Scores of fraud fighters came from the United Kingdom and the continent to learn practical procedures unique to Europe at the 7th Annual European Fraud Conference
Oct. 28-29 in London. 

Attendees at the 7th Annual European Fraud Conference not only had many opportunities to network but they had a choice of 12 breakout sessions within three tracks - Current Issues, High Tech, and Practical Fraud Techniques. 

Ken Farrow, detective superintendent, City of London Police, presented the first day's keynote address on "UK Law Enforcement and Fraud Investigation." During the first working lunch, Chris Brogan, corporate investigator for Security International Limited in London, spoke on "European Directive on Data Protection: How Does it Impact on the Investigation of Fraud & Money Laundering?" The first general session featured Nick Ridley, CFE, an intelligence analyst with Europol, who presented the talk, "Money Laundering from the European Perspective."

Gerrit F. de Gooyer, Associate Member, independent security consultant in Amsterdam, gave the fraud fighters an update on "E-Movement of Funds" during his keynote address on the second day. Harold Warren, Associate Member, retired U.S. treasury agent with the Internal Revenue Service, shared his expertise on "Money Laundering from the U.S. Perspective" during the second working lunch. And during the closing session, Joseph T. Wells, CFE, CPA, founder and Chairman of the board of the Association, reviewed the PricewaterhouseCoopers 2001 European Economic Crime Survey and the ACFE's 2002 Report to the Nation during his message, "Occupational Fraud: How Bad is it?"

Participants enjoyed a gala conference dinner on the second night of the conference.

Three Tracks

The Current Issues track session "Money Laundering from the UK Perspective," was presented by Steven Philippson of Philippson Crawfords Berwald of London. Also included in the track was "International Issues: Bridging the Gap Between Europe and the U.S.," delivered by John Tracey of PricewaterhouseCoopers Forensic Services of Birmingham. The third session of the track was "Reporting Suspicions," taught by Paul Friedman, Associate Member, partner, solicitor advocate at Baker & McKenzie of London, and Jane Colston, senior associate, solicitor-advocate at Baker & McKenzie of London.

The last Current Issues breakout was "Fraud Risk Management," presented by David Cafferty, manager, Matson, Driscoll & Damico Ltd. Of London.

The High Tech track session "Fraud in the Cyber World: What's New," was presented by Simon Gunning, Associate Member, technical director at Digilog UK Ltd. of London. The second session in the track was "Cyber Fraud Investigations: What You Need to Know," taught by Simon Janes, CFE, computer forensics international operations manager at IBAS of Opington, Kent. The third session of the track was "Using Graphics to Present Evidence," delivered by Rosemary Joseph, graphic services manager of the Serious Fraud Office in London. The fourth breakout, "Asset Tracing: Using Technology to Locate Assets," was presented by Harold Warren, Associate Member, retired U.S. treasury agent with the Internal Revenue Service.

The Practical Fraud Techniques track session, "Documentary Evidence, Part 1," was taught by Isabel Picornell, CFE, principal, QED Limited, in the British Channel Islands. Kim Harry Hughes, director, Document Evidence Ltd., of Birmingham, presented "Documentary Evidence, Part 2." The third breakout in the track, "Insurance Fraud," was delivered by John Baker, compliance officer at Lloyd's of London. ACFE President and CEO Toby J.F. Bishop, CFE, CPA, FCA, presented the fourth session in the track, "Fraud Prevention," featuring the ACFE's Fraud Prevention Checkup.

Following are synopses of some of the General Session speakers.

Lack of Emphasis on Fraud Investigations Worsening U.K. Problem

"Fraud isn't regarded as a serious crime" by the politicians in the United Kingdom, said Ken Farrow, detective superintendent, City of London Police. He said many politicians are more interested in the problems of violent crime, drugs, motor vehicle crime and burglary. "But the reality," Farrow said, "is that this little old country of ours is totally dependent now on financial services ... We do not manufacture very much. Our tourist industry cannot support a population that's approaching 60 million. If the financial services' industry goes down the tubes, we are sunk."

Farrow said that in the 1930s, the country had about 110,000 police officers. That figure has grown to no more than 140,000, he said, and law enforcement is not able to spend much time on fraud cases. "We are police officers first, fraud investigators second and fraud has to be the second priority when the chips are down," he said. "Chief officers will say - I've got a murder; your fraud cases will have to wait."

But Farrow contended that fraud affects many more people and for longer terms than more visible crimes. "Fraud destroys people more surely than other forms of crime," he said. "You can certainly get over having your car stolen or your house burgled because the insurance picks up the tab. But you cannot get over losing everything. ... I still receive letters from people who were defrauded 20 years ago and have never been able to repair their lives."

Farrow said there is a crisis of confidence among police officers. He said he often receives letters from company execu-tives who have not been able to interest police departments in investigating frauds of six figures in their firms. "They tell me, 'We try to get a local police force to take on our cases but they just tell us we'll have to go with a civil remedy.' The departments say they haven't got anybody available to investigate.

"I hear this from my masters, who say, 'It's not a police problem anyway. Let business take care of its own assets. They caused the problems. It's their marketing policies often that cause these massive losses we're expected to sweep up after.' And yes, there's some truth in that," Farrow said. "But I'm equally quick to respond by asking, 'Who is it you go to when you need money for crime prevention initiatives of all sorts? So don't you think you have a responsibility to companies that actually fund your operations?"

He said the U.K.'s Serious Fraud Office (SFO) must receive more funds. "It's becoming increasingly difficult for the SFO to recruit retired, experienced investigators," he said. "And we need to double the staff (on local police forces) throughout the U.K. We're looking somewhere in the region of 1,200 officers." He said that the country also needs a national fraud squad and about 85 million pounds to support it.

Despite the serious lack of personnel and funds dedicated to investigating fraud, Farrow said he sees new governmental support. The U.K.'s attorney general, home secretary, and Lord Chancellor have said, "Let's try to find the money" to fund the fraud investigation efforts, Farrow said.

He said he hopes pending legislation (beyond the complicated Proceeds of Crime Act) will be designed to confiscate even more assets of fraudsters, drug dealers, and mobsters.

"We're trying to encourage detectives to think about asset confiscation in every case," he said. Such laws will not put criminals in prison but will take away their money "provided we can show that their assets must have been derived through crime because they have no other viable means of generating such wealth. ... We'll be in a position to say, 'Well, you've got all this wealth. ... You never paid tax on it. So now we're going ... to take a big chunk of that money away."

Fraud Often not Discovered Because of Uneducated Staff

One of the major reasons entities have trouble uncovering fraud is because accountants and auditors are not well trained, says Joseph T. Wells, CFE, CPA, founder and Chairman of the ACFE.

During Wells' session, he said PricewaterhouseCoopers' European Economic Crime 2001 Survey reported that respondents indicated that 58 percent of fraud cases they examined were detected by accident or chance. (See following article.) "In my view, Wells said, "we're sending accounting graduates in to do battle with sophisticated liars and thieves and we're doing that without giving them any (fraud examination) training at all.

"Is fraud worse now than it was five years ago?" Wells asked. "The PwC survey concluded that about 40 percent of large European companies were victimized by fraud during the previous two years. ... Call me a cynic but I would say that if you have a large organization, you have fraud," he said.

The study said that only 20 percent of the entities surveyed have been able to recover more than 50 percent of the losses, he said. "I think that's also high," Wells said. "In almost all cases of fraud I have seen, the recovery has been slim or none. People who commit fraud are not likely to be able to afford that luxury.

"People ask me all the time, 'If I were to commit a fraud and didn't want to get caught what would be your advice?' I say, take all you ill-gotten loot and bury it in a coffee can in your backyard until the stature of limitations has expired. And then take it out and spend it," he said. "We catch most fraudsters when they spend their stolen money that they've depended on," Wells said.

The survey reported that more than half of the victimized entities did not change procedures to prevent future incidents, he said. "So there is a lot of fraud that we will never be able to uncover. But with reasonable steps we can prevent a great deal of fraud," he said. "This (PwC) study claims that large organizations are more prone to fraud. And they claim the reason for this is because of loss of control through devolution of operational responsibility from the center." However, Wells said that the ACFE's Report to the Nation on Occupational Fraud and Abuse of 1996, updated in 2002, showed the opposite among Certified Fraud Examiners - small business is more vulnerable by far. The 2002 report showed that the average scheme in a small business caused $127,500 in losses. According to the ACFE study, the average scheme in the largest companies cost $97,000.

The PwC study said that the audit process detects European fraud in 32 percent. "I don't think that's the case," Wells said. "Most auditors, when looking back over their careers, wouldn't say that they uncovered fraud in a third of their cases." The study reported that organizations may choose not to prosecute because of concerns about negative publicity; fear of a long, drawn-out, judicial process; and the belief that the chance of prosecution or recovery of stolen assets is low.

Wells said that genesis of the ACFE's Report to the Nation was his study of the definition of fraud as classically set forth in Black's Law Dictionary: "All multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppression of the truth. It includes all surprise, trick, cunning, or dissembling, and any unfair way, which another is cheated."

This definition implied to him that there were an almost unlimited number of ways people could think up to cheat one another but his experience told him that after investigating and researching thousands of frauds, they seemed to fall into definite patterns. The research project he began in 1993 with the aid of 2,000 Certified Fraud Examiners became the Report to the Nation, which found that there are 44 ways to defraud an entity.

The survey found that out of every 1,000 serious crimes, only 17 fraudsters paid for their crimes. Occupational fraud saddled entities with 6 percent losses both in 1996 and 2002, he said, regardless of the high-profile fraud cases such as WorldCom and Enron. "However, let me caution you," Wells said. "That any estimates regarding fraud are simply that. But we're not talking chump change here. One in six of the cases were in excess of a million dollars, which works out to be about $4,500 per worker per year for the cost of occupational fraud in the United States.

Fraud has much more of an effect on a company than simply missing money, he said. "For example, if you have a 10 percent profit on your product in a retail sore and one clerk steals one sweater then your company has to sell 10 more sweaters to make up for the price of that one theft. So the cost of fraud in direct terms is somewhat misleading," Wells said.

Executive Summary of PricewaterhouseCoopers' European Economic Crime Survey

• Across Europe, 42.5 percent of larger companies have been the victims of eco- nomic crime in the last two years.
• Around 60 percent of frauds are perpetrated by people within the organisation.
• No industry sector is spared. However, financial services appear to be particularly at risk.
• The most prevalent frauds are embezzlement (misappropriation of assets, including monetary assets, by an employee) and breach of trust (misappropriation of assets or financial misrepresentation by management).
• Respondents have outlined cybercrime as the key concern of the future.
• The cost of fraud to those respondents who had suffered and were able to quantify the damage to their organisations was an estimated EURO 3.6 billion over the last two years.
• This equates to an average cost of fraud of EURO 6.7 million per organisation.
• "Collateral" damage includes a detrimental impact on business relationships and staff morale.
• In the detection of 58 percent of frauds, accident or chance plays a significant role.
• Recoveries after fraud tend to be low. Only 20 percent of organisations have been able to recover more than 50 percent of their losses.
• Many organisations do not act on the lessons learned - less than half implemented changes to improve their risk management procedures, leaving them open to fraud again.
• Three quarters of respondents consider the risk of fraud in the future to be at least as high as it is today - one third believe that it will be even higher.

European - U.S. Data War Looming

"In boardrooms across the United States, Europe is suddenly on the agenda," said Chris Brogan, corporate investigator for Security International Limited in London. "In the past three months normally cordial relations between the two allies are being strained to the point of an outright war," Brogan said.

"The growing battle comes in the wake of a new Europe-wide privacy regime that came into force at the end of last year (2001). The new rules demand that any country of business wanting to trade personal information with Europe should embrace a rigorous standard of privacy protection. Any organisation - or country - that cannot protect privacy will be prohibited from conducting international trade," he said.

Brogan said the U.K. Data Protection Act was enacted into law on July 16, 1998 and became effective on March 1, 2000. He defined three legal entities that are created within this legislation: data subject, data controller, and data processor.

A data subject is any living individual, no matter where they are in the world, who can be identified from the data in your possession. This data does not have to be a name and address; it could be a description, a telephone number, or a postal code. In the same environment, a piece of data could mean nothing to one person and yet identify a living individual to another. "When you consider what as fraud investigators do," Brogan said, "it is important to recognize that an innocuous piece of information, before we have finished the assignment, could well lead to identifying one or more individuals and as such would have to be processed in accordance with this legislation."

A data controller is the person or organization that determines the processing that takes place. The data controller is prosecuted or faces a civil action for breaches of this legislation. It is the data controller's responsibility to ensure that the processing of personal data takes place in accordance with the 1998 Data Protection Act, Brogan said.
The data processor is the person or organisation that processes personal data on behalf of the data controller where they are not employed by that data controller. "The data processor does not have to comply with the eight principles of the Data Protection Act, but the data controller ensures this compliance by way of a written contract," he said. "If the contract is not evidenced in writing, this could well be a breach of the legislation, with the subsequent consequences.

The Data Protection Act is based on eight principles. Personal data:

• shall be processed fairly and lawfully;
• should only be obtained and used for a specified purpose and should not be used for any other purpose;
• should be adequate and kept up to date;
• should not be kept longer than necessary;
• must be processed in accordance with the data subject's rights;
• should be kept secure; and
• shall not be transferred outside the European economic area to a country that does not have adequate data protection laws.

Brogan said failure to comply with this legislation may result in any one of
these consequences:

• 5,000 pound fine;
• civil action by data subject;
• case thrown out - information inequitably gathered;
• costs awarded against client;
• thrown out of trade body because of criminal record; and/or
• a visit from the Commissioner's Office.

For more information visit the Web site, www.privacyinternational.org/issues/compliance.

'Faceless' Business Increasing Global Electronic Fraud

Because virtual "e-money" is becoming the norm, the doors are opening to increasing fraud, said Associate Member Gerrit de Gooyer, independent security consultant from Amsterdam.

De Gooyer said the new e-money perpetrators are never seen, commit their crimes from unknown jurisdictions, and cannot be identified using conventional methods.

He said there are four ways to transfer money: 1) physically handling it (paper, cheques, and coins); 2) through machines such as ATMs; 3) through tapes and diskettes; and 4) via credit cards. E-movement of funds is conduced through many means including chip cards, and banking through the Internet and via the telephone.

De Gooyer said that one-third of European companies have secure computer systems as compared to 23 percent of U.S. firms. So if e-money is becoming the norm, disastrous chain reactions are possible. Entities must segregate functions, inspect the routing of e-data, access control, and encrypt messages, he said.

When entities transfer money electronically, they should always: 1) know the customer; 2) know the customer's identification; 3) have the security of no-repudiation; 4) have a date and time stamp; 5) have the transfer authorized; and 6) use a digital signature.

Computer fraudsters often will impersonate Web sites, de Gooyer said, to steal passwords and credit card information. Hackers may also begin their own e-commerce Web sites, place advertisements for the sites in various publications, and then rake in payments without making deliveries. Within a week they will shut the sites down and do it all over again, de Gooyer said.

Biometrics is becoming a common means of thwarting fraudsters, he said. New "smart" ATM cards will contain card owners' embedded photos, which will be compared with photos of card users at ATMs. Iris scans at airports may eventually replace passports, de Gooyer said.

To prevent e-fraud in any entity: 1) make regular backups of all data and software; 2) closely inspect all credit applications; 3) have stringent internal procedures including rigorous password security; 4) sponsor staff fraud awareness training; 5) segregate all duties; 6) establish fraud hot lines; 7) religiously screen all employees; and 8) disseminate IT knowledge throughout executive levels.