Fraud: making your strategy work
Last month’s article focused on identifying fraud risks that arise for law firms. It suggested that risk controls start with a statement of a firm’s policy and a commitment, from the top, to ensuring that the firm is never regarded as a “soft touch”. Examples of risk controls, for illustration, appear in the table opposite. But as with any risk controls, devising and putting in place fraud risk controls is not the end of the process. Monitoring compliance may reveal deviation from the intended controls, and perhaps the need for modification of risk controls or for training.
Monitoring
Do you know the extent of compliance (or non-compliance) with the firm’s:
- employee screening procedures?
- client vetting procedures?
- password security protocols?
- office insurance conditions etc?
Do you know if exceptions are being made? Are there differences between practice areas/offices?
Perception: “If we comply with all rules and regulations, we ought to be safe.”
Reality: Compliance may be tight, but fraudsters may find a loophole and exploit any weaknesses.
There is evidence to indicate that sometimes competing priorities arise as between fraud risk management and what some describe as “the client experience”. In other words, rather than cause inconvenience to clients and prospective clients, firms may occasionally relax procedures in relation to vetting of new clients or new instructions. Relaxing the firm’s normal requirement that new clients should be met face to face, to spare a client the “inconvenience” of getting time off work, had the consequence in at least one unfortunate case that the solicitor became the victim of an identity fraud.
Such an approach, while well-intentioned, is misguided. Firms should adhere to a strict application of policies and procedures. Demonstrating a willingness to deviate may be precisely the signal a fraudster wants that there are weaknesses that can be taken advantage of.
Instances have arisen where firms have discussed and agreed with insurers a bespoke set of minimum standards of control in relation to (optional) fidelity guarantee insurance and, following a fraud (which would be covered by that insurance), investigation reveals that the practice has not been complying with those minimum standards.
By monitoring compliance with the firm’s fraud risk controls:
- deviations from the intended controls can be detected and addressed, whether by training or by modification of risk controls;
- the firm’s policy on fraud risk management is supported and reinforced and is shown to mean precisely what it says.
Training
An effective training regime reduces the risk that, after a fraudulent event, colleagues say:
- that the reason they failed to follow a particular procedure was they did not properly understand the procedure or its purpose;
- that, in retrospect, they realise they ought to have spotted warning signs that should have elicited suspicion and enquiry on their part.
Many frauds succeed because of a reluctance by employees to report suspicions and because there are perceived barriers to reporting and whistleblowing.
Ideally, as well as ensuring employees understand the purpose and operation of the firm’s risk control procedures, training should also be aimed at raising awareness of what to look out for and encouraging them actually to look. Many fraud risk management commentaries talk of “red flags” – potential warning signs of fraud. For example, in relation to employee frauds, David Buchanan-Cook (Journal, October 2006, 36) identifies:
- the model employee who works long hours, particularly if not reflected in billable time;
- the employee who regularly fails to take annual leave or who calls in unexpectedly when on holiday;
- an individual who refuses, or does not seek, promotion;
- missing documents or files;
- changes in employee’s lifestyle, e.g. conspicuous spending;
- an employee who is over-protective of duties and is reluctant or refuses to delegate certain tasks;
- addictions, such as alcohol, gambling, drugs;
- computer usage outwith normal hours, or system access via absent or former employees’ passwords;
- copying large amounts of data;
- low employee morale.
The author urges treating this list with caution, but suggests that two or more of these factors together may be cause for further enquiry.
Response to a fraud
It ought to be clear who, in the event of discovery of a fraud situation, will report and take responsibility for the investigation.
Depending on the nature of the fraud, any notification to insurers ought to be made without delay.
Considering the potential for adverse PR within the firm and beyond, there ought to be a plan in relation to communication, as appropriate, to staff, clients and a wider audience.
Learning from the adverse experience ought to result in a tightening of controls to minimise the risk of any recurrence.
Insurance
The firm’s fraud risk management strategy is likely to involve insurance to some extent.
- Client funds
It is not well understood but, in the event of misappropriation of clients’ funds, the compulsory professional indemnity insurance under the Master Policy covers the liability of the principals of a law firm, provided at least one principal is innocent of any dishonesty and has not condoned or colluded in the dishonesty.
If the firm has additional top-up cover, it is likely that it will have the benefit of cover for misappropriation of clients’ funds up to the full amount of the top-up cover.
The self-insured amount (excess) in relation to a fraud claim is twice the normal self-insured amount – typically £6,000 per partner rather than £3,000 per partner (subject to the caps/limits in the Master Policy rules).
It may sometimes be possible to obtain insurance cover (“infill insurance”) in respect of the firm’s liability for the self-insured amount (for any category of claim, not just dishonesty claims).
- Firm’s own money
The firm may have cover for theft of its own money or goods in terms of its office combined insurance policy.
There are also specialised policies (fidelity insurance/fidelity guarantee insurance or crime insurance) which are designed to cover losses as a result of theft of the firm’s own money or goods committed by an employee or, in some policies, by a partner of the firm or a third party (e.g. a computer hacker).
The cover provided by such policies is typically subject to a much more substantial level of self-insured amount (excess), or the requirement to comply with various conditions (minimum standards of control in relation to segregation of duties, signing authorities and funds transfer protocols, as well as conditions with regard to the taking of references for new recruits).
In relation to insurance, the risk conscious practice will consider:
- whether or not to purchase (optional) insurances;
- whether the firm complies with whatever minimum standards of control and references conditions apply as conditions of cover, and ensuring continued compliance;
- what level of cover is adequate;
- where there is a choice, what level of self-insured amount (excess) is acceptable.
The insurance policies mentioned are intended to cover all or part of the funds misappropriated and the investigation costs incurred (which may be substantial), but none of these insurances makes up for the impact of stress and anxiety caused by the fraud. While in some circumstances there may be a contribution from certain insurers to the cost of public relations consultancy, no policy compensates for the damage done to the firm’s reputation.
However good the cover, prevention is far better than cure.
Take action
- Compile a register of fraud risks affecting the firm
- Review effectiveness of current controls
- Establish whether controls are being complied with
- Conduct gap analysis
- Devise awareness training and training plan/log
- Check current insurances, their adequacy and what they cover
- Don’t let your firm be seen as a “soft touch”.