an employee’s term of tenure, is equally as important in protecting company assets. However, post-employment screening al-lows employers to quantify the risk to which they are exposed, and then to manage that risk. Regular credit checks, sudden judg-ments, criminal convictions — these are all developments which a responsible employ-er should be aware of in their workforce.

Post-employment screening can be applied differently according to job level status — or put more bluntly, at what po-tential level of risk the employee carries for the company. A cleaner, for example, will be less of a risk than a buyer, and a cashier more of a risk than a switchboard operator. A company carrying out post-employment screening must prioritize how far they wish to take such checking. This is where using an outside third party, whose specialist skills and core function it is to asses such potential risk, can be of great benefit.

If an employer carefully observes his employees, the first sign to watch out for is a change in lifestyle of the employee concerned. This can be either an upgrade in lifestyle, such as the acquisition of material goods — a new, flashy car for example; but also a downgrade in lifestyle. Such signs can be displayed in terms of physical ap-pearance, punctuality, work levels and de-clining productivity, which are often signs of either substance abuse, domestic crises or other personal problems of some sort.

It is not only permanent staff who need regular screening — outsourced staff, or sub-contracted companies, also need to agree to independent third-party screen-ing. Cleaners, security guards and all per-sonnel who come onto a company’s prem-

ises, in the same way that permanent staff do, are subject to the same opportunities, stresses and social issues, and therefore need to be treated accordingly.

Post-employment screening therefore takes on a wider scope than pre-employ-ment screening. It will deliver to the em-ployer vital information on lifestyles and social issues, apart from the more conven-tional driver’s license, educational qualifi-cation, credit and criminal record checks.

While pre-employment screening will help companies identify problem areas be-fore they start, post-employment screen-ing will ensure that companies can mini-mize the risk to which they are exposed over the long term.

CRI Group’s background screening and post-employment screening services expose vulnerabilities and threats within your organization and can significantly re-duce the potential of business and finan-cial crime, fraud and malpractice from oc-curring within your workplace. CRI Group provides a host of professional services to HR managers representing major corpo-rations worldwide, including: Managing employee background screenings across borders; employee monitoring and risk management; data protection compli-ance; employee testing and confidential-ity; employee risk management; back-ground information on former employers; analytic research of credential breaches and bankruptcy, civil litigation, criminal record history, credit and financial regula-tory checks. For a full list of services, visit CRIGroup.com.

ABOUT THE AUTHOR Javeria Adeel is a Media Researcher and Fraud360 Correspondent for CRI Group. She can be reached at [email protected]. CRI Group maintains offices in the UAE, Pakistan, Qatar, Hong Kong, Malaysia, Singapore, London and New York.


5 BEST PRACTICES FOR PROACTIVE FCPA COMPLIANCE

BY ZAFAR I. ANJUM , MSC, CFE, CIS, MICA, INT. DIP. (FIN. CRIME), CII, MIPIRESEARCHER PROFESSIONAL DOCTORATE IN CRIMINAL JUSTICE (DCRIMJ)

CROSS BORDER BEST PRACTICES FOR

INVESTIGATIONS


CRIGROUP.COM | 19

he U.S. Department of Justice (DOJ) acknowledges

that the Foreign Cor-rupt Practices Act (FCPA)

of 1977 was “enacted for the purpose of making it unlawful for certain classes of persons and entities to make payments to foreign government officials to as-sist in obtaining or retain-ing businesses.” Although simplified to a form of anti-bribery or anti-corruption initiative, the FCPA plays a critical role in corporate governance, accounting best practices, auditing, and cross-border negotia-tions. As a direct result of legislative oversight, and in an effort to systemati-cally reduce the frequency and limit the effects of cross-border deficiencies and liabilities, corporations have undertaken to define, embrace and implement

a compendium of institu-tional best practices.

This article identifies and discusses a variety of best practices for managing and mitigating the effects of cross-border investigations. By highlighting potential benefits and implications of effective, high-performing standards in corporate preparedness, this analysis demonstrates opportunity costs and benefits of effec-tive investigatory protocol in identifying and resolving FCPA concerns.

A Delimitation of Best PracticesIn spite of auspicious and aspirational foundations, Ashcroft and Ratcliffe’s “The Recent and Unusual Evolution of an Expanding FCPA” (Notre Dame Journal of Law, Ethics, and Public Policy, 2012) suggests that over its first several decades of existence, the

‘FCPA remained a largely unenforced and nearly dormant piece of legisla-tion.’ In the wake of a ro-bust information economy, the prevalence of financial conflicts and uncertainty, and robust corporate governance standards, settlements and corporate penalties related to viola-tions of the FCPA have increased significantly over the past decade. In fact, Fraedrich, Ritcey-Donohue and Schafer’s “Foreign Cor-rupt Practices Act Convic-tion of Lindsey Manufac-turing May Embolden U.S. Authorities, but Should it?” (Global Trade and Customs Journal, 2011) noted that while in 2002 just two claims were successfully prosecuted, by 2011, this figure had increased to more than 20 claims for fi-nancial penalties in excess of $3.4 billion.

Preparedness for investigations and management of threats and vulnerabilities is critical for organizations seeking to maintain competitive advantage and global positions.

T


20 | FRAUD360 | ISSUE 1 2016

More recent statistics from E. Silverstein’s “FCPA Penalties Relatively High During 2014” (FC&S Legal, 2015) reflect that the aver-age FCPA claim in 2014 was more than $156 million, as punitive penalties are de-signed to discourage and prevent future replication of corrupt business practic-es. As a result, the financial and reputational conse-quences for FCPA indict-ments and violations can have significant impacts on corporate performance. It is for this reason that corporations must adopt and sustain anti-corruption policies and strategies, internal assessment and investigation resources and third party audit ca-pabilities in order to make a significant impact on vulnerability and exposure to FCPA prosecution.

Best Practice #1: Have a Plan, Define Policies and Actions and Ensure Consis-tent Implementation

Perhaps the most criti-cal best practice in FCPA investigation management is corporate preparedness. Emphasizing the role of internal investigations in FCPA enforcement efforts, Carberry and Deane’s “Corporate Internal Inves-tigations: Best Practices, Pitfalls to Avoid” (Jones

Day, 2013) proposes that preparedness including the structuring and stra-tegic anticipation of interviewing process-es is critical to revela-tory objectives. By failing to anticipate potential findings, investigators are not only likely to overlook critical connections and evidence, but may ultimately be-come vulnerable to legal or institutional defenses that inhibit a comprehen-sive assessment.

Highlighting the need for anticipatory investiga-tive practices in the recent case of AstraZeneca, R. L. Cassin’s 2015 FCPA Blog piece “Two AstraZeneca Whistleblowers Share $1.4 Million in FCA Settlement” observed that whilst compensatory settlement payments in excess of $7.9 million were agreed to in bribery and false claims allegations, the failure to establish legal liability significantly reduced the consequences of the legal process. In spite of whistle-blower evidence and a verified, informal agree-ment between AstraZen-eca and Medco, internal information controls and proprietary information management rights were used to not only impede investigator interventions,

but to protect the organi-zation and its managers from legal prosecution.

Best Practice #2: Be Prepared and Actively Control the Flow of Informa-tion and Evidence

Anticipation of investiga-tor objectives in relation to FCPA violations may provide corporations with a strategic advantage, allowing internal assess-ments to focus on a more comprehensive and stra-tegic range of evidence. In an effort to systema-tise this protocol, Baker and McKenzie propose in 2014’s “Responding to Misconduct” five core steps to corporate responses to misconduct including:

1. Receiving the allegations

2. Preliminary assessment

3. Initial planning and preparation

4. Developing an investigative plan

5. Analysis and resolution

This framework reflects a pro-active, anticipatory ap-proach that may be used to not only identify the underlying costs and risks associated with a federal investigation, but could

1

2


CRIGROUP.COM | 21

allow the determination of an effective remediation plan that can be used to mitigate losses once the process has commenced.

Best Practice #3: Anticipate Investigator Objectives and Evaluate Cost/

Benefit Formula to Maxi-mize Corporate Benefits Under Best, Medium, and Worst Case OutcomesAt the root of an FCPA in-vestigation is the attempt by officials and agents to determine whether intra-organizational relation-ships were in violation of corruption and bribery laws. Originating from a recent case of FCPA pros-ecution against Lindsey Manufacturing and Comis-ión Federal de Electricidad (CFE), efforts to affect and influence government officials both directly and indirectly may ultimately result in a violation and significant penalties (Frae-drich et al., 2011). Yet such influence extends beyond more overt bribery/influ-ence cases such as BNY Mellon, recently pros-ecuted by the SEC for high profile appointments and internships to relatives of key foreign officials in an effort to secure status and international position-ing. According to FCPA

Blog’s October 2012 article “Barclays FCPA disclosure,” the Barclays PLC case, its post-stock market crash fi-nancial hedging strategies and its partnership with Qatar Holdings are indica-tions of how third party collaboration and collusion can expose organizations to unwanted scrutiny and investigation. As reported in the Wall Street Jour-nal’s “Barclay’s Faces FCPA Probe,” however, it is only through collaboration between Barclays and Qatar Holdings that the inquisition itself has been fundamentally constrained to causal analyses of mis-

conduct and purposive corruption.

Exemplifying the need for a functional and collab-orative response, the forth-coming internal reports and feedback from both organizations have served as a buffer mechanism to reduce the relative and immediate implications of this investigation. Such joint defence initiatives, as idealized by Carberry and Deane, reflect a foundation of confidentiality that is reciprocated across part-ners in an effort to reduce the long term costs and consequences of an FCPA investigation.

3

Perhaps the most critical best practice in FCPA investigation management is corporate preparedness.


22 | FRAUD360 | ISSUE 1 2016

Best Practice #4: Col-laborate and Coordi-nate (Joint Defense Agreements) to Pre-vent Agency Conflicts and Uncertainty

A challenge in internation-al commerce, translational and cultural differences may ultimately lead firms to experience vulnerability and disclosure risks during an FCPA investigation, ac-cording Senn and Albert’s “Internal Investigations: How to Conduct an Anti-corruption Investigation: Developing and Imple-menting the Investigation Plan (Part Two of Two),” (FCPA Report, 2014). In an effort to comply with domestic legal and labor requirements, organiza-tions are compelled to make strategic decisions that require both legal and experienced insights and recommendations.

By preparing for potential security risks (e.g. non-disclosure agreements), securing local counsel, and pre-paring for potential local enforcement initiatives and controls, Senn and Albert suggest that firms will mitigate the broader spectrum of international pitfalls that emerge during extended multinational commercial activities. In “Senn on 10 Best Practices in a Cross-Border Investiga-tion — Part II” (FCPA

Compliance Report, 2015), T. R. Fox refers to this pro-cess as “putting form in na-tive translations,” creating legal and conceptual align-ments and understandings that transcend the for-eignness of international partnerships. Such vulner-abilities in labor agree-ments are indicative in the recent Walid Hatoum/PBSJ Corporation case investi-gated by the SEC in which foreign officials were pro-vided privileged employ-ment posts and corporate membership in exchange for government contracts. Alternative agreements and positioning could have ultimately been used to not only eliminate the risks associated with such part-nerships, but to protect the conglomerate from any adverse activities.

Best Practice #5: Evaluate Efficacy and ResultsAfter the afore-mentioned best

practices have been imple-mented, it is not enough to simply move on and let them do their work. Con-trols must be monitored for effectiveness, with a regular review process to measure their success. Industry best practices dictate that ideally, these measurements and review should be conducted by an organization’s security

professionals, and a sum-mary of the results with all supporting documenta-tion should be provided to the board of directors. It is only through this process that internal controls can be refined and adjust-ments made, as needed. It is also important to stay in-formed of any governance changes that might affect FCPA compliance, or might otherwise require changes in the organization’s anti-corruption controls. Review and measurement of internal controls should be conducted quarterly, if possible (and no less than on an annual basis). The review process is even more effective when conducted by a third party that specializes in FCPA compliance (this removes bias — even where unin-tentional — from the pro-cess, providing a clearer picture of the results).

Conclusion The risks associated with FCPA investigations are significant, and as the financial and reputational costs of indictment and prosecution continue to balloon, the need for ef-fective and pro-active best practices is imperative. This report has identified five leading best practices that are indicative of industry-observed needs, expecta-tions, and opportunities.

5

4


CRIGROUP.COM | 23

This was the Irish Re-publican Army’s (IRA) statement soon after the Brighton hotel bomb-ing that attempted to kill Prime Minister Mar-garet Thatcher and her Cabinet in 1984. Twenty years after, the shape and authors of terrorist threats in Europe may have changed, but the threat still exists. And with two series of terror-ist attacks in France in 2015, it seems that luck has deserted. It is time to think about how we can be more efficient, togeth-er, to fight back.

The recent events that occurred in Paris showed that the terrorists are starting to work mul-tilaterally. The terrorist attacks of French publica-tion Charlie Hebdo and a Jewish supermarket in January 2015 were perpe-trated by French citizens who acquired firearms in Belgium. The attacks of last November were

perpetrated by French citizens who had trav-elled from Syria through several European coun-tries. What if business in-telligence agencies had been working closely to assist government authorities in tracking these bad actors from the beginning? Would it have been possible to avoid those murders? If wishes were horses then beggars would ride, but it is clear that the lack of share in business intelligence between governments serves as a benefit to the terrorists and buys them time and opportunities. Criminali-ty doesn’t know borders. Investigators and prose-cutors among neighbor-ing countries should be on the same page.

In the 1970s, French police partnered with their American coun-terparts to stop the French Connection, a large heroin smuggling

operation, and likewise partnered with the Spanish in the 1990s to pursue Basque ter-rorists. Europol, the European Police Office, contributes to more than 18,000 cross-bor-der investigations each year, and according to Europol Director Rob Wainwright, there are approximately 3,600 internationally active organized crime gangs operating just in Europe. But coordination still requires loads of prepa-ration through formal channels, according to the United Nations Of-fice on Drugs and Crime (UNODC). Operational problems include “lack of commons standards and accepted practices, the actual supervision of the investigation, the prevention of intel-ligence leaks and the absence of mechanisms for quickly solving these problems,” according

Borderless Business Intelligence Required

“Today we were unlucky, but remember we only have to be lucky once — you will have to be lucky always.”

“Criminality doesn’t know borders. Investigators and prosecutors among neighboring countries should be on the same page.”

» continued on next page


24 | FRAUD360 | ISSUE 1 2016

to the UNODC. Cross-border investigations must be carefully framed and processed to be really efficient.

Cross-border inves-tigation is a reality and requires a global mindset and a legal framework, including laws and regu-lations, but it must also account for cultural simi-larities or differences. It is about providing national agencies with the intel-ligence and processes to make it easier and faster

for them to go after the right people. Between 2011 and 2013, the num-ber of terrorists or combat-ants from Western Europe ranged from 400 to 2000, with most recruits from France, Britain, Germany and Belgium, and traveling across several European Union member states. Al-lowing ongoing exchanges of information and intel-ligence would permit investigators to have more accurate data and identify general trends. Determin-

ing who should be noti-fied, identifying who will oversee and conduct investigations and then harmonizing procedures would permit authorities to act quickly and co-ordinate actions. If the information is available, there is no excuse for fail-ing to share it or act on it. Through these measures, terrorist will no longer be able to bet on luck.

— By Anne-Solene Spido Research Analyst, CRI Group, London Office

Based upon a cost-benefit trade off and core strate-gies of preparedness and proactivity, corporations operating in international markets must not only recognise the risks of FCPA violations, but take steps and implement policies to reduce and minimize the consequences of an investigation.

By planning for FCPA investigations, identifying and controlling internal sources of information and evidence, creating a cost/benefit profile for violation settlements, partnering with international orga-nizations and allies and reviewing and measuring results, firms will not only navigate such investiga-tions more effectively, but may mitigate or eliminate

their consequences al-together. The testament of firms currently being confronted with high costs and punitive injunctions following recent investiga-tions is a foundation for developing and imple-menting a more pro-active management strategy. However, given the highly competitive nature of international commerce, the variability of contracts and positioning initiatives, and the intensified de-mands of growth-centred corporations, it is evident that ethical decisions must be made strategically and judiciously.

In this way, the cost-benefit trade-off of in-ternational partnerships and positioning initiatives has a direct effect on the

planning and positioning of firms within foreign en-vironments. As a result of domestic responsibilities, the cultural and economic values of one government or business environment may not translate directly into actionable and ethical behaviors within a U.S.-based context. Accord-ingly, preparedness for investigations and man-agement of threats and vulnerabilities is critical for firms seeking to maintain competitive advantage and global positions.

ABOUT THE AUTHOR Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI is Chief Executive Officer of CRI Group. He can be reached at [email protected]. CRI Group maintains offices in the UAE, Paki-stan, Qatar, Hong Kong, Malaysia, Singapore, London and New York.


CRIGROUP.COM | 25

he power of technology offers businesses many new opportuni-ties that were not available just

a few years ago. Unfortunately, this same technology has also cleared the way for countless online scams and fraud. Cyber criminals steals billions of dollars every year from small and big businesses, in addition to causing financial losses that

result from security breaches. But the risk of a damaged reputation, and the safety of your customers’ information, are major concerns for any business, as well.

Online business fraudOnline fraud takes many forms and faces, and it is not always clear that fraudulent activity is taking place until it is too late.

BY JAVERIA ADEEL

Is Technology a Double-edged Sword?

T


26 | FRAUD360 | ISSUE 1 2016

Fraud may target a business and its em-ployees directly, or it may target the cus-tomers. The only way to be protected from the threat of cybercrime is by effectively securing your company’s network.

The most recent Global Fraud Study conducted by the Association of Cer-tified Fraud Examiners (ACFE) determined that businesses can lose, on average, 5 per-cent of revenue each year to fraud, which amounts to nearly $3.7 trillion across the globe. Massive data breaches have caused serious damage, including a $146 million loss for Target Corp. and an estimated $200 million for Sony. Although high-profile technology breaches of consumer data dominate the news, your company’s financial data and assets could also be at risk. The recent climate of fraud begs the question: What can we expect in 2016?

Technology is getting more sophisti-cated day-by-day, and so is cybercrime. Our life is becoming increasingly techno-friendly. We pay our electricity bill online, we buy groceries and do other shopping online, we conduct bank transactions online — so much of our lives are online, even our personal lives are not so personal these days. Everyone, no matter what age, use social media: We share our life events and pictures, and we even check-in to dif-ferent locations on social media. We have solutions for all types of different problems through just one click of an app. And this just refers to personal use.

These days, most companies conduct business online. Business transactions are conducted online. Sounds familiar, right? Internet technology is so prevalent in our lives that we can’t hardly function without technology these days. Just think of one day at work without the Internet or tech-nology — it’s difficult to imagine!

As technology becomes more ad-vanced, fraudulent schemes will become more complex, while more sophisticated fraud solutions will be developed to

combat hackers’ best efforts. As the land-scape of fraud continues to shift, business leaders must be aware of trends and pre-dictions that will allow them to implement internal/external controls and systems to

help reduce the risk of fraud and keep them from becoming another victim of fraud.

The double-edged sword of technology gets sharperIt has been estimated that nine out of 10 breaches can be described by nine basic patterns. However, as technology advanc-es, we are seeing a distinct proliferation of more complex fraud schemes. At the same time, we are seeing more breakthroughs in the use of technology to detect fraud. Strategies that we’ve used in just the past few years will become completely outdat-ed, as a fresh set of tactics will debut.

As money becomes more digital, there is increasing concern surrounding the vul-nerability of cloud-based applications. The cloud is not going to stop growing. It is go-ing to continue to evolve and become the norm because the business and personal benefits are far too strong. Any centraliza-tion of data without the right protocols can become a target, but banks and credit cards are even bigger targets, and they’ve been around for a while.

Improving information security will be a major priorityThe recent data breaches in large corpora-tions have exposed vulnerabilities in the way personal information is maintained

FACT: Business fraud cases have more than doubled in past years.

Source: Gulf News


CRIGROUP.COM | 27

and stored. Because of this, we are expect-ing more massive data breaches through-out 2015, which makes improving informa-tion security a top priority. We will likely see more IP addresses, with bigger sites getting better at the game.

Employee theft and fraud will continue to be a serious threatAccording to the U.S. Chamber of Com-merce, 75 percent of all employees steal at least once, and half of these individuals steal repeatedly. Even the most trustwor-thy employees will go to desperate mea-sures, giving way to employee theft and fraud. Even the most steadfast employees, who would normally never think of com-

mitting fraud against their employers, are more willing to take unlawful risks in order to have some extra money in their pockets.

Most organizations place their anti-fraud emphasis on external fraud and security. Ironically, somewhere between 50 percent and 75 percent of the financial losses due to computer incidents result from inside threats, according to the FBI and Computer Security Institute. Com-bating fraud requires businesses to place equal value on the detection of internal and external fraud, developing necessary strategies to address both.

To minimize the potential damage of fraud, companies need to invest not just in more advanced technology but in people and policies for detecting attacks

as quickly as possible. While networks are just too large to prevent every attack from occurring, detection is crucial. Most com-panies do not have adequate protocols and staff in place to deal with incidents of fraud. While advanced technology serves as a great tool to combat fraud, the issue should be viewed as more than just an IT problem and looked at as a business prob-lem. Here are some steps to take:

• Identify all devices and network connections.

• Put a clear focus on segregation of du-ties (spread and rotate financial respon-sibilities, control who views sensitive documents).

• Set boundaries between your network, the internet and other networks.

• Enforce controls and policies that pre-vent misuse, unauthorized access and denial and services.

• Enforce a strong password policy.

• Offer internal and external audits (monthly profit and loss reviews, monthly balance sheet reviews).

• Develop protocols for electronic banking transactions (e.g., limiting access, verbally confirming requests, two-step authenti-cation process, safeguard data).

By taking these actions, companies can begin building a culture of system-wide accountability rooted in honesty, integrity and transparency. Remember, the cost of trying to prevent fraud is far less expensive to a business than the cost of fraud com-mitted on a business.

ABOUT THE AUTHOR Javeria Adeel is a Media Researcher and Fraud360 Correspondent for CRI Group. She can be reached at [email protected]. CRI Group maintains offices in the UAE, Pakistan, Qatar, Hong Kong, Malaysia, Singapore, London and New York.

FACT: The majority of UAE online fraud victims are unable to recover their losses.

Source: Gulf News


28 | FRAUD360 | ISSUE 1 2016

CASE STUDY: Lack of Due Diligence Leaves Office Supply Company’s Bill Unpaid

A professional office supply company enlisted CRI Group to conduct a potential fraud investigation regarding one of their customers. The office supply company had provided this new customer with products valued at $15,000 — all on a credit basis, after negotiating payment terms with them. However, no formal credit check or standard due diligence measures were performed.

The office supply company invoiced their client, but no payment was sent and there was no indication that a payment was forthcoming, even after extensive requests and inquiries. To add to their suspicions, the office supply company’s financial team no-ticed that the client company’s website was down, emails were bouncing and its tele-phone numbers were no longer in service.

CRI Group’s local investigators went to work, beginning with an on-site visit to the physical address that had been provided by the customer. However, when they

examined the location, it was obvious that no such business existed at the address and it was simply a “virtual” business front.

When investigators checked local court records, they found that the client compa-ny had four civil court judgments against them within the space of one week. Fur-ther checking of media resources led to the discovery that the client company had been labelled a “scammer” on an Internet forum; had registered its website domain to a “Mr. J. Smith” (with no further physical location or contact details); and the do-main for the website that was eventually used to help trick the office supply com-pany had been registered only two weeks before the order was placed.

Finally, our investigators discovered through corporate record resources that the client company had only been incorporated for six weeks. It was clearly obvious that the fake company was set up as a means to com-mit fraud. The lesson learned is that there is no replacement for due diligence: When dealing with a new customer, especially one making a substantive order, requests to pay on credit should raise a red flag. Such an arrangement should only be made after a proper credit check and verification that the client is a legitimate business.

TWO CASE STUDIES: Fake, Bogus or Forged Documents

Case Studies


CRIGROUP.COM | 29

There are fake educational documents for sale at cheap rates. But for those who have bought them, now is the time to pitch them in the trash — or risk getting caught. Busi-nesses, government agencies and other or-ganizations take it seriously when it comes to whom they are hiring. Those that want the best protection will conduct thorough background investigations to check the credentials presented by any employee. CRI Group’s investigators have a long, success-ful track record in uncovering such cases in which fake educational documents were presented. The following are two examples of such cases. As disclosure of names is not possible, we will refer to the prospective employee as a POI (Person of Interest).

Case OneThe POI presented educational docu-ments that appeared to be issued by a well-known university in Pakistan. They closely resembled the university’s official documents, and each and every detail was faked with tremendous precision. Yet one major piece was missing that cannot be faked: the information about the supposed degrees was not reflected in the universi-ty’s own files. Using the university’s pre-scribed process for verifying information, CRI Group opened an inquiry, and soon confirmed through the university that no such degree was issued, and no such can-didate was registered under the provided registration number. In conclusion, CRI Group informed the client that the POI’s documents were fake, bogus or forged.

Case TwoIn the second case, the fraud committed by the POI went even further. As in the previ-ous case, the POI presented documents that were very precise imposters compared to the originals. But while conducting an investigation, CRI Group’s investigators revealed how much trickery can be done with just some time spent on a computer using some basic software, and how easy

it is to buy or forge a fake degree. Using standard procedures to verify the docu-ments, CRI Group contacted the university in question and provided them with the necessary information to check their valid-ity. The results were amazing: the regis-tration number for the POI had no such authenticity; but in addition to that, even the name of the person who was the issu-ing authority at that particular university had been substituted. When the name of the person listed on POI’s documents was checked, it was discovered that no per-son by that name had ever worked at the university. This just further confirmed that the documents presented by the POI were fake, bogus or forged.

CASE STUDY: Health Insurance Fraud

One of CRI Group’s prestigious internation-al clients requested an investigation of a health insurance claim filed by one of their employees, “Mr. ABC.” Mr. ABC claimed per billing invoices (which the client shared with CRI Group’s investigators) that while he was on an official visit to UAE from the U.S., while traveling on a plane, he felt sudden abdominal pain with nausea and vomiting lasting 18 hours. He was admit-ted to a clinic and stayed under observa-tion for two days, which cost him around $4,000 (US).


30 | FRAUD360 | ISSUE 1 2016

Mr. ABC was discharged from the clinic, but then felt the return of his sickness, so he was admitted to another clinic for two more days. During this time, he was kept under observation. For this second clinic visit, he was charged nearly $1000.

As part of CRI Group’s “boots on the ground” approach, a local agent visited both of the clinics involved in the claim. One clinic was located in Dubai, while the other was in Abu Dhabi. When he arrived at the Dubai clinic, CRI Group’s local agent immediately learned that the clinic deals specifically in cosmetic surgery for women. In fact, as advertised on the outside of the clinic, its services are only for women. But CRI Group’s agent wanted to get solid proof to for the clients. When the clinic’s recep-tionist was asked to verify the bill, she noti-fied an administrator — who told CRI Group that the clinic does not treat that kind of illness. Furthermore, the administrator con-firmed that the clinic is only in the business of providing cosmetic surgery for women.

CRI Group’s local agent then visited the clinic in Abu Dhabi. This clinic also ap-peared to be — as you might guess — in the business of providing cosmetic surgery for women. When the local agent tried to contact the doctor who was named as the treating physician for Mr. ABC, the doc-tor was hesitant to meet the agent. CRI Group’s agent showed the report to the doctor, and though it was on official letter-head of the clinic, the doctor first denied involvement in the case.

But afterward, the doctor told CRI Group’s agent that while “we don’t treat that kind of illness,” the patient “was in such bad condition that we treated him on humanitarian basis.” Yet the doctor was hesitant to accept that the bills came from his clinic (the agent had already learned that the doctor in question was also the owner of the clinic). Regardless, CRI Group successfully secured the evidence that the

health insurance invoices were fake and Mr. ABC was making false claims to get money from his employer.

That’s how CRI Group’s investigation of false healthcare insurance claims saved one client a significant amount of money. CRI Group not only verifies false invoice claims, but also works with clients to un-cover provider fraud, patient fraud and in-surer fraud. Some of the common methods of fraud that require investigation include:

• Charging, invoicing for facilities and ser-vices not performed

• Billing, charging, invoicing for duplicate times for one service

• Falsifying a diagnosis

• Billing, charging, invoicing for a more costly service than performed

• Accepting kickbacks for patient referrals

• Billing, charging, invoicing for a covered service when a no covered service was provided

• Ordering excessive or inappropriate tests

• Prescribing medicines that are not medi-cally necessary or for use by people other than the patient

• Billing, charging, invoicing verificationsCRI Group’s insurance fraud claim inves-

tigations services include:

• Investigation of cause

• Statement of claimant/employer

• Activities check/claimant interviews

• Background investigation

• Medical/hospital records

• Telephonic interviews

• Clinic inspections and onsite verification

• Disability claim reports

• Death claims investigations

— Case studies compiled by Javeria Adeel, Media Researcher and Fraud360 Correspondent for CRI Group.


CRIGROUP.COM | 31

JA: Do companies know all of their busi-ness partners as well as they should?ZA: In my experience, no. However, they have a false impression that they do, or that they know their business partners as well as they should. They might consider that certain information is confidential and proprietary, in other words “none of their business,” and so they might feel it is not appropriate to dig too deep. When in

a pre-IPO or pre-merger situation, a com-pany is more likely to engage in thorough due diligence. But beyond that, compa-nies usually do not engage in, nor do they realize the importance of, a thorough vet-ting process for their business partners. At least until problems begin to arise, and at that point it might be too late. The potential harm that lurks from association with the wrong partners includes not just

Digging Deeper:The Importance of Vetting Third-Party Partners

Javeria Adeel, Fraud360 Correspondent, sat down with CRI Group CEO Zafar I. Anjum to discuss the importance of vetting third-party partners. Anjum will be at the 2016 ACFE Middle East Fraud Conference, February 14-15, in Dubai.

An Interview with Zafar I. Anjum, CFE CEO of CRI Group


32 | FRAUD360 | ISSUE 1 2016

financial repercussions, but damage to reputation, as well.

CRI Group has experts who conduct a thorough vetting process, helping com-panies take a proactive stance to avoid problems with their third-party affiliations. The biggest issue right now for many com-panies is that in emerging markets, there is still a lack of reliable online and public data to assist with the vetting process. That is why CRI Group has investigators on the ground in hard-to-access locations around the world to gather information in a grass-roots way.

JA: There are risks associated with major business actions like engaging in a joint venture, for example. Are companies assessing (and addressing) these risks appropriately?ZA: In many cases, companies don’t ap-preciate the risks that come with actions like forming a business alliance, joining a licensing arrangement, or any other situation that closely engages them with a third-party partner. They might think that having a contract reviewed carefully by their legal department, for example, provides the protections they need — along with usual hedges against risk such as insurance and reinsurance policies. Unfortunately, such business owners and operators don’t fully grasp the implications of financial and reputational harm that can occur in a business relationship, to the degree that it can sink their business. There are several potential flags for a business when entering into an arrangement with a third-party partner. The following are just a few of them:

• The partner, or potential partner, is unable or unwilling to share necessary information (usually through claims that it is privileged or confidential)

• The partner, or potential partner, has not presented a clear and compelling goal or motivation for the future of the partnership

• The arrangement, or proposed arrange-ment, is largely unequal — one partner stands to gain more, or is valued more, than the other

• There are issues of honesty, usually ob-served in “shifting numbers” (financials) or other information that changes or is contradictory during the negotiation phase or during the partnership

There is a deeper problem. Even going

beyond the red flags and necessary due diligence I’ve already described, there is also the issue of what pre-existing business relationships a prospective partner already has in place. The only way to really con-duct a thorough vetting process is to look into those ties a prospective partner has to other companies, as well as how they interact with local agencies and within their local environment to determine whether they are a safe partner with which to conduct business or enter a partnership. This is another reason why CRI Group’s agents on the ground conduct their due diligence checks at a local level to uncover all relevant information and create a full picture of a prospective partner and their interactions.

JA: Will proper due diligence with potential business partners help compa-nies avoid unnecessary disputes?ZA: There will always be some disputes in business. However, performing proper and thorough due diligence will help a company negate that “unknown” factor that can lead to financial and reputational harm. I mentioned the need to conduct due diligence as part of a proactive mea-sure to reduce risk. The best way to do this


CRIGROUP.COM | 33

is to make due diligence for third-party partners a part of the company’s core op-erational methodology. In other words, any time a prospective arrangement is being proposed or considered, the due diligence process should be automatic, a pre-cursor to any further negotiations and definitely conducted prior to any formal agreement or contract. The following are a few ways that a partners are vetted:

• Any government records that include sanctions lists or other corporate wrong-doing blacklists must be checked.

• The details of the target company’s asso-ciations with other companies, vendors and government should be reviewed.

• An analysis of the target company’s contractors and vendors should evaluate whether their involvement is legitimate and necessary.

• All financial information provided by the target company should be reviewed and vetted for accuracy.

• The contracting process should identify potential risk or liability areas, and also clearly define the parameters of the

relationship (all timing and deliverables, as well as any government sanctions or taxes, for instance).

JA: If a dispute should arise, what are some of the potential consequences?ZA: Financial and reputational damage are the key risk areas. Business leaders often consider the former, but don’t give enough thought to the latter. Reputational harm has the potential to do great dam-age, sometimes greater than the initial financial loss. A company might feel that since they are legally protected to some degree from liability, or insured against fraud, that any harm from a third-party partner is a reasonable level of risk for what might be a lucrative arrangement. Unfortunately, simply being tied to the wrong company can create a public rela-tions nightmare and cause negative reper-cussions that last for years. The horse meat scandal in Europe showed us how a few bad suppliers caused a loss of consumer trust and damage to well-known dis-tributors that were caught up in the fraud through their third-party affiliations.

JA: In conducting due diligence, what should companies do to investigate their

Javeria Adeel, Media Researcher and Fraud360 Correspondent, interviews Zafar I. Anjum, CEO of CRI Group, at CRI Group Headquarters in Dubai, UAE.


34 | FRAUD360 | ISSUE 1 2016

potential (or existing) partners and their partners’ employees?ZA: Some companies are large enough and have the proper staff to launch due diligence investigations, but many don’t have that capability. For them, there are reputable firms that can conduct thor-ough due diligence on a regular basis to help their company be proactive against risk. CRI Group’s experts use a combina-tion of public record searches, in-person interviews, court records searches and governmental records checking during the review process. This includes 1) a review of the target company’s ownership and management. This should include anyone with influence over the company, includ-ing beneficial owners and shareholders; 2) civil, criminal and regulatory history check-ing of the target company, including its risk and compliance programs; 3) a checking of references that can establish details on the target company’s business practices and history. This information can come from business partners, business liaisons and other stakeholders.

JA: Can doing business with the wrong partner lead to problems with regulators?

ZA: Yes, indeed. That’s why a proper risk assessment should address the following:

• What is the relationship between the target company and its own vendors and contractors? In other words, does it have a proper degree of oversight of its partners?

• What are the particular regulatory issues affect the region or country where the target company is based?

• Does the target company have a history of sanctions or other government action? What is its relationship to government officials and the courts?

• Does the company have a strong com-pliance program? Does it conduct risk assessments? Is it transparent in regards to its own due diligence and risk man-agement efforts?

• Are there any “unknowns” that should have been disclosed in the vetting process?

There are red flags to look for. One of

them would be if the target company has an unusual or complicated relationship with a government entity or figure that affects its business operations. Another would be if it uses unorthodox accounting methods or is not transparent in regard to its finan-cial dealings (it does not conduct audits or

Ms. Javeria and Mr. Anjum discuss the importance of proper due diligence and vetting third-party partners during their meeting at CRI Group Headquarters in Dubai, UAE.

What Third-Party and Fraud Risks Threaten Your Business?

Our Third-Party Risk Management (3PRM™) services provide a proactive approach to mitigating risks from third-party affiliations, protecting your organization from liability, brand damage and harm to business.

Visit our booth at the 2016 ACFE Middle East Fraud ConferenceCRIGroup.com | [email protected]

Our 3PRM strategy focuses on:

; Providing third-party risk assessments

; Meeting contracting requirements

; Conducting due diligence

; Providing management oversight

Our fraud experts will:

; Identify fraud risks at your organization

; Implement proactive controls to prevent fraud

; Investigate cases of unethical behavior

; Measure effectiveness and results

Estimated amount of revenues that the typical organization loses each year to fraud.*

Potential global fraud loss (if applied to the estimated Gross World Product).*

*Source: ACFE’s 2014 Report to Nations.

3.7 TRIL

LIO

N


CRIGROUP.COM | 35

won’t provide the results, for instance). Also, it is certainly a red flag if a company doesn’t disclose all of its owners or key principals, or if it is very recently formed — as it might be a shell company created for an adverse pur-pose. Due diligence experts know to look for anything suspicious and will endeav-our to clear up any question marks before advising their client to move forward with a target partner.

JA: What final thoughts would you give business leaders to help them appreciate the importance of conducting due dili-gence with third-party partners?ZA: The nature of business has changed, and due diligence and risk management are crucial today more than ever. Business owners cannot have a false sense of security regarding their associations with other com-panies and organizations. It is not enough to simply have legal professionals review

contract terms, or to expect that liability can be limited or covered by insurance without a risk of greater harm. Financial, operational and reputational damage can put a business under, to speak plainly. Moreover, the increased compliance and regulatory requirements make it impera-tive for any company to have an estab-lished and thorough process for due dili-gence. Firms like CRI Group have experts who conduct such investigations as part of their core business model. They have the staff, experiences and resources at hand to conduct a thorough due diligence inves-tigation and uncover any unseen issues with third parties or potential third parties before such issues evolve into a crisis. No smart business owner would walk into a relationship with blinders on — information is key, and the more you know, the less risk your company will face.

What Third-Party and Fraud Risks Threaten Your Business?

Our Third-Party Risk Management (3PRM™) services provide a proactive approach to mitigating risks from third-party affiliations, protecting your organization from liability, brand damage and harm to business.

Visit our booth at the 2016 ACFE Middle East Fraud ConferenceCRIGroup.com | [email protected]

Our 3PRM strategy focuses on:

; Providing third-party risk assessments

; Meeting contracting requirements

; Conducting due diligence

; Providing management oversight

Our fraud experts will:

; Identify fraud risks at your organization

; Implement proactive controls to prevent fraud

; Investigate cases of unethical behavior

; Measure effectiveness and results

Estimated amount of revenues that the typical organization loses each year to fraud.*

Potential global fraud loss (if applied to the estimated Gross World Product).*

*Source: ACFE’s 2014 Report to Nations.

3.7 TRIL

LIO

N


Reach Your goalsReach Your potential Reach Your peers

Reach Your

Find the knowledge, connections and resources you need to reach new heights in your fight against fraud at the 27th Annual ACFE Global Fraud Conference. Join more than 3,000 anti-fraud professionals in Las Vegas, June 12-17, 2016, to share insights and best practices on fraud prevention, detection and deterrence.

*Payment must be received by March 28, 2016 to receive early registration discount. Offer valid on Main and Full Conference packages only and may not be combined with government, group or student pricing.**The ACFE does not compensate convicted fraudsters. © 2016 Association of Certified Fraud Examiners, Inc. “ACFE,” “Association of Certified Fraud Examiners,” the ACFE Logo and related trademarks, names and

logos are the property of the Association of Certified Fraud Examiners, Inc., and are registered and/or used in the U.S. and countries around the world.

KEYNOTE SPEAKERS

David BarbozaInvestigative Journalist, The New York Times,Pulitzer Prize Winner

Roomy KhanConvicted Fraudster**, Galleon Group Insider Trader Scandal

SAVE$200!

THROUGH MARCH 28*

Judge Jed S. RakoffU.S. District Judge,Southern District of New York

Steve van Aperen“The Human Lie Detector”Body Language Expert

THIS EVENT WILL SELL OUT – Register early to reserve your spot. FraudConference.com
