22 April 2012

Workplace Trust: Integrity, Ethics & Legal Risk...

Operational Risk Management professionals wonder about the "Tone at the Top" and decisions at the latest Board of Directors meetings to ignore or investigate a whistleblowers claims of ethics or governance violations in the workplace.

The financial services companies have for years been the target of scrutiny for claims of fraud, mistreatment of consumers and violations of several U.S. federal regulations many under further examination by the SEC.  As time goes on in the evolution of maleficence you will find examples of wrong doing in other private sector areas, such as the Defense Industrial Base (DIB), Retail and Information Technology (IT).  Think about your own company and ask yourself how you treat and respond to the 800 number Ethics Line and those who staff the Internal Audit, Risk Management or Information Security departments.  Are these enablers or impediments to your future success?  Your answer may be a clue to the issue at hand.

The professionals in the Inspector Generals office, the Operational Risk Management department and the General Counsels office are also there for a good reason.  Think about them as the last "Thin Blue Line" between your company becoming a success or falling into a cultural abyss that will plague the institution for decades.  Steven Pearlstein explains from the Washington Post:

Steven Pearlstein: How could SAIC miss this? By , 
Last week in these pages, The Post ran a profile of John Jumper, the straight arrow former Air Force general who was brought in as chief executive of local contracting giant SAIC in the wake of an embarrassing overbilling scandal involving bribery, kickbacks, foreign shell corporations and a safe deposit box stuffed with $850,000 in cash. 
A year ago company officials were publicly denying that there were any problems at all with its contract to build a new timecard system for New York City, which by then was so late and so over budget that “CityTime” had become a frequent target for the New York tabloids and political embarrassment for Mayor Michael Bloomberg. 
It was just last June that SAIC executives and directors first informed shareholders that there might be a little $2.5 million overbilling problem with the contract and that federal prosecutors had brought criminal charges against six employees of an SAIC subcontractor. Shareholders had to read deep into Note 9 of that quarterly report to learn that there might be “a reasonable possibility of additional exposure to loss that is not currently estimable” that “could have a material adverse impact” on the company’s finances.

This episode by one DIB contractor, was not the first nor will it be the last.  One has to ask whether the advice these companies are getting from their outside counsel is always the right course of action.  The government and the internal risk management departments are going to be continuously deluged with new whistleblower claims.  Not just because new laws are in place to protect them and to provide them with the incentives to come forward.  It is because good people are sick and tired of having their organizations reputation tarnished and their respective ethical practices being jeopardized by a few bad cowboys or rogue actors.  Yet now, the Retail sector is being taught a serious lesson regarding a potential FCPA violation by Wal-Mart.  David Barstow at the NYT has this to report:

Published: April 21, 2012  MEXICO CITY — 
In September 2005, a senior Wal-Mart lawyer received an alarming e-mail from a former executive at the company’s largest foreign subsidiary, Wal-Mart de Mexico. In the e-mail and follow-up conversations, the former executive described how Wal-Mart de Mexico had orchestrated a campaign of bribery to win market dominance. In its rush to build stores, he said, the company had paid bribes to obtain permits in virtually every corner of the country. 
The former executive gave names, dates and bribe amounts. He knew so much, he explained, because for years he had been the lawyer in charge of obtaining construction permits for Wal-Mart de Mexico. 
Wal-Mart dispatched investigators to Mexico City, and within days they unearthed evidence of widespread bribery. They found a paper trail of hundreds of suspect payments totaling more than $24 million. They also found documents showing that Wal-Mart de Mexico’s top executives not only knew about the payments, but had taken steps to conceal them from Wal-Mart’s headquarters in Bentonville, Ark. In a confidential report to his superiors, Wal-Mart’s lead investigator, a former F.B.I. special agent, summed up their initial findings this way: “There is reasonable suspicion to believe that Mexican and USA laws have been violated.”

Mitigation of Operational Risks in the workplace, such as fraud and corruption is different than it is outside the enterprise.  The difference is, that corporate executives do not always believe that their own employees would behave this way.  They could be naive to the reasons why fraud finds its way into the psyche of some of the organizations must trusted officers.  Corruption and the signs that an organization has lost its way from a place of cultural integrity and one that condones others to look the other way or for many to help perpetuate schemes of wrong doing, requires a massive organizational transformation.  A transformation that is lead by focused and talented Operational Risk professionals.

But most of all, even if you have these professionals on your team already, there are still some important ingredients to achieving your own "Defensible Standard of Care":

1.  If you think you have funded the risk management department in your enterprise adequately, you haven't.  Do not confuse your outside audit function with your internal risk management function. 
2.  If you don't understand how your 800 number ethics line works and the outsourced organization that runs this, then you need to do so immediately. 
3.  If you have a favorite outside counsel to help you with investigations, it might be time for a check up.  Even more importantly, it might be time to get your outside counsel firms and your outside audit firms invited to a meeting of the minds on corporate integrity. 
4.  If you find any indications that 1 through 3 have been ignored, pushed aside or been giving you a false sense of security, then you might consider making a career change.

Tech Inc., a rapidly growing software company operating in 45 countries, learns that the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) are investigating payments made by its subsidiaries in Brazil and China for possible violation of the Foreign Corrupt Practices Act (FCPA). Bob, the general counsel for Tech Inc., suspects that the source of the investigation is an employee who anonymously lodged a hotline complaint alleging that the company was 1) paying independent sales agents excessive commissions and 2) providing generous discounts and rebates to some of its channel customers and distributors. The complainant also said he believed the problem extended beyond Brazil and China based on discussions he had with other employees.

14 April 2012

Too Big to Fail: Basel III to ID Theft...

Now that the Basel III wheels are in motion and the "Top 29" vital Global banking institutions have been identified, Operational Risk Management is on everyones mind. The capital reserves will continue to assist them in becoming more resilient to the systemic volatility ahead. Are you feeling the uncertainty starting to disappear? Not for a minute.

As these banking institutions try to withstand the economic impact of a nation state failure like Greece, the consumers who are the customers of the "Top 29" too big to fail, are being simultaneously barraged and systemically targeted by international crime rings. Identity thieves have set up transnational operations, that will continue to plague millions of consumers at these same banking institutions. Their own governments continue to try and deal with the nexus of criminal elements, consumer privacy and law enforcement. How bad is it for the U.S. Treasury, as one example:
Identity theft involving tax fraud is increasing faster than law enforcement and government officials can deal with it, according to testimony today before a House oversight subcommittee. Identity theft to scam fraudulent tax refunds from the government has increased 100 percent in just three years.
”As of Aug. 31 of this past year, IRS incident tracking reports indicated that the numbers of taxpayers affected by identity theft has more than doubled since 2008 to over 580,000 taxpayers this year alone,” said J. Russell George, Treasury Department inspector general for tax administration.
The crime has become too easy. It’s like a party, according to Rep. Richard Nugent, R-Fla., whose district has a problem with tax-related identity theft.
“Tampa Police Department has busted what the lawbreakers call ‘make it rain’ parties, where criminals get together in a hotel room with Internet access and file fake return after fake return,” Nugent told the committee.
How does paying out billions of dollars to these fraud crime rings using your social security number and date of birth increase the operational risks on our banking institutions? Everyone who is a consumer at one of these banks who is a victim of fraud, will one day deal with the aftermath. If the fraudsters are filing a fraudulent tax return that impacts you, then the odds are that you may end up paying a higher interest rate and this will not be the only place they are using your ID Theft misfortune for financial gains.
For the victims of tax fraud identity theft, the people who had fraudulent tax returns filed in their names, getting the problem fixed and their lawful refund paid could take a year and a half.
“A typical path for an identity theft refund case that is not complex may take as long as 18 months to resolve,” said J. Russell George, Treasury Department Inspector General for tax administration.
The cost of dealing with Identity Theft has so many dimensions. The protection of Personal Identifiable Information (PII). The fact that the IRS and law enforcement have difficulty sharing information on the consumers themselves due to privacy laws. The technology and online Internet forums for buying and selling fraudulent identities is prevalent. The continuous salvo of attacks on financial institutions to compromise the cyber defenses that they have established is a 24 x 7 battle.

To exacerbate the problem, the "Death Master File" (DMF) is the genesis for much of the Identity Theft and tax fraud when this information gets into the wrong hands. The U.S. Social Security Administration has been publishing this list of 90 million dead Americans since 1980 to help the "Top 29" fight fraud. At the same time, the Identify Theft fraudsters are using the same data to perpetuate their schemes:

Identity thieves are cashing in on dead children across the nation, stealing their Social Security numbers to collect fraudulent tax refunds from the Internal Revenue Service.
Grieving families — including the Watters family of Lake Forest — say their anguish is amplified by the realization that the crooks get help from an unexpected source: the Social Security Administration’s “Death Master File,” which records and lists information about everyone who dies in the United States.
Armed with the deceased child’s Social Security number and other personal information, crooks falsely claim them as dependents and have the refunds routed to them.

One reason that the financial institutions, government agencies and law enforcement are going in circles is because "Operational Risk Management" processes and tools are still not as robust as they could be. As the Basel III regulatory mandates kick in along with other new laws, methods and tools, all of the impacted parties will get better at deterring, detecting, defending and documenting in this complex information age.

In the mean time, consumer beware. Look long and hard at the "Top 29" list and decide if you need to move your funds to somewhere else. And before you do, look at the online banking login page for that institution. Are they still using only a single factor user name and password? Multi-factor authentication is not fool proof, yet it does tell us whether the institution is serious about Operational Risks in the area of Information Security. This is a key indicator of their ability and capability to try and keep your data out of the hands of the transnational eCrime rings.

Finally, you have to take the monitoring of your own Identity, and all of your family members identities seriously. It will be far more proactive, than anything else that will be done by governments or financial institutions alone. Regardless how fast they implement the latest tools and technology the fraudsters are moving just as fast. By adding your own diligence on top of the banking institution, government agency or other entity (Doctors / Lawyers / Dentists/ Insurers) that may have your Personal Identifiable information, you are decreasing your odds of becoming an Identity Theft and fraud victim.

Financial risks for the banks and the consumers will continue to be the current state-of-play. Basel III alone will not eliminate the threat of failure or the possibility of a serious bank fraud. Monitoring services or checking your credit report on a quarterly basis, will not keep the ID Theft criminals from stealing your PII. Implementing both on a proactive and pervasive basis will make a positive difference over time. This is what Operational Risk Management is all about, in the global institution board room and at your own home office.