Fraud is becoming a significant operational risk to corporates. This is partly because the regulatory environment is becoming more stringent, and partly because digitalisation has created a vast arsenal of weapons that are readily and cheaply available to would-be fraudsters.
What’s this got to do with treasurers? Well, the commonest forms of fraud all involve payments, whether insiders manipulating systems to embezzle money, external parties tricking companies into making payments to them or a combination of internal and external collaborating in the payment of bribes or other forms of corruption. Since, in theory, treasury is where payments converge and where responsibility for payment visibility lies, treasury is in the best position to spot anomalies that may indicate fraud. The remedies for the more common frauds are straightforward and should fall out of a best practice treasury. The most obvious is that there should be a standardised, centralised, transparent and company-wide process for all forms of payment.
Centralise, standardise, monitor
As Frances Hinden, Shell´s VP Treasury Operations says: “We have centralised virtually all our payments in a SSC. Staff will have large numbers of payments to manage but have no discretion on the process and authorities. The ‘Friday afternoon’ fraud where someone pretends to be the CEO in need of an urgent transfer of money doesn’t happen here. If a payment does not come through the standard payment process it cannot be executed”.
Another treasurer of a large multinational operating in countries with high risk of fraud echoes Hinden, “You should keep cash as centralised as possible so that only corporate treasury can make payments: repatriate where you can and cash forecast on daily basis” says the treasurer. Clearly keeping a keen eye on cash flow is a key component for treasurers seeking to prevent fraud.” Standardisation around tightly configured protocols makes detection easier, by making the unusual more obvious, and it allows for systematic, and possibly automatic, monitoring, rather than random checking.
Centralisation is critical and here this means using one group-wide payments platform, rather than allowing local business units to use different tools, especially if those tools do not feed into a real-time link with the central platform. It also means ensuring an effective means of centralized payments monitoring and other controls. Without visibility, and increasingly this means centralised technology too, treasury cannot spot anomalous activity until it is too late.
And monitoring is not just about processes, it’s about people. Finance has a big role to play when it comes to what is effectively becoming internal staff surveillance. Through data analytics and technology it is possible to monitor and cross reference data from employees social media profiles, companies they have interests in, websites they visit, unusual transactions and various other indicators which may not be incriminating in and of themselves but can raise red flags when combined. An employee who appears in social media on holidays with a supplier or a client, or who authorises payments to a charity headed by a relative of a politician are examples of red flags which technology can help uncover through active monitoring.
“You have to create an ecosystem encouraging suppliers, customers and agents to implement compliance programmes. There is no perfect system, but technology is a tremendous advantage.” says Control Risks´ Geert Aalbers “Third party and media monitoring can help. If your suppliers pop up in adverse media, you can immediately check which of your employees is related to that supplier. If you add to that the capacity to research social media, monitor employees emails (within the confines of data privacy laws), and track user activity such as accessing sites which raise cause for concern, it becomes evident that through technology you can literally monitor and analyse a vast array of transactional, public domain and user behaviour data in a way not possible until recently”.
Awareness is key
Another key bulwark against for fraud is awareness. The vast majority of people are honest and find it hard to think like a criminal. This means they tend to believe that anomalies are the result of errors or particular circumstances and they tend not ascribe malicious motives to the unusual. The best examples of this come from the world of cybercrime in which employees are shown, time and again, to fall for malicious malware embedded in email attachments and even to blatant business email compromise (BEC) attacks, also known as CEO fraud, in which treasurers have wired large sums of money out of companies on the say-so of what they believe are senior executives but who turn out to be fraudsters.
One defence is robust, well-publicised channels for employees to report any concerns. The Association of Certified Fraud Examiners’ “Report to the Nations on occupational fraud and abuse” shows that around half of occupational fraud is first spotted by members of staff. Customers, suppliers and competitors are often sources as well. However, some might be fearful to denounce incidents and an anonymous reporting system can be the answer. Again centralisation is also important: local subsidiaries are particularly vulnerable to these kinds of attacks and in the high-profile case of one of the world’s leading wire and cable manufacturers, it was a local finance head who was tricked into transferring 40 million euros out of the company’s bank account to what they believed was the parent company. “You need to make sure that all local subsidiaries understand corporate governance and compliance” says Jose Carlos Cuevas, SVP Corporate Affairs at Duro Felguera. Automation too is crucial. It not only helps to create and maintain standardisation and centralisation but also to remove many of the risks of human error. “The more you automate, the less chance for people to commit fraud”, says Shell´s Hinden. “However, the more you automate, the more vulnerable you may become to cybercrime which requires a different type of defence.” That these types of fraud work at all means basic failures in governance and compliance. Yes, creating global processes and ensuring global compliance with them is a huge challenge that goes far beyond treasury. But treasury builds most of the processes and systems that underpin cash movements and it is basic treasury best practice to implement them successfully.
But what happens when fraud means the making of illegal payments? If this means accidentally dealing with sanctioned countries, firms or individuals, then again this is a failure of basic governance and control. It is relatively easy to set up whitelists of approved counterparties at a master level in an ERP system and then apply blacklists to that master list. To automatically check against sanction and embargo lists, and to incorporate search algorithms to be applied to payments, accounts or beneficiaries. Increasingly, banks will do this for companies by default, since their regulators have wide-ranging powers to prosecute them if they break the same rules. Companies trying to make illegal payments will find few banks willing to execute them and may well lose key relationships if they persist. However, if it means making payments that are illegal because they are bribes, or corrupt in some other way, then treasury has a different problem. Yes, at one level, it is treasury that puts in place financial controls and, as Geert Aalbers, Control Risks´ Head of Brazil and Southern Cone business puts it, “where there is a break down in controls, there is room for corruption.” But realistically, bribes are paid by people who know that they are paying them. They are internal, and they either have the tacit approval of senior management or they will go to great lengths to conceal the true nature of the payment. In the latter case, particularly if bribes are long-standing and made to the same suppliers using small, frequent payments, only a rigorous forensic audit is likely to reveal them. In the former, treasury has a difficult choice to make, as recent scandals have proved. Petrobras and Odebrecht in Brazil, the ongoing saga of Monaco-based Unaoil, Rolls Royce, the engineering giant and SBM, one of the largest firms listed on the Amsterdam Stock Exchange – the list of companies under investigation or which have reached agreements with the prosecution offices of various countries following investigations into bribery and corruption reads like a roll-call of global industry. It is one thing, to have people and systems other than yourself handling fraud, but what happens if you discover what you believe is malpractice? In the most dramatic cases, blowing the whistle can entail personal risk. Michael Woodford, the former CEO of Olympus, after he exposed Olympus’s accounting fraud, went around with armed guards for fear of his own life. Albeit in hopefully less perilous fashion, becoming involved in fraud detection can turn into any senior figure’s worst nightmare.
Ultimately, in these cases, treasurers have an invidious choice. If they blow the whistle on corrupt practices then they rely for their safety and their future livelihoods on the judicial, political and business systems that they may be denouncing. If they choose to remain silent, and the scandal breaks anyway, they risk being seen as part of the criminality themselves. There is no MBA or professional treasury qualification that can help answer this dilemma. That said, things may be getting easier. Companies are slowly changing the way they operate as a consequence of the recent scandals in Brazil. Says Control Risk’s Aalbers: “At corporate level we see an increased focus on improving internal controls. Risk Management has also shot to the top of the corporate agenda, and COSO (a framework for effective internal controls) is in vogue. Risk assessments, the starting point of any risk Management programme, are in high demand. Compliance and Risk Management have also been elevated to Board level because shareholders are increasingly concerned and interested in the types of risks the company takes on, and how these risks are managed. Boards are now nominating governance, risk and compliance committees to ensure that the compliance function can operate independently from the management team." If these improvements happen globally as a result of regulations on AML and KYC, and through the agency of measures such as FATCA, perhaps treasurers won’t have to make that choice after all.