Stephanie Lhomme, Head of the Compliance Intelligence Investigations and Technology (CIIT) department for Europe & Africa and David Dinnell, Director CIIT at Control Risks explain what banks and the financial sector can do to mitigate the impact when the regulators arrive to investigate alleged fraud and corruption.
It is estimated that Banks in the US and Europe have paid out $128bn – $251bn in fines to regulators since 20091. These have been for a broad range of issues including Forex scandals, Libor rate fixing, money laundering, mis-selling services, breaching sanctions and complicity in massive fraud, such as the Madoff investment scandal. Authorities across multiple jurisdictions are coming together to investigate some serious suspected misdemeanours and investigations are arising from various countries and aimed at banks and financial institutions across the globe. In July, New York state regulators stated that they wanted to install a monitor inside two European banks as part of a currencies market investigation, while other European have been under US investigation for breaking money laundering rules.
When the authorities come calling, hefty fines for corruption and major fraud are not the only things banks have to worry about. Individuals could face criminal prosecution, while banks may be forced to make swingeing changes, such as replacing the entire board, which could challenge the bank’s stability and reputation.
In some cases, initial expectations of the level of fine likely to be imposed following an investigation into a bank’s affairs were far higher than the final payment demanded. There are a number of reasons why this may have happened. Potential regulatory fines may have been reduced as a result of the bank volunteering information and collaborating with the subsequent regulatory investigation efficiently and completely openly, possibly through a Deferred Prosecution Agreement (DPA). To do this effectively, banks need clear protocols, paper trails, reporting lines and to be prepared to share investigative findings from day one.
Under a DPA, a prosecutor charges a bank – this applies to organisations only, not individuals – with a criminal offence but proceedings are suspended. A bank under investigation would agree to conditions such as paying a financial penalty, paying compensation and co-operating with prosecutions of individuals. If it does not honour the conditions, the prosecution may resume at a later date. DPAs can be used for fraud, bribery and other economic crimes.
DPAs are intended to be invoked when there is no public interest in mounting a prosecution, so they would not be suitable for every circumstance. In any case, at the beginning of any investigation, banks should never assume that they could achieve any guarantee against prosecution or any undertaking that no action will be taken against them.
It is important to be able to demonstrate to the regulator that the bank took strenuous steps to address the risk of fraud and corruption. This means having measures in place such as anti-fraud and corruption protocols to monitor internal risk and an effective system to monitor what is happening within the bank. It is crucial to have an appropriate and efficient due diligence process for customers and potential customers especially politically exposed persons (referred as PEPs). It has also become important to monitor the due diligence performed – “monitoring” is key to ensuring that the bank has up to date information on its customers.
Very often, despite the bank’s best efforts to address the risk of fraud and corruption, an investigation comes out of the blue and addresses an issue the bank may not have been able to foresee. There is every chance that even the best-prepared institutions may face an investigation and these tend to fall into two camps. Criminal investigations often result in immediate arrests and confiscation of documents and data. There may be little scope for working with the authorities. Enquiries by regulatory bodies such as the Serious Fraud Office (SFO) in the UK and the US Securities and Exchange Commission may sometimes be preceded by written notice, although there is still commonly a requirement that the bank will provide information requested, whether by producing people for interview and supplying documents.
In some cases, regulatory investigations might result from a bank “self reporting” an issue. Banks are legally obliged to do this and the process of self reporting does allow them to prepare for and control the process to some degree. However, self reporting may also trigger unforeseen consequences as the information disclosed may be used in another jurisdiction against the bank. Both self reporting and DPAs can have negative consequences and it is essential to have external experts who can advise on the practicality of those approaches.
Best practice approach to investigation
There are some practical steps a bank can take to prepare to respond to a regulatory investigation and manage it effectively. Regulators like to see problems resolved quickly. Complete and unconditional co-operation is usually the best option but it is vital to seek expert support as soon as possible.
The first stop will be legal counsel (in-house and external), and advisors with the relevant crisis management, investigations (including forensics) and regulations expertise. Employees from across the bank, including technical and HR staff, may be called in to assist with the investigation. External support will be needed to ensure that staff are able to retain and retrieve documentation efficiently. A co-operative attitude, presenting key information clearly and succinctly, goes a long way here.
External experts can play a key role at an earlier, preventative stage, ensuring banks implement best practice when it comes to compliance and they can demonstrate lessons have been learned and steps taken following previous incidents or have addressed issues identified more widely within the banking sector. Once an investigation is underway, regulators will want unfettered access to internal staff but external experts can also advise or “coach” staff throughout the process to ensure the bank responds adequately to the regulator’s requests.
Banks need to show that oversight has been implemented at every level to backstop employee decision-making and prevent rogue traders and protect against other internal threats. An impartial view of the bank’s processes is necessary, ideally combined with the ability to take an expert view of business systems to audit aspects such as access control, data transparency, retention and deletion and discoverability. Even if this approach does not affect the level of fine or regulatory action taken it can, by making the whole process as efficient as possible, reduce the considerable legal bills that the banks would otherwise run up to address regulatory investigations.
1 http://www.huffingtonpost.com/2014/08/08/big-bank-fines-total_n_5659317.html; http://www.forbes.com/sites/robertlenzner/2014/08/29/too-big-to-fail-banks-have-paid-251-billion-in-fines-for-sins-committed-since-2008/
About the authors:
Stephanie Lhomme is Head of the Compliance Intelligence Investigations and Technology (CIIT) department for Europe and Africa at Control Risks. Stephanie has nearly 20 years of professional experience working mostly in financial and risk consulting across the world, with significant international experience in complex M&A transactions, fraud investigations and anti-corruption matters. Stephanie.Lhomme@controlrisks.com
David Dinnell is a Director in the CIIT department, leading the Fraud and Forensic team for Europe & Africa. David manages a broad array of complex investigations into fraud, corruption and other ethical breaches, supported by teams in Europe and Africa. He specialises in leading multi-disciplined investigation teams delivering innovative and successful investigative solutions for clients. David has over 25 years of experience working in the region and has an in-depth understanding of regional business practise and the risk environment. David.Dinnell@controlrisks.com
For further information visit http://www.controlrisks.com