By Bob Jones, Senior Advisor, The Santa Fe Group
There are three different aspects of fraud that are relevant to third parties. The first is defalcations by the third party’s employees exploiting inadequate internal controls. The second is fraud perpetrated by the principals of the third party. The third, and most common, is data breaches perpetrated by both insiders and outsiders.
As a Certified Fraud Examiner, I subscribe to the Fraud Triangle, defined by noted criminologist Donald Cressey, that describes the three causative elements of occupational white-collar crime. The elements are: pressure (usually an unsharable financial need); perceived opportunity; and the ability to rationalize the act.
Typical rationalizations include: “I’m just borrowing it and will pay it back”; “They’ll never miss it”; “Everybody does it”; “They owe it to me”. The greater the person’s need, the less opportunity he requires to act. Conversely, the greater the perceived opportunity, the less need required to act.
Understanding the fraud triangle illustrates the white-collar crime truism that only a trusted employee will steal. I am occasionally engaged by banks to provide independent expert testimony in litigation involving fraud claims. In the last few years most of the lawsuits I have been involved in have been brought against banks by small to mid-sized businesses alleging that their business’ losses arose from their employees’ embezzlements that were facilitated by the bank’s failure to detect those actions. Quite frequently, however, my bank clients are able to show that the embezzlements resulted from the business customer’s employees’ exploiting the lack of effective internal controls at the customer’s level.
Another point of opportunity arises during the confusion and uncertainty endemic to the integration phase of mergers and acquisitions, which offers particularly fertile ground for embezzlement. Employees worried about their future can be tempted to set up their own “severance packages”. Research to resolve imbalances in financial accounts can be delayed on the assumption that they are the result of errors or carelessness rather than defalcations. In fact, these periods demand greater scrutiny.
The second aspect is fraud perpetrated by the principals of the third party. A recent example is the February 27, 2018 guilty plea by a senior executive of a large soft drink corporation in a federal prosecution resulting from his incorporating a marketing & promotions firm in his wife’s name. He hired her firm to provide goods and services to his employer, and, over a 10-year period, submitted more than 200 false invoices totaling more than $1.7 million. He is scheduled to be sentenced in June for wire fraud and for failing to report his fraudulent income on his tax returns.
The third, and most common, aspect of fraud is data breaches perpetrated by both insiders and outsiders. While breaches are typically treated as information security issues, the intent behind acquiring the Personally Identifiable Information (PII) and/or Protected Health Information (PHI) obtained through a breach is most often to commit fraud.
What these three aspects have in common is that their impact can be reduced by a sound Third Party Risk Management (TPRM) program that incorporates a vendor selection process including elements such as:
- An assessment of a prospective third party’s internal control regime to ensure it contains basic controls, such as segregation of duties and physical and virtual access control. More rigorous attention needs to be applied in merger/acquisition situations.
- An assessment of the candidate vendor’s financial viability. With publicly traded firms, that assessment includes audit reports and SEC filings; with small, privately held firms, it includes a review of tax returns and the principals’ backgrounds (education, professional, criminal). This assessment would apply to any prospective third party relationship.
- Similarly, the outsourcer will want to inquire into the third party’s reputation. Dun & Bradstreet, other business rating companies, client references and social media can provide insight.
- Vendor responses to Requests for Information (RFI) from an outsourcer can provide valuable information about a prospective vendor’s general suitability, provided the RFI includes questions dealing with:
  - Licenses and certifications.
  - Ongoing/pending litigation.
  - Operational/fraud loss experience.
  - Insurance coverage, e.g., Errors and Omissions, cyber, etc.
- Task/service-specific assessments using responses to Requests For Proposal (RFP). RFPs should:
  - Specify outsourced functionality.
  - Specify desired service levels.
  - Specify security hygiene expectations in detail (the level should always meet the outsourcer’s internal security expectations).
  - Seek arm’s length security evaluations if recent and relevant.
  - Specify resiliency expectations: disaster recovery, etc.
  - Obtain information for input into an Anti-Money Laundering, Bribery and Corruption (ABC) check.
  - Specify desired audit rights and a commitment to closing open risk-related issues within a specified time period.
  - Obtain references.
  - Solicit information about the third party’s own third parties who would be deployed to provide the service/function.
Ultimately, preventing fraud from all three of the causative elements relies on robust TPRM program hygiene, which requires that the program ensures the security and other controls at the vendor level always meet the outsourcer’s internal security expectations.
Santa Fe Group Senior Advisor, Bob Jones, has led financial institution fraud risk management programs for nearly 50 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.