Ratley: What impact have legal and regulatory developments had on the landscape of corporate fraud and misconduct in your region over the past 12-18 months?

Scott-Mackenzie: The increasing vigilance on bribery has had a clear ripple effect across the fraud landscape. The increased focus in Australia, and the application of the US Foreign Corrupt Practices Act or the UK Bribery Act, has captured incidents across the spectrum of illegal behaviour. There is a clear correlation between a corporate culture that fosters the illegal payment of bribes and one that is likely to also foster other corporate fraud. As an example, we have seen a matter in which an investigation was undertaken on the concern of bribery by company executives. Whilst an analysis was undertaken of the transactions to detect any payment of bribes, it was detected that a senior executive was implicated in a multimillion-dollar theft spanning many years.

Zimiles: The implementation of rules and regulations around Dodd-Frank and FATCA, the imposition of severe sanctions on corporations and individuals, and statements by regulators and prosecutors that corporate fraud will continue to be taken seriously have led to a greater appreciation of compliance. Indeed, the focus by the US Department of Justice on personal liability has become an even stronger focus. As a result, there is an increased need for qualified compliance professionals and compliance hiring is on a huge upswing. At the same time, compliance professionals are now concerned about their personal liability. On a related note, companies are also increasing their compliance-related technology spending – looking for, and implementing, solutions that help the human compliance professionals do their jobs more efficiently. Management and boards are becoming more involved in the compliance process, developing a better understanding of how their organisation’s processes work and what can be done to improve them.

Girgenti: We are in a new era of regulatory enforcement that is more aggressive and has an arsenal of new laws expanding the authority and reach of enforcement agencies. Among the major legal and regulatory developments over the past year and a half that have influenced the landscape of corporate fraud have been the reliance by the government and its enforcement efforts on whistleblower laws and the focus on the prosecution of individuals and gatekeepers. The recently released Yates Memo by the Department of Justice underscored the government’s focus on the prosecution of individuals in order for a company to receive credit for cooperation. In addition, with the appointment of a compliance counsel in the fraud division of the Department of Justice, the government has further emphasised that it will closely scrutinise the effectiveness of corporate compliance programmes and internal controls. The SEC’s use of administrative proceedings rather than federal courts to bring its enforcement actions tips the balance further in the government’s favour.

Moosmayer: More and more national legislators are including compliance incentive programmes in their sanction systems for corporations. For example, recently Spain has introduced a programme into its criminal law provisions and Germany is currently debating such a regulation. These regulations will encourage companies to voluntarily self-disclose internally detected misconduct. Furthermore, implementing or enhancing compliance measures is crucial in the fight against corruption, and is fully in line with the recommendations of the Anti-Bribery Taskforce of the Business and Industry Advisory Committee to the OECD (BIAC). Besides this focus on companies, the US Department of Justice’s recently issued Yates Memo rightfully reminds us that the individuals who are breaking laws and internal compliance rules must remain in the focus of prosecution.

McNally: New York is ground zero for many of these cases. In October 2015, the US Supreme Court declined to review the most recent decision in United States v. Newman, which held that the benefits an insider receives in exchange for divulging material inside information must be “of some consequence”, and that – in order to be liable under the securities laws – the tippee who subsequently trades on that information must actually know the insider received a benefit. Prior to Newman, prosecutors merely had to prove that the tippee, however far removed from the actual source of information, traded on inside information, even if they did not know that the insider received a personal benefit for divulging such information. Without Supreme Court guidance, courts must now determine what constitutes a “benefit” to an insider – whether it’s the exchange of money, or something less, that’s required. Another headline is that US, European and other executives are now facing acute new pressures from the public, press and prosecutors for individual business leaders to be singled out and charged with criminal conduct.

Swift: The introduction of DPAs has been a significant development. DPAs have been used in the US for years. They are an agreement between the company and the prosecuting authority that generally involves financial and other sanctions, but falls short of a criminal conviction. Corporates should expect to see the use of DPAs in the UK going forward, and therefore should be aware of common issues faced when negotiating DPAs with US regulators, as these may also become relevant in the UK.

Ratley: What lessons can we learn from recent fraud and misconduct-related cases and their outcome?

McNally: For an EU or US corporation, government investigations, while serious, can be the least of the consequences stemming from a fraud case. At this time, the number of class action lawsuits filed against VW for its allegedly rigged exhaust emissions will likely exceed 100 separate cases here in the US. During the past 30 years, America’s top business litigators have successfully defended corporations facing such extinction-level civil litigation – and also won huge awards on behalf of businesses that have themselves been victimised by corporate fraud. On other fronts, cyber fraud is a new frontier in white-collar crime. Hacking and other crimes committed electronically and remotely are sophisticated, difficult to detect and can have devastating consequences on a company. Companies are obliged to devote significant resources to bolstering their cyber security, and to work cooperatively with government authorities when attacks occur.

Zimiles: As evidenced in public statements made by Attorney General Loretta Lynch and SEC Chair Mary Jo White, as well as the recent Memo issued by Deputy Attorney General Sally Quillian Yates, the investigation and aggressive prosecution of both corporations and individuals for fraud is of paramount importance to the US government as such conduct undermines the integrity of world markets. In addition, prosecution of corporate fraud and misconduct has gone global as international prosecutors have stepped up their efforts and collaboration between US and international prosecutors continues to rapidly improve. At the end of the day, companies need to be nimble enough to quickly adapt to new regulations and new regulatory focuses while also being proactive in ensuring they have designed and implemented compliance programmes that include procedures, processes and controls that are designed in a manner to adequately prevent and detect fraud and misconduct.

Moosmayer: The Volkswagen case has the potential to become the next ‘game changer’ following the Siemens case. After the Siemens case, anti-corruption compliance became a ‘must’ throughout the industry. Indeed, the Siemens case triggered the creation of anti-corruption compliance departments and programmes in all major companies and increasingly at mid-sized companies too. The Volkswagen case brings another important question to the table: Where do the responsibilities of the compliance team start and finish? The prevention and control of ‘technical compliance’ in companies is so far not in the scope of any compliance department I know. That means, unless there is a specific whistleblower complaint to the compliance organisation, misconduct in this area will most likely not come to the attention of the CCO. The Volkswagen case may open the discussion on whether a ‘holistic’ compliance concept is warranted and if this should run under the responsibility of the compliance department.

Girgenti: The principal lesson learned is that fraud and misconduct will occur at times in every organisation. Accordingly, companies must continue to design and implement compliance functions that not only have strong internal controls around areas of risk, but also are continuously evaluated for their effectiveness. Since third party risk is so prevalent, whether in the area of bribery and corruption, money laundering, cyber crime, trade sanctions or supply chains, organisations need to be especially focused on mitigating the risks presented by third parties.

Swift: One of the most high-profile cases in recent months has been the conviction, and sentence, of Tom Hayes for LIBOR manipulation. Mr Hayes received, in total, a sentence of 14 years’ imprisonment, which is the longest sentence ever imposed in the UK for financial fraud. In paragraph 12 of his sentencing remarks, the judge told Mr Hayes: “The conduct involved here must be marked out as dishonest and wrong and a message sent to the world of banking accordingly. The reputation of LIBOR is important to the City as a financial centre and of the banking industry in this country. Probity and honesty are essential, as is trust which is based upon it. The LIBOR activities, in which you played a leading part, put all that in jeopardy”. It does not, of course, necessarily follow that all LIBOR sentences will be as long as that imposed on Mr Hayes; each case must turn on its own facts.

Scott-Mackenzie: We are seeing cyber crime as the emerging trend that causes us the most concern. It would appear that cyber crime is badly underreported and much of the analysis is focused upon cases such as the theft of personal data at major companies, such as the 2014 cyber attack on Target in the US. However, it is SMEs that are often the most at risk, as they are unlikely to have the infrastructure or personnel to respond. A recent incident that we have seen has highlighted this. In this matter a staff member opened an email with ‘crypto-locker’. In this matter, a staff member clicked on an email and the email installed the crypto-locker software. This software encrypts all of the business’s data unless a certain payment was made. The result is that the SME was unable to trade until the crypto-lock was dealt with. The key learning in this case was that the SME had a relationship with their insurer that provided the relevant IT expertise to advise on how to deal with the crypto-locker and to meet the costs associated with the business interruption.