New UK Law Shines a Light on Internal Fraud Surveillance

Up until now, monitoring employees to prevent fraud in organizations has remained a taboo subject and not discussed or reported very often, possibly to avoid tarnishing the company’s image and reputation. Yet, internal fraud committed by employees and agents have accounted for high volumes of fraud losses in organizations globally. While huge budgets are spent every year to prevent and intercept fraud committed by external parties, employee surveillance systems and procedures have not been a topic of discussion in the industry. However, now things are set to change as the UK government enacted the Economic Crime and Corporate Transparency Act (ECCTA) in October 2023, which has employee fraud prevention as one of its key provisions.

The current landscape

Over the years, the scale of internal fraud in organizations has reached staggering levels. Employees in certain departments are in unique positions by virtue of having access to customer accounts, company internal accounts and records, organization policies, loans processing, transactions, credit limits, invoice payments and so on. These can be ammunition for employees to commit fraud for material gains like higher fees and commissions, achieving work related targets or purely for misappropriating funds for personal benefit.

Take the case of a large U.S. bank whose employees opened millions of accounts in the name of their customers in the recent past without their knowledge or consent to meet aggressive targets and earn high bonuses. Employees of a UK bank manipulated the LIBOR a few years ago to benefit the bank’s trading positions. Employees of another U.S. bank misrepresented the quality of mortgages while selling mortgage-backed securities to investors. Several companies have been found guilty of accounting fraud to inflate their balance sheet. Cases of agents fraudulently selling products or services (e.g. cards, insurance policies, loans/credit, investments) by misrepresenting features or even without the customers’ consent are not uncommon, either.

These are not one-off examples; rather we have witnessed several cases of fraud committed by employees where the intent was to benefit themselves or the company. Yet the internal fraud monitoring landscape is far from mature in most organizations across the globe. Except for trading related surveillance, most firms do not have documented policies to prevent or detect internal fraud, the risks may have rarely been assessed, and consequently no specific controls built for this function.

New UK law

A key provision of the new UK law is “Failure to prevent fraud,” which essentially focuses on fraud committed by individuals associated with an organization, including employees, agents, subsidiaries or any other person providing services on behalf of the organization. This clause applies to large companies that have (i) more than 250 employees, (ii) turnover of more than £36 million and/or (iii) a balance sheet total of more than £18 million.

These companies will now face strict penalties, including unlimited fines, if any of their associated parties are accused of committing fraud that was intended to benefit the company or any person to whom the associate provides services on behalf of the company.

However, defense is available to a company accused on the above charges if it can demonstrate that it had reasonable procedures in place to prevent insider fraud or there were no reasonable circumstances for the company to have such procedures in place. This clause makes it imperative for organizations covered by the law to take a fresh look at their internal fraud risks, build corresponding controls if not already in place and monitor existing controls if any to align with identified risks.

What it means for organizations

Internal fraud perpetrated by employees or agents of companies have consistently ranked among the top categories of financial fraud. Industry reports suggest that almost all cases of internal fraud are unearthed either during internal audits or through whistleblowing, at least 12 to 15 months after such fraud is committed. The fraud management function in most firms focuses on mechanisms to prevent, detect and mitigate risks of external fraud involving customers or third parties. But with UK ECCTA, companies covered will now have to establish the three lines of defense for internal fraud surveillance as a regulatory compliance mandate.

To start with, internal fraud prevention and monitoring requires clearly drawn up policies, well-documented procedures, educating employees about ethical conduct and the organization’s policies on internal fraud. The role of each line in the three lines of defense must have clearly laid out responsibilities and operating procedures. A formal internal fraud management mechanism is pivotal in preventing and monitoring employee fraud.

Risk assessment comes next. Organizations must establish an enterprise-wide risk assessment framework, to identify internal fraud risks, for example, those arising from physical and digital accesses, roles of specific departments (e.g. finance, accounting, vendor management), rights granted to agents and so on. Corresponding controls must be designed for each risk. It is imperative to review the effectiveness of such controls while also keeping track of new risks on a regular basis.

Enhanced security for employees and consumers

When an insider commits fraud, there are several others associated with the organization who get negatively impacted – the customers, other employees and the brand itself. Customers may face financial losses, employees’ morale and job security take a hit, while the company incurs reputational damage. Companies covered by this new law will also face strict penalties including unlimited fines.

Most organizations across the world may be exposed to risks of internal fraud, albeit to varying degrees. Building a secure, ethical workplace by incorporating internal fraud prevention measures can protect against such frauds on the one hand and improve productivity and customer trust on the other. So even while ECCTA may apply to organizations in the UK, regulators in other jurisdictions may soon follow suit given the scale of employee-enabled fraud across the globe.