S-RM was recently asked to share some of our insights in a roundtable discussion on Fraud, Asset Tracing and Recovery: International Challenges for Corporate Disputes Magazine.
Senior Managing Director, Cyber Security
Billy Gouveia leads S-RM’s cyber team in the US. His practice focuses on helping clients build their cyber security capabilities, protect their data and be prepared to respond to cyber incidents. He joined S-RM from a tech start-up and, over his career, he has worked in management consulting at Booz Allen Hamilton, Sungard, and Protiviti. He previously served in the US Army and holds degrees from Columbia University and Georgetown’s School of Foreign Service.
Kobre & Kim
Jef Klazen focuses on international enforcement of judgments and arbitration awards, as well as related cross-border asset tracing and recovery. Described by the publishers of Global Arbitration Review as “a lawyer who thinks like an investigator” and as someone who “gets great results”, he advises companies and individuals on how to enforce and otherwise monetise judgments and how to recover stolen assets.
Head of Disputes & Investigations
Marcus Fishburn has been the head of disputes & investigations at S-RM since early 2018 and has overseen the growth of a practice specialising in asset tracing and cross-border fraud investigations. He has worked on complex investigations across EMEA, sub-Saharan Africa and South Asia, and his practice involves close collaboration with in-house legal teams and retained counsel. He read Sanskrit at Balliol College, Oxford, and has an MA from King’s College London.
Advisor to S-RM
Richard Blaksley has 30 years of experience in the investigations and business intelligence sector. With 15 years at Kroll, rising to head its EMEA and subsequently Asian regions, he was then an initial partner of GPW & Co. His work has covered multiple jurisdictions on behalf of leading law firms, multinational corporations, private clients and foreign government agencies. Notable cases in which he has taken a lead have been the identification of assets misappropriated by the Bhutto family of Pakistan, the large-scale privatisation frauds of Viktor Kozeny in Azerbaijan and elsewhere, and an early role in the ongoing 1MDB investigation.
Senior Director, Corporate Intelligence
Victoria Brudenell joined S-RM in 2014. She previously spent five years at a London-based corporate intelligence firm, where she specialised in complex investigations and asset traces in Russia and the wider CIS region. Ms Brudenell has an MA from the University of Cambridge in Modern & Medieval Languages. She speaks French and Russian.
CD: How would you characterise the nature and scale of fraudulent activity afflicting the business world? What are some of the defining trends you are seeing?
Gouveia: Three defining trends relate to cyber fraud – phishing, invoice fraud and ransomware. Phishing, and its variants such as ‘vishing’, demand that firms have a strict process in place which enables employees to easily verify that contacts are genuine. Invoice fraud can be prevented by avoiding companies’ reliance on inbound requests to change payment details, no matter how legitimate or familiar they appear to be. And certainly, ransomware attacks continue unabated and pose enormous costs to organisations across different regions and industries. Of note is the increasing prevalence of attackers who threaten to publicly disclose data if the attacked business does not pay the ransom. Therefore, previous efforts to reduce the impact of a ransomware attack by backing up critical data will no longer be adequate protection. Ransomware is best prevented by avoiding phishing and limiting remote network connections, as well as making sure that protection software is installed, applications are kept up to date and data backups are tested.
Blaksley: The prevalence of fraud within businesses, expressed either as a percentage of turnover or the proportion of bad actors among the workforce, has stayed broadly consistent through the ages. What changes is the methodology and, on a basis partially synchronised with the economic cycle, the extent to which it is noticed or prosecuted. The basics have not really changed – greed, hubris, complacency and a lack of checks and controls remain the principal drivers. Supplier fraud, inventory fraud and payroll fraud, and their variants, remain the primary channels. What has increased substantially, in terms of both scale and sophistication, are third-party frauds perpetrated against a business from the outside. Identity theft, impersonation, phishing, push fraud, payment diversion and social engineering have all taken significant tolls on businesses across the board, both large and small, ‘sophisticated’ and ‘naive’. For many years the mantra was ‘beware the enemy within’, and while that cautionary approach must remain strong, external threats are now more dangerous and prevalent than they have ever been.
Brudenell: The risk of fraudulent attacks on businesses is constant. The incidents attracting most column inches are crippling cyber attacks on high-profile companies, and we have certainly seen these attacks have a greater financial and operational impact in the short and medium terms than more ‘traditional’ fraudulent activity, such as the actions of rogue employees. There is an increasing acceptance in the business world that there is a duty to employees and shareholders to put processes and systems in place to mitigate this risk.
Fishburn: Cyber-enabled frauds are becoming more frequent as personal data stolen in past attacks is circulated online. The key trend that we are seeing here is patience. Threat actors often lie low for months once they have access to a company’s systems or an employee’s mailbox. They will become familiar with the company’s organisational structure, while learning to impersonate the senior manager’s tone and language. They will wait until they know that large payments are expected and will target times when governance is less strong or key people are out of the office, such as public holidays. The key takeaway here is that while the initial breach might be a cyber problem with a cyber solution, the rest of the fraud is facilitated by the very human art of social engineering. The only silver lining is that fraudsters’ mistakes also tend to be human in nature: be it excessive spending, an entity hubristically name after a beloved family member or a boast to the wrong person.
CD: What are the main challenges facing those tasked with tracing assets misappropriated by fraudulent means?
Blaksley: Since asset traces began, the ‘hider’ has always enjoyed both tactical and ‘first mover’ advantage over the ‘seeker’. The increase in anti-money laundering (AML) standards and, broadly speaking, the increased observance of the AML processes has progressed at a similar pace to the increase in privacy laws. An unintended consequence of these two parallel, and individually laudatory objectives, is that once a hider has managed, by whatever deception or lackadaisical application of AML controls, to park stolen assets somewhere, the stonewalling afforded to him by enhanced privacy protection rules make the identification of those assets considerably more difficult. At the same time, police resources are increasingly directed toward other areas. White-collar fraud now falls low on the list of priorities and asset recovery has never, in any event, been a function of policing. So, in the UK at least, the combination of investigative powers being limited by enhanced privacy protection and the absence of being able to invoke statutory policing powers means that an evidentiary base for civil court proceedings can be hard to establish.
"For many years the mantra was 'beware the enemy within', and while that cautionary approach must remain strong, external threats are now more dangerous and prevalent than they have ever been"
- Richard Blaksley, Advisor to S-RM
Brudenell: The increased use of cryptocurrencies such as Bitcoin and Ethereum as a means of laundering embezzled or corruptly acquired funds is also a growing challenge in this space, as they are, by their nature, very difficult to trace.
Fishburn: The trend toward a patient and more professional approach to fraud, means that fraudsters are usually well-prepared for what comes next. Assets misappropriated by fraudulent means can be transferred offshore within seconds, but it can take years for the victim, their counsel or law enforcement to unwind these structures. Strings of offshore entities can be used to disguise the flow of funds, hide beneficial ownership and impede investigators. Fraudsters will also store assets in jurisdictions with a weak rule of law and little or no political will to facilitate enforcement by international parties. They will often use paid nominees to hold assets on their behalf, but the challenge is even greater if a fraudster trusts their close family or business associates to act as proxies. Investigators need to be given the licence to pursue leads which might not come to anything, especially if there is a sizeable award in play. The biggest mistake a company can make is to assume that the absence of ‘low-hanging fruit’ means there are no assets whatsoever.
"Technology alone cannot replace the necessity of diligent open source work, couple with well-placed and well-informed human sources."
- Marcus Fishburn, S-RM
Klazen: The main challenges include, first, the high speed at which assets can be moved around or transferred to nominees in order to stay one step ahead of those seeking to recover the assets, second, the ability to shelter assets in banks, trusts and shell companies in countries where information about those assets is neither public nor readily accessible through court-assisted discovery, and third, the lack, in many countries, of police and prosecutors who have the time, training and resources to investigate sophisticated fraudsters.
CD: To what extent is technology helping to both detect fraud and aid asset recovery?
Brudenell: Over the last few years, a number of technological solutions have come to market seeking to assist in online data gathering in aid of asset recovery. These paid-for models mirror the excellent resources released by investigative journalism organisations, such as the Organised Crime and Corruption Reporting Project (OCCRP) and the International Consortium of Investigative Journalists (ICIJ), and shorten the time required to trawl the internet for information. Natural language processing (NLP) is starting to work well to filter out unhelpful results. What none of them do, however, is entirely replace a detail-focused and analytical mind, and while they aid the gathering of information, careful assessment of the data remains critical.
Klazen: Of all the technological developments over the last decade, the widespread use of social media has probably been the most helpful aid to asset recovery. Even when fraudsters are diligent about hiding their stolen assets and their own whereabouts, we often see that the fraudster’s spouse, child or friend has put information online showing off their wealthy lifestyle in a certain location. This often provides useful leads in identifying sources of further information about the assets, such as the name of a luxury hotel in a particular city whose billing records can then be requested through court procedures or the tail number of a private airplane that can then be tracked.
Fishburn: Artificial intelligence (AI) and machine learning (ML) are hugely effective tools for detecting unusual activity or patterns of behaviour and raising fraud alerts. Companies which handle a large volume of transactions, such as securities exchanges, money exchanges and banks, use AI to flag unusual patterns in transactions. A suspicious money transfer can then be temporarily blocked for review by the compliance team. These technologies can be used to identify fraud in real time, rather than after the fact. The ability to conduct forensic investigations on hard drives and mobile devices can be a valuable source of leads for asset recovery. The tools for data capture, forensic analysis and enhanced review are now extremely sophisticated, meaning that relevant data can quickly be unearthed from enormous and unconventional data sets. However, technology alone cannot replace the necessity of diligent open source work, coupled with well-placed and well-informed human sources.
CD: In what ways can the legal and regulatory landscape present challenges to those seeking to pursue, secure and preserve information and assets, often in a number of jurisdictions?
Fishburn: There are several legal and regulatory issues which have a bearing on asset tracing, including company filing obligations, privacy protections, discovery laws, and the availability of interim remedies. From an investigator’s perspective, understanding the variance in these issues between jurisdictions is critical as it helps clients to develop an effective asset recovery strategy and channel resources appropriately. It is also critical to avoid the legal pitfalls which can arise through unfamiliarity with a new jurisdiction. For example, carrying out an asset-tracing investigation in Germany is hindered by stringent privacy laws that prevent legitimate access to many types of public records. In certain states in the US, specialist licences are required to perform any form of investigative work on the ground. And tactics like surveillance are illegal in some jurisdictions or in certain contexts. The General Data Protection Regulation (GDPR) has also resulted in the disappearance of some useful tools, for example in social media analysis, making it more challenging to understand a suspect’s lifestyle and network of associates.
Gouveia: The cross-jurisdictional nature of cyber crime makes attribution and prosecution a severe challenge. In fact, it is interesting to note that a recent ransomware victim took the unusual step of commencing legal action against unknown attackers. Taking legal action could help ransomware victims protect themselves from the legal fallout in the wake of a breach. In early 2020, manufacturing company Southwire filed a complaint in a federal court, seeking damages from unknown hackers. The company also obtained an emergency injunction from an Irish judge to take down a public website hosted by an Irish firm where hackers had posted some of Southwire’s stolen data.
Blaksley: Judgments arising from common law civil proceedings are frequently challenging to enforce in wider jurisdictions. Where awards have been reached through arbitral proceedings, which is significantly less common in the pursuit of civil fraud matters, the provisions of the New York Convention are helpful, but even then can be tortuous to pursue. A combination of dogged legal pursuit, coupled, where the possibility exists, with political pressure and public exposure, can sometimes hasten recovery. The principal challenge facing those seeking to legitimately recover assets is the strict necessity to follow the rule of law that has been advantageously ignored by one’s adversaries.
Brudenell: Some legal systems can be prohibitively slow, expensive, inefficient or corrupt, making successful asset recovery an outside prospect. For example, Nevis, a notorious offshore paradise, requires a US$100,000 bond to begin legal proceedings. And in India, a foreign party attempting to enforce against assets can expect to be mired in delays of several years as they make their way through the local courts, while often combating police investigations and counter-allegations instigated by a savvy local adversary. The key challenge is one of time – the legal and regulatory landscape does not move at the pace of those seeking to take steps to hide information and assets. As a result, legal teams and intelligence gatherers are often playing a game of catch up. A useful way to mitigate this is to be open-minded about legal and investigative lines of enquiry in the early stages of any response, as being too prescriptive, in, for example, jurisdictions to focus on, can cause an opportunity to be missed. Companies have no option but to move quickly when they have the legal right to assume control of computers and phones, as there is often a small window in which to halt any transfers and the deletion of evidence. It is important that in these instances, often involving employee fraud, qualified cyber forensic experts are involved from the outset to ensure the correct chain of custody of the data.
CD: What steps can companies take to overcome the challenges of enforcing asset recovery, particularly in difficult jurisdictions around the world?
Klazen: There are several important steps companies can take. First, they should put robust security systems in place, including cyber security systems, to reduce the risk of being targeted by thieves and fraudsters from outside the company. Second, companies should perform thorough due diligence on potential commercial counterparties to ensure that the counterparty has assets in creditor-friendly countries that could be used to recover a debt if the counterparty fails to hold up its end of the bargain or otherwise causes damage to the company. Third, companies should develop and maintain good relations with local law enforcement so that they will be more likely to assist quickly and effectively when the company believes it has been the victim of a crime. Finally, companies should contact asset tracing and recovery specialists as soon as it becomes apparent that assets have been stolen or are missing, as it is important to act quickly to try to freeze assets through the police, the courts and so on, before they are moved into structures or countries where they are difficult to detect.
Brudenell: It is always helpful to have a plan in place for how to approach asset recovery. Companies that have planned for the worst-case scenario will have trusted advisers on hand and onboarded, and will therefore be able to respond to issues immediately and not be held up by internal processes. If you are trying to recover a significant loss, you do not want to be testing a new relationship – you need support from trusted and well-known providers. Assembling the correct team of experts, including appropriate local legal counsel, is crucial to overcoming any barriers to enforcement. Irrespective of the complexity of the jurisdictions in question, it always pays to be ahead of the game. It is important to follow correct procedure for the jurisdiction in question when serving individuals with notice of legal proceedings. Errors in service are often used as the first line of defence by respondents.
"Irrespective of the complexity of the jurisdictions in question, it always pays to be ahead of the game."
- Victoria Brudenell, S-RM
Fishburn: Asset tracing is always an iterative process and it is critical that companies start that process early. The earlier companies can gain visibility over their adversary’s assets, the stronger their position. Companies entering long-term business partnerships should carry out some preliminary asset tracing work. If the partnership ends in dispute, the company then has a snapshot of its counterparty’s asset position, allowing it to move quickly against assets in the friendliest jurisdictions. The snapshot of assets can also be used to demonstrate whether a counterparty has dissipated assets in response to the dispute – a critical element to obtaining freezing orders. If the most valuable assets lie in jurisdictions which are difficult – either due to an unfavourable legislative climate or the adversary’s protected domestic position – then companies need to think more strategically. A common technique is to inconvenience and embarrass the debtor by targeting their most prestigious lifestyle assets. Of particular use in this regard are movable lifestyle assets such as aircraft and vessels, as these might move into a ‘friendly’ jurisdiction. Disrupting an adversary’s access to these assets, or to a key residential property, will often compel them to negotiate a settlement.
CD: Have any recent corporate fraud cases caught your eye? What lessons can we learn from their outcome?
Brudenell: The introduction of unexplained wealth orders (UWOs) is an interesting development in asset recovery. While they can only be applied by a prosecuting authority, they are a useful weapon in civil claims. Details of their scope and usefulness are still emerging, and it will take some time before they settle into the asset recovery toolbox. It will be interesting to see whether they have any impact on foreign nationals’ willingness to secure money in the UK in the form of property.
Blaksley: Although one needs to be circumspect about cases that are currently ‘live’, the Patisserie Valerie story is notable. For all the wisdom of the board, one has to wonder why the company’s shareholders did not query why their business – which was not fundamentally different to other businesses, similarly located, selling broadly similar products to a largely similar customer base, and yet lacking its competitors’ vast economies of scale – could consistently appear to return such vastly greater net operating margins. It may be wrong to suggest anything before formal findings are declared, but a lack of controls may have played a part.
Fishburn: A recent notable case was the scam perpetrated on Lekoil, an AIM-listed oil exploration company, which saw its share price collapse after discovering that the $184m loan it thought it had agreed with the Qatar Investment Authority (QIA) was fraudulent. Lekoil had paid $600,000 to a Bahamas-based intermediary before realising the loan was non-existent. Lekoil pointed to a “complex façade”, but while it is very early days in the investigation, there appear to have been a number of warning signs: the supposed broker’s website was full of spelling errors and text copied from elsewhere on the internet, the entity had no track record of which to speak, and the interest rate it was offering was well below market rate. Lekoil had ticked the boxes on due diligence, commissioning public record searches by a respected company on the supposed broker. But due diligence is not binary, and clearly the exercise did not go as far as it should have done in terms of investigating either the broker’s track record or the QIA representatives’ bona fides – neither of which existed. Companies fail to undertake proportionate due diligence for many reasons, including penny pinching and wilful blindness, but the cost of that failure can be extreme.
CD: What steps may be taken to pursue recognition and enforcement of judgments in asset recovery? In particularly challenging jurisdictions, how can parties increase the chances of a successful outcome?
Klazen: The key to success is to develop and implement a coordinated, international asset recovery plan rather than taking a country-by-country approach. This allows companies to leverage investigative and legal tools that may be available in some jurisdictions but not in others and deploy them in a way that will most help the overall recovery effort. For example, where there have been US dollar denominated transactions, those transactions will almost always have been processed through a US-based routing bank, even if the point of origin and the destination are in other countries. Broad judicial discovery powers in the US permit someone enforcing a judgment or arbitration award to ask US-based banks for wire-transfer records, as well as bank account information, by serving a subpoena; most banks have entire departments of staff whose job it is to respond to subpoenas. This can be an effective way to trace funds in US dollars around the world. It can also help obtain evidence that the target is trying to hide assets from creditors, which can then be used to seek freezing orders in other countries.
"The key to success is to develop and implement a coordinated, international asset recovery plan rather than taking a country-by-country approach."
- Jef Klazen, Kobre & Kim
Blaksley: Less applicable in the course of normal, ‘run-of-the-mill’ fraud, but we would like to see far greater and more imaginative use of UWOs. Where there is a glaring mismatch between apparent enjoyment of assets and obvious sources of income or wealth, it is reasonable for the courts to seek an explanation. It may be necessary to require some reason for seeking an answer, such as strong circumstantial association with another party’s loss, but nevertheless UWOs, or the concept behind them, have a compelling attraction. There is no record yet of a civil UWO ever being sought, currently they can only be brought by official prosecuting authorities, but were such a concept allowed, it could be a game-changer in civil recovery. In the US, for example, the application of civil Racketeer Influenced and Corrupt Organisations (RICO) Act orders, as first used in Motorola v. Uzan, altered the entire legal landscape in US civil fraud cases.
CD: What essential advice would you offer to companies in terms of building a fraud detection framework that can analyse behaviour, identify trends and raise red flags?
Blaksley: Many of the old rules still apply – companies should enforce mandatory two-week holidays for all staff who exercise any form of internal financial function and insist on no remote working while they are away from the office. A diligent bookkeeper who never takes a holiday is still one of the major red flags for internal fraud. Companies should educate all staff on how phishing attacks and identity fraud works, insist on third-party oral confirmations for all changes to banking details, internally or externally requested. Set up and promulgate a good whistleblowing protocol across the business; do not imagine that your auditors know the first thing about fraud or have any innate ability to detect or prevent it – they do not.
"Fraudsters will leverage tools to obscure digital identifiers, requiring more robust authentication steps to protect organisations from fraud."
- Billy Gouveia, S-RM
Fishburn: Fraudsters adapt, so companies cannot just put a system in place and forget about it. They need to be proactive about keeping up to date with trends in fraud. But despite the rapid innovation in fraudulent tactics and parallel developments in fraud detection programmes, companies must remember that most fraud relies on traditional human failings of complacency, gullibility and blind obedience. There is no technological solution to these problems, only rigorous training and robust processes. If employees really understand the risks posed to their business by fraud, are trained to recognise the warning signs and work in a corporate culture which encourages them to escalate their concerns, then most losses can be prevented.
CD: How do you envisage the fraud, asset tracing and recovery landscape evolving in the years ahead? Are there any specific trends you expect to emerge?
Gouveia: A recent rise in cheque fraud could motivate firms to avoid paper cheques and replace them with safer electronic payments. Attempted cheque fraud increased to $15.1bn in 2018, up from $8.5bn in 2016, and accounted for 60 percent of attempted fraud against US deposit accounts, according to a survey by the American Bankers Association. Successful cheque fraud made up 47 percent, or $1.3bn, of banks’ fraud losses, up from $789m in 2016, closely followed by debit card fraud losses at 44 percent, or $1.2bn. These numbers point to three trends we see emerging. First, digital identity corruption must lead to new fraud prevention strategies. Digital identities have been corrupted at scale as fraudsters skilfully bypass detection systems and exploit the growing grey area between trusted behaviour and what is recognised as fraudulent behaviour. Second, fraud orchestration will continue to grow in complexity. Fraudsters are taking the time to organise multistep attacks that are significantly harder to detect because they demand anomaly detection at multiple stages. Third, single request attacks will surge. Fraudsters will leverage tools to obscure digital identifiers, such as internet protocol (IP) addresses and device fingerprints, requiring more robust authentication steps to protect organisations from fraud.
Fishburn: Investigators are increasing their sophistication in tracking money laundered via cryptocurrencies. However, money launderers are also learning how to use technology such as ‘tumblers’ – which split a payment into payments to various addresses, then combine the funds again – to anonymise transactions. We would expect to see this arms race continue. The other trend, already well underway, is internationalism. Fraud rarely recognises borders, and effective asset recovery requires a global outlook. This means companies will have to collaborate with experienced knowledge experts in the field. Investigators, forensic accountants, digital forensic experts and local counsel all have a part to play in asset recovery. There is no quick fix, but close collaboration between every party, clearly defined roles and a joined-up strategy will often be the making of a successful asset-recovery process.
Klazen: While new data privacy laws can pose hurdles, there are other trends that will facilitate asset tracing and recovery. For example, in 2018, the UK government amended its laws requiring British overseas territories to establish a publicly accessible register of beneficial ownership interests in companies by the end of 2020. Those territories include the Cayman Islands which already has a non-public register of beneficial ownership in place. These registers will provide greater transparency regarding true ownership of companies, even where the shares in the companies are held by nominees. Of course, this will cause some people to simply set up new companies in countries where such information need not be disclosed, but the more countries feel compelled to create such registries, the better from an asset recovery perspective. Data leaks such as the ‘Panama Papers’ and ‘Paradise Papers’ have awoken many people to the realities and complexities of how wealth can be hidden, which, in some countries, has translated into pressure on policymakers to implement laws that facilitate greater transparency.
Blaksley: Internal fraud attempts within businesses will continue to exist for as long as there is business. On average, the volumes and the frequency of such attempts will barely change, but you absolutely can make sure that your business is at the lowest end of the victim scale. Threats from outside the organisation will get more creative, more brazen and more frequent. Banks in the UK will tacitly, and quietly, pull back from their promise to reimburse state victims of push fraud.
Brudenell: We would expect the use of cryptocurrencies in fraud to continue to grow at speed. They are open to abuse by fraudsters as they are an attractive way to store and move money which is difficult to trace. In a decision published in January 2020, AA v Persons Unknown, Re Bitcoin, the English High Court recognised Bitcoin, and by extension other cryptocurrencies, as property. This is a critical step in allowing them to be subject to injunction.
This article was first published in the April-June 2020 version of Corporate Disputes magazine.