Financial Crime Risk Management

Fraud - FAQ

May not cover factors relevant to a particular situation or circumstance.



Frequently Asked Questions

Click Questions to see example responses, some of which include embedded links to reference sources.

Various sources indicate fraud is a serious issue, such as:

  1. Information published by the Office for National Statistics (‘ONS’) from a Crime Survey for England and Wales (CSEW) produced in partnership with the Home Office, indicates for the year ending March 2019:
    • 17% increase in fraud offences – estimated to be in the region of 3.8 million offences
    • driven mainly by an increase in the category “bank and credit account fraud”, which saw a volume increase of 338,000 offences (15%, to 2.6 million offences).
    • It is much more likely for an adult in England and Wales to experience fraud than a violent offence
    • Total fraud offences cover crimes recorded by the National Fraud Intelligence Bureau via Action Fraud, CIFAS and Financial Fraud Action UK.
  2. Since the 1980s, KPMG has maintained a Fraud Barometer, measuring cases of alleged fraud with losses of £100,000 or more reaching the UK courts. The bi-annual Barometer identifies fraud trends and patterns affecting the UK economy, so that businesses can be alert to new threats. The Fraud Barometer indicates the volume of fraud cases hitting UK courts in 2018 was up by 78%.
  3. UK findings in PwC’s 2018 Global Economic Crime Survey (GECS) identify that fraud continues to run at high levels, with respondents’ experiences showing a shift towards technology-enabled crime, bribery and procurement fraud.
  4. EY’s Global Fraud Survey 2018 (involving interviews with 2,550 executives from 55 countries and territories) identified fraud and corruption were considered to be amongst the greatest risks to business.
  5. UK Finance is the collective voice for the banking and finance industry, representing more than 250 firms across the industry. UK Finance published ‘Fraud the Facts 2019’. The report identifies that, despite investment in advanced security systems and innovations to protect customers and stopping more than £1.6 billion of unauthorised fraud in 2018, criminals successfully stole £1.2 billion through fraud and scams.

The Police response to fraud

A 2019 report produced by Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (‘HMICFRS’), on effectiveness and efficiency of the police response to fraud, does not provide encouraging reading for victims of fraud. A key finding is “The law enforcement response to fraud is disjointed and ineffective”. The report ‘Fraud: Time to Choose’ includes:

  • “sadly, we have found too many examples of processes that are inefficient and organisations that are not being properly held to account for their performance. As a result, many victims of fraud are not receiving the level of service they deserve”
  • “7 of the 11 forces we inspected were unable to tell us how many of the reports of fraud that they received directly, resulted in attendance or other police activity”
  • “some forces seeking reasons not to investigate allegations of fraud – one force filed, with no further action, 96 percent of the cases it received from the National Fraud Intelligence Bureau; some of these cases had a good degree of evidence, including identified suspects. Staff performing this role were clear that their function was to ‘reduce demand’”

Examples of where a director might be deemed personally liable (i.e. if he or she):

  • False statements by company directors - Intentionally deceives shareholders or creditors of a company by making a false statement as to the company’s affairs (Sec. 19 of the Theft Act 1968).
  • Fraud by false representation - Makes a false representation (express or implied) knowing that it is, or might be, untrue or misleading, intending to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss (Sec. 2 of the Fraud Act 2006).
  • Fraud by failing to disclose information - By dishonestly failing to disclose to another person information which he is under a legal duty to disclose, with intent to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss (Sec. 3 of the Fraud Act 2006).
  • Fraudulent trading - Is knowingly party to the company carrying on its business with intent to defraud creditors of the company or of another person or for any fraudulent purpose (Sec. 213 of the Insolvency Act 1986). Example - continuing in business and accepting credit from suppliers, or taking payment from customers knowing that orders will not be filled (i.e. to maximise the amount of money coming in prior to liquidation).
  • Wrongful trading - Where a company continues to trade whilst insolvent and unable to pay its debts as they fall due (Sec. 214 of the Insolvency Act 1986). There may be no dishonest intent to defraud creditors but directors may have failed to carry out their responsibilities (i.e. before commencement of winding up of the company, the director(s) knew or ought to have concluded that there was no reasonable prospect that the company would avoid going into insolvent liquidation).

Please note: FCRM Ltd does not provide legal advice. Nothing on this web site should be considered a legal opinion on interpretation of law or regulation.

For firms supervised by the Financial Conduct Authority (‘FCA’), fraud is:

  • Captured in the FCA's financial crime objective.
  • Relevant to the FCA’s consumer protection objectives.

Whilst the FCA prioritises consumer protection (as potential victims of fraud) more than the protection of firms (as potential victims), the regulator does expect firms to be responsive to fraud risk in their systems and controls framework. The FCA Handbook (SUP 15.3.17) includes the following: a firm must notify the FCA immediately if one of the following events arises and the event is significant:

  • it becomes aware that an employee may have committed a fraud against one of its customers; or
  • it becomes aware that a person, whether or not employed by it, may have committed a fraud against it; or
  • it considers that any person, whether or not employed by it, is acting with intent to commit a fraud against it; or
  • it identifies irregularities in its accounting or other records, whether or not there is evidence of fraud; or
  • it suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the firm's regulated activities or ancillary activities.

FCA Guidance

FCA guidance includes examples of good and poor practice on firms preventing losses from fraud, including:

Examples of good practice

  • The firm takes a view on what areas of the firm are most vulnerable to fraudsters, and tailors defences accordingly.
  • Controls adapt to new fraud threats.
  • The firm engages with relevant cross-industry efforts to combat fraud (e.g. data-sharing initiatives like CIFAS and the Insurance Fraud Bureau, collaboration to strengthen payment systems, etc.) in relation to both internal and external fraud.
  • Fraud response plans and investigation procedures set out how the firm will respond to incidents of fraud.
  • Lessons are learnt from incidents of fraud.
  • Anti-fraud good practice is shared widely within the firm.
  • To guard against insider fraud, staff in high risk positions (e.g. finance department, trading floor) are subject to enhanced vetting and closer scrutiny. ‘Four eyes’ procedures are in place.
  • Enhanced due diligence is performed on higher risk customers (e.g. commercial customers with limited financial history. See ‘long firm fraud’ in FCG Annex 1).

Examples of poor practice

  • Senior management appear unaware of fraud incidents and trends. No management information is produced.
  • Fraud losses are buried in bad debts or other losses.
  • There is no clear and consistent definition of fraud across the business, so reporting is haphazard.
  • Fraud risks are not explored when new products and delivery channels are developed.
  • Staff lack awareness of what constitutes fraudulent behaviour (e.g. for a salesman to misreport a customer’s salary to secure a loan would be fraud).
  • Sales incentives act to encourage staff or management to turn a blind eye to potential fraud.
  • Banks fail to implement the requirements of the Payment Services Regulations and Banking Conduct of Business rules, leaving customers out of pocket after fraudulent transactions are made.
  • Remuneration structures may incentivise behaviour that increases the risk of mortgage fraud.

Further guidance

Additional regulatory guidance can be found in Financial Crime Thematic Reviews (‘FCTRs’):

High-level management of fraud risk

FCTR 2 summarises the FSA’s thematic review Firms’ high-level management of fraud risk.

Small firms

FCTR 10 summarises findings of the Small Firms Financial Crime Review, with guidance for small firms on:

Mortgage fraud

FCTR 11 summarises findings of the FSA’s thematic review Mortgage fraud against lenders, containing guidance on:

Investment fraud

FSA thematic review of Banks’ defences against investment fraud. Contains guidance for deposit-takers with retail customers on:

This may be fraud:

  • Conducted by a company – Such as deliberate falsification of financial accounting records to present a false gain (e.g. over-stating sales/turnover) or to conceal a loss (e.g. under-stating liabilities, asset misappropriation by an employee, or for other reason); or
  • Committed against a company (e.g. false invoices submitted to the company by a bogus supplier or third-party, resulting in payment being made where no goods or services have been provided).

Some companies or their employees seek to avoid paying tax due to HM Revenue & Customs (‘HMRC’), by deploying dishonest evasion measures designed to falsely inflate expenses and/or reduce profitability (and hence Corporation Tax liability).

Other examples

  • Long Firm Fraud - An apparently legitimate business is established. As time passes and having developed a good credit history, the company starts to defraud suppliers and customers, reneging on sales having received all or partial payment and also failing to pay suppliers that have credit exposure to the company.
  • Payment Fraud - Creating false payments (e.g. an employee making fraudulent payments to himself, whilst indicating a different beneficiary in the company’s books and records – a false accounting entry) or by diverting/re-routing legitimate funds received from other parties (e.g. customers, supplier refunds, HMRC repayments, etc.), meant for the company but which do not make it to the balance sheet.
  • Procurement Fraud - The typical procurement to payment cycle may be susceptible to fraud risk, such as:
    • Supplier selection – The improper disclosure of confidential information by an employee of the purchasing company to a particular (or favoured) supplier, for personal benefit.
    • Ordering goods or services – An employee of the purchasing company colluding with a supplier and agreeing to pay above the market rate for supplies, despite equivalent quality material being available in the market, at a more competitive price.
    • Receipt of goods or services – Sub-standard goods or services are delivered, or not delivered at all.
    • Receipt and booking of supplier invoices – False or duplicate supplier invoices may not be verified by Accounts Payable against the actual goods or services received. Or a different blend of pricing and quantity appears on the invoice from what was actually agreed to be received.
    • Invoice payment - Payments might be re-routed or settlement arrangements changed at short notice. Employee fraud is relatively easy where internal controls do not validate the receipt of goods or services, or where payments or payment systems can be manipulated without appropriate 4-eyes check or challenge.

If you have a Fraud Response Plan, this should outline the procedure to follow for suspected (or alleged) fraud, to ensure the response is consistent with senior management expectation and risk-appetite.

In companies which do not have a Fraud Response Plan, fraud is sometimes considered a cost of doing business. Whilst this should not be the case, some companies also recognise the police response to fraud is generally weak. Also, when balanced against the combined factors of value lost or at risk, the time it takes to compile a case in support of a civil or criminal fraud allegation, along with the potential impact on business-as-usual activity and the diversion of senior management time, it is not surprising that cost-benefit is a consideration for many corporates.

However, cost-benefit should not be the sole consideration. Other drivers may take precedence, such as:

  • Company directors are responsible for keeping proper accounting records which enable them to ensure that financial statements comply with the Companies Act 2006. They are also responsible for safeguarding company assets and taking reasonable steps for the prevention and detection of fraud and other irregularity.
  • The Financial Conduct Authority ('FCA') expects senior management in firms it regulates, to consider the full implications and breadth of fraud risk, which can affect profitability, reputation, customers and the markets in which firms operate.
  • Where collusion is suspected, the value lost or at risk may not be high. But, the potential for an employee conspiring with third parties to cause financial loss to the company, its customers or its business counterparties, or a repeat event leading to further loss or increased reputation risk, must be taken seriously and appropriate response taken – sometimes regardless of financial value.
  • Senior Management, Audit Committees and Regulators often expect, if not require, fact-based and objective reporting on investigation findings, particularly where a system or control override or weakness, may have contributed to a fraud loss event.

The Fraud Response Plan (‘FRP’) should clearly set out the minimum steps to be taken in response to the discovery of alleged or suspected fraud, including overall responsibility for initiating and supervising investigations, as well as key requirements for loss mitigation and evidence preservation.

FRP benefits include:

  • Promote organisational readiness to respond in a timely and effective manner
  • Set out how internal investigations should be conducted and who to involve
  • Forms part of an integrated anti-fraud strategy, covering fraud prevention, detection and investigation
  • A framework to manage financial and reputation risk

FRP covers tactical and strategic considerations (relevant to the nature, size and operations of the business). Example areas for FRP coverage include:

  • Internal arrangements for reporting, assessment and where necessary, escalation of material fraud risk to a designated person, a governance forum/committee or to senior management
  • Provide guidance for managers, employees and stakeholders on the company’s fraud-risk appetite and how they are expected to respond to suspected fraud
  • Who should be involved in fraud response (e.g. senior manager, legal department, internal audit, fraud team, etc.)
  • External fraud committed against the company or its staff by third parties (e.g. customers, suppliers or other parties), as well as the risk of internal fraud or collusion involving employees and third parties (e.g. leveraging weakness in internal systems or controls)
  • When external support may be required from professional investigators/specialists to make progress
  • Guidance on how to minimise loss, preserve evidence and maintain confidentiality
  • Considering whether remedial action is needed to prevent recurrence

Management and employees are often the first to identify possible cases of fraud or other impropriety. The FRP should therefore be clear on action to take when a case of suspected fraud is encountered. If staff do not know what is expected of them, any action or inaction on their behalf could inadvertently lead to further loss, or loss of evidence to identify person(s) involved.

No. Not in all cases. But shareholders, regulators, investment partners, etc., might expect reasonable steps to be taken in response, to identify persons responsible and how to mitigate any on-going fraud risk. Where an investigation is initiated, this will be influenced by a range of factors, including (amongst others):

  • Assessment of the source / substance of an allegation or grounds for concern - A fraud, misunderstanding, or something else?
  • Complexity of the fraud involved - Simple or complex, wholly internal or involving external parties?
  • Value lost or at risk - An important consideration, but not the only one
  • Risk-appetite - How acceptable is the risk/loss event, could other loss have been suffered but not identified, could fraud have been prevented, is there a material control weakness, etc.?
  • Organisational culture - What does senior management expect to be undertaken, as a minimum, when responding to fraud allegation or suspicion (i.e. tone from the top)?
  • Availability of fraud resource - Internal versus cost, competency and response capability of external support, etc.
  • Following the trail – What is the potential for financial recovery or asset tracing in serious cases and whether this is wholly local, or involving cross-border activity
  • Compliance with the Companies Act 2006 – Directors are responsible for safeguarding company assets and taking reasonable steps to prevent and detect fraud
  • Regulatory risk - Particularly for firms supervised by the FCA:
    • Fraud, errors and other irregularities must be notified to the FSA immediately (i.e. if fraud events arise and an event is assessed to be significant, notification to the FCA under SUP 15.3.17 R is required, with all relevant and significant details of the incident or suspected incident of which the firm is aware)
    • The annual Financial Crime Return (REP-CRIM) includes data points on fraud, including types of fraud encountered, number of resource with fraud responsibility and case volumes.
  • Other…

Regulators, industry bodies and fraud specialists recognise the importance of completing a fraud risk assessment (‘FRA’), to inform development (or maintenance) of an effective fraud risk management framework. Completed on a stand-alone basis or as part of a broader enterprise risk assessment programme using scenarios relevant to the organisation, FRA typically considers:

  • Whether the organisation’s ability to prevent fraud is adversely impacted by a gap or weakness in internal controls
  • How a fraudster (working alone or colluding with a member of staff) might be able to override or circumvent an internal control
  • How fraud could be concealed

Inputs to scenario assessment could include:

  • Details of known fraud events from within the organisation, including how these were undertaken and their consequential impact, along with assessment of any systems or controls failings previously identified;
  • Consideration of internal and external audit findings / recommendations linked to strengthening internal controls to reduce fraud risk;
  • Assessing industry fraud typologies or related risk identified in press or media reporting, linked to illegal / unethical practices;
  • Considering law enforcement or regulatory publications on fraud for relevance to the operating environment;
  • Consideration of any significant organisational change, such as, a merger or acquisition or change in reporting lines or management structure and whether this impacted (or increased) fraud risk to the business;
  • Determining whether existing fraud related training is suitable or fit for purpose, or whether new/emerging risk identified might require an uplift in staff training and awareness;
  • Analysis of loss/shrinkage suffered and whether this might involve fraud in any way, such as, the booking of bad debt provisions, manipulating stock or work-in-progress quantities, or unexplained increase in the level of write-offs or other accounting entries, which serve to balance the books, but where underlying causes may not have been assessed for fraud risk;
  • Materiality of risk associated with employee expense fraud, manipulation of supplier invoicing (or vendor rebates), or other types of corporate fraud risk, relevant to the organisation’s operations;
  • Other…

FRA output

As noted above, FRA scenarios should be relevant to the organisation, to:

  1. Help identify real risk facing the organisation, with an emphasis on the actual rather than perceived or generic fraud risks.
  2. Inform senior management on risk facing the business, so that senior management can direct resource utilisation towards addressing real fraud risk, to make a difference where it matters.
  3. Ensure appropriate action is taken on any new/emerging material risk identified in the policy, procedure or internal control framework – consistent with senior management risk-appetite.

Anti-fraud framework arrangements should include:

  • Governance - Senior management risk-appetite, risk ownership and accountability (e.g. by Board member or other individual with authority, expertise and resource), with supporting activity endorsed by the Board or equivalent senior management body:
  • An informed awareness – Document an assessment of how your business is exposed to fraud risk.
  • Policies & procedures - Reflecting due consideration of legal and regulatory risk relevant to the organisation’s countries of operations. Anti-fraud measures might be covered in a range of policies, some fraud specific and some having a nexus to other policies in the wider control framework (e.g. Fraud policy, Whistle-blowing policy, Supplier procurement/RFP policies, Risk/incident reporting procedure, Human Resource policy, Internal disciplinary arrangements, etc.).
  • Risk-based control environment - Design and implement a suitable control framework, reflecting assessed risk and appropriately resourced to promote compliance with policy and supporting procedure(s)
  • Training and Awareness - Develop appropriate training content and ensure coverage of key risk in the operating environment. Content should, as a minimum, cover:
    1. Policy, procedure and supporting guidance
    2. Risk-based training of appropriate employees (i.e. generic for all staff, with additional focused content for staff in higher-risk roles)
  • Compliance monitoring - Controls testing and assurance must be included, to provide assurance or insight for senior management on compliance with policy and procedure
  • Reporting - An internal mechanism accessible to all staff, so as to be able to report any concern identified to an appropriate person (e.g. a Senior manager, Internal-audit function, Compliance function, a dedicated Whistle-blowing line or another designated contact/reporting point).
