
Corporate LiveWire Fraud & White Collar Crime Virtual Round Table 2025
Richard Freeman is a Director in the forensic accounting team at Forensic Risk Alliance (FRA)’s London office. He has extensive experience with anti-fraud and corruption, internal investigations, regulatory investigations, and due diligence. He has worked with clients and counsel internationally across industries including aerospace, banking, oil and gas, manufacturing, and pharmaceuticals. Notably, Richard managed an FRA team of 30+ forensic accounting professionals supporting Airbus in a multi-year forensic accounting review within the context of a multinational bribery investigation that concluded with a landmark settlement involving the US, UK and French authorities. Richard participates actively in the ICC FraudNet network.
Q&A
- Have there been any recent regulatory changes or interesting developments?
The UK government officially published the much-anticipated failure to prevent fraud (FTPF) guidance on 6 November 2024, confirming that the FTPF offence will come into force in September 2025. As such, to avoid financial penalties, companies that meet a certain size threshold will need to demonstrate that reasonable controls were in place to prevent an employee, agent, subsidiary, or other "associated person" who provides services on behalf of the organization, committing fraud. The guidance recommends that a fraud prevention framework should be informed by six principles:
- Top-level commitment: demonstration by senior management of a commitment to prevent fraud
- Risk assessment: assessment of the specific fraud risks an organisation faces
- Proportionate risk-based prevention procedures: fraud prevention measures should be proportionate to the risks identified and to the scale of an organisation’s activities
- Due diligence: due diligence on “associated persons” to mitigate fraud risk
- Communication, including training: internal and external communication to embed fraud prevention policies
- Monitoring and review: regular monitoring and review of fraud prevention policies and procedures
The offence extends to cover incorporated bodies and partnerships formed in the UK and those formed outside of the UK where a UK nexus is present, such as where an overseas based organisation commits fraud in the UK or targets victims in the UK.
The specified fraud offences included under the FTPF offence include several accounting-related offences, such as false accounting, fraudulent trading, fraud by failing to disclose information, and cheating the public revenue. Organizations must demonstrate proactive measures to address these offences, including having a well-thought-out formal investigations procedure in place, incorporating learnings from their experiences and any sector-specific investigations/enforcement actions. Seeking to rely on the results of statutory audits to uncover fraud will not be considered a sufficient defence against an accusation of FTPF.
FTPF will require a robust anti-fraud control environment. While it is not the role of an auditor to uncover fraud, an audit could identify deficiencies in an organisation’s internal controls. The steps an organisation takes in response to these findings now become more important. If a fraud occurred because of a control weakness that was identified in the audit, an organisation would previously be concerned with conducting the subsequent investigation and explaining the results to the Audit Committee, the Board, the regulator, and potentially shareholders. Now, the organisation would face the additional concern of a potential FTPF offence.
- Are you noticing any new trends in the types of cases being pursued by regulators or in the way criminals are operating?
Cryptocurrencies are starting to be accepted as more mainstream forms of investment and financial instruments and are therefore attracting more attention from regulatory and law enforcement agencies. However, price volatilities and nascent regulatory oversight have allowed bad actors to take advantage of the investing public by leveraging cryptocurrencies as conduits for fraudulent activities. We are now seeing a wide range of schemes perpetrated through cryptocurrencies, including traditional fraud such as investment scams and newer types of cryptocurrency-specific fraud such as smart contract exploits and address poisoning attacks. According to the Chainalysis 2024 Crypto Crime Report, funds sent to illicit addresses reached US$24.2 billion in 2023.
Due to the decentralised nature and complexity of cryptocurrencies, regulatory agencies in the United States have been slow to provide guidance and enact specific frameworks for regulation. Other jurisdictions across the globe, such as the European Union and Dubai, have already passed or debated cryptocurrency-specific legislation. However, the United States has not, instead leveraging its existing legal framework to regulate the cryptocurrency industry. This has led to the phrase ‘regulation by enforcement’ and outcry from the industry for regulatory guidance that identifies the major cryptocurrencies that qualify as securities (falling under the jurisdiction of the SEC) and those that qualify as commodities (falling under the jurisdiction of the CFTC).
The administration change in the US, as well as a Republican-controlled Senate, could pave the way for a regulatory roll out that is seen as more positive by the industry. The passage of proposed legislation could formally classify digital assets from a legal perspective, delineate the roles and responsibilities for regulatory and supervisory agencies, and provide consumer protection benefits. Although potential new regulation and crypto-centric policies may provide more regulatory clarity in the US, this presents new challenges for global firms attempting to comply with country-specific requirements that may require more rigor in the design and implementation of controls for cryptocurrency compliance programs.
Overall, the recent push worldwide on crypto regulations should be seen as a positive for compliance and investigation professionals alike, as global regulations, along with industry engagement, are setting a “higher bar” for the industry. It’s unknown whether these global policies will have a profound impact on the US regulatory framework, but given the heightened focus on stablecoins, travel rule, and AML/CTF, at a minimum, new best practices and global standards will emerge to improve the industry’s ability to curtail illicit activity.
- Are there any examples of inter-agency collaboration in the fight against fraud and white collar crime?
A lot of fraud and white-collar crime is cross-border. Criminals can defraud their victims remotely from thousands of miles away and then transfer the proceeds of that fraud between countries in seconds. As a result, cross-border fraud and white-collar crime is a major problem for authorities and investigators.
However, there are strategies in place to respond to this problem and a key one is inter-agency collaboration. Whilst criminals commit cross-border financial crime, the efforts of national and international enforcement agencies and regulatory authorities also need to be cross-border in nature. Effective collaboration between agencies and authorities ensures that information is shared promptly, and that coordinated action is taken to detect, investigate, and prosecute white-collar crime.
We have recently heard from members of the DoJ and SFO explaining that their working relationship is closer than ever, and the lines of communication are always open. Representatives of both agencies spend time with their counterparts to cement the working relationship. Further, we have seen an increase in the use of mutual legal assistance treaties to support cooperation between agencies in different countries to aid cross-border investigations and prosecutions.
FRA has witnessed firsthand this trend of inter-agency collaboration in many of our biggest cases over the years. In January 2020, Airbus announced its agreement to pay penalties of €3.6 billion, in what was the world’s first simultaneous settlement with four national authorities: the French PNF, UK SFO, US DoJ, and US Department of State. Behind the landmark fine was an equally ground-breaking international collaborative investigation into bribery and corruption.
In December 2022, Switzerland-based multinational technology company ABB reached a “full and final settlement” of $327 million in total, with the National Director of Public Prosecution in South Africa, the US DOJ, SEC, and the Office of the Attorney General of Switzerland related to the legacy Kusile project in South Africa, awarded in 2015.
In March 2024, Gunvor SA pleaded guilty to violating the US Foreign Corrupt Practices Act (FCPA) by bribing Ecuadorean government officials to secure deals with state-owned oil company Petroecuador between 2012 and 2020. The company agreed to pay more than $660 million to resolve the investigation by the US DOJ and Swiss Office of the Attorney General.
These are just some of the examples of high-profile inter-agency collaboration that we have seen, and we expect to see more cases like this in the future.
- What is fraud risk management and why is it so important?
All organisations are subject to the risk of fraud. This is repeatedly demonstrated by well-publicised instances of fraudulent behaviour committed by executives, employees, and third parties. Fraud negatively impacts reputations and brand-strength. At the top end of the scale, it causes companies to collapse, suffer huge losses, and can result in people being imprisoned. Smaller scale fraud can still result in loss of profit, confidence, and trust among stakeholders.
Fraud risk management is an internal initiative that reflects the expectations of the Board of Directors and senior management, showcasing their dedication to integrity and ethical values in handling fraud risk. It focuses on understanding the potential fraud risks relevant to an organization, the factors required to mitigate these risks from occurring or not being detected, and corrective actions when it does.
Effective fraud risk management programmes include ongoing evaluations and mechanisms for the flagging of potentially fraudulent activity. When implemented successfully, such a programme should act as a strong fraud deterrent.
Understanding an organisation’s fraud risk is vital and is normally achieved through a risk assessment. This provides the foundation for devising effective strategies to manage these risks, and whilst it is not possible to eliminate all fraud, it is important for organisations to identify and understand the risk of fraud that is specific to them.
Fraud risk encompasses internal and external fraud and ranges from theft perpetrated by those within an organisation, to more sophisticated schemes such as romance scams and investment fraud supported by AI. Understanding the organisation and how fraud can materialise is the first step in developing robust fraud risk management.
The importance of an effective fraud risk management programme has only increased with the UK’s Failure to Prevent Fraud (FTPF) offence coming into force in September 2025, and the need to conduct a fraud-based risk assessment. The FTPF guidance published by the UK government states that there may be some limited circumstances where it is deemed reasonable not to introduce measures in response to a particular fraud risk. However, “it will rarely be considered reasonable not to have even conducted a risk assessment.” Where an ineffective fraud risk management programme will likely result in an organisation falling foul of the FTPF offence, a well-deployed programme can contribute to its defence.
- How can businesses effectively identify and manage their fraud risk?
For an organisation to be able to identify and manage multiple types of risk, it relies on the presence of an effective compliance programme. A core element of any compliance programme is the risk assessment.
Risk Assessment
A fraud risk assessment is essential in helping organisations proactively identify external and internal risks that can have a significant impact on their reputation, expose them to criminal or civil liability, or jeopardize assets.
It is important for organisations to ensure they conduct a fraud risk assessment, either as a standalone exercise or as part of a wider risk assessment addressing multiple types of risk, such as bribery and corruption. The assessment should be conducted or, as a minimum, reviewed on an annual basis to identify potential fraud risks specific to the organisation. The risk assessment acts as the first step in seeking to identify and manage potential fraud risk.
Once identified, specific fraud risks should be aligned to the organisation’s corporate strategy and regulatory requirements. This will likely need the input from multiple areas and functions and levels of seniority that understand the organisation’s business model.
Having identified potential risks, mitigating measures need to be implemented. This can include developing internal controls to address the identified risks, usually via formalised policies and procedures. Internal controls should be well defined with clear ownership.
Testing and Monitoring
The defined internal controls should also be tested regularly to determine their effectiveness in mitigating the potential risk, and results of the testing should be fed back into the risk assessment process.
Governance
Further, an organisation should clearly identify its three lines of defence and ensure each line knows its role and responsibilities. The first line of defence is typically the operations team, and they will be responsible for identifying the specific fraud risks the organisation faces and conducting the testing of the internal controls. The second line of defence will typically be the compliance team, who will maintain a degree of independence from the business. Their role is to support the identification of the specific fraud risks the organisation faces and review those risks for relevance to the business. They will also perform targeted testing of compliance and financial controls. The third line of defence will typically be the Internal Audit function that should be fully independent from the business. Their primary responsibility should be to assess whether the fraud risk management framework is effective.
Training and Communication
Ongoing training is a key part of effectively identifying and managing fraud risk. Organisations should implement regular awareness training on code of conduct and fraud. If high risk employees are identified during a risk assessment, targeted training should be developed for them.
Culture
Whilst the risk assessment, testing, governance, and training are all important parts of an effective compliance framework, it is equally important that an organisation demonstrates that its senior management are invested in the framework. Elements of the framework should be embedded into the day-to-day activities and corporate culture.
- What are the best practice procedures for internal investigations and are there any rules or regulations regarding how such investigations should be conducted?
Internal investigations are an important tool for any company committed to identifying misconduct. When conducted in good faith and good practice, they enable remediation or self-reporting before issues escalate.
Internal investigators act on behalf of the corporation - not the employees. Their purpose is to determine and understand the facts so that the company can assess whether the allegations are substantiated and what further steps are required. But bias is a key risk in any internal investigation. When investigators judge a set of events or become tied to a certain narrative before the investigation is complete, they are unlikely to consider evidence that disputes their thinking and their findings will inevitably distort the truth. Investigators must maintain objectivity.
Even while acting on behalf of a company, internal investigators should always treat individuals with professionalism and respect, especially when undertaking interviews. The interview is part of the fact-finding process and the interviewees’ position in respect to misconduct allegations must be considered fully and fairly. This means keeping an open mind to the possible conclusion of “no wrongdoing.”
Companies must ensure that their investigators are well-trained and provide adequate resources and support to maintain their fairness during investigations. This might include measures like regular debriefs and upward reporting, involving a larger number of investigators to bring more perspective, or involving outside assistance who do not have close ties to anyone in the company.
In investigations that might have a material impact on the company - reputational or financial - it is in the company’s interest to ensure some level of independent oversight. A good practice is for the company to form a committee of relevant senior managers and independent board members to oversee the investigation process. This independent oversight can challenge poor investigative practices and ensure that alternative hypotheses are given proper consideration.
Companies should also have a process for identifying the investigations that warrant outside assistance from lawyers, forensic accountants or data specialists. For serious matters, this is an important step to reduce the risk of bias and future fallout for the company.
An internal investigation is only worth doing if the process is fair and objective.