Entering into one of the latest deferred prosecution agreement concluded by the Serious Fraud Office in July 2020, the security firm G4S accepted that £21m of profit had been acquired by fraud between 2011 and 2012. Large-scale wrong-doing of this nature make headlines, but is only a small sub-set of the commercial frauds that affect companies on a daily basis.
Previous downturns have shown that instances of commercial fraud rise at times of economic stress. Previously honest businesses trading precariously may be tempted into opportunistic actions, intending to good make good when the situation improves. Events can spiral though, and when the company tips into insolvency, there may be no way back. The effects can range from annoyance to threatening the business itself.
The changing business environment has also given rise to new risks. Cybersecurity is towards the top of every business's risk profile, or certainly should be. A complex web of international financial and trade sanctions is increasingly a trap for the unwary. And digital transformation is introducing a host of new technologies and connectivity to digital supply chains, the risks of which are not always fully understood or managed.
Added to these, the pandemic has seen cybercrime activity levels rise, workforces operating under reduced supervision and government support schemes that are open to abuse. Businesses need to be alive to the risks, and know how they will respond where fraudulent activity is uncovered.
What's the crime?
One of the first challenges after fraud has been discovered will be to work out what offence has been committed, and what remedies are available. There is not one civil cause of action of 'fraud', but rather a range of potential bases for bringing claims, including deceit, conversion, fraudulent misrepresentation where the allegations involve theft, or economic torts or breach of fiduciary duties in the increasingly common scenario of an ex-employee colluding with a competitor.
Broadly, there are three ways that a business may discover potential wrong-doing:
- "Business as usual" triggers, such as red flags raised by internal compliance checks.
- Internal triggers, for example an employee reporting concerns, whether through designated whistleblowing channels or more informally.
- External developments, such as media reports, auditors raising questions or the intervention of an external authority such as the SFO.
Once a red flag has come to light, it is often vital that the relevant issues are investigated quickly and effectively. However, this is easier said than done.
The parameters of the investigation will be informed by considering the 'who, what, where, when and how':
- Who is alleged to be involved, and who has made the allegations? There may be complex considerations around confidentiality within a business, particularly where an alleged fraudster is still employed or where the allegations have been made by a whistleblower, who will be entitled to anonymity and other statutory protections.
- What allegations are being made? Does the nature of the allegations mean that immediate steps are needed to prevent further harm and limit the damage that is being incurred?
- Where have the issues arisen? Are they restricted to one office or part of the business, or does this point to a wider problem? If the misconduct is international, consider whether there are multiple jurisdictions involved, and what this might mean in terms of authorities that might be involved and local laws, including around potential offences, whistleblowers and legal privilege.
- When did the relevant events take place? Whether this is a historic complaint or an on-going issue may affect the urgency and how you proceed (although considerations around self-reporting are likely to be time-critical even where the events are historic).
- How can you contain any on-going risk? Once this has been addressed, the business will need to ask itself "how was this allowed to happen?"
Despite the impact of Covid-19 on the ability to carry out an investigation, it is important to ensure that the conduct and outcome of the investigation are still fair, independent, reasonable, proportionate and thorough. Individuals must be afforded the opportunity to provide comment on all material facts and evidence must be preserved.
It is possible to interview relevant individuals remotely, but there are some additional practical considerations to bear in mind. In order to reduce the likelihood of unwanted third parties being present for the interview, make sure video is turned on, and that any link to the meeting is password-protected. You might also want to consider holding interviews simultaneously to ensure witnesses are not collaborating, and requesting that witnesses do not use phones or keyboards during the interview.
If you are recording the interview, this will have implications from both a data protection and a privilege point of view. For example, unlike the notes of a lawyer, which may be protected by privilege if they contain some legal advice or commentary, a recording of a factual interview is less likely to be covered by privilege.
Access to documents may also be more problematic. Often, documents will be stored in network servers or the cloud, but for data stored locally, consider whether remote access will be possible and appropriate. This can be more problematic where employees use their own devices, or where they are based outside the UK, where different legal and practical considerations may apply.
Taking all of these considerations into account, consider whether external expertise is needed, either to assist with specific matters (such as forensic data collection or local law advice for other jurisdictions), or to conduct the investigation. Law firms with extensive experience conducting corporate investigations (such as Osborne Clarke), will be able to get the investigation up and running quickly, and will also be able to handle any interactions with authorities or actions that might need to be taken to contain the damage or seek redress.
Above all, make sure you are aware of where the risks might lie in the sectors and locations in which you operate, and are ready to act upon any red flags swiftly and effectively.