The Fraud and Compliance Disconnect
Despite regulators’ increased oversight, enforcement and willingness to hand out sizable fines and punishments, it seems that companies are still failing at compliance efforts. Surveys routinely show that the world’s biggest companies have made greater investments in their compliance functions, and that regulatory issues are often included in an organization’s “top 10” risks, as is corporate reputation. But these seldom seem to connect and lead to action.
In the wake of the financial crisis, organizations should have realized that their practices would be under greater scrutiny, and that penalties would get harsher, but there has been a slew of corporate governance failures and cases of companies flouting the law outright. German car manufacturer Volkswagen, for example, is still struggling with the fallout of knowingly rigging carbon emissions tests to sell more cars, while European banks Credit Agricole and Deutsche Bank have agreed to pay fines of $787 million and $258 million, respectively, for violating U.S. sanctions on Iran, Sudan and other countries.
The fact that such abuses can go on for so long and at such high levels indicates that there is a failure in companies’ compliance functions, and a reluctance or inability by regulators and enforcement agencies to detect and successfully prosecute such activity. Consequently, some companies and their employees may feel that the rewards outweigh the risk. For example, while Deutsche’s $258 million sanctions-related fine for using “non-transparent methods and practices” between 1999 and 2006 may appear substantial, it equates to just 2.38% of the $10.8 billion in total transactions from that period that the bank conducted.
There is also evidence to suggest that managers and their companies may be inflating their performance to make it appear that they are hitting their targets, particularly in difficult market conditions. In June, an Ernst & Young report found that the risks of fraud, bribery and corruption “remain widespread,” and that “it is not apparent that there have been overall improvements in integrity and compliance activity.”
According to the survey—which focuses on companies in Europe, Africa, India and the Middle East—more than half of all 3,800 respondents across 38 countries (and 61% of those based in rapid-growth markets) believe that bribery and corruption are widespread in their countries. Furthermore, 37% of respondents believe that the financial performance of businesses in their market is often overstated, with 20% adding that their management teams at head office “do not understand the business environment that they face.”
In fact, trusted methods to prevent malpractice were often conspicuous by their absence, with 42% of respondents saying either their company did not have an anti-bribery policy in place or they did not know if one existed. Additionally, almost a quarter of respondents said their organization did not have a whistleblower hotline, and more than a third said they have had no anti-bribery or corruption training.
Other reports have revealed similar results. A September survey of 659 companies worldwide by KPMG found that, “despite greater efforts to build anti-bribery/corruption frameworks, it’s clear that there are gaping holes in them.”
According to the survey, organizations are not taking action to mitigate the risk areas that so many companies say are their main trouble spots. KPMG found that more than half of those respondents with right-to-audit clauses with their suppliers and contractors have not exercised those rights, for example. Only a quarter of respondents use data analysis to mine their own information to identify anti-bribery/corruption violations, with less than half of these continuously monitoring data to better spot potential violations.
Compliance experts are not surprised that the boon in legal, audit and risk spending has neither produced a better understanding of compliance risk nor reduced the likelihood of serious malpractice happening again.
“While it is evident that compliance spending has increased since the financial crisis, it is not so evident the additional investment is achieving the intended results,” said Brendan Hawthorne, managing director for forensic accounting at consultancy Stroz Friedberg.
“Compliance is still a ‘box-tick’ exercise in a lot of organizations, designed to prevent litigation or fines rather than add any long-term value or change the corporate culture,” added Bill Waite, group CEO at global risk management consultancy The Risk Advisory Group.
Lisa Osofsky, European regional chair at financial crime and compliance specialist Exiger, said part of the problem is that “compliance functions rarely get direct access to the CEO or the executive board, so it is hard for them to flag their concerns and make an impression on those people in the organization who have the power to do something.”
Professional bodies like the Institute of Internal Auditors are pushing for more oversight of business conduct and organizational culture, and trying to get a better idea of how risk appetite is tolerated, understood and communicated throughout the organization. But the process of auditing culture is in its early stages, and internal auditors are unsure how it can be done meaningfully and effectively. Another problem is that audit committees decide their work and scope, so if business culture is not an audit priority, it will be overlooked. Other in-house compliance professionals, such as legal, face similar problems.
If compliance professionals cannot make in-roads, then the C-suite needs to set an example. Philippa Foster-Back, director at the U.K.-based Institute of Business Ethics, a nonprofit organization that champions better business standards, believes that the key to ensuring better corporate practices is to have more active boardroom leadership.
“Putting extra money aside for compliance to improve its record of uncovering instances of bad conduct always sounds good, but we believe that the real focus should be on establishing a proper enterprisewide ethical culture enforced by principles and led by the executives,” Foster-Back said.
“Organizations will always find incidences of poor or illegal conduct, and it is important to root them out,” she added. “The recent revelations of corporate misbehavior at organizations like Volkswagen and Tesco have shown that management knew and connived in the wrongdoing, and that there was a culture whereby people who knew and spoke up were either ignored or decided not to say anything because the company was profiting from it. Compliance is only effective if the board is prepared to back it and act on its recommendations.”
Elizabeth Corley, global chief executive at Allianz Global Investors, believes that a major push is needed to make sure market participants realize the extent of their wrongdoing and take it more seriously. “One of the things we found in talking to management, legal and compliance, and audit, is that people very often were confused about what right and wrong was,” she told attendees at a London conference. She added that, despite record fines and beefed up enforcement powers in the world’s financial services centers, bad bankers too often regard their unscrupulous behavior as a minor wrongdoing, akin to breaking the speed limit, rather than being a serious offense.
Sir Gerry Grimstone, chairman of U.K.-based asset management and pensions firm Standard Life, said he has spoken to board members at banks involved in the Libor benchmark rigging (see pg. 30) who shrugged off criticism that they were aware of what happened. His response was to the point: “It is your job to make sure that, if you don’t know what’s happening, there are processes and structures within the company that can bring that to your attention.”
Grimstone has also criticized Volkswagen’s board for failing to act on risk information. “Do you really think there weren’t people who knew that was going on? You can’t easily blame a board member for not knowing something, but you can blame a board member for creating a culture where he doesn’t know something,” he said.
Corporate governance experts firmly believe that a strong “tone from the top” is essential to improve business conduct, but some admit that—in practical terms, at least—employee behavior can really only be monitored by those with direct oversight, namely line-managers and middle management.
“While ‘tone from the top’ is important, translating that into ‘tone from the middle’ is where a number of organizations can struggle,” said Kirsty Searles, risk advisory partner at Deloitte. “The middle is often where high-level dictates turn into business reality. It is also where dilemmas originate on what the right approach is for an organization, such as the tensions involved in growing business and delivering revenue growth when operating in markets that can pose ethical challenges.”
The U.S. Department of Justice’s recent policy to make an example of bosses’ bad behavior may become the most effective approach. Following years of criticism that executives at leading companies and financial firms escaped jail during the financial crisis, the Justice Department issued new guidelines last September to hold individual employees accountable for corporate wrongdoing, not just their companies.
The Justice Department’s approach will also put pressure on corporations to turn over evidence against their executives. The memo, issued to federal prosecutors nationwide, tells civil and criminal investigators to target individual employees from the beginning. It also states that companies cannot get credit for cooperating with the government—and thus get a substantial reduction in fines and obtain a civil settlement rather than a criminal charge—unless they identify employees and turn over evidence against them, “regardless of their position, status or seniority.” The new policies took effect immediately.
“Corporations can only commit crimes through flesh-and-blood people,” said Sally Q. Yates, the deputy attorney general. “It’s only fair that the people who are responsible for committing those crimes be held accountable. The public needs to have confidence that there is one system of justice and it applies equally, regardless of whether that crime occurs on a street corner or in a boardroom.”
Under former Attorney General Eric Holder, no top Wall Street executives went to prison, although prosecutors did collect billions of dollars in fines. A 2014 criminal case against BNP Paribas, France’s largest bank, for violating U.S. sanctions demonstrated the gap between charging a bank and prosecuting employees. Even as officials extracted a record $8.9 billion penalty and made the company one of the first giant banks to plead guilty to a crime, no BNP employees faced charges. The Justice Department said the bank insulated its employees by withholding records until after deadlines to file individual charges had passed. Lawyers suggested that these actions “were the last straw” for regulators.
“Governments have tried over the years to transfer the burden of responsibility for detecting fraud to companies themselves, as regulators and enforcement agencies worldwide have had a patchy record of prosecuting cases and do not have enough resources to pursue every case,” Waite said. “However, it still seems that companies may be prepared to take huge legal risks to secure financial rewards if sufficient threats aren’t there to deter them.”