25 November 2008

QFD: The End of Compliance...

Corporations will continue to be responsible for the criminal behavior and actions of their employees, third-party suppliers and other contractors for at least the near term. In a case that has the defense legal eagles and the "Usual Suspects" arguing against corporate liability, is the intent getting cloudy, or is it crystal clear?

But in a case now pending before the 2nd U.S. Circuit Court of Appeals, United States v. Ionia Management SA, the defendant corporation, as well as a diverse group of business and legal organizations acting as amici curiae, are asking the court to re-examine what had previously been accepted as black-letter law regarding when a corporation may properly be held vicariously liable for the acts of its employees.

While the defense bar has successfully battled some of the U.S. Justice Department's specific tactics in corporate criminal investigations (such as pressuring companies to waive attorney-client privilege or deny payment of employees' legal fees), this is the first significant direct challenge in recent years to the long-standing doctrine of corporate criminal liability. Their arguments, if accepted by the court, could have far-reaching consequences for the balance of power between the government and the targets of corporate criminal investigations.

Even if the corporate compliance programs are in full force and the financial integrity unit is robust in its efforts, the "Operational Risk" of litigation still exists. How the cases settle or end up in deferred prosecution deals is another subject. Andrew Weissmann is in the precarious position of having been on the other side of the courtroom during the Enron trial. Now, after having moved to the defense, he is feeling the size of the government's power base.

Mr. Weissmann, 50 years old, says he noticed the "glitch" in the law four years ago as a prosecutor when he helped put together deferred-prosecution agreements of Merrill Lynch & Co. and Canadian Imperial Bank of Commerce for their conduct in connection with the Enron collapse. It struck him that the standard for criminal liability might be too low for "companies that work hard to create compliance programs" and yet are still on the hook, he says.

Regardless of the amount of awareness building, education and corporate window dressing, you can't ultimately control human behavior. More compliance enforcement and regulatory pressure may seem to be the answer. A voluntary effort to shore up security and soundness and to close the opportunity for malfeasance in the workplace may not be working effectively. And still the liabilities exist, as plaintiffs and government adversaries seek compensation. So what is the answer?

The answer lies in the "Enterprise Architecture" of our institutions and the failure to implement the process of "Quality Function Deployment" (QFD). This has been ignored by senior executives and US business because many judge it to be too complex. One only has to look at the state of our automobile manufacturers versus the likes of Japanese companies to get a sense of the success of incorporating QFD on a comprehensive basis. But now apply this to the culture of an organization and how each individual makes logical business decisions instead of emotion-based decisions.

What many liability issues begin with is an employee who made a bad decision. QFD in its simplest form is a tool to promote communication. Among peers and connected teams within the organization it provides the methodology to catch errors, omissions and emotional bias early in the process. As an example, let's take the Request for Proposal (RFP). Many companies depend heavily on winning business by responding to RFPs. A "deal maker's" perception of the RFP's importance determines the effort put into the response. Many times, this is influenced by an incentive plan. The human behavior of accepting or declining the effort on an RFP, as well as what it takes to push it through the organization for executive sign-offs, is not always compatible with the strategic and quality measures of the enterprise.

Over time this will form an unimaginable amount of moral decay within a company. This leads to bad behavior and unethical decisions that people make because the business environment has rewarded it for far too long. So who is to blame here? The employee, or the culture and company that has condoned and encouraged the behavior that ultimately damaged someone or something?

Implementing QFD in your information-based enterprise could have a dramatic impact on achieving a defensible standard of care by reducing the likelihood of catastrophic emotional decisions. More importantly, QFD programs such as this, which directly reduce the likelihood of bad employee behavior and criminal incidents, can reduce the necessity for invasive compliance programs that most everyone wants to ignore.

18 November 2008

Virtual Truth: False Information Risk...

How does "False Information" impact the risk to your organization? Decisions based upon faulty or inaccurate information are the root of many of history's catastrophic systemic failures. The Titanic, the Challenger shuttle and the Three Mile Island nuclear incident can all be attributed to the integrity of vital information.

Fast forward to the financial crisis and the past decade of consumer credit expansion strategies. What data have you been collecting from US consumers or clients about their personally identifiable information attributes? The Information Age has drawn us into a more dangerous business operating environment as these digital assets have become another commodity to be sold in an international marketplace, to the highest bidder. Are you ready when the federal "Suits" or the local LEOs (Law Enforcement Officers) knock on your door in pursuit of the truth?

The Fair Credit Reporting Act (FCRA) spells out rights for victims of identity theft, as well as responsibilities for businesses. Identity theft victims are entitled to ask businesses for a copy of transaction records — such as applications for credit — relating to the theft of their identity. Indeed, victims can authorize law enforcement officers to get the records or ask that the business send a copy of the records directly to a law enforcement officer. The businesses covered by the law must provide copies of these records, free of charge, within 30 days of receiving the request for them in writing. This means that the law enforcement officials who ask for these records in writing may get them from your business without a subpoena, as long as they have the victim’s authorization.

The financial integrity of your future as a business and as a consumer is at stake. Christopher Burns brings this to light in a dramatic fashion in his new book; Deadly Decisions:

"First, it is often extremely difficult to validate, corroborate, or verify the information we are dealing with, except by comparing it to the other information we are dealing with. And often the whole system is contaminated by misunderstanding, bad data and false assumptions that are hard to spot. The truth test rarely works. And second, the real issue of truth is not whether you or I should believe this or that, it is what we believe together. The truth that matters is group truth, and where we get into trouble is when a whole organization--a company, a community, a nation--starts to act on information that has been gathered from many sources and processed by many people but has come to contain significant elements that are false."

Beyond the "Red Flags" imposed on business, the LEO community is starting to acquire what it needs for more effective deterrence and enforcement mechanisms. The ID Theft Enforcement and Restitution Act of 2008 is providing prosecutors with the tools to address cyber extortion schemes such as the Express Scripts case:

Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.

The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.

Now the clients themselves are receiving extortion demands directly from the criminal elements behind this latest critical incident. Express Scripts has hired a new Senior Compliance Counsel to start December 1 and one of the Board of Directors has tapped a unit of his former company to provide ID Theft professional services. It looks like they are heading in the right direction.

Trusted Information is at the core of current global trading, business transactions and the fabric of our own personal identities. False information and knowledge is what creates operational risk factors that can change a whole company or the integrity of a whole nation. Systems that comprise vast databases of "so called" trusted information are at our fingertips, being utilized to make coherent and effective decisions. Yet what may be the more catastrophic Operational Risk, beyond the simple stealing of information, is the potential opportunity for the destruction of vital information.

The vulnerability of our institutions and the critical infrastructure of the United States economy is ever more at risk of a systemic loss. While our stolen data will continue to be sold to the highest bidder on a global platform for trading, the 4GW "Non-State" actors will change their modus operandi. This is a given.

Trusted Information systems that have certified integrity and the oversight controls to ensure the highest level of virtual truth is the "Holy Grail." The degree to which these same systems include false knowledge is our most complex problem for business and government in the next decade.

14 November 2008

General Counsel: OPS Risk Priorities...

As General Counsel, are you keeping up with the latest technology being deployed in your enterprise? Do any of your employees use Twitter? What about your "Generation Y" and their use of P2P file-sharing programs? Does your CxO in charge of Safety, Security, Investigations and Corporate Integrity have the latest report on employee violations of your Information Assurance and Acceptable Use policies?

Unknown to corporate America, the popular peer-to-peer file-sharing networks that allow music and movies to be shared could be sharing something else with the public: company secrets and personal data.

Management-side lawyers are sounding alarms to their corporate clients, warning that peer-to-peer networks are increasingly becoming a gateway for trade secrets, confidential financial information and personal data.

The economy is continually downsizing, employees are now being sent home to work in "Virtual Mode," and Operational Risk loss events are metastasizing. Corporate Counsel and CxOs must provide thorough due diligence, security awareness training and effective annual audits of employees who work from home or may be perpetual "Road Warriors" hopping the globe from hotel to hotel. Why?

In 2007, Citigroup Inc.'s ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when a business analyst signed up to use a P2P file-sharing service on a home computer containing the personal information.
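A practical check behind this warning, added here as an example and not taken from the post or the articles it quotes: a small Python scan of the folder a file-sharing client exposes, flagging files that contain SSN-formatted values or Luhn-valid payment card numbers before they are shared. The directory layout, file contents and matching patterns are constructed for the demonstration and are only heuristics, not a complete data-loss-prevention rule set.

```python
"""Scan a would-be P2P shared folder for files that look like they hold
personal data (constructed example; patterns are illustrative heuristics)."""
import re
import tempfile
from pathlib import Path

# SSN-shaped values: 3-2-4 digits, excluding area/group/serial values that
# are never issued (000, 666, 9xx; 00; 0000) to cut down on false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-16 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for most real card numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count SSN-shaped and Luhn-valid card-shaped values in a text blob."""
    ssn_hits = SSN_RE.findall(text)
    card_hits = []
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            card_hits.append(digits)
    return {"ssn": len(ssn_hits), "card": len(card_hits)}


def scan_shared_folder(root, max_bytes: int = 1_000_000) -> list:
    """Walk a directory tree and report files that contain likely personal data.

    Binary files are decoded with errors ignored, so media files produce no
    hits unless they really embed digit patterns. Only the first max_bytes of
    each file are inspected to keep the scan cheap on large shares."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()[:max_bytes]
        except OSError:
            continue                       # unreadable file: skip, do not abort
        counts = classify_text(data.decode("utf-8", errors="ignore"))
        if counts["ssn"] or counts["card"]:
            findings.append({"file": str(path.relative_to(root)), **counts})
    return findings


def demo() -> list:
    """Build a constructed shared folder and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "music").mkdir()
        # Constructed sample data: the 4111... value is the standard Visa test
        # number, the SSN-shaped values are made up for this example.
        (share / "customers.csv").write_text(
            "name,ssn,card\n"
            "Jane Doe,123-45-6789,4111 1111 1111 1111\n"
            "John Roe,321-54-9876,none\n"
        )
        (share / "notes.txt").write_text("call 555-123-4567 ext 12 about the RFP\n")
        (share / "music" / "track.mp3").write_bytes(b"ID3\x00\xff\xfb\x90\x00" * 64)
        return scan_shared_folder(share)


if __name__ == "__main__":
    for finding in demo():
        print(finding)   # expected: customers.csv with ssn=2, card=1
```

Run against the real folder a client advertises (the `share` path above is the only thing to change); anything reported is a file that should not be in a shared location at all, and the checksum step is what keeps ordinary order numbers and phone numbers out of the report.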

If you are a General Counsel and your organization is authorizing the use of encryption on laptops, or the use of personal social networking sites or systems, it's imperative to pay attention to how they are applied. Encryption can be utilized to keep data secure in the event of a breach or a lost digital asset. It can also be used to cloak fraudulent or criminal activities:

In an expanding probe of investment giant UBS, the Justice Department on Wednesday announced the indictment of the Swiss bank's chairman of global wealth management, accusing him of playing a key role in a tax evasion scheme to shelter secret U.S. account holders from income tax bills and drive up bank revenue.

Raoul Weil, who oversaw the Swiss bank's cross-border private banking business serving 20,000 U.S. clients, helped conceal a combined $20 billion in assets from the Internal Revenue Service, the indictment charged.

"Prosecutors said the executives and managers used nominee entities, encrypted laptops, numbered accounts and other counter-surveillance techniques to conceal their U.S. clients and offshore assets."

"If the company policy is written correctly, employees have no privacy interest in any materials created or accessed on company computers. With such a policy in place, an employer generally can review with impunity an employee's activities on the company's computer system."

Whether information is discoverable is a different matter. A careful review of most social networking sites' privacy policies will most likely reveal that posted information is not private, and is therefore discoverable. Effective legal and IT security awareness programs and education are therefore essential in any enterprise where employees are working remotely.

The modern-day General Counsel must rely on the Chief Privacy Officer working diligently with the Chief Security Officer and the Chief Compliance Officer to mitigate Legal Risk. The convergence of these responsibilities falls more on the Chief Operational Risk Officer, who sees that all parties are synchronous in their strategies and efforts. They may be the best person to ensure the entire spectrum of operational risks is being thoroughly addressed.

11 November 2008

AML: Transnational eCrime Ecosystem...

The Operational Risk threat matrix from "Advance Fee Fraud," "Nigerian Letter (419) Fraud," "Foreign Lottery/Sweepstakes Fraud" and "Overpayment Fraud" is still growing exponentially. During our current economic crisis, the spike in these consumer Mass Marketing schemes is to be expected. Global Anti-Money Laundering (AML) operations are in high gear at home and abroad.

The "Transnational Economic Crime Ecosystem" is thriving and the major phases of the environment continue to be a major challenge for global financial institutions and law enforcement:

  1. Collection
  2. Monetization
  3. Laundering

Let's take a closer look at "Overpayment Fraud":

Overpayment Fraud - Victims who have advertised some item for sale are contacted by buyers who remit counterfeit instruments, in excess of the purchase price, for payment. The victims are told to cash the payments, deduct any expenses, and return or forward the excess funds to an individual identified by the buyer, only to discover they must reimburse their financial institution for cashing a counterfeit instrument.

The predominantly transnational nature of the mass marketing fraud crime problem presents significant impediments to effective investigation by any single agency or national jurisdiction. Typically, victims will reside in one or more countries, perpetrators will operate from another and the financial/money services infrastructure of numerous additional countries utilized for the rapid movement and laundering of funds. For these reasons, the FBI is uniquely positioned to assist in the investigation of these frauds through its network of Legal Attache offices located in over 60 U.S. embassies around the world. By leveraging its global presence and network of liaison contacts, the FBI has successfully cooperated with other domestic and foreign law enforcement agencies to combat, disrupt, and dismantle international mass marketing fraud groups.

Despite the best inter-agency enforcement efforts to combat mass marketing fraud, the FBI remains cognizant of the fact that the only enduring remedy for this crime problem lies in consumer education and fraud prevention programs. Towards this end, the FBI has not only produced its own mass marketing fraud prevention pamphlet but coordinates on other public information efforts with the DOJ, FTC, and the USPIS. The FBI also supports a consumer fraud prevention website in conjunction with the USPIS which can be located on the web at: http://www.lookstoogoodtobetrue.gov.

While the number of Mass Marketing Fraud cases has declined over the past few years, the number of new money laundering cases has risen to over 500 in FY 2007 alone. This is to some degree a result of the cooperation being given to law enforcement by the financial institutions themselves. And for good reason. There is a new sheriff in town.

(Reuters) - A U.S. tax investigation into UBS AG (UBSN.VX) is concentrating on senior and midlevel executives and bankers, and could result in one or more indictments, the New York Times said, citing people briefed on the matter.

Investigators are sifting through more than 70 names and related account details of American clients provided by UBS over the last few months to the Justice Department, which has passed the details to the Internal Revenue Service for further scrutiny, the paper said.

The Justice Department and the IRS plan to build both civil and criminal tax-evasion cases against some of the clients, the people told the paper.

The U.S. tax investigation risks compounding damage to UBS's reputation at a time it has been forced to make bigger writedowns than any other European bank in the credit crisis.

The U.S. Department of Justice is investigating UBS over offshore services provided to U.S. clients from 2000 to 2007 to find out whether UBS helped wealthy Americans dodge taxes. The Swiss bank was singled out by U.S. President-elect Barack Obama as one of the banks who helped "tax cheats." It decided earlier this year to stop offering offshore Swiss bank accounts to U.S. citizens.

Yet the collection phase of mass marketing fraud is not about "70" or "100" UBS clients who are trying to cheat on their taxes. It is still about the millions of phishing and spam messages that circle the digital globe in search of their targets or prey. The elusive criminal organizations behind this organized cybercrime wave are continually exploiting the vulnerabilities of our financial institutions and of our own human behavior.

"Merchandise Mules" are being recruited by the hundreds if not thousands to reship goods outside North America. These criminals are utilizing stolen identities and credit cards to purchase goods on eCommerce sites and eBay and then requesting to ship the goods overseas. Unfortunately, those who are elderly or even just down on their economic luck fall victim to this tremendous economic crime tsunami:

Much of modern organized crime is very similar to the old. The most significant transformation, from the streets to cyberspace, has enlarged the territory of individuals and organized groups.

Enabled by the Internet, criminals can operate in cyberspace where less governance, a transnational stage, and a multitude of transactions to monitor complicate surveillance and enforcement. From counterfeiting drugs and software to identity theft and credit-card fraud, illegal transactions are increasingly infiltrating legitimate businesses where counterfeited goods and money laundering are buried in the billions of legitimate computer transactions made daily around the globe.

Counterfeited products are rising through global distribution via Internet sites. According to the World Health Organization, 50 percent of the medicines sold online are counterfeit.

The expanse of international criminal activity has been followed with an increase in prosecution through cooperating international law enforcement agencies willing to join the fight against globalized crime.