Innovative Approaches to Fraud Risk Management

The Javelin Strategy & Research Identity Theft Report 2013 states that 5.16% of US customers suffered from identity theft amounting to US$20.9 billion. Moreover, Tablet users had the highest probability of fraud at 9.6%. Victims of data breach had a 22.5% likelihood to becoming fraud victims. Hence, it is clear that while organizations are deploying more processes, technology and resources to prevent fraud, the fraudsters are having a ball. One thing fraudsters do, is to think outside the box. So we have to take a leaf out of their book and be innovative in our approach to prevent and detect fraud. Below are some ideas on the same. Share with me your thoughts on what you think about them.

 1)    Voice Print Analysis

Presently, in most of the banks, a call center agent asks a set of questions to verify the identity of customer for telephone banking. Internal employees, external fraudsters and organized crime groups can easily steal information about date of birth, place of birth, address, secret questions, and card number.

Now voice-printing software is available for authentication of voice. The system automatically verifies the caller voice with the customer’s sample voice to identify fraudulent callers and protect the account.

Secondly, maintain voice records of earlier fraudsters. When system detects a fraudulent caller, it automatically checks against the previous fraudulent call records. Hence, the system will flag if a fraudster has previously conducted a telephone banking fraud. With this, it will be easy to nab the fraudster, if the police had caught him/her in a previous case.

A new voice identity technology is available  that captures the tone of the voice and the type of communication. The software can monitor quality of calls and customer satisfaction from call center agents’ conversations with customers. This will cut manual quality control checks significantly and result in savings in quality control department costs.

2)    Track through Photographs and Location Mapping

Besides having voice-printing software, use a system similar to WhatsApp to identify of customers. WhatsApp sends text messages, images, video recordings, audio recordings, and the location. If banks invest in a similar application and allow customers to download the application on their mobile phones and tablets, the number of telephone and internet frauds will reduce.

If a fraudulent caller is flagged, then the call center agent can request the customer to send a selfie or video. If it is the wrong person, usually the caller will cut the conversation and drop the attempt to commit a fraud.

If the caller is able to circumvent this control, the application will also track the location. Applications track the frequent places a customer visits or calls from. If the caller is from an unusual place, then s/he can be tracked immediately. For example, if a British customer is tracked to a place in India, the call centre agent can ask the caller to verify their location.

3. Track Spending Behavior

Sometimes high value fraudulent payments are processed resulting in huge losses. A study done by Vivek K. Singh*, Laura Freeman*, Bruno Lepri, Alex (Sandy) Pentland for “Classifying Spending Behaviour using Socio-Mobile Data” determined the spending behavior of customers from the social interaction patterns on mobile phones. For example, it showed that more social couple and couples with diverse business interests tend to spend more.

Using big data, insights on spending behavior of customers can be analysed based on personality traits. Tracking social patterns and payment patterns can flag out anomalies when the payment is not in line with the spending pattern. Moreover, a location map can identify the location of beneficiaries of previous payments . Hence, fraudulent payments can be identified at the time of processing itself.

Another advantage from this technology can be for processing retail loan applications. If prospective customers are willing to give the data of mobile phone transactions, then at the time of processing the application itself, the bank can identify which customers are likely to overspend and default in future. The bank can ask for additional securities and guarantees.

Moreover, if the application is installed in the loan customer’s mobile after loan disbursement, the moment s/he is about to overspend which might result in default of EMI, the bank can send the customer an alert to pay the EMI first.

 4. Fraud Risk Conversations

According to psychological studies on emotional intelligence, Negative Emotional Attractor’s activate defense systems and build resistance to change. On the other hand, Positive Emotional Attractors (PEA) activates parasympathetic nervous system and makes a person more conducive to listen and change behavior. An effective team has a 3:1 ratio of PEA:NEA. Another study shows that improving peer-to-peer conversation increases productivity of the team by 30 to 40%.

However, risk management reports are mainly critical hence activate NEA. Moreover, the communication, training material, and code of conduct are all geared towards creating fear and guilt. Hence, it is not surprising that attempts to educate business teams on fraud risks fail.

Fraud risk managers can build a positive interaction model using technology platform. A study conducted by Erez Shmueli_, Vivek Kumar Singh_, Bruno Lepri and Alex ”Sandy” Pentland on “Sensing, Understanding, and Shaping Social Behavior” enables tracking of human behavior through big data analytics. The analytic helps in understanding the behavior, the tone of the conversation and the trust relationships between people.

Using this technology, an organization can use a social networking platform to communicate fraud risks through blogs, videos, and stories. The write-ups and stories should be from the business teams. From the comments section, the application can identify the key influencers and trust holders to bring about change. Thus, change the conversation to change the behavior.

 Closing Thoughts

 The days of holding a gun to rob a bank are nearly over. Fraudsters use social engineering to obtain sensitive information to conduct account takeover frauds remotely. Hence, organizations need to use socio-physics, social networks, and technology to beat the fraudsters in their own game. Being a leader in adopting the latest technology to prevent and detect frauds has an additional advantage, the fraudsters have not discovered the antidote to it. Hence, fraud risk managers have the right weapons to fight. The right tools can make a hell of a difference.

References:

1.  Javelin Strategy & Research Identity Theft Report 2013
2. Classifying Spending Behavior using Socio-Mobile Data – Vivek K. Singh*, Laura Freeman*, Bruno Lepri, Alex (Sandy) Pentland
3.  Sensing, Understanding, and Shaping Social Behaviour – Erez Shmueli_, Vivek Kumar Singh_, Bruno Lepri and Alex ”Sandy” Pentland

 

 

iGate’s Failures in Risk Management

iGate fired its CEO Phaneesh Murthy for sexual misconduct after Araceli Roiz; an American employee accused him of sexual harassment. As per media reports she has claimed that the relationship started soon after she joined the organization in 2010 and is pregnant with his child.

Mr Phaneesh Murthy has the dubious honor of facing two similar charges while working as a senior manager in Infosys in 2002. Reka Maximovitch and Jennifer Griffith had both received huge out of court settlements previously. Now he faces the similar charges from Araceli Roiz. Mr Murthy has acknowledged that he had sexual relationships with Ms Roiz. However, it was with her consent. He has alleged he is being defamed and this is an attempt at extortion.

With the limited information available in the media, one cannot comment on the details of the personal relationship.

However, this disaster teaches a few lessons. iGate could have prevented this reputation damage and legal risks if it would have taken a few timely steps.  iGate board and senior managers failed to take due care of the following risks.

1.     Pre-employment Background Screening

Mr Murthy has an excellent academic and professional achievement record. He was credited for taking Infosys turnover from $ 2 million to $ 700 million. However, when he was hired by iGate in 2003 he was in the news for all the wrong reasons. The sexual harassment cases were all over the media.

iGate needed a CEO who could deliver results. My guess is the board looked the other way or considered Mr Murthy’s infidelities small or insignificant. However, if a junior or middle manager had the same reputation, his career would have been over. No organization would have hired him.

Hence, when generally senior managers background screening is more stringent  than junior or middle managers, iGate board took the opposite stance.  It appears that the same yardstick isn’t being applied for background screening or it is being given lip service.

2.     Failure to Monitor & Control CEO Behavioural Risks

iGate board and senior managers chose to ignore the CEO behavior  As per media reports, the relationship was known to the staff. However, it appears no action was taken to guide or coach Mr Murthy.

Read these statements of Mr Murthy from prior interviews at the time of Patni takeover.

The National – “Everyone says that M&As are about ego. I’ve been a salesperson for 10 years. For every 100 doors that you knock on, 98 get shut in your face. That has knocked away most of my ego. I have two teenage boys who whip my butt in every game. They have gone from wanting to be on my team to not wanting to be on the loser’s team. Because of that, I have no ego left.”

Livemint – “Not at all. I am basically a conservative, middle-class south Indian Brahmin. As it is, we don’t like debt, and I am very uncomfortable with a $700 million (around Rs 3,180 crore) debt.”

Ms Araceli Roiz is 31 years old and Mr Phaneesh Murthy is 53 years old. In conservative South-Indian Brahmin families “divorce” is taboo. With two teen aged boys at home, he started an affair, if Mr Roiz version is true, when she was in her late twenties.

From a psychological perspective, it is a classic case of a talented man unable to deal with his own fallibility and mortality. Mr Murthy is a competitive man and the yearly success in his career may have made him feel invincible and powerful.  He is raised on Indian middle class values that look down on promiscuous behavior  He competes with his own children in games. He was heading an Indian IT organization where the average age of employees is 25-26 years. Does it look like he was suffering from mid-life crises?

The board members and other senior managers could have identified the emotional baggage he was carrying around and addressed the issue. The question arises, when the board knew about his weakness and character problem, was he provided any coaching or mentoring? Or did the board take the view, that as long as he is delivering the numbers, everything will be tolerated.

3.     Lack of attention to work culture

The board and management knew that Mr Murthy had a marked reputation in respect to female employees. Secondly, it appears that is relationship with Ms Roiz was an open secret. From his own words, it doesn’t seem that he took sexual harassment or company policies seriously. In the interview, he stated:

“It was a personal relationship. The company policy states that any two employees having a relationship have to inform the superiors. It is a small note in an employee handbook. I did inform the company about the relationship. Though it was a question of timing from my side as I disclosed this only a few weeks ago, only after the relationship was over.”

According to him, “it is a small note” in the company handbook.  He didn’t believe in walking the talk in personal ethics or corporate code of conduct. Hence, the question arises, what attention iGate paid to maintain the corporate culture.

With previous cases of sexual harassment against the CEO and an on-going affair, did iGate management ensure that the sexual harassment policies were implemented in spirit? If a woman, as per Roiz’s claim, was forced into a sexual relationship by the CEO, what effect did it have on other female employees and work culture? Did it not set the stage for the hostile work culture where women would feel insecure to report cases of sexual harassment? Let us say, another female employee was harassed by a male senior manager, what options does she have when she knows that the CEO is doing something similar? How seriously was sexually offensive behavior taken by the management?

 The organizations pay a heavy price in respect to sexually harassing culture. The direct costs are of course legal penalties and cases, however, the indirect costs are absenteeism, disengagement, high turnover and lower productivity. The iGate management appears to have ignored these aspects while hiring Mr Murthy and during his tenure.

4.     Ineffective Crises Management

iGate public relations team issued the statement – “The investigation, which is on-going, has reached the finding that Murthy’s failure to report this relationship violated iGATE’s policy, as well as Murthy’s employment contract. The investigation has not uncovered any violation of iGATE’s harassment policy.”

It gave information on the interim CEO and search for the new CEO, to rest fears of the investors.

This appears more of an attempt to limit legal risks. According to US laws the company is responsible for sexual misconduct by its employees. Subsequent to the above news, the company has not made any statement or explanation on what it did to prevent such incidents.

According to media reports, the Indian employees received an explanation from the senior managers on the incident and were instructed not to talk to people outside and within the organization. An instruction not to communicate with the media or put comments in social media is sound. However, not to communicate with fellow employees sounds like an attempt to silence. Can management stop the discussion outside office hours between the employees?

In such instances, various stakeholder expectations need to be addressed. It is a sensitive issue that gets the attention of public, bloggers, activists, women lobbies etc. Even the employees psychological stress levels increase and they need to be managed. However, from the information available in the media, there isn’t much effort being done to manage the crises.

Closing Thoughts

Sexual harassment cases cause huge reputation damage and legal risks. I am not sure whether after Mr Murthy’s previous cases, iGate got proper insurance coverage for directors and senior manager liabilities. Implementing sexual harassment policies and holding everyone to high standards of conduct is something organizations need to concentrate on. The issue was taken lightly previously, but now women workforce is increasing and so are the cases of harassment. Unless companies wish to have their name tarnished, they need to take the right steps.

References:

1. Read more: http://www.thenational.ae/business/technology/rise-and-fall-and-rise-again-of-it-star-phaneesh-murthy#ixzz2UBKIGikk
2. http://www.financialexpress.com/news/phaneesh-murthy-i-will-fight-sexual-harassment-charges-vigorously/1118857/1
3. http://timesofindia.indiatimes.com/tech/careers/job-trends/Murthy-scandal-iGate-staff-gets-social-media-code/articleshow/20222185.cms

Fraud Risk Management in Ancient India

Presently, the Serious Fraud Investigation Office of India lacks sufficient powers to initiate investigations and prosecute. The Central Bureau of Intelligence isn’t independent due to which politicians escape prosecution for corruption and money laundering. Indian police force Economic Crime wing doesn’t have expertise in dealing with electronic and financial frauds. The legal system is pathetic and takes a long time to prosecute white-collar criminals. India has a shortfall of trained fraud investigators as it hardly has any courses for students in this line.

All these aspects may make you think that Indians are new to the concept of fraud risk management. This is far from the truth. Kautilya addressed financial fraud risks in 4^th century BC and most of the concepts are still used presently. Let me narrate you some of the concepts he formulated in earlier times.

1.      Formation of a Central Investigation Agency

Kautilya proposed a central investigation agency for a kingdom to do espionage work. A network of spies located in different parts of the kingdom reported information to their handlers. The handlers in turn checked the authenticity of the information from three sources and if correct reported to the agency. The spies did not have direct contact with the agency to conceal true identities..

Spy selection depended on character and social position. Spies were recruited from all sections of society. Spies were positioned in all the departments and commercial ventures of the king to ensure that the head of the departments do not abuse their power or cheat the king. Women were considered particularly useful to penetrate wealthy households to get the inside story. In current India, there is a scarcity of female fraud investigators as it now considered a masculine job. However, in ancient India, women investigators and spies were quite common.

2.      Types of Financial Frauds

Kautilya identified 40 ways of embezzlement. Some of them are mentioned below:

• Overpricing and under-pricing of goods
• Incorrect recording of quantity of raw material and other stocks
• Misappropriation of funds
• Teaming and lading
• Misrepresentation of sources of income
• Incorrect recording of debtors and creditors
• Incorrect valuing and distribution of gifts
• Inconsistency in donations and distributions for charity
• Misappropriating goods during barter exchange
• Manipulating weights and tools for measurement
• Misrepresentation of test marks or the standard of fineness (of gold and silver)

It is interesting to note that Kautilya mentioned most of the frauds that occur in accounting and preparation of financial statements. It shows human psychology has remained the same. However, in India the value system has deteriorated that has resulted in increased fraud and corruption. In olden times, the value of honour was held high. For example, the prime thought in Hindi was – “prann jiye pur vachan na jiye.” (meaning – it is better to lose one’s life rather than go back on a verbal promise given)

3.      Mechanism for Investigation and Punishment

The investigation process was quite similar to the current process followed. Information was initially gathered regarding the fraud from informants, spies, whistle blowers and audits. Background information of the suspects was gathered by sending spies to their residence and business premises.

Subsequently, the people involved, the suspects and witnesses were interrogated. Kautilya suggested separately examining ” the treasurer (nidháyaka), the prescriber (nibandhaka), the receiver (pratigráhaka), the payer (dáyaka), the person who caused the payment (dápaka), the ministerial servants of the officer (mantri-vaiyávrityakara)” for financial frauds. If any person lied, s/he received the same punishment as the main culprit.

Another fascinating aspect is that India doesn’t not have any law similar to the whistle blower provisions of Dodd Frank Act. However, Kautilya proposed –  “Any informant (súchaka) who supplies information about embezzlement just under perpetration shall, if he succeeds in proving it, get as reward one-sixth of the amount in question; if he happens to be a government servant (bhritaka), he shall get for the same act one-twelfth of the amount.”

The punishment for fraud depended on the nature and value of fraud. It ranged from nominal fines to death penalty. The victim was compensated for the losses suffered.

Closing Thoughts

The processes proposed by Kautilya for fraud detection were followed even until the Moghul rule. However, these were dismantled during the time of British Rule as the Indian Penal Code was formulated.  The difference between Mogul rule was that Moguls settled in India, marriages took place between Indian royalty and Mogul rulers and the culture got integrated over time.

The British came to rule for economic purposes. They wished to take advantage of India’s natural resources and vibrant economy. They levied their own rules and did not integrate them with the Indian culture. Hence, over time the Indian value system was lost or kept for namesake only. Overtime, as even after independence the British education system was used, a split ethical value system developed between personal values and business ethics. Therefore, corruption increased in the business environment till it became all-pervasive in the society. It is going to take a lot of effort to change the system now. No short-term solutions  will work.

Risk Management Lessons Learnt in 2012

For risk managers 2012 was an eventful year. The frequency of ethical breaches, regulatory failures, operational disasters and natural calamities ensured that risk managers have their hands full and are not going to run out of work in 2013. In effect, risk management function is at a strategic inflection point and is facing disruption risks. Globalization, rapidly changing technology, economic recession in Europe, political turmoil in Middle East, growth of emerging markets and global warming has changed the risk landscape. Throw out of the window the old stance of managing risks by implementing controls and focusing just on financial processes and operational risks. The 21^st century demands risk managers to focus on strategic, cultural, leadership and human resource risks. This is a bold statement to make, so here are my reasons for making the same. Do you think I am on the right track?

1.      Banking Sector Culture Needs Overhauling

Though I have not done a tally of regulatory fines paid by banks during the year, the numbers are awesome. It the status quo remains the same, paying billion dollar fines will soon become fashionable. The way bankers are behaving, if culture does not change, they will start a competition on who pays the biggest fine and gets away with it. It is clear that bankers gave a lot of lip service of changing to the public after the financial crises. Nothing much changed and they remained complacent with their ability to escape any personal loss due to reckless behaviour. Even with fines, it is investor loss with hardly any personal responsibility. 2013 will determine whether bankers can do the right thing for the right reasons in the right way.

2.      No One is Too Big to Go to Jail

2012 showed that breaking the law isn’t an option for top guns. Big names, for instance, Rajat Gupta and Rebecca Brooks realized the arms of law are long enough to reach them. The psychology that it only is a crime if one gets caught needs to change. A connection even with the Prime Minister doesn’t insulate a person from being held legally accountable.

The downside of capitalism is that business ethics are put on a back burner in pursuit of profitability. 2013 will see the trend of businesses focusing on building ethical cultures.

3.  Senior Management Fails At A Higher Rate

Throughout the year, one heard senior managers being fired for poor performance, regulatory breaches, criminal acts or inability to keep their pants zipped. Tragic but true, that senior managers are failing to walk the talk and assume leadership is about playing power games. They ignore everything in pursuit of a bigger pay packet. It isn’t that leaders didn’t fail previously, but now they make headlines at global level.

Additionally, social media and increasing percentage of women in the workforce has made old management and leadership styles redundant. Flatter organization structures are replacinghierarchical styles. Collaboration is in focus rather than competition. Boomers are leading most organizations, and their style of leadership is passé. Hence, in 2013 we are going to witness higher leadership failures unless organizations start managing leadership risks.

 4. Regulators Take A Tougher Stance

Worldwide regulators have changed their stance. Be it Comptroller and Auditor General of India, Department of Justice of USA or Financial Services Authority of UK, regulators are beating the drums for better compliance. From asking the biggest names in banking to give explanations to holding government accountable for incorrect decisions, they are leaving nothing out of the ambit. They are leading the path for risk managers to follow. In 2013, we are going to see a spate of disclosures from regulators.

Closing Thoughts

Whether we see the banking failure reports, or other aspects of business, risk managers knew and understood the risks. However, they decided to play it safe and not bell the cat. Challenging and confronting business leaders at the expense of ruining ones career can be a tough decision. One avoids the decision, especially when, the lines of accountability state that final responsibility of managing risks lies with the business leaders. However, in the times ahead risk managers won’t have this luxury. They will have to stick their neck out to ensure organization stays legally compliant and manages risks optimally.  I don’t know whether this makes risk managers happy. In my view, in 2013 we should take it up as a challenge and change the dynamics of the risk management function.

Wish you and your loved ones a very Happy New Year.

Bharti Walmart India – Internal FCPA Investigation – Part II

The previous post raised more questions than gave answers. In light of the on-going investigation, it is difficult to predict results. However, I looked at the recently released FCPA Resource Guide to the U.S. Foreign Corrupt Practices Act by the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission. It sets some clear guidelines and mentions earlier cases with similar issues. It is a good read for Indian managers working in multinationals dealing with FCPA compliance requirements. I am sharing below some insights about the implications of the case.

1.      Liability of Indian Employees

As per reports, the CFO and the legal team were suspended during the course of the investigation. If the US Department of Justice decides to pursue a criminal case, these employees can be prosecuted.

Interestingly enough, the Indian managers consider their capability to bribe various government officials to get a job done as strength. One often hears them saying – “Oh, I have a contact; s/he will do the job for X amount of money. Don’t worry about the legal provisions, they can be circumvented.” Since one rarely hears any action being taken by regulators on the provisions of Prevention of Corruption Act of India, hardly anyone hesitates to take or accept a bribe.

However, Indian employees working in multinationals have to think twice about paying a bribe to get a job done. The FCPA guidelines are strict. It states – “The FCPA’s anti-bribery provisions can apply to conduct both inside and outside the United States. Issuers and domestic concerns—as well as their officers, directors, employees, agents, or stockholders—may be prosecuted for using the U.S. mails or any means or instrumentality of interstate commerce in furtherance of a corrupt payment to a foreign official.” Hence, even sending mails to US boss or colleague that involves a discussion of a bribe payment can make an Indian employee liable. Considering the provisions, the best policy for Indian employees is to keep their hands clean and follow the legal process diligently.

Another aspect to note is that a bribe does not need to be paid to hold an employee liable. The guidance note says – “Also, as long as the offer, promise, authorization, or payment is made corruptly, the actor need not know the identity of the recipient; the attempt is sufficient. Thus, an executive who authorizes others to pay “whoever you need to” in a foreign government to obtain a contract has violated the FCPA—even if no bribe is ultimately offered or paid.” Hence, Indian management and employees both can be prosecuted on this basis.

2.      Challenges for Licenses

With the opening of the retail sector, multinationals need to obtain various licenses to operate in India. The challenge is getting the licenses according to their business strategy and plan.

For instance, IKEA recently obtained from Foreign Investment Promotion Board (FIPB) to invest euros 1.5 billion to open 25 stores in India. However, IKEA was granted permission to open single brand stores for furniture only. It was denied permission to sell textiles, office supplies, food and drinks.

Now the question is, under these circumstances what options will the foreign investor consider? Will they agree to sell products according to permission? The permissions maybe denied for the most profitable lines of products. It may not make sense to sell products with low margins. Hence, they will have the difficult choice of either not entering the Indian market or attempt to influence the government agencies to grant permissions for selling other products. If the second option is chosen, there is a high probability of bribes being paid. More so, since Indian government officials know what will hurt the business venture of the foreign company, they might use denial tactics to coerce the organization into paying bribes. Hence, it is a vicious circle.

A LinkedIn member gave a useful suggestion to curb bribes in the licensing process. Rangarajan Gopalan, Investigator US Department of Homeland Securities in New Delhi,  suggested a single window concept for obtaining licenses in retail industry. If government implements the suggestion, the retail companies will not have to run around 32 different agencies to get licenses.

3.      Partner Liabilities  

In the event of the holding-subsidiary relationship or joint venture partnership, the Indian company can be charged jointly and/or separately.

The guidance note illustrated the implications with a previous case. For instance, “a four-company joint venture used two agents—a British lawyer and a Japanese trading company—to bribe Nigerian government officials in order to win a series of liquefied natural gas construction projects. Together, the four multi-national corporations and the Japanese trading company paid a combined $1.7 billion in civil and criminal sanctions for their decade-long bribery scheme. In addition, the subsidiary of one of the companies pleaded guilty and a number of individuals, including the British lawyer and the former CEO of one of the companies’ subsidiaries, received significant prison terms.”

Hence, if the US company is ignorant of the bribes being paid by Indian employees to conduct business, the Indian employees can face criminal charges and the Indian organization may have to pay hefty fines.

Closing Thoughts

The Indian organizations need to assess their FCPA compliance level and not take the issue lightly. The repercussions of ignoring the issue are huge. The legal and reputation risks can put the company to a great disadvantage. Moreover, the employees must follow the legal process rather than find ways to circumvent it.

 References: 

1. FCPA Resource Guide to the U.S. Foreign Corrupt Practices Act by the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission.
2. FIPB clears IKEA retail store plan

Bharti Walmart India – Internal FCPA Investigation – Part I

Walmart after the Mexico US Foreign Corrupt Practices Act investigation identified India operations as a high risk. It commenced an internal investigation with the help of KPMG India and law firm Greenberg Traurig. Recently CFO and five officers of legal team were suspended. The legal team’s job entailed procuring licenses required for stores and other real estate approvals, taxation etc. Bharti Walmart has opened 18 stores till date. Hence, the suspicion is that these officers paid bribes to get the licenses.

According to the Economic Times article, multiple government permissions are required from the government. The Retail Association of India lists 51 different approvals from 32 different agencies. Seeing the corruption index of India and the way government departments’ function, I would be very surprised if an organization manages to obtain all the relevant licenses without any grease payments. Hence, the question is how will the organizations manage to function without paying bribes?

1.      Dubious Dealings

Considering the huge operations of Bharti group, I would be very surprised if the bribes were paid without senior management approval. Most of the liaisons work has senior managers’ tacit or explicit approval. Therefore, is it right to suspend some after obtaining licenses. What happens in such a case to the license? Will the license be revoked, cancelled, or returned? If not, what is stopping the organizations from first taking the licenses by paying bribes and then doing a clean-up exercise to show their commitment to ethics?

2.      Joint Venture Liabilities

The second issue that crops up is the working of the joint venture in such circumstances.  Let us assume the investigation reveals bribes were paid. In such a situation, will Bharti group be expected to pay back the bribe money? Secondly, if the US authorities under a civil case fine Walmart for FCPA contravention, will Bharti be expected to pay the fine. Seeing the trend the fine could be huge and would wipe out profitability of the company. Moreover, US Department of Justice can pursue criminal liabilities. Then will the Indian officers be implicated for the same.

3.      Foreign Direct Investment (FDI) in Retail Industry

The government has recently allowed FDI in retail industry. The challenge is that in India, most of the retail operations operate by paying bribes at different levels. Hence, a foreign investor will not get a level playing field as the anti-corruption laws of their country bind them. The situation is serious. For instance, the next stage after obtaining licenses would require importing goods.  The FCPA strictly prohibits paying bribes to custom officers whereas in India this is a common business practice. Can an organization wait for months to get its stock cleared by the custom officers? Now the foreign investors will analyse the reward versus risk scenario of their business plans for investing in retail industry in India.

Closing Thoughts

The case opens up interesting aspects of risks of doing business in India. Corruption poses serious obstacles in doing fair business dealings. The FCPA and laws of various countries strictly prohibit paying bribes to foreign officials. The US government has followed some stringent measures against companies contravening the laws. Under such circumstances will the joint ventures between foreign investors and Indian counterparts work?  India cannot change overnight, so what is the solution? Share your thoughts with me on this.

References:

Bharti Walmart suspends CFO, legal team due to FCPA bribery probe

Coal Gate Scam – Should Auditors Comment on Policy Decisions?

The Coal Gate Scam report has squarely put the loss of Rs. 1.86 lakh crores (USD 35. 097 billion) at the Prime Ministers door. Comptroller and Auditor General (CAG) report states that Prime Minister Manmohan Singh agreed to introduce competitive bidding for allocation of coal blocks way back in October 2004. However, his office indulged in delay tactics of approving the revised policy. This resulted in allocation of coal blocks according to the old policy introduced in 1993. Failure to use competitive bidding resulted in a loss of Rs. 1.86 lakh crores (USD 35.097 billion).

This raises interesting questions from the corporate sector perspective. Should auditors see the validity and applicability of policies? Alternatively, should they restrict their role to the compliance of existing policies?  What happens when a policy or standard operating procedure of an organization is redundant however is still being followed? If competitors are using better processes, technology and policies than the organization, what role should auditors play in it?

1.     Delaying Policies Becomes a Political Game

According to the CAG report, the Screening Committee allocated blocks and the process lacked transparency. Allegations are that private companies with political links benefited at the expense of others. However, competitive bidding policy could have been introduced with an amendment from the administrative desk. Prime Minister’s role becomes critical as he was also fulfilling the responsibilities of Minister of Coal. CAG says he made it into a bigger issue that the policy should be changed for all minerals and not just coal; hence the process for making such large-scale policy change was different. This allowed the coal ministry to follow the 1993 process.

This happens in the corporate sector too. For instance, an employee or a small group suggest a change to an existing control process that will take just one man-month effort. Some others with vested interests do not wish for the change to occur. However, they can’t reject the suggestion for strengthening controls without looking bad. Hence, to stall the project, they add a few more suggestions which make the project larger into 24 man-months effort. Now the change can only happen once the huge budget is approved. Since, the project is not priority; it stays on the bottom of the budget approval list. Hence, status quo remains and subsequently someone exploits the control weakness to conduct a fraud.

In such a situation, as an internal auditor would you highlight the initial attempt to strengthen controls and put responsibility on the other group for delaying the change? Do we as internal auditors go back in such depth to find out what projects or policies were kept pending approval and they had such a huge negative impact?

2.     Auditor’s Role in Policy Review

The Supreme Court has upheld CAGs power to comment on policies. Justices R M Lodha and A R Dave bench said “Do not confuse the constitutional office of CAG with that of an auditor of a company or corporation.” This response was in respect to a petitioner’s contention that CAG should restrict itself to auditing expenditure and not comment on the government’s rational of policy decisions. The bench had further added – “CAG is not the traditional Munimji to prepare only balance sheets. It is constitutionally mandated to examine the efficiency, effectiveness and economy of the decisions of the government in using resources. If the CAG will not do this, then who will?”

This viewpoint raises some interesting points for internal auditors in the corporate world. Should auditors be commenting on strategic or policy decisions of the company?

For instance, the company decides to use print media for advertising open job positions. However, it is much cheaper to use job portals and social media. These significantly reduce the cost of recruitment. Should an auditor restrict himself to checking that all expenditure is authentic or question the hiring policy?

Another aspect is the strategy decisions. Let us say, Company A decided not to enter into the emerging markets, whereas Company B operating in the same industry entered the emerging markets and increased the profitability tremendously. Should an auditor audit strategic decisions, and not just say that it is management responsibility. Where is the line of demarcation drawn in respect of corporate internal audit?

Institute of Internal Auditors new standard applicable from 2013 ‘Achievement of the organization’s strategic objectives’ states that – “The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the achievement of the organization’s strategic objectives”.  Hence, should we conclude that evaluating strategic decisions comes under internal audit purview?

3.     Auditor’s Role in Calculating Presumptive Loss

The CAG audit reports on 2G licenses and Coal Block allocations have raised a storm due to the calculation of presumptive loss figures. The government’s contention is that CAG should not be calculating the opportunity loss, as policy decisions are taken to benefit the public.

CAG however, contended that – “We had never commented on government policies, neither did we ever say that auction was the only route or that all natural resources should be auctioned. In both 2G spectrum licences and coal block allocations, we had only commented on the ‘effectiveness or non-implementation’ of policies. The presumptive loss or windfall gain figures are only to highlight the serious issues of an act of commission during implementation of government policies.”

In the corporate world, internal auditors make an observation and restrict their recommendations to suggest improvements. In rare cases, a cost-benefit analysis is done on the impact of the control weakness. We generally fail to draw management attention to the seriousness of the issue, as they are no numbers given. Should corporate internal auditors change their approach to audit work to give a cost-benefit analysis for their observations? Will that garner more attention from the management and initiate action?

Closing Thoughts

These are questions worth debating about and there are no easy answers. The business world internal auditors can learn quite a few lessons from the government auditors. They are doing a good job of raising contentious issues. Below is a poll to assess your views.

References:

1. CAG not a ‘munimji’ of govt’s balance sheet: SC
2. CoalGate: CAG does not let Manmohan, PMO off the hook
3.  Performance Audit of Allocation of Coal Blocks and Augmentation of Coal Production (Ministry of Coal)

Why Auditors Fail To Detect Frauds?

When media reports a new fraud, the first few thoughts of public are – “What were the auditors doing? How did they miss it? Were they involved?” The auditors get labelled as morons, conspirators or criminals. Generally most people jump to the conclusion that auditors had malafide intentions and became accomplices to get more business. While this may be true in some cases, auditors need the benefit of doubt. They sometimes genuinely miss the cases despite their best effort to diligently perform their duties. This post is an attempt to explain why auditors miss the frauds.

I want to share a joke with you before I explain. Two drunkards were walking on a railway track. The first said to other – “I am really tired, I hope the steps will end soon.” The second replied – ‘Yeah. I wish they had put the handrails at a better height, my back is killing me.”

1. Auditors responsibility to detect frauds

We can laugh at this, but if I say most of us don’t see clearly, there will a lot of angry reactions. So I am not saying anything, and am requesting you to watch this video.

Now did you see the moon walking bear?

Auditors have the same problem. They have to to give a true and fair opinion on the financial statements. They are not required to focus on detecting frauds. Hence, the audit programs are not designed to conduct tests to  detect fraud symptoms and probability. Therefore, with no specific coverage auditors fail at detecting frauds. Extract from Section 143 of New Companies Bill is given below:

“The auditor shall make a report to the members of the company on the accounts examined by him and on every financial statements which are required by or under this Act to be laid before the company in general meeting and the report shall after taking into account the provisions of this Act, the accounting and auditing standards and matters which are required to be included in the audit report under the provisions of this Act or any rules made thereunder or under any order made under sub-section (11) and to the best of his information and knowledge, the said accounts, financial statements give a true and fair view of the state of the company’s affairs as at the end of its financial year and profit or loss and cash flow for the year and such other matters as may be prescribed.”

2. Auditors punishment on failure

The second question frequently debated is – “Should auditors be punished if they fail to detect frauds?” Section 147, clause 4 of New Companies Bill states auditor’s liabilities in respect to fraud in the following words:

“Where, in case of audit of a company being conducted by an audit firm, it is proved that the partner or partners of the audit firm has or have acted in a fraudulent manner or abetted or colluded in any fraud by, or in relation to or by, the company or its directors or officers, the liability, whether civil or criminal as provided in this Act or in any other law for the time being in force, for such act shall be of the partner or partners of the audit firm and of the firm jointly and severally and such partner or partners of the audit firm shall also be punishable in the manner as provided in section 447.”

This clause puts auditors on shaky ground. It is difficult to prove innocence once a fraud is detected. How can an auditor state – “I did my work properly, saw these documents, looked at the same audit evidence but didn’t find anything wrong with it.” Most will jump to the conclusion that the auditor knowingly ignored all the evidence. So here is another video. Watch it, and then you will see how this situation can occur.

According to various experiments, 75% of the people failed to observe the person swap in the experiment.

Think of this from an audit evidence perspective. An auditor is checking 100 vouchers with supports. One voucher among the 100 is fraudulent. What is the probability of the auditor noticing it? One can safely assume that it will be less than 25%.

Is it surprising that auditors fail to detect frauds after seeing these experiments. Though they are trained, they are human. The same psychology works with them too.

Closing thoughts

The success rate of detecting frauds will be higher when the auditors – external and internal – have specific responsibility to detect frauds. Without the specific responsibility, regulators can continue to complain and investors will share their anguish, however all will be futile. The laws need to be devised to hold someone responsibly for detecting frauds. What is your opinion?

A modified version of this article was published in the Middle East Accountant Magazine.

Lessons from Rajat Gupta’s Downfall

When I started my career, Rajat Gupta was an icon. Indian Gen X wanted to achieve his heights. He made us realize that Indian professionals can compete in the global arena and win. Now with his name tarnished with insider trading charges, every professional would be thinking – we don’t want to follow his path. The fall is always the hardest from the top floor of the building, not the ground floor. Whatever he built in his lifetime, today lies in shambles. His family is going to pay a heavy price for his wrong-doing. He has from being a case study on “what to do to fulfill your career dream” has become a study for “what not to do in your career”. I feel sad to say this, but here are some lessons all of us can learn from his downfall.

1. Poverty is in the mind and not in the bank balance – JP Morgan Chase estimated Gupta’s net-worth as US $ 130 million but as Rajaratnam joked – “Gupta wanted to be in the billionaires club“. Gupta’s greed got him down as he was unable to draw the line for his wants.

2. Don’t break the rules to get ahead – Gupta as ex-head of McKinsey knew he was duty bound to maintain confidentiality of boardroom information. He traded confidential information to meet his own personal targets. A McKinsey executive said – “It is mind-blowing that the guy who ran the firm for so many years could be going to jail for violating that principle.”

3. Choose friends carefully – That’s what parents say to kids but we forget it in our adult life. Gupta befriended  Rajaratnam, and though one cannot say he lacked judgment, he did manage to rationalize wrong-doing to keep the friendship alive. He got enamored by the Rajaratnam’s lifestyle. Relationship with  Rajaratnam, who had a dubious reputation, led him astray.

4. Keep feet firmly on the ground – Ideas of invincibility and grandiosity lead to delusional thinking. Rajat Gupta was fined by SEC for insider trading. Instead of paying the fine, he chose to pursue the case legally. With the indictment, he is facing over 10 years of prison sentence. He took the decision to challenge SEC due to over-confidence and arrogance.

5.  Correct wrong-doing immediately – A person walking an unethical path rationalizes that s/he will get away with it, if they aren’t caught the first time. Gupta after doing insider trading for a few times got comfortable in his role. Mr. Naftalis said -“Having lived a lifetime of honesty and integrity, he didn’t turn into a criminal in the seventh decade of an otherwise praiseworthy life.” Gupta lost his principles over a time. He didn’t stop when he should have and didn’t take any corrective actions.

6. No one is above law – With the well-known figures in India and international arena facing trails and convictions, it is apparent that no one can escape the hands of justice. Sooner or later, the path will lead to a prison sentence. Being ethical pays in the long-run by keeping a person safe.

7. Protect your legacy – Rajat Gupta had an impeccable reputation of a world-class professional and a great humanitarian. His list of good deeds is long and was known as an exemplary citizen of the world. With these charges, he leaves a legacy of a criminal. A journey from  the boardrooms to a prison cell. There can’t be a greater tragedy on the professional field.

Closing thoughts

It is heartbreaking to find that our heroes have feet of clay. Gupta traded a comfortable old age with a prison cell for satisfying his insatiable hunger for power and money. An extremely intelligent man, an alumni of IIT and Harvard, failed to make the right ethical choices.  In the end, Robert Gilbert’s quote comes to mind –

“Conquer your bad habits or they will conquer you.” 

References:

Rajat Gupta Convicted of Insider Trading

SEBI Revises Consent Process

While Rajat Gupta, ex-board member of Goldman Sachs is facing the trial by fire on insider trading charges in US, Stock Exchange Board of India (SEBI) has tightened the screws on the consent process for stock market manipulations and offences.

SEBI last week revised the earlier rules passed in March 2007. Some of the critical features of the revised consent process are:

1. Face the Music

“Certain defaults including insider trading, front running, failure to make an open offer, redress investor grievances and respond to the summons issued by SEBI are excluded from the consent process. The defaults falling in the category of fraudulent and unfair trade practices, which in the opinion of SEBI are very serious and/or have caused substantial losses to the investors, shall also not be consented.”

The details are below:-

“SEBI shall not settle the defaults listed below:
i. Insider trading i.e. violation of Regulation 3 and 4 of the SEBI (Prohibition of Insider Trading)Regulations, 1992;

ii. Serious fraudulent and unfair trade practices which, in the opinion of the Board, cause substantial losses to investors and/or affects their rights, especially retail investors and small shareholders or have or may have market wide impact, except those defaults where the entity makes good the losses due to the investors;

iii. Failure to make the open offer (except where the entity agrees to make the open offer or if in the opinion of the Board, the open offer is not beneficial to the shareholders and / or the case is referred for adjudication);

iv. Front-running; for the purpose of this circular, front running means usage of non public information to directly or indirectly, buy or sell securities or enter into options or futures contracts, in advance of a substantial order, on an impending transaction, in the same or related securities or futures or options
contracts, in anticipation that when the information becomes public; the price of such securities or contracts may change;

v. Defaults relating to manipulation of net asset value or other mutual funds defaults where the actions of the asset management company (AMC)/ mutual fund (MF)/sponsor, result in substantial losses to the unit holders, except cases where the entity has made good the losses of the unit holders to the satisfaction of the Board;

vi. Failure to redress investor grievances(except cases where the issue involved is only of delayed redressal);

vii. Failure to make such disclosures under the ICDR and Debt Securities Regulations, which in the opinion of the Board, materially affect the right of the investors Non-compliance of summons issued by SEBI;

ix. Non compliance of an order passed by the Adjudicating Officer (AO), Designated Member (DM) or Whole Time Member (WTM);

x. Any other default by an applicant who continues to be non-compliant with any order passed by the (AO) or (DM) or (WTM).”

This means that where SEBI considers breach of law or listing guidelines, the companies, investment managers, brokers etc. won’t be able to pay a fine and get away with it. Previously, on such charges, SEBI allowed them to pay the fine while not admitting guilt and sometimes by voluntarily agreeing to debar from the  from stock markets. Now without being allowed to go through the consent process, the organizations and persons alleged to have committed the above-mentioned acts will have to go through a legal process for criminal offences except in some exceptional cases. SEBI has allowed itself some room for maneuverability for some cases. In regular cases, now an organization can go through the consent process only for small technical breaches.

2. One Time Lucky

“No consent application shall be considered, if any violation is committed within a period of two years from the date of any consent order. However, if the applicant has already obtained more than two consent orders, no consent application shall be considered for a period of three years from the date of the last order.”

Hence, this clause allows leeway once only in a couple of years. If an organization has already gone through a consent process, it is not going to get away easily without some criminal charges the next time round. The practice of organizations to claim a mistake has been made every year whenever they get caught will have to stop.

Closing Thoughts

The rules are good. SEBI is finally gearing itself to govern and regulate the stock markets properly. This move in the long-run will build investor confidence and dissuade asset managers, brokers and organizations from indulging in malpractices. Reliance Industries has an ongoing case for insider trading, along with a couple of other banks for front running and stock market manipulations. Reliance has appealed to the Bombay Courts to be allowed to go through the consent order process available before as it’s case is  from 2007.

The method SEBI chooses to deal with the older cases, will decide the fate of many organizations. It appears the organizations are worried, and that for regulators is a good strategy. The last high profile case of consent was of Anil Ambani group in which the group paid a Rs 50 crore (USD 8.93 million ) fine. Hence, in all likelihood the organizations with pending cases will either have to pay high fees or face criminal charges.

References:

1. Streamlining of Consent Process
2. Modified Consent Process Circular
3. Reliance Industries moves Bombay High Court on new consent order rules