Constant foe

Seventy nine per cent of respondents to a recent Legal Business survey undertaken in conjunction with Marsh expressed the view that the downturn in the economy has significantly increased the risks facing their firms.

Many of the recession-related risks they identified, including pressure on fees, bad debts, reduced workloads in some areas, increased

workloads in others, and the increased risk of clients revisiting transactions, were discussed in “The year that crunched” (Journal, December 2008, 48). Respondents also identified fraud as a risk which had, in their view, materially increased in the last year. Statistics produced by KPMG Forensic reveal that, even before the recession really took hold, employee fraud in 2008 was up almost 400% on 2007 figures.

At the Law Society of Scotland’s 60th anniversary conference in May, John Burbidge-King, CEO of Interchange Solutions, in a session addressing bribery and corruption risks, reminded delegates of the 10-80-10 principle, which holds that, in any given population, 10% of people will never steal, 10% are predisposed to stealing and the remaining 80% could be motivated to steal if both opportunity and financial pressures or other motivating factors arise in combination. Impending redundancy of an employee or his/her partner, a change in other financial circumstances, or a grudge against the firm might provide the motivation factor.

Internal fraud

What can be done to prevent fraud? Given limited ability to influence the factors which may provide the motivation for staff to commit fraud, the best approach to risk control must be to eliminate, or limit as far as possible, people’s opportunity to commit fraud.

Case study

Fitch & Abercrumbie LLP appointed a new cashroom assistant, Elisabeth Snatch. The firm had recently pursued a successful action on behalf of a landlord client to reclaim rent arrears owed by a tenant, Mr Tardie. Decree with time to pay was granted, and Mr Tardie paid instalments in cash each month to Mrs Snatch at Fitch & Abercrumbie’s office. Some months later a dispute arose regarding the sums Mr Tardie had paid. It turned out that not only had Mrs Snatch been siphoning off a proportion of the funds paid by Mr Tardie each month, she had also been putting through a number of fraudulent expenses claims.

In the course of investigations, it became apparent that she had been dismissed from her last firm for very similar offences.

What measures could Fitch & Abercrumbie have implemented with a view to preventing this fraud?

Pre-employment checks/staff vetting CIFAS, the UK fraud prevention service, suggest best practice steps for vetting new staff, including:

confirmation of previous employment details, ideally going back 10 years or more where possible;

confirmation of all qualifications;

confirmation of identity (name and address);

credit reference agency checks;

taking up references (wherever possible providing more information than simply certification of the employee’s period of service).

Improved cashroom procedures

Reducing cash transactions wherever possible helps minimise the opportunities for theft. It is much more difficult to steal where cash is not changing hands. More and more firms are now paying expenses direct into bank accounts by direct funds transfer. This also provides a clearer audit trail, and one that is more difficult to get round.

Reviewing signing authorities for funds transfers, cheques and other transactions is vital to ensure compliance with the required minimum standards of control if the firm has fidelity guarantee insurance, but remember these are minimum standards and, for enhanced risk reduction, you may choose to apply more rigorous controls.

It will never be possible to prevent all instances of (attempted) fraud, and thus, equally as important as preventive measures are the detection procedures you have in place. The presence of robust detection procedures will itself have significant deterrent value.

Audit

In addition to the range of checks which are part of the cashroom partner’s everyday activities, a formalised audit may detect something untoward, depending on the purpose and scope of the audit. However, it should not be assumed that an audit is bound to detect any occurrence of theft or dishonesty and that a favourable audit report necessarily proves the absence of any theft or dishonesty.

Whistleblowing policy

Having a clear whistleblowing policy encourages staff who have genuine reason to suspect that a colleague is involved in some fraudulent activity to report without fear of repercussions.

“Red flags”

David Buchanan-Cook identified a number of fraud “red flags” to watch out for (“Fraud, the threat from within”, Journal, October 2006, 36). These include:

major lifestyle changes which appear beyond the person’s means

• abnormal expenses claims
• refusal to take vacation or sick leave
• significant personal debt problems.

Client/third party fraud

It is not only internal fraud that firms need to be on particular guard for. Business crime of all sorts increases when times are tough, with people under more pressure to make ends meet and facing increased temptation to “bend the rules” to stay afloat.

In times when margins are already particularly tight, there is less tolerance for the additional costs and reputational damage which a firm’s unwitting involvement in a client fraud could bring.

Case study

Vic Tims, a partner at Gradgrind & Co, had a meeting with a new client, Mr I Phoney, who was seeking to arrange a loan secured over his home in order to fund the purchase of a holiday home in Mull. Vic undertook the relevant money laundering identity checks and took on the instruction, which went through without a hitch. Mr Phoney had no other loans secured over his house.

Some months later Vic received a distraught call from someone claiming to be Mr Phoney. This, the real Mr Phoney it transpired, had just discovered that there was now an £80,000 mortgage secured over his home, which he knew nothing about.

Risk management strategies

With the increased risk of fraud, knowing your client is ever more important. Be alive to the signs of identity fraud, as identified by John Scott (Journal, January 2009, 58 and in the April 2009 e-bulletin issued to the profession).

John Scott suggests the following risk management measures:

Be alert to new clients approaching you who claim to be owner of a property which is currently security-free, and who want you to handle a substantial new loan over it.

Ask them to explain why they did not instruct the solicitors who acted in the original purchase.

Consider contacting the previous solicitors to verify information provided to you.

Check the proof of identity very carefully, advising on best practice for verifying the authenticity of client identification documents.

Enquire as to the purpose of the loan. Even where you are offered a plausible explanation, endeavour to obtain independent verification from a reliable source.

If the property is let out, contact the letting agents. Ask them when the landlords were last in touch.

If you do proceed, report any unusual aspects of the transaction to the lender.

Under no circumstances accept a mandate to remit funds to a third party.

Data theft

Much easier for most people to steal than cash, and more difficult to trace and monitor, data is the latest target for organised crime and opportunistic criminals. Data theft has likewise seen a significant rise.

The increasing use of email, web-based programmes and portable IT devices means that there are increased opportunities for theft by third parties and from within. A recent survey by Infosecurity Europe of business commuters found that close to 40% of those surveyed were prepared to steal confidential information for money – some for as little as the cost of a meal out.

How can these risks be mitigated?

Ensure IT security is up to the job. Are your emails encrypted?

An article by David Ford in Legal Week (28 August 2008) pulls together some alarming statistics. Apparently more than half of a law firm’s daily email traffic contains confidential information, yet despite an apparent awareness of the risks, less than 10% of UK law firms encrypt their email.

Are confidential documents, as well as the computers and PDAs from which they can be accessed, adequately password protected?

Can clients or others access the main part of your office unchallenged? Do you operate a clear desk policy? If you have a meeting with clients in your room, what confidential information might clients see during that meeting?

Case study

Carole was working for a funder on a sensitive deal. A colleague in the office was acting for the developer. An information barrier policy had been implemented. At 3pm Carole left for a meeting with the funder. She knew she would have to come back to the office after the meeting, to update one of the funding agreements.

Her supervising partner was concerned when he passed Carole’s desk just before 6pm that evening, and used his mobile phone to take a photo of her desk to act as a reminder when he discussed a number of data security issues with her.

The photo of Carole’s desk is reproduced below. What potential data security risks can you identify? (Answers below.)

More than ever, firms have to be alive to the risk of fraud. Fraud risks ought to be considered when creating your firm’s risk register. Don’t assume that putting in place fraud prevention and detection measures is a once and for all, “set and forget” process. Procedures require regular reappraisal to address the ever-changing risk environment.

Ensure there are no gaps in your firm’s procedures which fraudsters could exploit. Consider whether you have sufficient safeguards in place to prevent theft of money or sensitive data or spot unusual cash flow patterns. Have adequate procedures in place to prevent one person being able to authorise large payments singlehandedly. Be alert to suspicious behaviour and suspect transactions on the part of clients. Don’t be tempted to cut corners in your client or transaction vetting, and don’t be railroaded by clients into undertaking transactions with which you are not comfortable to secure new business.

In summary – don’t let your firm be seen as a soft target. s