In a virtual roundtable with Corporate LiveWire, Salvatore LaScala, managing director and co-lead of Guidehouse's global investigations and compliance practice, discussed the latest regulatory changes and interesting developments on a local, regional, and global scale. LaScala and the other expert panelists discussed which fraud and white-collar crime trends prosecutors will focus on in 2019 whilst also addressing other prevalent topics such as whistleblowing and self-reporting incentives, the impact of smart technology, and a summary of recent noteworthy case studies.
Q. In your jurisdiction, what are the main regulatory provisions and legislation relevant to (i) corporate or business fraud, (ii) bribery and corruption, and (iii) insider trading?
As a general matter, corporate and business fraud includes illegal or unethical conduct that unjustly enriches a company and/or individual. Bribery and corruption and insider trading are examples of such behavior.
The seminal anti-bribery and corruption regulation in the United States is the Foreign Corrupt Practices Act (FCPA). The FCPA, which is administered by the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC), at its base makes it unlawful for certain classes of persons and entities to make payments or provide any other items of value to foreign government officials in exchange for obtaining or retaining business. In addition to the FCPA, there are other federal laws — as well as state and local laws in the U.S. — that prohibit bribery and corruption in other contexts. For example, commercial bribery is where one private party bribes another private party to obtain some type of unfair advantage. Another example of bribery is making payments to a political official in exchange for voting in a certain way or promoting certain legislation.
Insider trading, the trading of a public company's stock with access to material nonpublic information about the company, is prohibited by Rule 10b-5 of the Securities Exchange Act of 1934. Insider trading is also illegal under U.S. mail and wire fraud statutes, as set forth in the United States Code. Insider trading cases are prosecuted by the DOJ and the SEC.
Q. How is the continuous development of smart technology impacting fraud and white-collar crime?
While there have certainly been improvements in technology in recent years that have advanced financial crime detection, the industry has, in some ways, lagged. For example, detecting fraud, which includes a return on investment, is fairly advanced while anti-money laundering, which does not indicate a “return on investment” or enhance the bottom line, has long been deploying rules-based systems to conduct transaction surveillance for the detection of potentially suspicious activity. These rules-based systems require constant testing and optimization — yet a high rate of false positives is typical throughout the industry. Moreover, advancement has slowed with respect to detecting new money laundering typologies.
Artificial intelligence (AI), specifically machine learning, is the first innovation in years with the promise to significantly enhance our ability to detect and prevent financial crimes of all categories, especially money laundering. To be clear, AI technology is not new. For the past decade, data scientists have worked to make machine learning accessible and adaptable. The complex algorithms have been written, the keys to manipulating massive data sets are known, and the technology is universal enough to be applied to different problems. Now it is up to financial institutions to make the leap and use AI and machine learning to detect human traffickers, narcotics and arms sales, terrorist payments, and the money laundering that fuels these activities.
AI technology will completely change the way we go about rooting out this activity. Using unsupervised learning (the process by which a model draws inferences from uncategorized data to analyze and identify patterns and underlying structures), transaction-monitoring models can group customers according to their behavior and then flag truly anomalous behavior that is potentially suspicious. This is unlike a rules-based system, where customers may be segmented by basic characteristics. Anomaly detection is not as effective because 1) the customers are not grouped by behavior, and 2) someone has to write the rules to catch every potential anomalous behavior, of which there is a limitless supply. Machine learning is allowing banks to home in on truly anomalous behavior that is potentially suspicious. And this is leading us to discover new financial crime red flags in real time — rather than waiting for law enforcement and regulators to report them to banks.
Q. What is the difference between unlawful and unethical conduct and to what extent has the line blurred in recent years?
Unlawful conduct is behavior that is expressly prohibited by a specific legal constraint (i.e., statute, regulation) that can trigger sanctions or penalties (i.e., monetary fines, imprisonment). Unethical conduct on the other hand is behavior that, while not technically illegal, is generally considered immoral.
Just because conduct may be legal doesn’t mean it’s ethical. For example, some executives would argue that their primary responsibility is to the organization’s shareholders and that as long as their actions to maximize profits are legal, it’s irrelevant that their behavior may be considered unethical. Others argue that companies have a responsibility to society as a whole to not only behave legally, but also (and perhaps more importantly) behave ethically.
As the line between illegal and unethical behavior blurs and the focus on the social responsibility of corporate leadership increases, corporations have increasingly focused their compliance programs on both illegal and unethical conduct.
Q. How can companies ensure they get the correct balance between implementing risk management and risk prevention?
Effective risk management means that senior management makes deliberate decisions to understand, accept, and mitigate identified risks. As a side note, it’s important to recognize that risks change as the organization changes — thus organizations should have a process in place to identify and address the revised risk profile. This requires resources, commitment, and authority given to responsible individuals. Once the risks are identified, organizations need to institute controls to help mitigate and manage the risk. Communicating the risk strategy broadly, collaborating between all departments of an organization, and identifying and reporting on emerging risks are essential for understanding the risks and accurately disseminating the information so relevant stakeholders are able to manage these risks.
Risk prevention means the act or practice of stopping something bad from happening. Risk prevention methods include comprehensive policies, procedures, processes, and controls that are designed to prevent and detect illegal or unethical conduct. Each organization should tailor relevant industry best practices and risk prevention methods to fit its needs. This may include limiting the products it offers or geographies in which it is willing to do business. It might include deciding not to accept certain types of clients.
Companies can ensure the right balance between risk management and risk prevention by identifying risks and determining how much risk they are willing to tolerate. Senior management must set its risk appetite based on a careful analysis of various factors, including the following:
Existence of an enforcement action, i.e., consent order, Deferred Prosecution Agreement
Financial reward impact
Senior management can then manage the risk by either eliminating it — cutting ties with certain customers — or by managing it with an adequate control environment. Risk management and risk prevention share the same goal: Reduce the organization’s risk, loss, and liability exposure.
Q. Can you talk us through the various steps a company should take upon discovering fraud?
The availability of reduced penalties for cooperation and the increased number of whistleblowers create incentives for companies to be proactive in assessing and investigating potential allegations of illegal or unethical conduct. Of course, the key step in the investigation process is to ensure that the organization has developed and implemented an effective and comprehensive corporate compliance program to prevent and detect such conduct — in other words, the best offense is a good defense. Because no compliance program is perfect (and regulators don’t expect compliance programs to prevent and detect every instance of illegal or unethical conduct), an effective compliance program should recognize that there may be a need to conduct investigations into potential wrongdoing and should also contain an employee whistleblower program that allows employees to anonymously report any potentially illegal or unethical activity. The compliance program should include documented internal investigation protocols that address matters including, but not limited to, preservation, collection, and analysis of documents; preparing for and conducting employee interviews; internal and external communications regarding the matters; when to retain outside counsel, and investigative and forensic experts; and considerations for making voluntary disclosures to the government.
Q. To what extent have whistleblowing and self-reporting incentives changed the way companies manage and respond to fraud?
There are various U.S. whistleblower statutes, rules, and regulations, including Section 922 of the Dodd-Frank Act and the False Claims Act. Generally, these regulations allow financial rewards to individuals who provide information that results in a successful enforcement action or prosecution against a wrongdoer. To encourage the free flow of information regarding potentially illegal activities, whistleblowers are also provided with anonymity, and federal law prohibits retaliation against them for providing such information.
Since the advent of the SEC whistleblower program, more than 14,000 whistleblower tips from all 50 states and 95 foreign countries have been received and significant financial rewards have been paid out. More than $168 million was paid to 13 individuals in 2018 alone. In addition to the U.S., comprehensive whistleblower protection laws have been adopted in more than a dozen countries and several other countries provide more limited protections. The pace of whistleblowing is only going to increase as more whistleblower payments are made and publicized and whistleblowing is viewed more and more as a potentially lucrative activity.
The increased number of whistleblower complaints and payments has required companies to react to and address whistleblower allegations more quickly. This trend has also forced companies to consider the need for voluntary disclosure to the government to admit wrongdoing before whistleblowers call attention to it.