The banker - motivated by private gains - continued to approve loans to customers, well beyond the point where there was any chance of them paying back the loans with interest, thereby prolonging the flow of income to the consultancy company. The banker – as the judge remarked – wallowed in luxury provided for by his friends and was simply "motivated by greed", as he exploited the weaknesses in the bank's systems and the lack of supervision, falsified documents, removed or avoided protections that the bank should rightly have had.
Thames Valley Police has stated in response to the case:
“The sum of money lost by HBoS as a result of the actions of a corrupt senior employee and others was at the very least £250M. [The banker] and his fellow conspirators embarked on a spending spree involving yachts in the Mediterranean, villas in Barbados and Majorca, prostitutes, overseas bank accounts, and a general high life. This has been at the expense of the shareholders of the bank, and many medium and small companies which have been bankrupted and ruined. Little will be recovered.”
Is there a lesson to be learned from the HBOs case?
The involved former employees and consultants are now facing long prison sentences, which is good, as it adds to the cost of committing crimes.
Anthony Stansfeld, Police and Crime Commissioner of Thames Valley, has, however, noted the following in relation to the case:
“The cost in time and money for a police force to take on a major fraud investigation is considerable and a judgement has to be made whether the £7m spent on this case, and police officer time, could have been better spent in pursuing other crimes, such as child sexual abuse, and the multitude of lower scale frauds perpetrated against smaller companies and the elderly. If Thames Valley Police take on further cases of a similar nature it will again tie up a large number of police officers and staff. Yet if it is not prosecuted no one will be brought to justice. I have an uncomfortable feeling that other police forces are in similar positions. If a bank is physically raided then a huge police effort will go into bringing the bank robbers to justice. If it is raided by its own staff it may well be ignored.”
Lloyds Banking Group, the current owner of HBoS, announced shortly after the verdict that it had appointed a retired judge to conduct an independent internal investigation, including into steps taken by Lloyds Banking Group following its acquisition of HBoS in January 2009. Once completed, the independent assessment will be handed over to the Financial Conduct Authority.
In addition, following pressure from members of Parliament, Lloyds Banking Group has set aside £100 million for compensation of customers affected by the HBoS fraud.
Viewed as a whole, the lesson learned appears to be complex. If, as suggested by the Police and Crime Commissioner, budgetary concerns of law enforcement authorities are a factor, these should be taken into account when the cost/benefit analysis is made. We will look more into this below, but it points to a very real concern that companies in many cases will be left on their own in the fight against internal fraud. This risk is probably even more imminent when confronted with the complexities of cybercrime.
The many ugly faces of internal fraud?
As extraordinary as the HBoS was, the crime involved is all too common. Internal fraud comes in many forms. Just to mention a few of the practices that we often come across, and where corporate safeguards are often challenged:
- Fake vendors, invoices, etc.
- Data theft and trading in trade secrets
- Kick-back schemes
- Asset misappropriations, etc.
Fake invoices, etc., are a recurring problem, primarily because this kind of fraud is easy to commit and hard to detect. Typically, irregularities will go on for a number of years until revealed by chance in connection with absence or rotation of staff. Document reviews and internal audit routines will in many cases minimise the risk of this kind of fraud.
Data theft covers theft of work-related data, including trade secrets. In most cases this kind of wrongdoing occurs in connection with dismissals of employees. Better data protection and monitoring of data will limit the risk of loss in these situations.
The HBoS case is an example of a kick-back scheme. A corrupt banker working together with fraudulent consultants retaining business from the banker is a classic example of conflicting interests. Proper evaluation of business partners and structured processes are, in our view, necessary elements in making sure that no inappropriate relation develops.
Asset misappropriation is an activity to be watchful about. Company assets are not always as well-protected as they should be. Inventory checks and preventive measures such as randomised controls can be used to limit the risks following from this kind of criminal behaviour.
By no means exhaustive, to the examples provided above illustrate the variety of ways in which a company can be defrauded.
New crimes in the criminal landscape include CEO fraud, hacking, and use of viruses in connection with cyberattacks. We will devote more time on this subject in our next Insight on internal fraud, but it is clear that cybercrime is an area where the rule of law is currently challenged and therefore must be reinforced. Strengthened internal policies and updated IT security protocols are minimum steps that should be taken from the corporate side, but better regulation and new legal tools and remedies are needed and should be developed in order to protect businesses and to deter potential perpetrators.
Adding to the risk of detection
We generally believe the risk of detection to be an important factor when seeking to demotivate crime, including criminal employees. A 100 % detection rate is not, however, in itself sufficient to deter work-related crime if punishment is not delivered or is delivered only very infrequently.
In our anti-fraud work we generally focus on the following points of action:
- Risk assessment
- Anchoring, ownership, and defence structure
- Due diligence, screening, and monitoring where appropriate
- Design of internal safeguards, i.e. four-eyes principles and use of limits of authority
- Rolling out of specific fraud-related initiatives, e.g. conflict of interest projects, facilitation payments, etc.
- Forensic capacity
The starting point when establishing an anti-fraud frame work is thorough risk assessment. The work in relation to the risk assessment is often revealing and we generally recommend that all relevant stakeholders are included in the process or parts thereof.
When risks and fraud-sensitive parts of the business are identified, anchoring and ownership become important. Fighting anti-fraud is, however, rarely a job for just one function of a company. Detection of the crime is one thing. Assessment and reporting another. Designing of new internal mechanisms is a third, etc. The value of any anti-fraud programme or initiative lies in its ability to accomplish its goal, which in this case means its ability to detect or deter crime.
Among the various instruments mentioned above, whistleblowing is a tool that we are particularly fond of. As well as adding generally to corporate crime prevention, we have seen in numerous cases that whistleblowing actually works. We therefore recommend developing and implementing strong whistleblower programmes.
In our experience, whistleblowing is especially effective when it comes to fraud that involves more than one perpetrator since inappropriate relations are often more easily spotted by eyes and ears than by e-mail review. When designing these programmes we find it particular important that the programmes support subsequent investigation. The whistleblower should therefore be guided, in a structured manner, to include all relevant details associated with the matter reported.
Consequently, we believe that whistleblower programmes, properly implemented and applied, are good for deterrence as well as for the detection of crime.
Strong forensic and investigative capabilities, i.e. data collection capacity, proper review and interview procedures, etc., are also important. Our experience is that in many cases there will be smoke, but without the tools or methodology to uncover the facts, the fire will not be located. Forensic capabilities such as the ones described may in these situations make the difference.
Finally, we note that law enforcement today expects businesses to be able to document a matter before the matter is handed over to the authorities.
Punishment is hugely important to the cost/benefit analysis. Two elements are crucial: Firstly, the punishment must, as a minimum, remove all gains of the crime. Secondly, the punishment must in fact be applied.
As for the removal of gains, many law enforcement authorities today focus on asset tracking and recovering, which is good, but more can be done.
A new initiative in the UK is the regime of the so-called Unexplained Wealth Orders (“UWO’s”), introduced in the Financial Crime Act 2017.
The motivation behind the UWOs is to establish a procedure according to which suddenly enriched persons, under certain circumstances, can be required by the authorities and upon review of the courts to disclose information about the origins of their sudden wealth. In short, an UWO will be passed ordering the person involved to account for the targeted property. If unable to do so, the property will be left open for asset recovery.
We have not made a full analysis under Danish law, but we do note that in many cases suspicion begins with rumours of excessive living.
In our view, the UWO regime adds importantly to the possibility of detection and is an initiative worth following also from a Danish law perspective.
As for the actual application of punishment, the Police and Crime Commissioner of Thames Valley, in our view, gave voice to a relevant concern. If in reality certain specific crimes are ignored or not prioritised by law enforcement authorities, where does that leave the private businesses? With the prospect of continuously limited resources the question is therefore whether today's policing prerogative is the best way to secure that the cost/benefit analysis is a sufficient deterrent? Of course, the answer to this question is political. Since corporate assets and values are at stake, it is important that an adequate law enforcement model is consistently developed and applied. Otherwise, we may end up in a situation where criminal employees are not deterred and corporate assets are lost. This holds true now and tomorrow.
In a new series of recurrent seminars Kromann Reumert has decided to focus on corporate criminal law enforcement in Denmark and beyondIn the first session we look at the present state of affairs with regard to corporate enforcement and the response thereto from a business perspective. In the second session we look at fighting internal fraud in own ranks, and kicking back on kick backs.