Eleftherios Tsintzas (email@example.com) is the Deputy Audit Division Director at Alpha Bank Romania in Bucharest, Romania.
In their 2018 Report to the Nations, the Association of Certified Fraud Examiners reported that the most common method of fraud detection was a tip (40%). For organizations with hotlines/helplines, the number of the fraud cases revealed through tips increased to 46%, and the median losses from fraud were 50% smaller. Also, the duration of the fraud was 50% shorter at organizations with hotlines.
But what happens if an organization has established a hotline, but the overall whistleblowing process has not been designed and implemented properly?
The case described below has been inspired by a true story, but persons and entities mentioned are fictitious.
A serious allegation
Philip was the chief audit executive in the internal audit division of a financial leasing organization. While sitting in his office reviewing a report from a recently completed audit, he received a phone call from the president of the audit committee. The president informed Philip that a serious allegation related to the anti-money laundering practices of the organization was received.
A reporter had contacted the president, revealing that the organization’s practices facilitated laundering funds of customers—shell companies, whose beneficial owners were individuals sanctioned for gun smuggling. Even worse, an employee of the organization had warned the executive management of the organization several months ago about the relevant practices.
Specifically, 10 months ago the employee had contacted the organization’s hotline and had warned that the organizational arrangements in the Know Your Customer area and the internal controls in place allowed customers—companies (possibly linked to sanctioned individuals)—to legitimize funds from illegal activities. Moreover, he had implied that senior officers of the organization were aware of the relevant practices and turned a blind eye, because these transactions improved the performance of the organization and led to increased bonuses.
The audit committee had been completely unaware of such a warning. Philip had also not been informed. How was that even possible?
Their whistleblowing program
The organization had a sufficiently detailed whistleblowing policy in place that encouraged the disclosure of potential wrongdoing (e.g., breach of legal, regulatory, and statutory requirements or unethical behavior and practices), providing guidance on the process to be followed for raising the concerns.
The policy described the hotline operation and the processes that followed the receipt of a report related to potential wrongdoing. Moreover, the hotline, managed by the risk management department of the organization, was easily accessible 24/7, offering confidentiality and anonymity. When a report related to potential wrongdoing was submitted through the hotline, it was received by an appointed employee of the risk management department, who was responsible for assessing the report and discussing it with his/her manager. If the report was considered credible, it should be forwarded to the executive management for review. If executive management considered the report worthy of investigation, it would be forwarded to internal audit. Following its investigation, internal audit would report the relevant results to the executive management and the audit committee.
So what went wrong?
Philip called the risk management department employee responsible for receiving and assessing the whistleblower reports. This person confirmed that the relevant report had been received through the hotline and assured Philip that the process described in the whistleblowing policy had been followed to the line. She had assessed the whistleblower’s report and discussed it with her manager. Both considered the report credible, so they forwarded it to the executive management of the organization for review.
Nonetheless, the executive management had not considered the report worthy of further investigation, and thus no further action was taken. Now Philip was sure of what had gone wrong.
Indeed, the whistleblowing policy had been followed to the line!
However, the fact that, according to the tip, senior officers of the organization were aware of the relevant practices and turned a blind eye was overlooked by the risk management department. Thus, the whistleblower’s report never reached the audit committee, because it was not considered worthy of further investigation by the executive management of the organization. Moreover, the whistleblowing policy of the organization did not require the whistleblower reports to be submitted to a second layer of dissemination, so as to ensure an extra review, independent of the one performed by the executive management. Had such an independent review been required, the whistleblower’s report could have reached the audit committee.
As a result of the above omissions, the money laundering was not revealed, the organization faced multimillion-dollar fines, the reputational impact was significant, and the organization was eventually taken over by one of its competitors.