Curing the culture of fraud

Fraud is on the rise. In July, KPMG released statistics highlighting that from January to June, losses due to fraud in the UK alone reached £1.1 billion - a rise from £609 million during the same period last year. Almost half of this £1.1 billion was in the private sector. Perhaps more worryingly, a recent survey by Ernst & Young carried out across European institutions highlighted that one in 10 respondent companies had no anti-fraud measures in place at all.

The financial crisis of 2008–2009 exposed a variety of fraudsters, including Bernard Madoff, who lost well over $10 billion of investors’ money. However, it was the €4.9 billion fraud committed by Jérôme Kerviel of Société Générale (SocGen) that caused most financial institutions to look inwards at their own cultures and operations for fear of a similar loss.

For firms trying to mitigate the risk of such losses, questions must be asked as to how and why such frauds occur. “Culture is an important consideration that I think most institutions don’t do a strong enough job in defining,” says Dean Rowan, chief risk officer (CRO) at Gulf One Investment Bank in Bahrain. “Fraud is one area that fits into the weakness that an organisation displays through its lack of definition.”

When Kerviel’s fraud was exposed in January 2008, his defence was to blame the culture at SocGen. Rather than simply being a self-exculpatory excuse, his argument might have contained a kernel of truth. One banking head of operational risk described SocGen at the time of Kerviel’s fraud as a “brake-free culture”.

Regulators tend to focus on formal oversight, auditing and reporting measures, and vendors (understandably) on the software and technology that can prevent or detect fraudulent losses. But banks should remember that fraud, like other financial crimes, springs from a criminal culture, and need to bear in mind how this culture is born, how it can be detected, and how it can be destroyed.

For fraud to occur, according to psychologist Adrian Furnham of Kings College, London, three key factors have to be in place – a ‘fraud triangle’ consisting of rationale, opportunity and pressure. Financial institutions, of course, often have high-pressure environments. And if there is a lack of effective internal controls, there is an opportunity. For those individuals who have the rationale to commit fraud, it could well become a reality.

All three of these factors are likely to be exacerbated during a downturn. Control departments are often the first to lose staff in cost-cutting exercises, making the opportunity for fraud within institutions greater. Staff might be suffering the effects of the downturn themselves, and therefore feeling more inclined to find ways to increase their income. These factors, combined with the pressure of both the working environment and the downturn, can once again make the potential for fraud a reality.

It should also be noted that fraud is not always committed for personal financial gain, and might not necessarily be intentional at the outset – the origin of a fraud could be a controls failure rather than a criminal intention. “Often the fraud starts by mistake,” says John Smart, a fraud investigation and dispute services partner at Ernst & Young in London. “This was arguably true of Leeson [who lost Barings Bank more than £827 million in 1995] and of Kerviel. There’s suddenly a problem because they make a mistake and the system doesn’t pick up the fact that the losses haven’t been recorded properly. This then sows a seed of opportunity.”
Furnham agrees: “What leads people down these routes is opportunity rather than cause,” he says.

The opportunity that can arise from a weakness in controls has to combine with rationale and pressure for the fraud to occur. The financial industry, in particular banking, is often a pressured environment. “If you’re under a lot of stress and pressure, plus if there’s a weakness in the control function – middle office or back office, for example – the risk of fraud is certainly increased,” says Smart.

This breakdown in controls can result from a number of factors. “There can be bullying by the executives on the operational staff or the compliance staff, and insufficient strength in those independent frameworks to make sure the controls and balances that are designed in the system work effectively,” says Rowan. “And wherever there is a weakness, those people who might be inclined to fraudulent behaviour, particularly in the financial services industry, can be quite clever and will eventually take advantage of that.”

Control failures can also occur if mechanisms in place are ignored, bypassed or regarded as unimportant – again, the product of a poor organisational culture.

In the case of Kerviel, SocGen’s weak approach towards its controls was exposed. “SocGen wasn’t fully confirming Kerviel’s trades,” says one banking head of operational risk. “There have to be full front-office to back-office controls in place. Plus your front office needs to be forensic in management.”

Further, a lack of separation between front office and back office can cause problems, as was the case with Leeson, who was running both at Barings’ futures operations in Singapore. “Independence is key,” says the banking head of operational risk. “Independent, effective support functions validating trades and therefore mitigating risks must be in place.” Even if oversight mechanisms exist on paper, if cultural weaknesses mean they are ignored or compromised, they will be useless.

Fraud can also go undetected because basic procedures are not adhered to. “The reality is that a lot of frauds, including the big ones, happen because the basics aren’t in place,” says Ernst & Young’s Smart. “It’s not necessarily a very interesting message, but if you’re not doing your basic accounting reconciliations or basic follow-up of anomalies on a regular basis, you are leaving yourself open to the risk of fraud.”

In the absence of energetic oversight and advocacy, basic controls can stop being effective if too much time passes without them being monitored or challenged. “Control de-implementation is a real risk,” says Mark Coronna, executive vice-president of securities, compliance and insurance at Wolters Kluwer in London. “Over a period of years controls can start to de-implement because of benign neglect or, worse, intent.”

This lapse in controls is often as a result of not having someone in place who is responsible for monitoring their effectiveness. “Someone has to know the bigger picture and put a control environment in place,” says Coronna. “But who monitors this?”

Gaps in control processes could have several causes. An institution could be operating complex, fragmented systems as the result of a recent merger or acquisition. Immature operational risk functions with inadequate systems could also be a result of underinvestment or lack of attention. And the proliferation of hard-to-monitor means of communication such as smartphones, text and instant messaging can means some communications might go undetected.

Greed and pressure
The lack of effective control within a bank’s operational risk framework is not the only cultural element that leaves a company at risk of internal fraud. Remuneration is another factor. According to Ernst & Young’s Smart, the same factors that drove short-term thinking during the asset bubble might also have pushed employees towards fraud. “If you’re driven by a low base and a massive bonus, that’s likely to affect your integrity if push comes to shove and you’ve got to do one more deal to get your massive bonus or to influence the person authorising the bonuses,” he says. “It takes a strong character to say, ‘No, this is the right thing to do, despite the fact it’s going to cost me £100,000.’”

Perceived unfairness in remuneration can also be a strong driver of fraud. “When there are huge disparities in earnings between the most successful traders and the other members of staff, this can push employees to want to prove themselves further in order to achieve the same levels of remuneration,” says Richard Squire, a partner at the Crossbridge consultancy in London.
Furnham agrees. “When you look back [at perpetrators of fraud], their sense of anger, resentment, frustration and disappointment are almost always the motivators that led to misbehaviour,” he says.

Another cultural factor common to most banks, pressure to achieve success, can also leave an opening for internal fraud. “In a high-pressure, highly competitive environment with huge rewards and recognition available to those who succeed, there is always going to be the risk of internal fraud,” says Squire. “The banking environment tends to attract and recruit bright, highly competitive people.”

In cases where there is no personal gain, such as Kerviel and Leeson, it tends to be “kudos or ego or both” that leads to the fraud being committed, according to Smart. Further, once you’ve generated kudos your ability to continue your fraud undetected is amplified – profits, whether legitimate or not, can make an employee all but untouchable. “In the financial services sector there is the sense that if you are a star trader or star performer people don’t really challenge exactly what you’re doing,” Smart says. “And if they do, it’s easy to deflect them.”

This deflection can have grave consequences. “When too much power is given to traders or investors versus the control functions this can lead to a ‘don’t ask, don’t tell’ attitude to understanding how super-normal profits are made,” says Squire. “This was arguably the case with Madoff, Leeson and Kerviel.When there is a sharp focus within the industry on finding innovative ways of making money, this can lead to too great a focus from senior management on profit numbers versus understanding risk factors.”

To mitigate the risk of internal fraud that a bank’s culture can generate, fundamental structures need to be in place. “You need to have a full suite of checks and balances that validate and ensure compliance with the regulations and rules through the compliance, operational risk or internal fraud departments,” says Gulf One’s Rowan. “But fundamentally prevention is better than cure, so defining what the organisation’s culture is is a more redeeming and longer-term proposition than trying to deal with the problem after it has happened.”

Cleaning house
Setting the tone in an institution will help staff to understand exactly what’s acceptable and what isn’t. Staff must understand that, irrespective of the consequences, if rules are not adhered to, there will be penalties. “In one institution, I saw one of the top-three money-making dealers who breached his options position limits publicly dismissed on the trading room floor,” says Rowan. “He hadn’t lost the bank any money, in fact he was continuing to make the bank money, but it was deemed such a critical issue for discipline that the bank took this action. That was confirmation of what was deemed to be acceptable behaviour for the institution.”

Banks should also have training in place to help managers become able to spot potential fraud and deal with it. “If you ask the difficult questions and create fraud awareness around a workshop or training – get a group of managers and training staff into a room and ask them what they might do if they were going to commit a fraud, this would help them to start spotting signs they might have previously missed,” says Smart. “This allows you to understand what really goes on on the shop floor or the trading desk.”

Managers also need to know what information to include in reports. “When there is poor management information with which to monitor business activities it is easy to hide fraud,” says Crossbridge’s Squire. “Likewise, when management reports are produced only at a high level and on a monthly basis without any form of exception reporting to highlight unusual activities, this too can mean fraudulent activity can go undetected.”

Banks could also try to develop a culture of concern between colleagues that can allow for open and honest dialogue. “It’s about a culture of sharing concerns in a way that isn’t squealing on your workmates, because you wouldn’t necessarily want to encourage that,” says Smart. “But an open culture based on transparency about what’s going on that allows someone to say if they’re worried about a certain trading desk, for example. This, combined with a follow-up procedure, can facilitate a more honest and open culture.”

The concept of “squealing on your workmates”, as Smart puts it – more commonly known as whistleblowing – is a tricky one. There are differing views on how effective this is when dealing with fraud. “We, the industry as a whole, do not treat our whistleblowers with the reverence they deserve as a result of them doing the right thing,” says Rowan.

The element of secrecy that can sometimes surround whistleblowing makes it unclear how effective it might be as part of a culture. “You do have to be careful with whistleblowing because you can create the wrong culture in organisations,” says Smart. “It requires evidence rather than just concerns, and is not always open and transparent. You wouldn’t necessarily want to encourage that.” Studies have found a large proportion of frauds are detected because of internal reports – 14% of frauds were discovered following an anonymous tip-off, and 10% following a formal internal whistleblower report, a KPMG study found in June.

Market practitioners list three areas in which banks can act to repair and improve their organisational culture and reduce the risk of fraud. The first is improving fraud-related knowledge and awareness, among managers and oversight staff in particular. “People know there are patterns to look for but they might not know what those patterns are,” says Coronna. “You need to have people with experience within your industry or sector looking at these systems so they know what they’re looking for.”

He adds that the general knowledge and imagination to detect unfamiliar fraud is also important. “You might know some patterns but there will also be new patterns that you won’t know to look for,” says Coronna. “This is where expertise is vital, and that needs to come from former industry experts, compliance officers, regulators or risk officers.”

Just as gaps in systems and controls can give rise to opportunities for fraud, repairing them can help to remove temptation – and improve the bank’s culture. “The system needs to be intelligent, practical and based on best practices,” says Coronna. “Plus you need systems that plug in benignly to main transactions lines.” For example, he suggests banks consider systems where employees have to get permission from their compliance officer to go ahead with a transaction. He also suggests firms make a copy of everything that happens so all transactions can be supervised, audited and monitored if necessary.

In the case of SocGen, simple systems changes could have prevented Kerviel from being able to act fraudulently, risk experts say. “Systems should have been in place to prevent logging in being as simple as it was for Kerviel,” says one banking head of operational risk. “Kerviel was able to access systems he wasn’t authorised to access. This enabled him to hide fraudulent trades.”

Banks would also benefit from sharing best practices in their efforts to mitigate fraud risk. However, this is not as simple as it sounds. “With other types of financial crime there are many areas where best practices are shared,” says Coronna. “Firms have tactical and practical conversations offering ideas, suggestions and best practices. But when it comes to internal fraud, it’s not shared. Nobody wants that stuff to see the daylight.”

Oversight could be improved with changes in the organisational structure, says Squire of Crossbridge. “Companies need to make organisational changes to create clear separation between the business and control functions,” he says. “By investing in an improved operational risk function and supporting systems, firms can have more confidence in their control environment being effective.”

However, again, cultural factors will determine whether these changes are effective or not – without managerial commitment, they might be ignored or bypassed. “Managers need to have intuition and ownership,” says the banking head of operational risk. “They should always be listening and have an intimate knowledge of the processes. Without this, the systems are worthless.” Further, he says, managers must know their team and have regular informal meetings with them individually. “Knowing your team will help you spot weaknesses in your staff, which means you will be alerted if and when the time comes.”

For banks to protect themselves from internal fraud they must have a robust operational and control framework. But without cultural issues addressed this framework might well be ineffective. “Highly engineered solutions are not a panacea,” says the banking head of operational risk. “It needs human, forensic understanding.”

Further, without management commitment, controls might fail. “Controls are a check in the process,” says Gulf One’s Rowan. “The controls, irrespective of how strong they are, can still fail and will fail.” The banking head of operational risk agrees. “Good people make up for broken controls but good controls can not make up for having ‘broken’ people with the wrong people monitoring them. If you had to pin it on one word, ownership would be the word.”