Questions to Ask About Internal Fraud: A Bank Director’s Guide


Among the many threats to shareholder value that bank directors must address, the risk of internal fraud is among the most challenging. Virtually all bank directors recognize their obligation to actively oversee the way the bank monitors its employees to mitigate the risk of fraud, but most directors also understand the need to avoid micromanaging day-to-day operations.

Treading the fine line between oversight and overstepping can be difficult. Often it means learning to ask the right questions of the right people, particularly of the bank’s senior management team.

Because every bank’s risk profile is unique, no single list of questions can fit every institution. Nevertheless, it is possible to outline some broad principles and useful questions within three general areas of strategic, board-level concern.

Corporate Governance
Major corporate governance elements related to internal fraud comprise management and oversight of the organization including the bank’s published code of conduct, written ethics policy, fraud policies and procedures, and loss reporting practices. Board members should exercise direct and active oversight of these components and be prepared to ask management a broad range of questions, including:

  • How frequently are our code of conduct and ethics policies reviewed and updated?
  • In addition to introducing our ethics policies during new employee training, how else—and how often—are these policies communicated and reinforced?
  • How are fraud losses identified, tracked and reported to the board? Are board members and executives regularly briefed on current fraud issues and trends by the appropriate managers?
  • Are employees able to report suspicious behavior outside the day-to-day management structure, or are they able to report it only through their immediate superiors?
  • Has the bank established a whistleblower hotline that allows employees to report suspected fraud anonymously?
  • How is hotline activity measured and tracked? How is the program’s effectiveness measured and evaluated?
  • How often is the whistleblower hotline publicized and reinforced in regular employee communications?

The Control Environment
The next broad area of board concern, the control environment, addresses the various tools, processes, and other components that implement the fraud policies prescribed by corporate governance. Issues of strategic-level concern in this area tend to revolve around training, accountability, and equitable treatment, as well as the effectiveness, efficiency and reliability of fraud reporting practices. Useful control environment questions for board members to ask include:

  • How is fraud awareness training being provided throughout the organization? Is awareness training tailored to each line of business?
  • Beyond awareness, do employees receive training on ethics, fair service and honest dealing?
  • Are employees being trained on specific anti-fraud practices and controls? Once trained, are they held accountable?
  • Are fraud policies implemented and enforced consistently and fairly? Are senior-level or revenue-producing personnel subject to the same enforcement as junior or administrative staff members?
  • Are anti-fraud controls consistently monitored and tested as part of the internal audit function?
  • Do employees know how to report fraud?

Incident Management and Response
The board of directors has primary responsibility for seeing that there is a defined structure and process for responding to fraud-related incidents and issues, including clearly defined roles and responsibilities. It is important that incident response protocols are applied consistently across the institution, rather than allowing each line of business to pursue its own course. To carry out this responsibility, directors should be prepared to ask questions such as:

  • Is there a high-level, organization-wide policy regarding incident management? Does it set forth adequate protocols including all relevant legal, reporting and regulatory requirements? Is the policy regularly reviewed and updated?
  • Who is the designated management-level employee with the authority to manage and administer fraud investigations and responses?
  • Has management taken adequate steps to support this employee with an appropriate team involving legal, human resources, internal audit, information technology and other departments?
  • Is there adequate oversight to allow fraud inquiries to proceed without interference from the affected lines of business?
  • Does the board receive regular briefings on material issues of fraud or fraud management?
  • How does the organization learn and evolve based on industry events and previous large incidents of fraud?

The scope of a director’s responsibility extends far beyond these three general areas alone, but starting with these broad topics can help board members maintain their focus at the strategic level while still posing challenging questions. In addition to establishing the appropriate “tone from the top,” such questions can help guide the management team toward more active and effective management of internal fraud risk.

What To Do When Your Board Gets a Complaint


Both the Sarbanes-Oxley Act and, later, the Dodd-Frank Act contain provisions protecting whistleblowers who report violations of securities laws, and in fact the Dodd-Frank Act seems to encourage such reporting with well-defined monetary rewards for complaints leading to successful fines against a company. In September of 2014, an unnamed whistleblower was awarded a $30 million grant.

In light of a recent $30 million whistleblower award and the Dodd-Frank Act encouraging more people to report problems at their companies to the government, how should a bank board handle a whistleblower claim?

First, have a whistleblower policy/program in place, now, so that if/when a claim arises, the board is prepared to handle it effectively, appropriately and lawfully. All employees should be trained on the policy and encouraged to report up the chain, pursuant to the policy, any corporate misconduct they discover. It is far better in the end if the bank self-discovers and remedies the problem, than if the government does it for you. Second, work hard to maintain the confidentiality of the whistleblower. Maintaining confidentiality, and even anonymity, helps to ensure no retaliatory action is taken against the reporting employee. At all costs, avoid retaliation. Finally, conduct an independent internal investigation, and do so with the understanding that the reported misconduct could lead to criminal and/or civil litigation. Engage your legal counsel early in the process to ensure preservation of evidence and legal privileges.

—Michael Dailey, Dinsmore & Shohl LLP

Banks should handle possible whistleblower complaints very seriously. Regulatory agencies have shown a more severe response to banks over the last few years and whistleblower complaints can reinforce a perception, however inaccurate, that some banks do not have a proactive approach to compliance issues generally. Banks should have procedures for dealing with such claims and allow employees to air their concerns without fear of reprisal. Some may wonder whether this approach may encourage the raising of false claims, but at least banks would have an opportunity to triage employee concerns and demonstrate that they take those concerns seriously.

—Donald N. Lamson, Shearman & Sterling LLP

Bank boards should authorize their audit committees to handle complaints concerning securities law violations. An audit committee’s charter should make clear that the committee may retain appropriate advisors to investigate such complaints. The board should also ensure that management promulgates guidance for internal reporting on violations. Employees should be encouraged to report violations to appropriate representatives of the compliance, internal audit or legal staff. Recipients of complaints about violations should be instructed to forward them to the chairperson of the audit committee. Upon receipt of a complaint, the chairperson should ensure that it is investigated thoroughly. If no violation is found, the complainant should be so informed within 120 days after the complaint was made. If a securities violation is found, the bank should decide whether to report the violation to the Securities and Exchange Commission. A report to the SEC should be made within 120 days after the complaint was made.

—Kathleen N. Massey, Dechert LLP

Both public and private banks have potential exposure to Dodd-Frank and Sarbanes-Oxley whistleblower claims. Therefore, a bank should have proper compliance and anti-retaliation policies in place (reviewed regularly) setting forth behavioral expectations, encouraging reporting, and establishing protocols for handling reports. The bank should also designate a team to investigate and respond to reports. All employees should be thoroughly trained regarding these policies and, in particular, managers should be trained to identify when an employee is reporting and the need to escalate the report within the organization, as many employees do not use “hotlines” or Internet-based reporting mechanisms. Most important, the bank’s senior leadership must lead by example. Senior leadership needs to sincerely and repeatedly promote the virtues of the bank’s compliance, ethics and code of conduct policies. Reporting questionable conduct, no matter how insignificant, must be genuinely encouraged. And finally, senior leaders must demonstrate integrity in all that they do.

—Jonathan J. Wegner, Baird Holm LLP

Whistleblower complaints need to be treated seriously. Avoid the temptation to view all whistleblowers as disgruntled employees who are asserting claims against innocent individuals to further their own selfish goals. Failure to promptly address a legitimate complaint will only exacerbate the problem. Regulators look favorably on companies that take prompt action and see them as having strong and effective management. The opposite is true for companies that are unresponsive or hostile to employees’ concerns. Plus, treating whistleblower complaints seriously sends the message that employees will be treated fairly and sets a tone at the top that should foster stronger ethical behavior within the company. The board needs policies and procedures for investigating whistleblower complaints and coordinating corrective action and must communicate them to employees. Doing so will create the conditions necessary for the effective management of whistleblowing.

—Aaron Kaslow, Kilpatrick Townsend & Stockton LLP

The Corporate First Responder: 15 Questions to Consider When a Corporate Crisis Strikes


When a business enterprise is confronted with a situation that suggests that there has been a violation of law, the judgments made at the outset may well be critical to the ultimate outcome.  Indeed, poor choices concerning how the matter should be handled— perhaps made in a rush and almost certainly without full facts—may prove even more prejudicial and damaging to the enterprise than the underlying conduct.  As has often been said, corporations get into real trouble more often due to “flunking the investigation” than due to the conduct being investigated.

The objective of this article is to identify issues that should be considered when a potential violation of law surfaces, and to venture some thoughts on the considerations relevant to addressing them.  The article presents 15 questions to consider at the outset of any crisis investigation.  Not all of our questions will be relevant to all situations, and there will undoubtedly be others that will need to be answered in whatever situation you may face.  That said, we chose these 15 questions because, based on our experience, they provide the decision-maker with sufficient insight to develop a picture of the challenge facing the enterprise—and, of equal importance, of what the decision-maker does not know.

We intentionally have not prioritized the questions because they are so interrelated.  It is not possible to answer many of them until some consideration has been given to all of them.  

We offer one caution in approaching a newly discovered problem.  Sometimes you may find that there is no real issue but merely a misunderstanding.  But once a real problem is identified, as one probes it, it seldom gets better.  As Admiral Nimitz exhorted the fleet in the context of storms of a different sort, “[n]othing is more dangerous than for a seaman to be grudging in taking precautions lest they turn out to have been unnecessary.”

Question 1:  Has the conduct stopped?

It is an obvious principle that illegal conduct must be stopped as soon as it is uncovered.  When faced with illegal or improper conduct, the enterprise must demonstrate its total intolerance of, and swift response to, such conduct to its employees, its shareholders, its regulators and the public.  If misconduct is allowed to continue once known by the enterprise’s governance and control structure (such as the legal department), the enterprise’s exposure is exponentially increased.  At a minimum, if later investigation reveals that an illegal scheme was uncovered and ignored or disregarded, or that the company proceeded at too leisurely a pace, the firm’s ability to argue for leniency will be compromised.  

To view all 15 questions, please click here to download the white paper.

The Dodd-Frank Whistleblower Program: What Publicly-Traded Banks Should Know


On August 12, 2011, the Securities and Exchange Commission’s (“SEC”) final rules implementing the sweeping whistleblower program in the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) became effective.  Like all entities within the SEC’s jurisdiction, publicly-traded banks and their compliance officials should take the time now to understand the whistleblower provisions and the new challenges they pose.

The Dodd-Frank Whistleblower Provisions

The Dodd-Frank whistleblower provisions are quite broad.  They extend to people who share information with the SEC or the Commodity Futures Trading Commission (“CFTC”) concerning misconduct that falls within the jurisdiction of these agencies — including accounting fraud, insider trading, stock manipulation, and violations of the Foreign Corrupt Practices Act. 

The whistleblower provisions authorize cash rewards to whistleblowers for original information leading to a recovery exceeding $1 million.  A key condition is that the tip is “derived from the independent knowledge or analysis of the whistleblower.”  The SEC and CFTC have discretion to decide the exact amount of the award based on the “significance” of the information and the level of assistance provided by the whistleblower, as long as the award is between 10 and 30 percent of total recovery.

The Final Rules

The SEC’s final rules exclude certain individuals from receiving awards, including:

  • officers, directors, trustees, or partners of an entity who learn information about misconduct from another person or in connection with the company’s processes for identifying misconduct;
  • employees whose main duties involve compliance or internal audit, or persons associated with a firm hired to perform similar functions; and
  • employees of public accounting firms performing an engagement required by the securities laws, when the information relates to a violation by the client or its officers, directors or employees.

However, these individuals are still eligible for a reward under Dodd-Frank if:

  • they have a reasonable belief that (a) disclosure to the SEC is necessary to prevent the company from engaging in conduct that could cause substantial injury to investors, or (b) the company is acting in a way that would interfere with an investigation of the misconduct; or
  • one hundred twenty days have passed since they escalated the information to their company’s audit committee, legal/compliance officer, or supervisor, or since they received the information and the circumstances indicate that the audit committee, legal/compliance officer, or supervisor was aware of the information.

The Dodd-Frank whistleblower provisions do not impact the obligation of publicly-traded banks under certain circumstances to report suspected wrongdoing, such as in connection with suspicious activity reports or when the bank is notified by its outside auditors under Section 10A of the Exchange Act of a suspected illegal act that has not been adequately remediated.

Although the final rules do not require that employees report suspected wrongdoing through internal corporate compliance channels before disclosing information to the SEC in return for a bounty, the rules do try to encourage internal reporting:

  • A whistleblower who reports wrongdoing to the SEC within 120 days of lodging a complaint internally will be deemed to have reported to the SEC as of the date of the internal disclosure.
  • If a whistleblower reported original information internally before or at the same time that the whistleblower reported it to the SEC, and the company discloses the whistleblower’s information or the results of an investigation initiated by the whistleblower’s information to the SEC leading to a successful enforcement action, the whistleblower will receive credit for the information provided by the company and will be eligible for an award.
  • When deciding whether to increase the amount of a whistleblower’s award, the SEC will consider whether the tipster reported through internal channels and assisted with any internal investigation.

Dodd-Frank prohibits retaliation not only against whistleblowers who provide information under the award program but also against employees engaged in offering consumer financial products who provide information about what they reasonably believe to be a violation of federal consumer protection laws, even if these employees are not pursuing a Dodd-Frank whistleblower award.

Looking Ahead

Beyond enhancing existing internal compliance measures designed to identify potential misconduct (such as employee ethics hotlines), the Dodd-Frank whistleblower rules make it more important than ever for publicly traded banks to promptly review all claims of wrongdoing.  Doing so will increase the opportunity to remediate any problems and self-report the conduct to bank regulators and other authorities before a whistleblower contacts the SEC first.