Risk and Compliance

Preventing and investigating fraud in the workplace

Preventing and investigating fraud in the workplace | 1

Contents

Introduction ...... 4
How corporate governance can help prevent fraud ...... 6
Could you spot a potential fraudster? ...... 14
Ways to reduce the risk of fraud ...... 16
Key employment law issues for fraud prevention ...... 20
Monitoring staff phone calls, email and internet use ...... 24
Can insurance help to manage fraud risk? ...... 32
What policies and procedures should you have in place in case fraud occurs? ...... 34
Enabling employees to report fraud ...... 40
Discovery of a fraud: the first 24 hours ...... 46
Ensuring that your investigation complies with employment law obligations ...... 50
Data retention and recovery: where to look and what (not) to do ...... 54
Freezing assets and tracing funds ...... 60
Involving the police and criminal investigations ...... 66
Using private investigators ...... 72
Useful contacts ...... 78

Fraud continues to be a significant issue for many businesses.

But it is a risk that can be reduced and managed to some extent. Almost all frauds against a business will involve employees - sometimes as perpetrators and sometimes as the innocent dupes of outsiders. We continue to see cases where our clients lose money by falling victim to a dishonest employee who, had thorough vetting been carried out, might not have been hired. We see cases where employees have been able to defraud their employer by methods that could have been detected if proper procedures were followed. And we see cases where employees have been tricked into overriding standard procedures and clients have lost substantial funds as a result. Three examples from recent cases we have dealt with may illustrate some of these points.

Case 1: An accounts payable clerk received an email apparently from a supplier saying that the supplier’s bank account details had changed and quoting a new sort code and account number. Without further checking the clerk directs payments to the new account, which of course is not genuine. Substantial funds are lost before the problem comes to light as a result of the genuine supplier chasing for non-payment. A few simple checks could have prevented this.

Case 2: A senior member of the finance department has the authority to approve his own expense claims. An internal audit identifies this as a risk area and recommends that an additional level of approval is introduced. The internal audit report is not acted on and substantial false expenses continue to be submitted, fraudulently approved and paid.

Case 3: An accounts payable clerk operated an online payment platform provided by a bank. This was designed to provide an efficient payment system with proper approval processes. The clerk was telephoned by someone impersonating the CEO who convinced the clerk that the company had to make highly confidential payments for a transaction overseas that should not be discussed with anyone except the CEO and a previously unknown external lawyer. The clerk received apparently approved invoices and payment instructions by email from the supposed lawyer, purportedly signed by the CEO and the Group Treasurer. Substantial payments were made to an overseas bank, only some of which were intercepted and recovered. The accounts clerk bypassed the online payment platform, failed to carry out basic checks and accepted someone she thought was the CEO telling her on the phone that the payments were highly confidential and should not be discussed with anyone else within the organisation.

These experiences reinforce some basic messages:

• Carry out background and reference checks when recruiting. Speak to referees.

• Staff carrying out any aspect of payment functions should be reminded that there are people out there keen to steal your money and they need to be eternally vigilant. Under no circumstances should they depart from established and proper procedures; they are there for a purpose. Ensure that staff are trained to appreciate that each one of them is potentially in the front line of defence against a fraudulent attack on the business.

• Someone, no matter how senior they are, telling an employee that a transaction is confidential and should not be discussed with anyone else is a clear warning sign. Most businesses do not need to make confidential payments. Anyone told to make one should immediately discuss it with their supervisor and escalate it if necessary.

• Be careful not to permit management to override established procedures.

• Any requested change in procedure should be verified by back-up checks. In Case 1 above a simple telephone call to the supplier would have revealed the scam. Check email addresses behind email names.

• Follow up on all concerns, reports and audit recommendations.

• If in doubt - check. Management must make it clear (by regular communication, not just by a well written whistle-blowing policy) that any employee with a concern should report it. If it turns out to be misplaced, a report in good faith will nevertheless be appreciated and commended.

• Perhaps one of the most important features that can reduce the chance of fraud occurring is the culture of an organisation. Where management makes it clear that inappropriate behaviour of any kind is not acceptable, that even seemingly trivial misdemeanours are dealt with firmly and management leads by example, a culture of zero-tolerance can develop in which fraudulent conduct is less likely to arise and more likely to be detected early.

This practical guide is designed to help businesses consider some of the basic procedures that have been proven to reduce the incidence of fraud. If a fraud is discovered it will help you conduct investigations into fraud in the workplace at short notice, often under pressure. It will alert you to some of the key problems you may face in conducting investigations and provides a straightforward guide to help you navigate through some of the areas where problems are most likely to arise.

Andrew Keltie, Partner
Tel: +44 (0) 207 919 1376
Email: andrew.keltie@bakermckenzie.com

Joanna Ludlam, Partner
Tel: +44 (0) 207 919 1822
Email: joanna.ludlam@bakermckenzie.com
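The advice in the list above to check the email address behind the email name is something a finance team or mail gateway can do mechanically. The following is an added example, not code from the original guide or from Baker McKenzie: it parses the From: header of a message that claims to come from a registered supplier, compares the real sending domain with the domain recorded for that supplier, and separately flags a display name that itself looks like an address at a different domain (what the recipient's mail client shows is the display name, not the real address). The supplier register, the `.example` domains and the sample headers are constructed for illustration.

```python
"""Check the address behind an e-mail display name (added example; constructed data)."""
from email.utils import parseaddr
from typing import Dict, List

# Constructed register: supplier name -> the domain that supplier is known to send from.
KNOWN_SUPPLIER_DOMAINS: Dict[str, str] = {
    "Acme Widgets Ltd": "acme-widgets.example",
}


def sender_domain(address: str) -> str:
    """Domain part of an address, normalised for comparison."""
    return address.rsplit("@", 1)[1].strip().lower()


def check_sender(from_header: str, supplier: str,
                 register: Dict[str, str] = KNOWN_SUPPLIER_DOMAINS) -> List[str]:
    """Return warnings for the From: header of a message that claims to come from `supplier`.

    An empty list means the real sending address is consistent with what is on record.
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["no parseable sender address"]
    domain = sender_domain(address)
    warnings = []

    expected = register.get(supplier)
    if expected is None:
        warnings.append(f"supplier {supplier!r} is not in the register")
    elif domain != expected:
        warnings.append(f"sent from {domain}, but {supplier} is registered as {expected}")

    # A display name that is itself an address at another domain is a warning sign on its own:
    # the recipient sees the name, not the address the message actually came from.
    if "@" in display_name and sender_domain(display_name) != domain:
        warnings.append(
            f"display name shows {sender_domain(display_name)} but message came from {domain}"
        )
    return warnings


if __name__ == "__main__":
    # Constructed headers: one genuine, one with a lookalike domain hidden behind the name.
    for header in ('"Acme Widgets Ltd" <accounts@acme-widgets.example>',
                   '"accounts@acme-widgets.example" <billing@acme-widgets-payments.example>'):
        print(header, "->", check_sender(header, "Acme Widgets Ltd") or "OK")
```

A warning from this check is not proof of fraud (suppliers do change mail providers), but it is exactly the trigger for the telephone call to a known contact at the supplier that Case 1 lacked.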

How can CORPORATE GOVERNANCE help prevent fraud?

Fraud by a company’s management or employees, or their involvement in criminal or unethical activities either against the company or on behalf of the company, is likely to result in the company incurring financial losses and reputational damage. Losses may arise from funds lost directly as a result of a fraud or from the costs of internal and external investigations into improper conduct. Good corporate governance can reduce the risk of fraud at every level within a company.

What is corporate governance?

The phrase “corporate governance” can be used to describe the internal policies, processes and people, which serve the needs of shareholders and other stakeholders, by directing and controlling management activities with objectivity, accountability and integrity. The term encompasses principles such as transparency and accountability but in the broadest sense, it is the way in which a company is run. In other words, corporate governance means rigorous supervision of the management of a company; it means ensuring that business is done competently, with integrity and with due regard for the interests of all stakeholders. Good corporate governance is embodied in practices such as quick and accurate reporting of quality information, the establishment of clear, credible and well-documented decision-making and review processes, and effective two-way communication with shareholders and other stakeholders. Good governance is, therefore, a mixture of legislation, non-legislative codes, self-regulation and best practice, structure, culture, and board competency.

“Good corporate governance can provide companies with the tools to prevent fraudulent business practices.”

Good corporate governance can provide companies with the tools to prevent, as well as identify, potentially fraudulent, or other criminal and unethical activities and business practices. In general, the nature of the arrangements that a company should have in place will depend on its size, the nature of its business, the jurisdictions in which it operates and the associated risks that it faces.

Using corporate governance rules and standards to help prevent fraud

The Combined Code

Much of governance goes beyond the legal framework. Company law deals at length with the individual and collective responsibilities of directors, but contains few references to processes, quality standards or outcomes. In the UK there is a system of self-regulation. The Combined Code on Corporate Governance, published by the Financial Reporting Council (FRC), the independent regulator for promoting confidence in corporate reporting and governance, sets out standards of good practice in relation to issues such as board composition and development, remuneration, accountability and audit, and relations with shareholders.

Even if a company is not required to comply with the provisions of the Combined Code, following at least some of its guidelines will enable a company to highlight those areas where the risk of fraud is more likely. Conforming with the Combined Code is considered to be good practice.

The current version of the Combined Code was published in September 2012, and applies to accounting periods beginning on or after 1 October 2012 (for prior reporting periods, earlier versions of the Code will apply, although companies are encouraged to consider whether it would be beneficial to adopt some or all of the new provisions in the revised code earlier than formally expected). It is a requirement for UK companies with a primary listing of shares on the Official List of the UK Listing Authority (“UKLA”) to report on their compliance with the Combined Code and to disclose and explain any ways in which their actual practice differs from the model behaviour laid out in the Combined Code. Such companies are also required to review their arrangements for compliance with the Combined Code annually.

“One of the key tenets is that no one individual has unfettered powers of decision.”

One of the key tenets of the Combined Code is the separation between the roles of chairman of the board of directors and the company’s chief executive, such that no one individual has unfettered powers of decision. Related to this is the requirement that the board comprises a balance of executive and non-executive directors, so that decision making cannot be dominated by any one faction of individuals. In conjunction, these two principles should prevent one director or a small group of senior directors from taking decisions contrary to a company’s best interests. It may be worth reviewing the existing management structure of your company to evaluate the extent to which these principles are observed.
Amongst other principles, the Combined Code suggests the establishment of an audit committee made up of two or three independent non-executive directors, at least one having relevant financial experience. The committee should monitor the integrity of the company’s financial statements, and review internal financial controls and risk management protocols, amongst other responsibilities. Such a committee, distinct from the annual external audit, could operate as a preliminary mechanism for identifying potential fraudulent conduct occurring within a company’s own walls.

The main changes from 2012 to the UK Corporate Governance Code included that boards should confirm that the annual report and accounts taken as a whole are fair, balanced and understandable, that audit committees should report more fully on their activities and that FTSE 350 companies should put the external audit out to tender at least every ten years. As with all existing provisions of the Code, these additions are subject to “comply or explain”.

Other relevant rules and good practice

In addition to the Combined Code, examples of good practice can be found in the new Handbooks published by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), the successors to the now-abolished Financial Services Authority. The Handbooks came into force on 1 April 2013 (www.fshandbook.info/FS). Regulated firms, and companies with a primary listing of shares on the Official List, are required to have in place adequate systems and controls proportionate to the risks that they face. Regulated financial services companies are legally obliged to report financial crime. Compliance procedures should ensure not only that it is difficult for individuals to perpetrate a fraud against the company, but also that individuals cannot become involved in criminal activities during the course of their employment on the company’s behalf. Companies should consider the extent to which fraud prevention is an item regularly on the board’s agenda and whether it is properly discussed.

The FCA also published, in April 2013, “Financial Crime: a Guide for firms”, which provides guidance to firms on steps they can take to reduce their financial crime risk, aims to enhance understanding of FCA expectations and help firms to assess the adequacy of their financial crime systems and controls and remedy deficiencies. The theme of this Guide is that the FCA expects senior management to take clear responsibility for managing financial crime risks, which should be treated in the same manner as other risks faced by the business. There should be evidence that senior management are actively engaged in the firm’s approach to addressing the risks.

“There should be evidence that senior management are actively engaged in the firm’s approach.”

Also in 2012, the European Commission published an Action Plan setting out a series of legislative and other initiatives on company law and corporate governance that the Commission proposes to implement during 2013 and 2014. It includes proposals to: improve the quality of corporate governance reporting; give shareholders more oversight of directors’ remuneration; improve the transparency and conflict of interest frameworks applicable to proxy advisors; require institutional investors to disclose their voting and engagement policies; and develop guidance on collective engagement and the rules on acting in concert.

Depending on the nature and scale of their business operations, companies may also wish to consider implementing “whistle blowing” procedures to enable employees to report the commission of a criminal offence, or a failure to comply with any legal obligation, to an appropriate person within the organisation. Under the UK Corporate Governance Code, listed companies must have whistleblowing policies in place, or explain why they do not. The UK Bribery Act 2010 encourages organisations to have in place ‘adequate procedures’ as a defence to corporate liability provisions, whilst whistleblowing or ‘Speak Up’ policies are recommended in the government guidance accompanying the Bribery Act.

Unlisted companies

In 2010, the Institute of Directors (IOD) and the European Confederation of Directors’ Associations (ecoDa) published Corporate Governance Guidance and Principles for Unlisted Companies in the UK. This document provides guidance for unlisted companies on the issues involved in designing an appropriate corporate governance framework. It also sets out fourteen optional governance principles which are presented on the basis of a phased approach, which takes into account the degree of openness, size, complexity and level of maturity of individual enterprises.

Sources of corporate governance information

In the UK, all companies are compelled by law to have some form of corporate governance in place. The sources of those requirements vary depending on the type of company in question, but include the following:

• Legislation such as the Companies Act 2006, which provides statutory restrictions on the ways in which companies and their directors may operate.

• The Combined Code (www.frc.org.uk/CORPORATE/COMBINEDCODE.CFM).

• Rules set out by the Financial Conduct Authority (“FCA”) (www.fca.org.uk) and trading exchanges such as the London Stock Exchange (in respect of publicly listed companies).

• The FCA Guide: Financial Crime: a Guide for firms, which provides non-binding guidance as to best practice.

• Other corporate governance guidelines such as those published by the Quoted Companies Alliance (www.quotedcompaniesalliance.co.uk).

• The IOD’s Corporate Governance Guidance and Principles (www.iod.com).

• The institutional voting guidelines promulgated by bodies such as the Association of British Insurers (ABI) (www.abi.org.uk) and the National Association of Pension Funds (NAPF) (www.napf.co.uk).

“Whistleblowing or ‘Speak Up’ policies are recommended.”

Conclusions

No fraud prevention system can ever completely eliminate the risk of fraudulent activity; to achieve such a result would inevitably suffocate a company’s ability to function. However, the strategic deployment of resources to address the threat of the highest value fraudulent activity can be effective. Corporate governance, being a broad brush term for principles of transparent and accountable company management, can help in the fight against fraud. Arrangements that seek to mitigate the risks effectively should include:

• Developing a strategy for the management of risks associated with fraud and criminal activities, and for addressing specific fraudulent conduct activities when they arise.

• Clear allocation of responsibility for the management of such risks at senior management and Board level.

• Compliance with all applicable corporate governance standards and rules (e.g. the Combined Code).

• Arrangements for the regular consideration of such issues by the Board.

• Arrangements for the effective supervision and regular review of the company’s internal audit and compliance functions.

“Employees are more likely to follow by example than adhere to a policy document.”

Companies will, of course, need to balance their practical need to trust directors and employees in the appropriate day to day discharge of their functions against the requirement to implement and maintain appropriate systems and controls for preventing fraud. However, limiting the ability of individuals to engage in fraudulent conduct will be a powerful deterrent against any such individuals who are intent on making personal gain at the company’s expense.

Corporate governance needs to be more than a series of well thought out and well written documents and policies; it needs to reflect the way an organisation really behaves and is managed. Honest and ethical behaviour needs to be promoted from the top and form part of the culture of the organisation. Employees are more likely to follow by example than adhere to a policy document that they perceive does not truly reflect reality.

It is important to respond to actual and suspected fraud consistently and robustly. A culture of zero tolerance can act as a deterrent and as effective fraud prevention, not least because it will help to ensure that inappropriate individuals are less likely to join the organisation in the first place.

Management should ensure that everyone knows that fraud includes unethical behaviour even when undertaken with the interests of the business in mind, such as corrupt payments made to secure a valuable contract.

Analysis of an organisation’s own data can often reveal anomalies that should be investigated. There are data analytic software programmes that can be a powerful tool in identifying potential problems.

Finally, here are some suggested questions that management should ask and consider whether they are satisfied with the answers.

• Does management have an adequate understanding of the full range of products and services that the organisation deals in?

• Is the information provided to management in a form that is manageable and helpful? Too much information can sometimes be as unhelpful as too little.

• Is management in a position to make a proper assessment of the fraud risks affecting their business?

• Do you have a fraud response plan to assist you in responding to a fraud in the business, particularly one that could be business critical?

• Is there effective follow up of warning signs?

• Is short term behaviour the most highly incentivised?

• Who is in control of the cash in this organisation? Many surveys highlight the fact that fraud often occurs within the finance function.

Could you spot a POTENTIAL FRAUDSTER?

Profiling is an increasingly common feature of criminal investigations, at least judging by the frequency with which the topic is mentioned in media reports. Does it have any role to play in identifying the perpetrators of a fraud - and perhaps more importantly, alerting organisations to the types of behaviour or personal characteristics exhibited by fraudsters?

Perhaps it does. Many of the larger frauds carried out in recent years have been the subject of study in an attempt to spot recurring features. In this section we draw out some of the most common and striking characteristics of the “typical” fraudster. However, these features are not diagnostic; someone exhibiting several, most or even all of them may nevertheless be an honest, hardworking and loyal employee. These features may just be an indication that some extra scrutiny is appropriate. The characteristics of the “typical” fraudster have been collated by reviewing the Ludwig report published in March 2002, which analysed the fraud committed by Mr Rusnak against Allied Irish Bank and reviews of other frauds, such as Nick Leeson (Barings Bank) and Jerome Kerviel (Société Générale).

An employee who works excessive hours. This could be to access files, make calls or complete forms when no one is around. As a fraud becomes increasingly complex, the fraudster is forced to put in more time and effort to ensure it is undetected. Mr Rusnak, for example, often traded at home and at night.

An employee who does not take long holidays. This could be to prevent the fraudster from having to allocate work to someone who may discover what they are up to. A fraudster who does take time off either due to holidays or sickness may insist that any issues be left for them to sort out on their return. Mr. Rusnak, for example, was allowed to trade while on holiday. Many financial institutions have a strict policy requiring employees to take at least one two-week holiday each year.

An employee who professes to have a very particular and esoteric skill or area of expertise. Mr Rusnak promoted himself as a trader who specialised in options and attempted to take advantage of price discrepancies between currency options and currency forwards. A fraudster may use tactics to blind colleagues with jargon to prevent them from discovering the fraud.

An employee who always appears to be busy. He/she is always about to go into an important meeting and/or says as little as possible about their work unless confronted. Fraudsters may employ such delay and avoidance tactics to avoid explaining too much about their work and drawing attention to the fraud.

An employee who uses password protection on all of his/her documents and systems to prevent any detection of the fraud.

An employee who is an outwardly loyal member of staff who may have worked at the company for several years. Such an employee will know the system, may be given minimum supervision and may have networks of friendly colleagues who may unknowingly help them carry out the fraud. Mr. Kerviel’s fraud was aided by his in-depth knowledge of the control procedures resulting from his previous role in the middle-office.

An affluent lifestyle. Mr Rusnak was cautious and ensured that he gave the impression of only being about as wealthy as his salary and benefits would allow him to be. In many cases however, fraudsters seem to be unable to resist an ostentatious lifestyle and will flaunt expensive cars, houses, holidays and lavish entertaining.

An employee who is in a supervisory role who gives new members of his/her team negative reviews. A fraudster will be keen to stop other colleagues from finding out about the fraud. Look out for employees who have previously received good reviews but who begin to receive negative reviews when moved into another team.

Ways to REDUCE THE RISK of fraud

It is important to establish a set of systems that are tailored to your particular company and industry and which are reviewed on a regular basis. Below are some general tips and some specific lessons from the Ludwig report and other major frauds.

Conduct thorough background checks on job applicants. Fraudsters can often be very charming and convincing at interview. Make sure you carefully check references and gaps in employment and conduct any other background checks you believe may be necessary. (See the next section on Key Employment Law Issues for fraud prevention, as the conduct of such checks has implications under the Data Protection Act (DPA) 1998.) In particular, try to speak on the telephone to an appropriate person at the candidate’s previous employer (and the employer before that if possible). Someone may be willing to sound a warning in a conversation that they would be reluctant to put in writing.

“A lack of segregation within a division may allow fraudsters to hide losses and frauds.”

Set up and maintain strong supervision controls. Mr Rusnak’s trading activities did not receive the careful scrutiny that they deserved; the people mainly responsible for Mr Rusnak’s supervision failed to monitor his trading for an extended period. The Ludwig report recommended a number of supervisory controls, including daily reviews of trades by a qualified supervisor, reviews of exceptions reports (which would show unusually large transactions, large settlement terms and large profit and loss swings), procedures for the creation, monitoring and enforcement of position and trading limits, and monitoring to ensure traders stayed within these guidelines.

Firms should have clear reporting lines. For example, the Ludwig report stated that operational, risk management and compliance reporting lines should be kept separate from business lines to ensure a segregation of duties. A lack of segregation within a division may allow fraudsters to hide losses and frauds from superiors. In the case of AIB, it was not clear who was accountable to whom, and the reporting lines between parent companies and overseas companies were distorted. The lack of clarity was a key weakness which contributed to Mr Rusnak’s frauds remaining undetected for so long.

Successful employees may require more, not less scrutiny. In the case of Nick Leeson, Barings’ management failed to institute a proper system of internal controls to enforce accountability and to follow up on warning signs. Leeson himself stated that the bank would not have collapsed without the incompetence of others and their failure to detect or investigate what was going on.

Set up and maintain strong financial internal controls, e.g. separate accounting duties. For example, ensure two signatories authorise payments / expenses (including for senior employees such as directors), and when authorising payments, ensure that all relevant information has been seen and that there is no room to alter the amounts or to add in additional words or figures. Make sure there are robust systems to verify apparent changes to suppliers’ bank account details, for instance, obtain written confirmation of the change from a known individual at the supplier and follow up with a telephone call. Simple identity checks, such as asking the supplier to confirm the amount of their last invoice, can also help to guard against falling victim to the growing trend in “change of banker” frauds.

Educate employees about fraud, fraud awareness and ethics. Have a clear system to enable employees to report suspected fraud. Consider setting up an internal or external whistle blowing system. Make it clear that employees are encouraged to share any concerns they have (even if they turn out to be unfounded) without fear of reprisals.

Promote a corporate culture, from the top down, of scrupulous attention to ethical and honest behaviour. AIB’s senior management ignored signs of potential wrongdoing and failed to establish robust controls or an environment of honesty and accountability. In the Lynch Report published in relation to Joseph Jett’s fraud against Kidder in the 1990s, some of those who had questions about Mr. Jett’s trading stated that they were hesitant to report concerns about his trading activities.

Senior managers must be adequately knowledgeable and understand the complexities of the products/services their firms offer. The Ludwig report stated that it is critical that supervisors understand their traders’ strategies, models and mathematics and that management should discuss rationale and strategy on a regular basis with a trader, as the individuals who supervised Mr Rusnak did not understand how he was making money with the firm’s capital.
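Several of the controls in this section (two distinct signatories on every payment, including for directors; no self-approval of expense claims, the weakness in Case 2; a verification call before money goes to changed supplier bank details, the weakness in Case 1; and an exceptions report that shows unusually large transactions) can be run as routine checks over a payments ledger rather than left to memory. The following is an added example, not code from the original guide or from Baker McKenzie: it applies those four checks to a small constructed ledger and returns the records a reviewer should look at. The field names, the ledger contents and the "more than five times the payee's median amount" threshold for a large transaction are assumptions made for the example; a real exceptions report would use the firm's own limits.

```python
"""Exceptions report over a payments ledger (added example; constructed data)."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class Payment:
    ref: str
    payee: str                      # supplier or employee being paid
    amount: float
    requested_by: str               # who raised the payment or expense claim
    authorisers: Tuple[str, ...]    # everyone who approved it
    kind: str = "supplier"          # "supplier" or "expense"
    # None: bank details unchanged; True/False: details changed and (not) verified by callback
    bank_change_verified: Optional[bool] = None


def exceptions_report(payments: List[Payment], large_factor: float = 5.0,
                      min_history: int = 4) -> List[Tuple[str, str]]:
    """Return (ref, reason) pairs for every record a reviewer should look at."""
    findings = []
    # Amounts per payee, used to judge what is "unusually large" for that payee.
    history = {}
    for p in payments:
        history.setdefault(p.payee, []).append(p.amount)

    for p in payments:
        distinct = set(p.authorisers)
        # Control 1: two distinct signatories on every payment, directors included.
        if len(distinct) < 2:
            findings.append((p.ref, "fewer than two distinct authorisers"))
        # Control 2: nobody approves their own expense claim.
        if p.kind == "expense" and p.requested_by in distinct:
            findings.append((p.ref, "expense claim approved by the claimant"))
        # Control 3: changed bank details must be verified before money goes to them.
        if p.bank_change_verified is False:
            findings.append((p.ref, "paid to changed bank details without verification callback"))
        # Control 4: unusually large transaction relative to this payee's history
        # (only once there is enough history for a median to mean something).
        amounts = history[p.payee]
        if len(amounts) >= min_history and p.amount > large_factor * median(amounts):
            findings.append((p.ref, "amount far above the usual amount for this payee"))
    return findings


# Constructed ledger for illustration (assumed values, not real transactions).
SAMPLE_LEDGER = [
    Payment("P1", "Acme Widgets Ltd", 1000.0, "clerk1", ("alice", "bob")),
    Payment("P2", "Acme Widgets Ltd", 1200.0, "clerk1", ("alice", "bob")),
    Payment("P3", "Acme Widgets Ltd", 950.0, "clerk1", ("alice", "bob")),
    Payment("P4", "Acme Widgets Ltd", 1100.0, "clerk1", ("alice", "bob")),
    # Case 1 pattern: large payment to newly changed bank details, no callback recorded.
    Payment("P5", "Acme Widgets Ltd", 25000.0, "clerk1", ("alice", "bob"),
            bank_change_verified=False),
    # Case 2 pattern: a finance manager approving his own expenses, alone.
    Payment("E1", "dave", 3200.0, "dave", ("dave",), kind="expense"),
    # The same person signing twice is not two signatories.
    Payment("P6", "Beta Supplies", 500.0, "clerk2", ("carol", "carol")),
]


def run_sample() -> List[Tuple[str, str]]:
    return exceptions_report(SAMPLE_LEDGER)


if __name__ == "__main__":
    for ref, reason in run_sample():
        print(f"{ref}: {reason}")
```

The value of such a report is that it is produced every time, not only when someone happens to be suspicious; the Case 2 fraud continued because the audit finding was never turned into a check that ran on each claim.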

Set up holiday guidelines. Some banks have a guideline that bars traders from trading two weeks per year. In March 2008, the FSA (now the FCA) recommended that firms require two week holidays which would allow other colleagues to inspect traders’ books and ensure they were valued correctly. Another guideline would be to require that a second employee take over from another employee who is away sick or on leave regardless of the level of trust attributed to the employee.

Perform regular and irregular audits. Audits of expenses claims should include senior executives.

KEY EMPLOYMENT LAW ISSUES for fraud prevention

Data protection concepts

Personal data: Information about identifiable living individuals. This includes expressions of opinion about an individual and any indication of the intentions of the employer in respect of him or her. “Sensitive personal data” is awarded a higher level of protection. This includes information on criminal convictions, ethnicity, political opinions, religious beliefs, trade union membership, and medical information.

Privacy legislation: The combination of the Data Protection Act (“DPA”), the Regulation of Investigatory Powers Act (“RIPA”) and the Human Rights Act means that UK employees are afforded a qualified right to privacy at work. Interference with the right can be justified, by demonstrating that there is a legitimate reason for the interference and that the method chosen is proportionate to that reason.

Data controller: The company which determines why and how personal data are processed. You, as an employer, will be a data controller.

Data protection principles: Eight principles in the DPA stating that personal data must be:

• processed fairly and lawfully,

• obtained and processed for one or more specified and lawful purposes,

• adequate, relevant and not excessive in relation to those purposes,

• accurate and up-to-date,

• not kept for longer than necessary,

• processed in accordance with the data subject’s rights under the DPA,

• secured by appropriate technical and organisational measures that protect against unlawful processing and/or accidental damage or loss, and

• kept within the EEA and not transferred outside the EEA unless there is an adequate level of protection for personal data.

“Employers should balance the need to “screen” candidates against the privacy of individuals.”

Vetting and screening issues

“Screening” employees during the recruitment process can be an effective way to reduce the risk of fraud in the workplace. It enables employers to filter out individuals who could pose a significant threat to a company’s business, customers or clients, before they have had the chance to set foot on premises or access company systems. Checks range from verifying information provided during the application stage, such as taking up references, checking qualifications and carrying out identity checks, through to criminal records and credit checks.

When are checks permitted?

Employers should balance the need to “screen” candidates to prevent fraud against the privacy of the individuals concerned. Wherever possible, employers should look to verify information already provided to them during the application process. Vetting enquiries made direct to third parties (such as criminal record or credit reference checks) are naturally more intrusive and should only be used where:

• There is a significant risk of harm to the business, customers or clients if the role is offered to an “unsuitable” individual.

Preventing and investigating fraud in the workplace | 21 • Verification of information provided by the applicant may not be adequate to protect against fraud. This may be avoided where, for example, a candidate will not have access to company computer systems and/or confidential information and, as a result, the potential fraud risks are relatively low. Many employers do routinely carry out comprehensive background checks for all candidates, on the basis that the risk of fraud is significant. This is particularly so within the financial services industry. There is also the option of engaging organisations offering a “one-stop shop” service, which can handle all preemployment background checks on an employer’s behalf.

Checks should only be carried out once a firm offer of employment has been made. The offer can be made subject to satisfactory results from the checks. It is a good idea to implement a background checks policy to cover these points.

Identity checks

A simple way to safeguard against fraud is to check if the new employee is who they say they are. The safest approach is to ask the individuals to produce identification with a photograph (e.g. passport, driving licence etc) and proof of address such as a council tax bill, bank or mortgage statement. The applicant should be asked to provide original documentation following an offer of employment. The employer must, in any case, check that the candidate has the right to work in the UK, which entails obtaining various identity documents.

Criminal records checks

Criminal records checks can be obtained from the Disclosure and Barring Service ("DBS") or Disclosure Scotland (the Scottish equivalent of the DBS, which also has access to records for the whole of the UK). The DBS is a government agency providing controlled access to criminal records. Blanket criminal records checks are not permitted, but limited checks may be lawful where proportionate to the risks and where relevant to the job position in question (e.g. financial-related roles).

It is becoming increasingly common for prospective employers to run general internet searches, for example using Facebook and LinkedIn, as a form of background check. The UK's data protection authority (ICO) takes the view that such searches are unlawful in the absence of . Such searches could also expose the company to allegations that personal information was used in a discriminatory manner, which could undermine any action taken to address allegations of fraudulent behaviour.

Two levels of disclosure are available direct to organisations: Standard disclosures and Enhanced disclosures. Standard disclosures are only available for individuals in certain specific professional/regulated roles (e.g. legal, accountancy and Financial Services and Markets Act (FSMA) approved roles - see below). Enhanced disclosures are more comprehensive checks and can only be obtained for very limited groups of individuals - e.g. those who will be working with children or vulnerable adults, or if there are national security considerations.

Basic disclosures

Where standard or enhanced disclosures are not available, employers can ask candidates to obtain a Basic disclosure. A Basic disclosure is a less comprehensive form of check currently only available from Disclosure Scotland, which covers "unspent" convictions only and is provided direct to individuals. The process for obtaining a basic disclosure is relatively simple - the individual simply completes an application form and pays a £25 fee. Typically employers offer to pay the fee and assist the applicant to complete the form. When making the application, individuals are given an option to send a copy of the disclosure direct to their employer.

FSMA approved roles

Applicants for FSMA approved roles should be asked to provide details of any relevant convictions (which would include fraud offences), including spent convictions. In addition, employers are able to apply for Standard disclosures for these candidates.

Credit references

Credit checks can be a useful tool to help to identify unsuitable candidates, particularly those who have applied for a role in the financial services industry or who will come into contact with or have responsibility for company or client funds. Employers often take comfort from confirmation that an applicant appears to have a responsible attitude towards their own personal financial obligations. Equally, a poor credit history may call into question whether an applicant can be trusted to act responsibly and appropriately with the company's or their clients' money, albeit it would be unusual to reject a candidate purely on the basis of a poor credit score.

Credit references should only be obtained if the employee , and only from one of the regulated credit reference agencies (such as Callcredit, Equifax or Experian). Information held by the credit reference agencies includes information in the public domain such as electoral roll information, bankruptcies, county court judgments, insolvencies etc. Most lenders also provide information on their customers to these agencies.

Results of criminal records or credit checks

When making an employment decision, it is important to consider the results of the checks carefully and on a case-by-case basis. Thought should be given to whether the result of the check is relevant to the job role in question and therefore affects the candidate's suitability for the role, and whether it is relevant to the interests you are seeking to protect.

MONITORING staff phone calls, email and internet use

Monitoring employees’ communications may be acceptable where it is necessary to protect the company, for example because a real and immediate risk of fraudulent activity or other financial irregularity has been identified, or because it is necessary to protect the interests of a third party, such as a customer. Blanket or continuous monitoring as a preventative measure because of a perceived risk of fraud will be difficult to justify.

Whatever type of monitoring is undertaken, it must satisfy one of the data processing conditions set out in the Data Protection Act (DPA), and monitoring systems must be properly secured. Employees who are the subject of monitoring or surveillance should receive full information about how and when it might occur. These concepts are explained more fully below. In addition to concerns under privacy legislation, certain forms of monitoring, such as purely gratuitous screening, may also breach the term of trust and confidence between employer and employee, which is implied by law into all employment .

When can monitoring be permissible?

The employer must be able to satisfy one of the conditions for data processing set out in the DPA, each and every time it introduces a particular form of monitoring. In the fraud context, the prevention of harm to the business or to customers is likely to allow the employer to establish that monitoring is necessary "for the purposes of legitimate interests" pursued by the data controller, particularly if there have been previous incidents. Theoretically, consent can also legitimise a range of intrusions into employees' rights. However, consent is typically considered not to have been freely given in the employment context. In addition, in the context of a specific investigation, it will often be impractical to obtain consent. If consent is sought it must be fully informed: an employer must therefore ensure that it provides full information to employees about any monitoring activities (see below). When an employer is monitoring communications which contain sensitive personal data or transferring information obtained as a result of his searches outside the European Economic Area, the available justifications are much narrower than is the case for ordinary personal data. In the context of sensitive personal data, an employer may for example be able to defend his actions on the basis that they are necessary for establishing, defending or exercising his legal rights. However the actions must be reasonably necessary for this purpose and not purely convenient. The Information Commissioner's Office is likely to take a narrower view of what might be necessary than an employer. If fraud is suspected it will be easier to find a suitable justification.

Proportionality

Where an employer can rely on its legitimate interests (e.g. in the prevention of harm to the business) to justify monitoring, it must also ensure that it balances those interests against the adverse impact on other affected groups. This balancing act is known as proportionality. Other affected groups may include employees and third parties such as customers, whose data protection rights might be infringed if the employer is reviewing emails or listening to communications.

Any monitoring activities should not be excessive in relation to the company's interest in fraud prevention. For example, it may not achieve an appropriate balance between the interests of the company and its employees to monitor emails in an entire department when only one or two individuals are suspected of fraudulent activity. Similarly, in the absence of a real risk that your computer systems are being used to perpetrate a fraud, it will be difficult to justify highly intrusive forms of monitoring such as reviewing email content and checking websites visited by employees. Where fraud is suspected it becomes easier to justify a targeted intrusion. If the company's aims can be achieved as effectively through other means, monitoring may not be appropriate. In addition, you should consider whether less intrusive forms of monitoring are feasible and would be effective. For example, auditing expense reports might be a more proportionate reaction to concerns about inflated expense claims rather than monitoring telephone calls and the contents of emails. Monitoring must be proportionate to a legitimate aim and your monitoring systems must be properly secured. Equally, the scope of the methods selected will be important - spot checks, for instance, might be more appropriate than continuous monitoring. Similarly, using software programmes with keyword searching capabilities might achieve a more appropriate balance than manual surveillance of electronic communications. Employers should also limit the date ranges searched. The Employment Practices Data Protection Code (published by the ICO) recommends that employers undertake "impact assessments" to demonstrate that they have struck an appropriate balance between respecting employees' privacy and protecting the business.
This entails identifying the business objectives behind the monitoring and the likely impact on employees, before considering alternative forms of monitoring and/or different ways to protect the business.

Provision of information

The provision of full information is vital to compliance with privacy legislation. You should inform employees not only that particular communications may be monitored but why, how the information will be used, and to whom it will be disclosed. If you opt to include such information in an electronic communications policy, you should draw to employees' attention the contents of the policy, via induction programmes, training, and/or computer "log-on" messages. You should also periodically remind employees of your monitoring practices. In addition, it is important to comply with requests to access the results of any monitoring and to retain the data obtained in accordance with a retention policy.

Is covert monitoring lawful?

Monitoring is covert when it takes place secretly, without informing employees. As this is highly intrusive, it is likely to be justified only in very rare circumstances (generally, only if a crime or some activity of equivalent seriousness is suspected, and even then only where it is appropriately limited in scope and duration, and overt monitoring is likely to prejudice the detection of the misconduct in question). If applied universally, covert monitoring is almost certainly unacceptable.

Intercepting communications

RIPA regulates the monitoring of private telecommunications systems, such as systems for recording telephone calls, blocking emails or monitoring internet usage. Communications are protected when they are "in the course of transmission" (i.e. telephone calls as they take place, or emails before they are read). Accessing communications after they have been sent or received will generally fall outside RIPA, but this would not be the case if, for example, unopened emails are reviewed. A breach of RIPA can constitute a criminal offence. Additional regulations implemented under RIPA provide for circumstances where, in a business context, it is lawful to intercept communications without consent. Several options are relevant in the context of suspected employee fraud, including where interception is to prevent or detect crime, or to ascertain compliance with regulatory practices or procedures.

"Monitoring in practice" - what steps can an employer take?

None of the privacy legislation explicitly prohibits all monitoring of employee communications. Having said that however, any monitoring (especially in the absence of any specific suspicion) should be undertaken only in accordance with strict safeguards. There is no hard and fast rule as to what is permissible and what is not. However:
• Identify your specific reasons: what are the areas of risk and how can these risks be mitigated?
• Are there any less intrusive means of reducing those risks which would prove as effective or nearly as effective? If so, use them.
• What are the adverse consequences to employees of undertaking the specific methods you have identified, and how can they be reduced?

In other words, do the circumstances and grounds for suspicion justify the potential intrusion? If the employer wishes to undertake preventative monitoring the answer to this question in relation to the vast majority of employees within the organisation will rarely be yes. Instead, outside certain specific sectors such as the financial services sector, the employer should only use monitoring which is effectively on all the time in a very targeted way - for example, by use of keyword searches aimed at specific groups, and periodic spot checks rather than continuous monitoring. Generally it is helpful if the employer can point to specific incidents in the past which have heightened the sense of risk. In addition the company should:
• Check that full information has been given about who may monitor what, when, and for what purposes, how long the results of the monitoring will be retained and who will have access to them.
• Always clearly define in advance of any specific search the parameters of the search including: the key search terms, the specific names, dates and timeframes around the search.
• Document its reasons and justifications for monitoring.
• Start small and expand as necessary, rather than the other way around.
• Avoid interference with obviously private communications or materials.
• Avoid undertaking measures which result in humiliation (conduct searches outside office hours etc).
• Never use the results of monitoring for purposes other than those notified to the employee.
• Give those accused a full opportunity to make representations once confronted.
• Retain the information only for so long as is necessary for the purpose for which it was collected.
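One way to make a targeted keyword search honour these safeguards in practice, as an added example that is not from the guide: a small Python helper that refuses to run without a documented justification, named custodians, agreed search terms and a bounded date range, examines only mail inside that scope, returns message ids rather than content, and records a deletion date. The span ceiling, retention period, mailbox records, names and search terms are all assumed.

```python
"""Scoped keyword search over a mailbox export, written to enforce the safeguards
listed above: parameters fixed before the search, named custodians only, a bounded
date range, a documented justification and a retention limit on the results.
Added example; message records, names, terms and dates are all constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class SearchScope:
    """Everything that must be defined in advance of a specific search."""
    justification: str             # documented reason for this search
    custodians: tuple[str, ...]    # named mailboxes under suspicion, not a department
    keywords: tuple[str, ...]      # agreed key search terms
    start: date
    end: date
    max_span_days: int = 90        # assumed ceiling; stops open-ended trawling
    retention_days: int = 180      # assumed period results are kept after the search

    def validate(self) -> None:
        if not self.justification.strip():
            raise ValueError("search requires a documented justification")
        if not self.custodians:
            raise ValueError("search must name specific custodians")
        if not self.keywords:
            raise ValueError("search must define key search terms")
        if self.end < self.start:
            raise ValueError("date range is inverted")
        if (self.end - self.start).days > self.max_span_days:
            raise ValueError("date range exceeds the agreed span; narrow it")


def scope_is_valid(scope: SearchScope) -> bool:
    """True when the scope passes every safeguard, False otherwise."""
    try:
        scope.validate()
        return True
    except ValueError:
        return False


@dataclass
class Message:
    msg_id: str
    mailbox: str
    sent: date
    subject: str
    body: str


@dataclass
class SearchRecord:
    """Audit entry: what was searched, why, what matched and when to delete it."""
    scope: SearchScope
    examined: int = 0
    hits: list[str] = field(default_factory=list)   # message ids only, not content
    delete_after: date | None = None


def run_scoped_search(scope: SearchScope, messages: Iterable[Message]) -> SearchRecord:
    """Examine only the named custodians inside the agreed window and record hits."""
    scope.validate()
    record = SearchRecord(scope=scope,
                          delete_after=date.today() + timedelta(days=scope.retention_days))
    wanted = {c.lower() for c in scope.custodians}
    terms = [k.lower() for k in scope.keywords]
    for m in messages:
        # Mail outside the scope is never opened, let alone keyword-matched.
        if m.mailbox.lower() not in wanted or not (scope.start <= m.sent <= scope.end):
            continue
        record.examined += 1
        text = f"{m.subject}\n{m.body}".lower()
        if any(t in text for t in terms):
            record.hits.append(m.msg_id)
    return record


# Constructed mailbox export for the demonstration.
SAMPLE_MAILBOX = [
    Message("m1", "a.clerk", date(2015, 3, 2), "Supplier bank details",
            "Please update the sort code and account number for Acme Ltd."),
    Message("m2", "a.clerk", date(2015, 3, 10), "Lunch", "Pub at one?"),
    Message("m3", "b.manager", date(2015, 3, 5), "Sort code change", "Forwarding."),
    Message("m4", "a.clerk", date(2015, 1, 15), "Bank details", "New account number attached."),
]


def example_search() -> SearchRecord:
    """One clerk, one month, two agreed terms, reason recorded before running."""
    scope = SearchScope(
        justification="Supplier reported non-payment; payments redirected from a.clerk's queue",
        custodians=("a.clerk",),
        keywords=("bank details", "sort code"),
        start=date(2015, 3, 1),
        end=date(2015, 3, 31),
    )
    return run_scoped_search(scope, SAMPLE_MAILBOX)


if __name__ == "__main__":
    rec = example_search()
    print(f"examined {rec.examined} messages, hits {rec.hits}, delete after {rec.delete_after}")
```

Only two of the four sample messages are examined at all (the manager's mailbox and the January message fall outside the scope), and the audit record is what an employer would keep to show the reasons and parameters were fixed before the search was run.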

References: can a prospective employer rely on a reference?

Obtaining employment references can be a useful tool in helping to prevent workplace fraud and references should always be requested. However there is no general obligation to provide one. Good practice also dictates that you seek prospective employees' consent before requesting a reference.

Is there an obligation to provide a reference?

An obligation may arise in certain circumstances, such as where employees' contracts require the provision of a reference, where this is normal practice for the type of work carried out by the employee, where you have given a binding commitment to provide a reference (for example in a settlement agreement) or where the regulatory environment requires a reference to be provided for the role. Employers are also under a statutory obligation to provide written reasons for dismissal in certain circumstances. Refusing to provide a reference in certain circumstances could lead to a discrimination/victimisation claim and therefore to uncapped compensation for economic loss and/or injury to feelings.

Those employers who are regulated by the Financial Conduct Authority (FCA) and/or the Prudential Regulation Authority (PRA) must comply with specific additional requirements. Where an individual proposes to perform one of certain controlled functions for a new employer (for example, acting as an investment or corporate finance adviser), the former employer must provide the new employer with "all relevant information of which it is aware" as soon as reasonably practicable. This includes information relevant to an assessment of whether the employee is "fit and proper" for FCA/PRA purposes, taking into account their honesty, integrity and reputation, their competence and capability, and their financial soundness. In any case, if you have reasonable grounds to suspect such an employee has participated in fraudulent activities, you should inform the FCA/PRA.

Can specific content be required from a former employer?

Except in regulated roles there is no obligation to go into great detail in the references and most employers are extremely cautious:
• The courts have recognised that an employee (or a future employer) can sue an employer who negligently provides an inaccurate, untrue or unfair reference. The data protection principles echo this requirement for references to be accurate and relevant.
• The subject of the reference enjoys protection against , as well as against malicious falsehood, which occurs when an untrue reference is given despite the referee knowing it is untrue, or being reckless as to whether it is true.
• The FCA/PRA would be concerned to ensure that references are not unduly positive, for example where this could be misleading as to the individual's propensity to being involved in financial crime. This might be relevant, for example, if an employee resigned while a disciplinary investigation was ongoing.
• If you nevertheless provide a reference, you are under an obligation to exercise due skill and care in its preparation. You may give frank and honest views, but only after taking reasonable care to verify both factual content and opinions. The reference must be accurate and based on "documented fact".

Personal references

References are sometimes provided by the employee's colleagues in a personal capacity. In such a case that individual will be legally responsible for the contents of a reference.

Access rights - confidentiality and data protection

Employees are entitled to access references that you hold about them, as references are likely to constitute personal data. An exemption in the DPA states that you can refuse to provide a confidential reference that you have written about an employee, although you can choose to provide it (and it will often be reasonable to do so). The exemption does not extend to references that you have received from someone else. However, these may constitute personal data about the referee (i.e. their opinion) and you would therefore have to balance your duty of confidentiality towards the referee with the employee's interests. Usually, it will be appropriate to release a reference, particularly if it is feasible to conceal the referee's identity, the referee has consented to being identified, or the reference has significantly affected the employee (for example by leading to a conditional job offer being withdrawn). Factual information such as employment dates and absence records will already be known to the employee and should therefore be provided.

Can INSURANCE help to manage fraud risk?

Even with the best fraud prevention strategies, you will not be able to eliminate fraud risk completely. Insurance can be a useful tool for transferring some of the residual risk to a third party. Specialist products are also available for particularly vulnerable industries, such as banking and fund management.

Whatever policy or combination of policies you choose, it will not protect you against all eventualities, and it is important to understand the terms and conditions of your policy in order to appreciate where the gaps are. The most significant restriction in this context is that you cannot insure the business against criminal or regulatory penalties (typically fines). The reasons for this are partly legal and partly commercial. From a legal point of view, insuring against criminal and regulatory penalties is considered contrary to public policy, since the penalties would lose their deterrent effect. A policy which included such a provision could be void. Commercially, no insurer wants to take on the risk of insuring businesses against their own criminal or regulatory breaches, because the potential for bad faith is too great. What insurance policies can cover, however, is the cost of compensating third parties and paying the legal costs associated with defending a claim (whether criminal or civil).

Below is a checklist of points to remember in order to get the most out of your insurance policy:
• Disclose everything which could be relevant to the insurers before the policy comes into effect, and whenever the policy is renewed. Otherwise, the policy could be invalidated. Take advice from a broker on what to include.
• Check the terms of the policy carefully before purchasing it, especially any exclusion clauses, to ensure that you understand what protection you are buying.
• Notify claims promptly and follow any procedure laid down in the policy - otherwise the insurers may be able to refuse to pay the claim.
• Co-operate with the insurer's requests for information, even if they seem burdensome. Disputes about insurers' entitlement to information are usually fruitless and an expensive distraction from the real issues. Your lawyers will be able to advise you on setting up an information-sharing protocol to maintain privilege over the information and avoid having to disclose it in court (where applicable).
• Obtain the insurer's agreement before instructing lawyers, experts etc, if time permits, as this is often a precondition of receiving payment.
• Do not make admissions or begin settlement talks (directly or indirectly through mediation etc.) without the insurer's consent unless absolutely necessary, as otherwise the insurer may be entitled to refuse to pay.

You should ask your broker about the following insurance products:
• Fidelity insurance (also referred to as "employee dishonesty insurance") to protect the business against losses it may suffer directly (e.g. if an employee steals company assets, misuses confidential information or sabotages a computer system) and against compensation payments it may have to make to third parties as a result of an employee's dishonesty.
• Corporate identity protection to protect the business against the cost of compensating customers for data protection breaches that may be associated with a fraud (and related legal costs).
• Directors' & officers' insurance (D&O) to protect the company's directors and officers (and in some cases senior employees) against the cost of participating in a regulatory investigation or defending allegations that they have been involved in dishonesty and against potential claims by shareholders for failing to prevent a fraud. Some D&O policies also provide "crisis communications cover" - a contribution to the cost of hiring a PR agency to protect the company's image when a fraud has been discovered.

What POLICIES AND PROCEDURES should you have in place in case fraud occurs?

Appropriate policies play a dual role of: (i) setting out clearly to employees (and other parties who may have access to the company’s IT systems or other information) the expectations of the company and the parameters within which individuals are permitted to operate and; (ii) legitimising action taken as a result of a breach of any policy, such as disciplinary action or the termination of third party contracts.

What policies do you need?

To protect the company's interests, implementation of specific policies covering the following issues should be considered:
• Data protection compliance policy, informing employees of the terms on which their personal data may be assessed and the terms on which employers' IT systems may be used and processed to ensure the company meets its obligations under data protection legislation.
• Information security policy, instructing individuals of practical and technological steps that must be taken and rules that must be adhered to.
• Monitoring policy, either separate to or part of the above policy, an organisation should clearly and fully inform employees of the types of monitoring activity undertaken by it, who will have access to the data collected and why such activities are undertaken (see the section on monitoring for more details).
• Whistleblowing policy, informing individuals of reporting mechanisms in the event of any suspicion of fraud or other (see the whistleblowing section on page 17). The whistleblowing policy and the mechanism used to report the fraud should be publicised. The culture that the employer promotes should be that employees can come forward without fear of reprisals.

These policies will operate alongside other "traditional" employment policies and practice:
• Your disciplinary rules and procedures. The disciplinary rules, supplemented by ethical codes of practice, should leave employees in no doubt about the standards of conduct expected of them in relation to financial matters.
• Training. Where some of the rules to which employees are subject are technical, training is also recommended to stop employees asserting that they did not know, or did not understand, the rules. The rules should include a right to suspend on pay while investigations are pursued.
• You should have a clear expenses policy which sets out the types of expenses which can be claimed and in what circumstances. The policy should be supplemented by internal rules on authority to bind the company and the levels of expenditure which require specific approval.

Contractual provisions in employment contracts

When getting their house in order, employers should also consider whether they can enhance their prospects of preventing or detecting fraud early by inserting appropriate provisions in employment contracts. In reality provisions such as those listed below are of limited legal effect, but can operate as a deterrent and are part of the armoury in the fight against fraud. The following contractual provisions could be considered:
• Provisions requiring employees to take holiday in the year it is accrued and not to carry forward holiday except in exceptional circumstances. Although an employer cannot always oblige an employee to take holiday if he or she does not wish to do so, managers should still be trained on how to encourage the take-up of holiday.
• Provisions requiring employees to render exclusive service and not to put themselves in a position of conflict.
• Provisions requiring the disclosure of wrongdoing. Such a clause would require an employee to disclose the wrongdoing of others about which he is aware and is important for manager level positions. In addition, such a clause should require the employee to disclose his own wrongdoing. Such clauses are recommended because, except in the case of fiduciaries, there is no clear implied obligation to disclose your own or another's wrongdoing. Again, if the employee breaches this provision there is in fact little that an employer can do to compel compliance (and an employee is more likely to be dismissed for the matters constituting the fraud than a failure to own up to it). However the existence of such a term will operate on a psychological level, particularly during an investigation.
• Provisions permitting suspension on full pay and garden leave. Both may be useful in response to a fraud and give the employer greater flexibility and freedom when carrying out investigations into allegations of fraud.

Data Protection compliance (including data security)

Fraud or cases of IT misuse frequently take place due to the absence of basic controls, whilst information security management enables information to be shared at the same time as ensuring the protection of information and assets. Effective data protection compliance itself plays an important role in preventing and detecting fraud. Those who will be responsible for the detection and investigation of fraud should be fully schooled on an organisation's data protection policies and trained on the requirements of the DPA and other privacy legislation. This will require effective inter-departmental communication between IT, HR and the business heads who should all be aware of the obligations in this respect. They should, for example, be trained on the use and content of impact assessments and the protective steps and measures that they will need to adopt when monitoring or responding to allegations of fraud. They should understand the limitations on their freedom of action in instructing investigators and choosing technology to combat fraud. Systems designers and systems purchasers should understand an organisation's responsibility for data protection compliance. One person should be appointed to be accountable for any investigations/monitoring activities and to make sure that each of the stakeholders is complying with privacy requirements.

The threat of fraud can be external as well as from within. Companies should also be aware of the risk of fraud perpetrated through the loss of employee or customer data and should take appropriate security measures to protect the personal data they hold. By requiring specific security measures and implementing appropriate procedures, data protection compliance can both remove (or at least reduce) the opportunity for fraud to be committed as well as assisting in an audit trail should fraud be uncovered or suspected.

Data protection compliance policies should unambiguously inform individuals of the security measures that must be put in place to protect an organisation's information and property, including both technological measures (such as encryption, password protection and use of appropriate protection software) as well as physical measures (such as physical security of files and equipment and restrictions on use of portable storage devices). Clear rules on the acceptable use of the company's systems (dealing with issues such as downloading software, use of internet and email and transmitting information electronically) should also either be incorporated into the data protection compliance policy or a separate document. Other issues that should be covered in data protection compliance policies include:
• Required steps in the event of a breach of security being discovered (including reporting, responding to and resolving security threats).
• An explanation of minimum standards, procedures, requirements and objectives of particular importance to the business.
• Details of roles and responsibilities for information security.
• Details of who to go to should a breach occur.

Companies developing information security policies may be assisted by referring to the ISO/IEC 27000-series, comprising information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides best practice recommendations on information security management, risks and controls. All policies should inform individuals of the consequences of failure to comply with the requirements of the policy, which in the case of employees would be possible disciplinary action (up to and including dismissal).

Data security breaches
In most cases there is no freestanding legal obligation in the UK to inform any other party in the event of a data security breach, although companies may have taken on such an obligation under contract and some other jurisdictions do have legislation requiring notification. The Information Commissioner’s Office has published best practice containing guidance in relation to data security breaches. The guidance offers advice on the best approach in the event that a data breach is discovered or suspected and is divided into sections covering the following areas: (i) containment and recovery, (ii) assessment of ongoing risk, (iii) notification of breach and (iv) evaluation and response.

Monitoring
In appropriate cases, employers should consider whether to implement a system of monitoring for fraudulent activities, for example the use of automated software to monitor email communications. The monitoring of employees or other individuals within the workplace raises potential privacy and data protection issues, and in summary the following considerations will be relevant:
• Establishing a clearly defined and legitimate objective for monitoring.
• Considering if there are other, less intrusive ways of achieving this objective.
• Ensuring that the monitoring is conducted in the least intrusive way possible.
• Clearly informing employees and any other individuals who are subject to the monitoring that it is taking place and the underlying purpose.

Any monitoring that involves the “interception” of communications (including telephone calls and emails) must also fall within one of the limited exceptions to the Regulation of Investigatory Powers Act 2000. For further details please see the section on monitoring.

Enabling employees to report fraud

Employers generally, and particularly those in a highly regulated environment such as the financial services industry, should put in place clear procedures to enable reporting of suspected fraud or similar wrongdoing.

An employee is legally protected from suffering any negative impact as a result of making a disclosure about a suspected legal wrongdoing - they do not need to have made the report under a specific policy or procedure. A clear policy for whistleblowers that explains how someone can make a report and that clearly provides that there will be no resulting retaliation can assist companies in uncovering fraud that may not otherwise be reported, and can encourage reporting through specified channels of communication.

Protection for whistleblowers - Public Interest Disclosure Act 1998 (PIDA)
PIDA was implemented to protect workers (meaning employees and the broader category of individuals providing services personally) from dismissal, victimisation or any other detriment by their employer as a consequence of blowing the whistle about illegal practices in the workplace. It was implemented in response to a number of high profile disasters, such as the Piper Alpha, Clapham Junction rail and the Herald of Free Enterprise incidents, where employees were found to have been aware of risks but had either feared raising the matter or had failed to raise the incident properly.

PIDA gives protection (now incorporated within the Employment Rights Act 1996) to workers who have made a “qualifying disclosure”, which is a disclosure of information that the worker reasonably believes shows that one of the following has occurred, is happening now, or is likely to occur in the future:
• A criminal offence.
• A failure to comply with a legal obligation.
• A miscarriage of justice.
• Danger to an individual’s health or safety.
• Environmental damage.
• Concealment of information relating to any of the matters above.

The disclosure must be made to the employer, or to certain external parties (such as the FSA, the Civil Aviation Authority etc.). PIDA also covers conduct that takes place outside the UK. The concept of a protected disclosure is a wide one and has been interpreted broadly by the UK Employment Tribunals. PIDA has, for example, been held to cover complaints about an actual or likely breach of the individual’s own employment contract, despite the lack of any evident public interest. The UK government has attempted to curb this tendency for a broad interpretation, and PIDA was amended with effect from 25 June 2013 to include an additional requirement for disclosures to be “made in the public interest”.
There is however no definition of “public interest” and so employees are likely to continue to seek wide-ranging protection.

If an employee suffers a detriment as a result of having made a protected disclosure he can bring a claim in the Employment Tribunal and recover for any actual loss he has suffered (for instance, non-payment of a bonus) as well as damages for injury to feelings ranging from £660 to £33,000 (depending on the severity of the detrimental treatment). If an employee is dismissed he can claim unfair dismissal damages for future loss of earnings, which are uncapped. For both types of claim, the Tribunals have discretion to reduce compensation by up to 25% if they consider that a disclosure was not made in good faith. Individual employees can also be personally liable if they victimise colleagues who have blown the whistle.

Why have a whistleblowing policy?
• A large number of frauds are discovered as a result of a tip off.
• Internal procedures that are readily accessible and which workers are encouraged to use are more likely to result in internal disclosure to the employer, rather than external disclosure (the risk of which a whistleblowing policy will help to reduce).
• It will reduce the risk of undiscovered fraud and other malpractice in the workplace. This can help to minimise the level of damages that an employer would face in the case of a fraud, and the level of sanctions that are imposed by the applicable enforcement authority.
• A whistleblowing policy that is communicated effectively helps to increase the confidence of employees to come forward without fear of reprisals. It can also increase the confidence of clients and shareholders and enhance the public reputation of the business.
• Certain organisations are required to put in place mechanisms for reporting financial irregularities, e.g. those regulated by the Securities and Exchange Commission.
• It can put the employer in the best possible position to defend claims brought by its employees and can be used as mitigation by an employer who is being investigated for fraudulent activity.

What should a whistleblowing policy contain?
• The policy should explain the types of malpractice that should be disclosed (and distinguish between disclosures covered by the policy and personal grievances).
• Employees should be under an obligation to report concerns that fall within the scope of the policy.
• The policy should confirm that employees who report concerns will not be subject to any detriment.
• The whistleblower’s identity should be kept confidential so far as reasonable.
• An internal reporting procedure should be clearly set out and should identify appropriate internal persons for reporting - this will depend on the size of the organisation but can include line manager, senior manager, ethics and compliance officer, board of directors. There should generally be several different internal contacts to whom employees can make a report.
• The policy should stipulate what action the company will take when a concern is reported. Ideally the person who takes a decision on the complaint will be different from the person who investigates it. The policy should also state how/whether the outcome of the investigation will be reported to the whistleblower and in what circumstances the whistleblower may be able to appeal the decision.
• It must be clear that abuse of the system, e.g. malicious complaints, may result in disciplinary action.
• Global policy? Employers understandably want a global policy; however, the approach to whistleblowing across Europe and in particular the impact of data protection legislation may mean that an employer cannot have a single effective global policy.

Whistleblowing hotlines
Many organisations use whistleblower hotlines (often operated by a third party) to enable employees to report a concern safely and confidentially. The whistleblower hotline can be incorporated into a whistleblower policy as an alternative means of reporting concerns. For US listed companies the operation of a hotline is compulsory under the Sarbanes-Oxley Act of 2002 (SOX). Under SOX, employees of any group company of a US listed company must be able to report confidentially and anonymously. European law does not, however, sit easily with the SOX requirements for allowing anonymous reporting. Not only does anonymous reporting allow for the possibility of malicious complaints with impunity, but investigations will be hampered when they are based on an anonymous disclosure because of the limitations on making further lines of enquiry. Therefore, to the extent that SOX is not applicable, any whistleblowing policy should encourage reporting on a named, confidential basis. Even where a company is bound by SOX requirements, anonymous reporting should be strongly discouraged.

Data protection considerations
In the UK there are no formal rules or guidelines for processing data which is disclosed or processed as a result of a whistleblowing complaint. However, any processing must comply with European data protection principles, and the guidance of the European Commission’s Article 29 Working Party Opinion on whistleblowing procedures. (The Article 29 Working Party represents the data protection authorities of the EU member states). The Opinion requires that:
• A whistleblowing policy is managed consistently with the data protection law, particularly the principle of proportionality. Therefore the policy has to:
- Limit the access to data provided through disclosures.
- Set time limits on the retention of reports.
- Come with a strict confidentiality agreement with all employees who are handling complaints, and with stringent data-processing contracts whenever a third party service provider is involved.

• Hotlines should not be used as a first point of contact for reporting but as a last resort.
• Employees who are accused of unlawful conduct should be informed about the allegation immediately (unless it would genuinely jeopardise the investigation) and must be able to exercise their rights to access and correct the information about them as well as to collect or delete inaccurate information.
• An employer has to ensure that the flow of data resulting from whistleblowing to parties outside the European Economic Area (including other companies of the employer’s group) is limited. Exceptions are available if the relevant complaint materially implicates the interests of a foreign entity.
• Employers comply with their obligations to properly notify data protection authorities about their processing of personal data in connection with a whistleblowing complaint. In some European jurisdictions, local data protection authorities must approve the hotline before it can be implemented.

Code of Ethics
Most organisations use hotlines in conjunction with their Code of Ethics, which may contain a section on financial irregularities. Organisations considering the introduction of such Codes or more detailed policies should have regard to the provisions of the Advisory, Conciliation and Arbitration Service (ACAS) Code of Practice on discipline at work, which suggests that new rules may be developed with the involvement of employees.

Discovery of a fraud: the first 24 hours

From the moment a large scale fraud is discovered within a business, the clock starts ticking on a vital 24 hour period for the company and its stakeholders. During this period, those responsible for running the business must make a number of key decisions and act decisively.

Good decisions and positive steps at this early stage can help limit the extent of the damage caused by fraud; bad decisions can have devastating consequences and lead to bad publicity, loss of confidence in the business, invalid insurance claims, permanent loss of assets and even legal claims against the company.

Take control

Leadership
Upon discovery of a fraud it is vital that an appropriate person is immediately appointed to take control of the situation. Depending on the scale and nature of the suspected fraud, this task may fall to the General Counsel, an in house lawyer or be delegated to some other senior manager or director. The seniority of this individual is key. They must be senior enough to make day to day decisions without the need for referral, but their role in the investigation must also not detract from the effective day to day operation of the business.

The team
An internal team should quickly be assembled to deal with the fraud. The size and make-up of the team will largely be dictated by the scale and nature of the suspected fraud. Initially, the internal team should be kept as small as possible and only expanded if and when it becomes necessary. However, the following people will almost always be required in addition to relevant members of the board:
• a member of the HR department;
• a public relations advisor to deal with media issues;
• a lawyer to assist with ensuring the confidentiality of communications between the team;
• the company’s auditors; and
• an IT specialist to ensure the preservation of electronic data.

Obviously, all members of the team must be free from any suspicion of involvement in the fraud. Confidentiality is key. Any and all discussions about the possible fraud must be kept confidential so as not to tip off the suspect or cause unnecessary damage to the company.

The plan
Once a fraud has been discovered, the internal team should meet to devise a plan. The plan should identify ways in which the company will:
• establish what has happened;
• prevent any further damage (both financial and reputational) from occurring;
• increase the chances of recovering assets; and
• maintain confidentiality.

Communications
A lawyer should be responsible for setting up a communications structure for the team to ensure that confidentiality and privilege are preserved where possible. Often code words and project names can be a useful means of ensuring that details of the suspected fraud are not leaked.

Initial discussions
The internal team needs to start considering who may have relevant evidence in relation to the alleged fraud, where that evidence might be located and what can be done to preserve that evidence quickly and in complete secrecy. The team will also need to start thinking about who else should be informed about the suspected fraud. This may include other members of staff, other group companies, the company’s auditors (if not previously informed), insurers and/or major shareholders.

The external team
These initial discussions should enable the internal team to assess the potential size and complexity of the fraud and then consider the need to establish an external team of experts and advisers. Again, the size and make-up of the external team will largely be dictated by the scale and nature of the suspected fraud. The external team may consist of: lawyers; forensic accountants; data preservation/recovery experts; private investigators; auditors and a PR agency. Data preservation/recovery experts will be especially important in cases where there is a need to safeguard electronic data such as emails.

It is essential that any external lawyers appointed have experience investigating instances of fraud and the recovery of assets. One mistake in these preliminary stages could have devastating consequences for both the investigation itself and/or the chances of property being recovered. It is vital that external lawyers are briefed relatively quickly so that, if appropriate, interim relief can be obtained and formal legal proceedings can be commenced against wrongdoers without delay. External lawyers should also be able to provide specialist advice regarding employment law and data protection issues, which will often crop up very early on in the investigation. Instructing external lawyers may also help preserve privilege in documents produced during the investigation. This is especially relevant if the investigation is going to be multijurisdictional because not all jurisdictions recognise in-house lawyers for the purposes of attorney/client privilege.

Gathering evidence
As soon as possible after the fraud has been uncovered, the internal and external teams should start gathering and assessing the evidence required to prove what happened and who may be responsible. In most cases, we generally advise that the temptation to confront the alleged fraudster is resisted throughout the early stages of the investigation.

A balance needs to be struck between discretion and speed. Speed is of the essence in order to preserve the evidence in addition to maximising the chances of recovery of the assets. Secrecy is also vital in order to prevent tipping off and thus making it more difficult to obtain evidence. Secrecy is also crucial in order to protect the reputation of innocent employees as well as the organisation itself.

Typically, the starting point in the evidence collection process is to analyse the software, hardware and communications (email, files, telephones) used by the suspect(s). It is also important not to miss the obvious (but often overlooked) sources of evidence such as the suspect’s desk, drawers and/or workspace. Specialist legal advice should be sought prior to any search or document review being carried out in order to avoid the risk of falling foul of data protection, privacy and/or employment laws, which may vary significantly depending on which jurisdictions are involved in the investigation.

It may also be appropriate to conduct confidential interviews with individuals who may be able to provide relevant evidence. Again, specialist legal advice should be sought before any interviews are carried out. Once evidence has been obtained, it will need to be placed in a secure location, such as on a remote database, or at the offices of the external lawyers and/or accountants.

Recovery of assets/involving the police?
If evidence of wrongdoing has been uncovered the next step is to consider the options open to the business at this point. Possible options include:
• applying for freezing and disclosure orders against the assets of the fraudster(s); and/or
• civil recovery of assets by means of a claim in the High Court; and/or
• notifying the police in an effort to have criminal proceedings commenced against the fraudster(s); and/or
• applying for a search order to search the residential address and/or other property connected to the fraud; and/or
• immediately suspending or dismissing any wrongdoers.

The next steps will depend on a number of factors, including the amount and type of evidence that has been acquired up to that point and the ultimate aim of the company, whether it is to recover the stolen property, punish the fraudster, protect the reputation of the business or any combination of these objectives. Specialist legal advice should be sought as to the best approach in the given circumstances.

Ensuring that your investigation complies with employment law obligations

Employment legislation has established a legal right to a level of privacy that often appears to run contrary to the investigations that are necessary in fraud cases. Typically, you will be required to balance the employment and privacy rights of the employee against the commercial needs of your company.

Investigating an employee
The initial part of any fraud investigation can usually take place without making the suspected employee aware of any investigation. Such investigations involve a careful balancing act between the rights of employees and those of the company.
• Searching desks, offices etc. Searching an individual’s work area, which may include personal property, could be a breach of that employee’s right to privacy. The courts use a requirement of proportionality to balance the needs of employer and employee. The search could also breach the implied term of trust and confidence between employer and employee. Whether an employee’s rights are violated depends upon the facts of each case. If you have good reason to suspect the employee and any alternatives to carrying out the search would risk losing more assets, and/or risk tipping off the suspect, a court is likely to uphold your right to search. It is useful to keep evidence of your analysis of the balance between the two sets of conflicting rights.
• Searching computers raises the same issues, as well as Data Protection Act issues, such as whether or not the information you are searching is personal or sensitive personal data under that Act. Making such searches covertly may be acceptable in fraud situations because of the risk of tipping off the employee and the seriousness of the misconduct. Proportionality is also key in this context. Therefore, you should only search those areas necessary for the fraud investigation, and you should take steps to avoid accessing irrelevant information such as information relating to the employee’s personal life or sensitive data. It could amount to a criminal offence to access employees’ personal webmail accounts without authorisation.

Other investigation issues
• Searching other employees’ computers raises the same issues (outlined above) as searching the suspect employee’s computer. Again, proportionality is key. Unless these other employees are implicated in the fraud, then they are clearly not the focus of the investigation, and so you should restrict the scope of any search.
• Witness statements. You are likely to interview other employees in order to obtain information. You should warn employees that the information they are providing is being used in the context of an investigation into an alleged fraud and their evidence could be used in civil or criminal proceedings in the future. Ideally, you should ask employees to sign and date any statement. You cannot force employees to provide a statement or appear before a court to give evidence, except by issuing a formal summons. Whether this is appropriate will depend on the circumstances.

Disciplinary issues
Depending on the size of the fraud, the employment risk and issues may appear to be of less commercial concern, but you will need to understand them in order to evaluate them properly. Serious fraud will amount to gross misconduct. If this is established, the sanction will usually be summary dismissal. The employee should have a right of appeal.
• When do you take disciplinary action? To minimise any potential claims (see next point) you should commence a formal disciplinary procedure as soon as there is sufficient evidence for there to be a reasonable suspicion of fraud. Typically, however, there are other factors pointing to maintaining the secrecy of any investigation for a longer period than would be considered fair (for example, the need to apply to the court for an asset freezing or disclosure order), and it is likely that these will outweigh the employment risk.
• Can the employee be represented? Typical disciplinary procedures do not permit any external representatives to be present (except trade union officials). However, in fraud cases you are likely to be accusing the employee of a criminal act, and so the employee may refuse to attend unless his/her solicitor is present. Whether you allow this or not will depend on the circumstances, and the degree of risk with which the Company is comfortable.
• What form should the disciplinary action take? Once invoked, the company’s disciplinary rules and procedures (and the ACAS Code on Disciplinary Procedures) should be followed as normal.
• What if the employee fails/refuses to attend? Due to the fear of self-incrimination, solicitors will often advise employees not to attend, or they will simply avoid attending. If the employee persistently fails to attend without good reason, depending on the circumstances you might be able to set a revised date and inform the employee that the hearing will proceed whether or not he/she attends.
• Should the employee be suspended? To protect evidence and because of the seriousness of most fraud allegations, the employee can be suspended throughout the disciplinary procedure provided you keep in touch with him or her, suspend on full pay and indicate clearly that the suspension is not a disciplinary sanction. The contract of employment or employee handbook will usually contain a right to suspend in appropriate cases.

Dismissal
At the end of the process, if you decide that the employee has committed fraud on the balance of probabilities - not beyond all reasonable doubt, which is the criminal test - you are likely to dismiss him/her summarily, without any payment.
• Could the employee have any claims? The employee has two sets of rights - contractual and statutory:
Contract: The employee’s right to a notice payment does not usually apply in gross misconduct situations. However, the employee is still entitled to full pay and benefits (including accrued pension rights) up to the date of termination, including any accrued but untaken holiday. It may be the case that some benefits can be withheld from the employee in these circumstances if this is expressly provided for in the relevant scheme rules.
Statutory: An employee with more than two years’ service (or one year if employment commenced prior to 6 April 2012) has the statutory right not to be unfairly dismissed. Perpetrating a fraud will be a fair reason for dismissal if you have a genuine belief in the employee’s guilt following a reasonable investigation. The procedure must follow the ACAS Code on Disciplinary Procedures and be open and even-handed (e.g. all evidence must be provided to the employee in advance, and the employee must be given the opportunity to respond/explain and present his/her own case). As suggested above, the needs of a fraud investigation often run contrary to allowing such a full procedure. If the investigation is flawed in any way, it is possible for the employee to succeed in a claim for unfair dismissal. The employee would be entitled to a basic award based on age and length of service (similar to a statutory redundancy payment) and a compensatory award. The compensatory award is capped at the lower of (i) a specified amount that increases each year (£74,200 from 1 February 2013) and (ii) 52 weeks’ gross pay. There may be a reduction for contributory conduct of up to 100%. Nevertheless, the failure to follow a procedure will give rise to a liability that must be balanced against all the other needs.
• What if the disciplinary allegation is not upheld? The employee has the right to return to his/her position. This may not be possible on a practical level, and if not, it is likely to result in a negotiated settlement agreement.

Data retention and recovery: where to look and what (not) to do

Each day, a typical organisation will generate thousands of emails, telephone records, letters, internet records and items of transactional data. To be successful, a fraud investigation will require the capacity to locate any one of these items.

If fraud is discovered or reported within your organisation, you will need to take active steps to identify what has occurred, who is responsible and how any damage to the organisation can be reversed and prevented in the future. Retention and recovery of the data associated with the fraud will be central to carrying out each of these tasks effectively because, if captured properly, the data will provide an independent record of what has occurred. Among other things, such data can be essential evidence in tracing and recovering the proceeds of the fraud and in proving who is liable for it.

The data to be recovered will primarily be electronic and located in the organisation’s employee PCs, laptops, tablets, Blackberries, mobile and smart phones, security swipe cards, USB memory sticks and other portable hard drives. There are various procedures you should have in place and implement on discovering the fraud, to ensure that electronic data is preserved and can be used for the purposes of an investigation, a criminal prosecution or a civil claim.

Action to take now
• Conduct an audit of data-retaining devices and systems. It is essential to know what devices and systems you have on site and off site that retain data, and which may be analysed for the purposes of an investigation. If that information is not readily available, consider an audit of relevant devices.
• Do you store documents in the cloud? Does this bring additional risks? Ensure you know how to quickly and efficiently retrieve documents from remote third party owned servers.
• Establish a policy for retention of electronic records. This policy should state how data generated is to be captured, stored and managed on a daily basis. It should include the frequency with which back-up copies of stored data are created.
• Think about your BYOD policy (Bring Your Own Device). There is a growing trend in which employees are allowed to use personal equipment to perform business. This could present obstacles to recovery of evidence if, for example, an employee does not consent to allow inspection of the device.
• Establish a policy for handling electronic records once fraud is discovered. In addition to giving your company the best opportunity to secure the relevant data, this policy will also ensure that records preserved will be admissible in any subsequent legal proceedings. It is preferable to seek legal advice immediately after a fraud is discovered (or even suspected).
• Could anyone be perpetrating fraud right now? Would your company be able to capture the necessary data?

Procedures to follow once a fraud is discovered:

Things to do now
• Audit your IT systems - know what information is held and where.
• Establish a policy for day-to-day retention of communications and records.
• Know what steps to take if you need to preserve and recover data.
• Establish a policy for handling electronic records when a fraud is suspected.

Things to do if fraud is discovered
• Do not use the shut down function on PCs or servers.
• Retain independent IT specialists to prevent data contamination.
• Seek legal advice concerning the conduct of your investigation.
• Follow established policy guidelines regarding digital evidence.

And also...
• Be aware of Data Protection Act issues.
• Remember there are various sources from which to recover data, e.g. CCTV, smartphones’ GPS systems and swipe card records.

Step 1 - identify key data

• Fraud investigations need to be undertaken on a 'need-to-know' basis. The perpetrator could be wiping his laptop as you discuss plans to gather evidence. Further, be careful who you trust. It is not unheard of for investigations to reveal that a company's IT personnel have been on the inside of the fraud.
• Make a data map to identify data sources and quickly share the knowledge (on a 'need-to-know' basis) with key individuals, possibly those in a compliance function who will work together with your IT personnel to gather information if there is a suspected fraud.
• Don't tamper with PCs until an IT forensic expert is available. In some cases, switching an affected PC on or off will cause the operating system to make changes to hundreds of hidden system files and render it difficult to track the activity history. Separate from the hard disk, relevant data may be stored in the RAM, a volatile storage area which is emptied as soon as the PC loses power. This part of the memory may hold encryption keys for encrypted data, "undo" information, or evidence of attacks from an external network connection, all of which would be irretrievably lost if the computer is turned off (a machine with full-disk encryption, for example, will come back locked after a reboot). It is essential to leave computers in the state in which you find them, running machines left running and powered-off machines left off, until an IT forensic expert is able to assess the best way to proceed.
• Identify any other sources of data. PCs aside, there are many other devices that may be the sole source of crucial evidence. For example, security 'swipe' cards and CCTV footage may provide a history of an employee's movements both into and within an office building. It may be that this evidence will be useful to exonerate employees whose identities have been used to perpetrate fraud, for instance, by showing that they were not at their desk when operations were carried out from their PC. Also, many smartphones gather GPS data which can be helpful in charting a person's movements.

See the separate box for a detailed list of other information sources. Identify at an early stage which of these may be helpful.

• Retrieve data from your servers, tapes, backups and archives. Historic data is not generally accessible to a perpetrator of fraud, so obtaining backups will help you to get a 'snapshot in time' which could contain vital evidence. Think also about legacy data systems: old or outdated systems and devices could be vital if there is evidence that fraud has been carried out over a long period of time.
• Take action to preserve the relevant records. Your IT personnel should be involved at an early stage because they will have the best knowledge of your internal company systems and the ways in which to extract the desired information. However, it is often advisable to appoint an external data recovery specialist experienced in organising, conducting and reporting on internal investigations.

Step 2 - Obtain and secure the data

Digital information is easy to manipulate, and there is a significant risk that it may become inadmissible in legal proceedings if it is not properly handled. There are ways to authenticate digital data (e.g. recording a cryptographic hash of an image at the time it is taken, so that any later alteration can be detected), but a court may conclude that the evidence is inadmissible if there is a risk that it could have been altered or tampered with.

• Document the process and use established and reliable software. An external data recovery specialist will be able to "image" the entire hard drive of a PC. This is achieved by using specialist software (usually together with a hardware write-blocker) which ensures that no information is introduced to the original hard disk during the process. In this way, the entire contents of the drive can be analysed from the copy while the original is left untouched. All procedures undertaken should be recorded for later use during the investigation or subsequent legal proceedings (see the guidelines below).
• Where possible conduct investigatory steps outside of office hours. In some circumstances, this may avoid those suspected of fraud becoming aware that they are under investigation and allow for further evidence to be obtained. In other cases it will avoid disruption to other employees caused by an investigation and help maintain confidentiality.

• Follow the established guidelines. The Association of Chief Police Officers (ACPO) has issued guidelines concerning the gathering and preservation of digital evidence. The guidelines are based upon four principles:
1. No action should change data held on a computer or storage media which may subsequently be relied on in court.
2. Where a person finds it necessary to access original data... that person must be competent to do so and be able to... [explain] the relevance and implications of their actions.
3. An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved.
4. The person in charge of the investigation... has overall responsibility for ensuring that the law and these principles are adhered to.
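The hash-based authentication mentioned at the start of Step 2, the audit trail required by ACPO principle 3, and the de-duplication described in Step 3 below, shown together as an added example. This is illustrative code written for this page, not part of the original guide and not any forensic tool's own implementation. It assumes Python 3, stands in a constructed byte string for the disk image, and uses placeholder exhibit IDs and examiner names.

```python
"""Added example (not from the original guide): SHA-256 verification of a
forensic image plus the chain-of-custody audit trail that ACPO principle 3
calls for, and the hash-based de-duplication of Step 3. The "image" below is
a constructed byte string; exhibit IDs and examiner names are placeholders."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the raw bytes an imaging tool writes out behind a
# write-blocker. Changing any single byte changes the digest.
SAMPLE_IMAGE = (b"\x00" * 512
                + b"invoice 0417: payee sort code changed to 12-34-56"
                + b"\xff" * 512)


def sha256_of(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash in fixed-size chunks so a multi-gigabyte image never has to be
    held in memory at once; the result equals a one-shot SHA-256."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def record_custody(log: list, exhibit: str, examiner: str, action: str,
                   digest: str, note: str = "") -> dict:
    """Append one chain-of-custody entry (who, what, when, which exhibit,
    and the digest observed at that moment). The list is the audit trail."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "exhibit": exhibit,
        "examiner": examiner,
        "action": action,
        "sha256": digest,
        "note": note,
    }
    log.append(entry)
    return entry


def acquire(log: list, exhibit: str, examiner: str, image: bytes) -> str:
    """Record the acquisition-time digest. Every later working copy is
    checked against this value, so it goes into the log immediately."""
    digest = sha256_of(image)
    record_custody(log, exhibit, examiner, "acquire", digest,
                   "image taken via write-blocker; digest computed on image")
    return digest


def verify_copy(log: list, exhibit: str, examiner: str,
                acquisition_digest: str, copy_data: bytes) -> bool:
    """Re-hash a working copy before analysis and log the outcome either way.
    A mismatch means the copy can no longer be tied to the original exhibit."""
    current = sha256_of(copy_data)
    ok = current == acquisition_digest
    record_custody(log, exhibit, examiner, "verify", current,
                   "digest matches acquisition" if ok else "DIGEST MISMATCH")
    return ok


def export_log(log: list) -> str:
    """Serialise the audit trail as JSON Lines for the investigation file."""
    return "\n".join(json.dumps(entry, sort_keys=True) for entry in log)


def deduplicate(documents: dict) -> tuple:
    """Step 3 de-duplication: keep the first file seen for each distinct
    content digest and report the byte-identical copies that were dropped."""
    first_seen = {}
    kept, dropped = [], []
    for name, data in documents.items():
        digest = sha256_of(data)
        if digest in first_seen:
            dropped.append(name)
        else:
            first_seen[digest] = name
            kept.append(name)
    return kept, dropped


if __name__ == "__main__":
    trail = []
    original = acquire(trail, "EXH-01", "examiner A", SAMPLE_IMAGE)
    print("intact copy verified:",
          verify_copy(trail, "EXH-01", "examiner B", original, SAMPLE_IMAGE))
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"  # one byte altered
    print("tampered copy verified:",
          verify_copy(trail, "EXH-01", "examiner B", original, tampered))
    print(export_log(trail))
```

The point of logging the verify step even when it fails is principle 3: the trail has to show every process applied to the exhibit, including the check that exposed a problem. De-duplication by content digest is safe to apply to review copies only; the acquired image itself is never altered.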

Step 3 - Interpret the data

• Eliminate irrelevant data. There will invariably be a vast amount of data to sift through. It can often be filtered by keywords, concepts or dates to isolate the relevant data. De-duplication can be used to delete identical copies of relevant data and reduce the amount of material to be reviewed by investigators.
• Consider the use of technological tools to assist the review. For example, communication analytics can read the metadata associated with emails and draw a pictorial representation of communications between individuals inside and outside of your organisation. These can be useful in quickly spotting anomalies or potential lines of inquiry. Also consider using computer assisted review. This involves training the computer to recognise relevant documents and can assist in the further discovery of relevant material quickly and efficiently.
• Provide investigators with data in an understandable form. The data retrieved should be put in a format that can be read by non-IT personnel and easily searched. There are various external providers who are able to load data, such as emails, onto electronic document management systems which allow for data to be searched, reviewed and categorised for the purposes of an investigation.

• Consider whether a sample review would be a beneficial starting point in order to be able to form initial conclusions and assist in directing the investigators to the most relevant types of document.
• Be prepared for follow-up queries from the investigators. Investigators, whether your company's legal advisers or the police, will often come back with requests for further information. These queries should be followed up to ensure an investigation produces the best possible evidence.

Legal considerations for investigation of electronic records

• Be aware of obligations under the Data Protection Act 1998 (DPA). Review of an individual's work email account will involve the processing of 'personal data' and will therefore engage your company's obligations under the DPA and possibly the Regulation of Investigatory Powers Act (RIPA). Searches can be conducted of employee email accounts, provided that the investigation complies with certain safeguards. These include identifying the parameters of a search to show that it was proportional to the purpose of the investigation, informing employees when they are recruited that their emails and other records may be searched by the company, and providing an explanation of why, how and when such searches may be carried out. You should seek legal advice regarding DPA compliance. Procedures undertaken to ensure compliance should also be recorded as part of the investigation. Investigators should be given clear instructions to disregard personal or irrelevant records. In some situations 'personal data' and 'sensitive personal data' contained in evidence used in an investigation will need to be redacted.
• Alleged breaches of the DPA can lead to investigation by the Information Commissioner's Office (ICO), which has the power to demand information or to issue enforcement notices. A failure to abide by an enforcement notice issued by the ICO is a criminal offence punishable by a potentially uncapped fine.
• Be careful not to open yourself to liability under the Computer Misuse Act. Offences include unauthorised access to a computer. Make sure you have adequate consent (if necessary) before accessing an electronic device, or you might face criminal liability.

Devices to track
• Desktop computers.
• Laptop computers.
• Tablets.
• Mobile telephones.
• Blackberrys and other portable email devices (e.g. PDAs).
• USB memory sticks and other portable hard drives (including iPods/other MP3 players).
• Building access cards.

Records to retain
• Building entry, exit and internal movement records.
• CCTV still images and video recordings.
• Email messages.
• Files saved on shared network drives.
• Telephone calls - fixed line, mobile and VoIP.
• Instant messages such as Bloomberg and Reuters.
• SMS and MMS messages.
• Web browsing histories and bookmarks.
• Use of web-based email services, both external (Hotmail, Yahoo! Mail, etc.) and internal.
• Passwords and encryption keys.
• Social network sites.
• Mobile phone apps: there are a wide variety of apps which contain all sorts of information. Apps such as 'WhatsApp' are popular alternative forms of communication.
• Remote log-in/VPN access.
• Entries in financial records or similar transactions.

FREEZING ASSETS and TRACING FUNDS

Of all the weapons available in the legal war chest the injunction, or ‘freezing order’, is perhaps the most effective. As a weapon in the fight against fraud, it is invaluable.

Freezing orders - what are they?

There are different types of injunction. Some are designed to prevent a person or company from taking certain action, others to force certain steps to be taken. In the context of a fraud investigation the most useful type of injunction is likely to be the 'freezing order' (formerly known as the 'Mareva injunction'). Such injunctions are designed to protect your position, and to prevent the defendant from evading justice, by preventing the dissipation, disposal or removal from the jurisdiction of their assets. They have the effect of freezing the defendant's assets - sometimes domestically but in fraud cases usually all over the world. To be made effective outside the jurisdiction, you will usually also need to seek additional orders in the jurisdiction in which you are seeking to enforce the injunction (i.e. where the assets are located).

The virtues of a worldwide freezing order can be seen in three separate features.
• The freezing order prevents the wrongdoer from taking any steps to move or dissipate his/her assets, which may well include the proceeds of a fraud.
• The defendant will be required to provide an affidavit to the court giving full details of all the assets he/she owns worldwide, what they are worth, where they are located and in whose name they are held.
• The injunction can be enforced against third parties who may be holding the funds, even innocent third parties such as banks.

The police and other regulatory bodies also have the power to apply for criminal restraint orders under the Proceeds of Crime Act 2002 against a defendant to prevent the defendant from dealing with the suspected proceeds of crime, or with assets representing the benefit from the commission of the crime.
Therefore, you should decide at an early stage whether you want to follow the criminal route or the civil route, or both, as there is little point in applying for a freezing injunction in aid of contemplated civil proceedings if you are going to abandon the civil proceedings and leave it to the police to pursue the matter through the criminal courts - see the article on “Should I call the police?”

When do I need to apply for one?

You will need to take into account the following factors when considering whether or not to apply for an injunction:
• You must act quickly. Delay can be fatal to an application for an injunction. In any event, the longer you take, the greater the opportunity for the fraudster to remove the money from the jurisdiction. A matter of days can be crucial.
• Consider whether you have to give notice to the other party of your intention to make an application for an injunction. The general rule for applications is that notice should be given to the other side unless there is 'good reason' for not doing so. Typically, evidence of fraud and/or dishonesty on the part of the defendant will mean that giving notice is not necessary, but this should be discussed with your lawyers.
• Do you have grounds to apply for a [worldwide] freezing injunction? In order to obtain such an injunction, you will need to be able to present evidence to the court demonstrating that you have a 'good arguable case' and that, if the injunction is not granted, there is a 'real risk of dissipation of assets'.
- Good arguable case: you will need to show the court that you have a real prospect of proving your case.
- Dissipation of assets: you must be able to provide solid evidence to the court (which you will have to swear is true in an affidavit) that sets out objective facts from which it can be inferred that there is a real risk that any judgment or award in favour of you (the claimant) would remain unsatisfied due to the defendant moving, hiding or dissipating assets if the injunction is not granted. A mere expression of fear that a defendant may behave in that way is not sufficient. Cogent evidence of the defendant's dishonesty may, depending on the extent of the dishonesty, often be enough to persuade the court that there is a real risk that the defendant will move his assets in order to avoid the effects of a judgment against him. However, it should not be assumed that this will be enough.

• Full and frank disclosure: A freezing injunction imposes severe restrictions upon a defendant to deal with or move his assets. The court therefore requires that an applicant for an injunction gives 'full and frank' disclosure of all relevant information and evidence available to it. You must therefore ensure that the court is made aware of all material facts, even if these do not support your case but are adverse to it. It is essential that your lawyers are made aware of these facts so that they can be drawn to the attention of the court. If full and frank disclosure is not made to the court, the injunction may be discharged, even if the information in question would not have prevented the injunction from being granted in the first place.
• Are you in a position to compensate the defendant for any damage suffered by him as a result of the injunction if your claim ultimately turns out to prove false? The court will require that you give a 'cross-undertaking in damages', meaning that you will be liable to the defendant to compensate him if you obtain an injunction and later fail to prove that you had good grounds to do so. You will need to provide evidence of your financial means to the court to prove that you will be able to pay the compensation if ordered to do so. It is possible, although rare, that the court will dispense with such requirement if the fraud has caused you to lack the appropriate funds.
• Be aware that there is an 'implied undertaking' to issue proceedings inherent in any application for an injunction.
This means that if you have not actually started formal legal proceedings against the defendant by the time you apply for the injunction (for example, because there has not been time to do so), you are obliged to commence proceedings as soon as possible after the application has been heard. This obligation exists even if the application for an injunction has been unsuccessful, and failure to do so is likely to result in the intended defendant applying for the immediate discharge with an order as to costs against you. Remember that an injunction is an interim, or temporary, measure which is designed to preserve things as they are until the matter comes to trial, although it is also possible to obtain an order to preserve assets after judgment if you are also able to show a real risk that the defendant will take steps to dissipate assets to frustrate enforcement of the judgment.

Practical matters

On the assumption that you have a good legal case for obtaining an injunction, there are a variety of practical issues that also need to be considered, including:
• Do you know where the defendant is? The injunction does not take effect until it has been served on the defendant in question or the defendant has notice of it, and a third party is not bound by the order until it has been served with the order or otherwise has notice of it. If the defendant is not resident or present in the UK, you should consider whether the claim should be pursued in another jurisdiction, though it may still be possible to obtain a worldwide freezing order in England against a defendant who is resident outside the jurisdiction if there is some connection with England, such as the availability of the defendant's assets in England.
• Where are the assets? If they are held, for example, by a third party or a bank, do you have the relevant details to enable you to serve the injunction, thereby giving notice to the bank or third party?
• Have you checked the employee's employment contract? In the event of fraud by the employee, does the contract give the employer rights that it can exercise over the employee's assets, such as a right for the employee's pension rights to be assigned to the employer in the event of fraud by the employee? If so, this should be taken into account in determining whether a freezing order is necessary.
• Do you need more information? If the assets have already been moved, consider with your lawyers whether you have grounds to obtain a 'Norwich Pharmacal Order'. This requires a bank or other innocent third party to provide information to you about the nature of their involvement in the dealings of the wrongdoer, and the identity of that person or persons. It may be most efficient to obtain this order at the same time as obtaining the freezing and disclosure order against the defendant.

• Consider whether to put any bank(s) holding the defendant's assets on notice immediately on discovery of the fraud as this may prevent the bank dealing with the defendant's assets until you are able to obtain a freezing order. Consider also whether it is possible to make informal contact with the bank to obtain some preliminary information, and while you are waiting for the order, consider whether the assets represent the traceable proceeds of crime, because notification of this to the bank (at least in the UK) may put the bank under an obligation to freeze funds pending consent from the UK authorities to action any transactions.
• Consider the use to which you will need to put the information you obtain as a result of any disclosure order. Do you need a carve out from any restrictions on the use to which the information can be put? For example, a carve out to be permitted to provide information under compulsion (e.g. to the police). Or do you need to use the information to start proceedings or to obtain a freezing order against the defendant in another jurisdiction?
• How will you enforce the injunction? If assets are held, for example, in offshore bank accounts, you may need to obtain further injunctions in those offshore jurisdictions or to take enforcement steps in those offshore jurisdictions to have an English worldwide freezing order recognised and enforced against the defendant.
• Move quickly to retain lawyers in the relevant jurisdictions so that you are well placed to pursue your funds promptly as soon as the worldwide freezing injunction has been granted in the original jurisdiction.
• Where assets have already been moved: if it appears that the defendant has successfully transferred assets beyond your reach, for example by transferring them into offshore trust vehicles, consider whether there are grounds for:
- Seeking an order to restrain the offshore trust from dissipating the assets - this may, for example, apply where you can show that the offshore trust has been set up or used as a mere façade to disguise or perpetrate the defendant's fraud.
- Bankrupting the defendant. If so, the defendant's trustee in bankruptcy (and/or liquidator in the case of a company) may have wide powers to set aside the relevant transactions and collect the defendant's assets for the benefit of his creditors.

Conclusion

Successful injunction applications can be a major step towards undoing the harm caused by fraud. It is vital to understand how to give yourself the best chance of obtaining one. By way of the briefest summary, remember the following points above all:
• Act quickly.
• Provide 'full and frank disclosure' of all relevant facts.
• Be ready to produce evidence in support of your ability to finance the "cross undertaking in damages".
• Think through the practical issues such as where the defendant is and where the assets are located.
• Be prepared to pursue the substantive proceedings after the application has been heard.

Involving the POLICE AND CRIMINAL INVESTIGATIONS

When faced with an incident of fraud, one of the instinctive reactions of many business managers is to call the police immediately. Sometimes this is born of a sense of civic duty. Sometimes it comes from a desire to see the fraudster punished. On other occasions, it may be a pragmatic question of the cost of pursuing an investigation. In other cases, managers are reluctant to get the police involved at all for fear that publicity may damage the reputation of the business.

There are a range of issues to bear in mind before deciding whether or not to call in public investigators/prosecutors, not least the potential consequences of a criminal investigation. What follows is a brief guide to the issues that typically arise and the considerations to be taken into account in response to some frequently asked questions about reporting to the police. Here's what you might do before dialling 999.

Should I pick up the phone to the police as soon as I receive a report that an employee has his fingers in the till?

You may want to consider the following before you think about calling the police.
• Do you need to investigate to obtain more evidence?
• Are there security concerns (e.g. are the IT systems safe from external attack from the fraudster? Does the fraudster still hold credentials or remote/VPN access that should be revoked?).
• Has any evidence of wrongdoing been preserved? In particular, you may need to image computer devices immediately to preserve the electronic evidence in an admissible format, even if those images are merely preserved to be interrogated at a later stage. (Expert IT assistance will usually be required to achieve this.)
• Are there money or assets to be recovered?
• Has the money been located and frozen?
• Have those affected by any freezing orders (e.g. banks where the suspect holds accounts) been notified?
• Is it a term of any insurance policy on which you can claim that the incident is reported to the police?
• If so, does such a report have to be submitted within a set timeframe? Often, it is more sensible to secure the immediate interests of the business, including freezing any stolen funds, before reporting to the police. Insurance policies often provide sufficient leeway to enable such precautionary measures to be taken first without risking avoiding the policy.
• Do you have a plan? You should understand the steps that the police are likely to take next, and the impact this will have on you and your business.

Isn't it my duty to report to the police?

• Generally, there is no positive legal duty to report suspicions of crime EXCEPT where there is knowledge or a suspicion that a money laundering offence has been committed (in which case there may be a duty to report to the National Crime Agency (NCA) or a police constable). Remember there may be other obligations to report such as to your insurer, auditors, the Financial Conduct Authority or others if you are a listed company.
• However, just because a suspicion has been reported to NCA, this does not mean that it will be investigated. (See the next article headed "Am I committing an offence of money laundering?").

What are the advantages and disadvantages of reporting to the police?

Before involving the police, you will want to consider the advantages and disadvantages of doing so...

Advantages
• Saves costs - the police pursue investigations at public expense.
• Compensation or restitution orders may be granted in your favour if the fraudster is convicted (discussed further below).
• Involving the police sends a clear signal to other employees that such conduct will not be tolerated.
• May be necessary as a pre-requisite to a claim on an insurance policy.
• Reporting (or the risk of reporting) a suspected offence may be seen as a commercial lever to exert pressure on the fraudster to seek co-operation/repayment of sums stolen. However, note: great care needs to be taken here as receiving payment in return for not reporting a crime could itself involve the commission of an offence, for example the offence of concealment under the Proceeds of Crime Act or under the Criminal Justice Act (unless the monies recovered make good the loss or injury caused by the suspected offence).

• If found guilty, the fraudster is liable to be punished with fines, imprisonment or other penalties (rather than simply have the proceeds of the fraud removed), and you may regard that as desirable.

Disadvantages
• Loss of control - the police may be assisted by evidence you supply, but you will be unable to dictate the pace or direction of their investigation.
• The police will have a number of other offences to investigate, so your case may not be a priority or even make it to the investigatory stage. We understand that fraud is a priority offence for clear-up only for the City of London Police, but not for any other regional force.
• Unpredictability: to obtain a compensation order, the prosecuting authority will ordinarily need to obtain a conviction, which may depend on the workings of a jury. That may be less predictable than a judge in a civil case. Moreover, generally compensation orders are only made in straightforward cases where the loss can be easily proven. Further, you have no control over whether a compensation order is actually made and it is not within your power to apply to the court for such an order.
• NCA may itself have a competing civil claim to disgorge the proceeds of suspected criminal conduct.
• May cause negative publicity for your business.
• You may become exposed to third party claims as a consequence of the fraudster's conduct becoming more widely known.
• Disruption may be caused to your business by document requests or requests for interviews from investigators and defendants to any criminal prosecution.
• If the investigating authorities obtain a criminal restraint order in support of their investigation, it may have the effect of preventing or delaying payment of the fraudster's unsecured debts, including any unsecured civil judgment debt that you obtain or may already have obtained against the fraudster.

Consequences of a criminal investigation

The police and other investigating bodies have wide-ranging powers available to them, including the ability to search premises, require production and disclosure of documents and to apply to the Crown Court for restraint (freezing) orders, which can be used to freeze the assets of a business or individual. Reporting potentially fraudulent activity to the police opens the door to these powers being exercised not only against a suspected fraudster, but also potentially against you (for example, if the police think that relevant evidence is held within the organisation).

Should you wish to begin civil proceedings against a fraudster, you do not have to wait for the outcome of a criminal prosecution, but you should weigh this up carefully. For example, a successful criminal conviction will be very persuasive evidence of guilt in the corresponding civil case, but the delay in the outcome of civil proceedings that can result from criminal proceedings may increase the risk that the fraudster will be bankrupt and unable to pay, even if interim protective measures such as freezing orders have been put in place. It may also hamper the evidence gathering process, with defendants to criminal proceedings refusing to cooperate in the civil process for fear of incriminating themselves.

After a criminal conviction of the defendant, the proceeds of the crime may be extracted from the defendant in two principal ways, through the use of confiscation and compensation orders. Confiscation orders are designed to deprive the defendant of the benefit of the crime, with the amounts realised going to the State, not the victim. Compensation orders are designed to compensate the victim for the loss that he has sustained as a result of the defendant's actions. Restitution orders are intended to restore stolen money or property to the owner.

In making a compensation order, the court may order any amount it considers appropriate in the light of evidence from and representations by the accused or the prosecutor. As the victim, however, you have no opportunity to make any representations before the court: any requests must be made through the prosecutor. Additionally, all the evidence to be relied on in deciding the amount of compensation must be filed initially with the trial papers, so the recovery of compensation relies on the diligence of the prosecuting body.

Overall, therefore, while criminal proceedings may be less controllable than a civil claim, if successful they may result in a more direct punishment for the fraudster and may give you priority over certain other civil claims (which can be relevant if the fraudster is bankrupted by the action). However, if recovery of lost assets of significant value is a higher priority, a civil claim (using the many remedies available from the courts to trace, freeze and recover assets) is likely to achieve the best result.

How and to whom should I report?

• If the value of the fraud is over £1 million, call to make an appointment to meet with the Serious Fraud Office.
• If the value of the claim is less than £1 million, call and make an appointment to see the Fraud Squad of your local regional police force.
• If you are looking for assets of the fraudster to be confiscated, and the value of the claim is at least £10,000, you may also want to contact the local regional police force with a view to them referring the matter to the NCA (to seize the assets), though whether the authority does this is within its discretion.
• If the amount at stake is sufficient to justify the expense, it may be sensible to ensure that external lawyers are involved in liaising with the police to protect the business's legal interests (particularly if the business is liable to be exposed to third party claims or it has privileged material from an internal investigation to protect).
• Let the investigators have relevant paperwork (if an application has been made for a civil freezing order, it is normally a good starting point to let the investigators have the evidence for that application).

Now I have reported to the police, is there anything else I should think about immediately?

• Be proactive about staying in touch with the police. By remaining assertive and involving the key personnel, you can ensure that the prosecutors will keep your interests in mind, and disruptive searches without notice can be avoided.

• The police may want to remove or have access to original or copy documents (including any electronic documents), so you may need to organise the relevant files and preserve electronic evidence. Further, if you have obtained documents from third parties as a result of interim disclosures in civil proceedings, check the terms of the order to ensure you are permitted to share those materials with the police and, if not, consider applying for a variation of the terms of the order.

• If any of this material is needed for current business purposes, you will need to liaise with the investigators and agree how they will have access to such material in a way that does not interfere with the integrity of the evidence. At the initial stage, the police may be concerned to preserve the security and integrity of the evidence.

• Similarly, the police may want to start interviewing witnesses.

• You may want to consider communicating with your workforce to let them know the company's position in relation to its cooperation with the investigation and the assistance they are to provide to the police (e.g. are you happy for employees to be interviewed during business hours? Do you want a legal representative of your business to be present to ensure that its legal privilege is maintained?).

Using private investigators

Why use private investigators? Reputable and experienced private investigators can provide very useful services by conducting surveillance in public places and interviewing members of the public. In fraud cases involving high profile individuals, law firms may be able to draw on reputable investigators' contacts and the information they have already gathered to identify valuable leads and build a detailed profile of the individual. However, it is vital to be aware of the risks.

What are the risks of using private investigators?

Risk of criminal prosecution

• "Pretexting" is the practice of getting financial institutions and other organisations to disclose personal data (such as account information and credit reports) under false pretences, for example by impersonating the prospective victim. It is a criminal offence under the Data Protection Act 1998 to obtain personal data without the consent of the data controller. The concern for law firms and other employers of private investigators is that criminal liability can extend to those who instruct the investigators.

• In the United States in 2006 a scandal emerged surrounding Hewlett-Packard's (HP) investigation into boardroom leaks. Private investigators instructed by HP used pretexting to obtain the private phone records of directors and journalists. The matter led to extensive adverse publicity in the US and the UK, the resignation of a number of senior officers, the payment of $14 million in settlement of civil claims, and criminal charges against a number of individuals.

• In the UK in 2006, David Hughes (former Chairman of the sports clothing retailer 'Allsports') brought successful disclosure applications against a corporate investigation agency for documents, the identity of the party instructing them and the identity of the party who had gathered the information, after he had been tipped off that sensitive information about his personal bank account had been obtained during an investigation conducted by enquiry agents.

• Privacy offences under the Regulation of Investigatory Powers Act 2000. In 2007, the Royal Editor of the News of the World was sentenced to four months in jail after pleading guilty to intercepting phone messages. He had secretly paid a private investigator to illegally access mobile phone messages left by the Princes for staff members of the royal household.

• The phone hacking scandal that came to a head in 2011 led to the closure of the News of the World and the conviction of a private investigator and members of the newspaper's staff for conspiring to intercept voicemails. In response, the government announced in July 2013 measures to regulate private investigators, to be in force from Autumn 2014. Those measures include the creation of an offence to operate as a private investigator without a licence from the Security Industry Authority. Investigators who have been convicted of illegally obtaining information would not be able to obtain a licence.

• Data offences under the Computer Misuse Act. In 2007, Anthony Waters (a businessman who ran a luxury bathroom company) was sentenced to four months in jail because he paid private investigators to "spy" on his estranged wife with the help of special software that recorded what she typed on her laptop about their divorce proceedings and her finances.

• Other offences may arise under the Fraud Act 2006 (false representation) and the Protection from Harassment Act 1997, as well as the civil risks of breach of confidence, breach of copyright or inducing breach of contract.

What is the impact of illegally or improperly obtained evidence on litigation? Is the evidence obtained admissible in court?

• Evidence is not necessarily rendered inadmissible solely because it was illegally or improperly obtained. The basic test of admissibility is whether the evidence is relevant, not how it was obtained. However, the court must deal with cases justly and may control the evidence by giving directions as to the issues on which it requires evidence, the nature of the evidence it requires to decide those issues and the way in which the evidence is to be placed before the court; it may also use its power to exclude evidence that would otherwise be admissible. The European Convention on Human Rights creates a right to a fair and public hearing within a reasonable time by an independent and impartial tribunal. The courts must therefore balance having all relevant evidence before them (to achieve a just result) against the requirement that those involved in the legal process observe the law.

• Article 8 (right to a private life) and Article 6 (right to a fair hearing) must be considered under sections 3 and 6 of the Human Rights Act 1998. Recent case law has also considered various issues relevant to the use of private investigators, including the principle that unlawfully obtained evidence may nonetheless be admissible, and that intercepting a home telephone infringes Article 8.

• The position in criminal proceedings is that where evidence has been wrongly obtained, the court will consider whether admitting it would adversely affect the fairness of the proceedings and, if it would, the court may exclude the evidence.

Does the evidence affect the granting of any remedies? Another potential impact is that the court may refuse an application for a freezing or search order or other equitable remedy on the basis that the claimant does not have "clean hands", the equitable maxim which bars relief for anyone guilty of improper conduct in the matter at hand. Case law illustrates that the courts do not take a rigid approach to the "clean hands" maxim: a lack of clean hands will only deny a party an equitable remedy if the "dirt" has a direct and critical relation to the remedy sought.

How does the evidence affect privilege? A claim for privilege is likely to be undermined where evidence has been obtained illegally. Any documents generated by or reporting on criminal or fraudulent conduct (and which are relevant to the case) are disclosable and not privileged. Civil wrongs such as trespass, conversion or inducing breach of contract do not, however, amount to crime or fraud of the kind that causes privilege to be lost.

Summary of risks

Employers of private investigators run a range of risks in using their services:

• They run a risk of reputational embarrassment in having to explain to a client why the investigators' illegal actions have dragged the client into an investigation regarding criminal breaches. This risk should not be underestimated. In August 2013, the influential Commons Home Affairs Select Committee called upon the Serious Organised Crime Agency (now the NCA) to release details of a list of non-newspaper companies that had used the services of private investigators who were suspected of obtaining information on their clients' business competitors through illegal and unethical means, such as hacking. The committee identified the sector breakdown of the firms on the SOCA list, which included companies in the insurance, pharmaceutical, food and oil sectors.

• The victim of an illegal investigation may also apply to exclude evidence obtained by the investigators, including information obtained legitimately, on the argument that the court should not be presented with information derived from a "polluted chain of enquiry". This may weaken the case and cause public and professional embarrassment.

• There are also direct risks of prosecution for procuring or inciting a criminal breach.

• Even if the information obtained by the investigators is admissible in court, it is possible that you will be ordered to pay the costs of proceedings as a consequence.

• There is a risk that privilege in the investigation could be lost when using a private investigator, even a legitimate one. Care must be taken in communications with any private investigator to avoid and mitigate the risk of inadvertently losing privilege.

Alternatives? Where there is a genuine need to access confidential information held by third parties, access can be pursued by way of a Norwich Pharmacal order or a similar disclosure order through the court. A Norwich Pharmacal order requires a third party that has become mixed up in wrongdoing (even innocently) to provide information and documents about it. The Norwich Pharmacal procedure has also been used recently against solicitors in a case of alleged breach of confidence, and it is an option that can be used against private investigators to uncover the identity of their instructing solicitors.

Practical guidance When instructing a private investigator it is important to ensure that the agency chosen is reputable and that the written engagement letter clearly obliges the investigator (and any subcontractor) to act within the confines of the law. Where it is not clear how information being sought or offered can be gathered legally, check how the investigator proposes to obtain it before proceeding.

Useful contacts

National Crime Agency
1-7 Old Queen Street, London SW1H 9HP
Tel: 0370 496 7622
Suspicious Activity Report Confidentiality Breach Line: 0800 2346657
All other SAR enquiries or consent issues: 0207 238 8282

Serious Fraud Office
2-4 Cockspur Street, London SW1Y 5BS
Tel: 020 7239 7272
Public Enquiries: 0207239 7000/7190
Fax: 020 7084 4700 / 020 7837 1173

Financial Conduct Authority
25 The North Colonnade, Canary Wharf, London E14 5HS
Tel: 020 7066 1000

City of London Police, Economic Crime Department
37 Wood Street, London EC2P 2NQ
Tel: 020 7601 2222

Snow Hill Police Station
5 Snow Hill, London EC1A 2DP
Tel: 020 7601 2406 (open 24 hours)

Wood Street Office
37 Wood Street, London EC2P 2NQ
Tel: 020 7601 2455

Bishopsgate Police Station
182 Bishopsgate, London EC2M 4NP
Tel: 020 7601 2606 (open 24 hours)

Crimestoppers
Tel: 0800 555 111

Royal Courts of Justice
The Strand, London WC2A 2LL
Tel: 020 7947 600

Customs Confidential
Tel: 0800 595 000

Data Protection Commissioner and Notification Line
Tel: 0303 123 1113 / 01625 54 57 45

Action Fraud
Tel: 0300 1232040

Anti-terrorism hotline
Tel: 0800 789 321



Andrew Keltie, Partner
Tel: +44 (0) 207 919 1376
Email: [email protected]

Joanna Ludlam, Partner
Tel: +44 (0) 207 919 1822
Email: [email protected]

Baker & McKenzie LLP, 100 New Bridge Street, London EC4V 6JA Tel: +44 (0)20 7919 1000 Fax: +44 (0)20 7919 1999

© 2013 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm.
