Going Soft 2 February 2013 5 years ago The US appears to be leading the way in anti-fraud software, which claims to be able to detect fraud by scanning huge amounts of data in the blink of an eye. But does that mean us humans can leave it to the computers to come down hard on those suspected of fraud? Unlikely, says Aziz Rahman. The computer age seems to be a phrase that has been used for decades, as technology has encroached on every aspect of modern life. And yet there always seems to have been areas where it has been assumed that computers could never beat the human mind. But if one development in the US is to be considered at face value then it appears that the computers have stepped into one more place where we never thought they would tread. Computers have been used in fraud for many years. Computer databases of potential victims used in boiler rooms, the hacking into online accounts for illegal gain and identity theft via the internet have become an unfortunate part of modern life. Those perpetrating fraud have latched onto the computer as a powerful means to an end just as much – if not more so – than those of us with more honest intentions. It does seem, however, that the computer is looking to mount a fightback of sorts against those who use it to secure ill-gotten gains. There is now a generation of software that can identify and examine documents, transaction trails or emails that do not seem to be “above board’’. This technology, developed by the US military, has been coming into civilian use in recent months. Hopes are high among many that the software will take away the need for companies or individuals to be ever alert to the potential for fraud in their workplace. Its supporters believe that detecting fraud will soon involve little more than examining what the computer programme flags up rather than examining the movements and behaviour of employees and then interrogating them. After all, why do all the work when the computer can do it for you? Taken at face value, the software sounds amazing. It is supposed to be able to sift through text documents, emails and social media in a way that no previous software could. All the time it is doing this, it is looking for discrepancies in data, any of around 3,000 words or phrases that are (or at least are likely to be) used by those committing fraud and patterns of dialogue. Its searching is based on what academics have called the “fraud triangle’’ – the existence of three factors considered necessary to prompt someone to commit fraud. Those three factors are pressure, opportunity and rationalisation. Or to make it clearer: you feel the need to commit the fraud, you see the chance to do it and you can justify it to yourself. The software is supposed to detect phrases that indicate such conditions. If there is a rise in such indicators then an investigation is triggered. It all sounds perfect, doesn’t it? But can it really be so simple and straightforward? I think not, for a variety or reasons. Firstly, we have seen computer programmes developed for all manner of tasks, both menial and complex. Some have met with success while others have been quietly shelved after what is often called “underperformance’’ but usually means failure. In cases of the latter, factors have often become apparent afterwards that explain why a computer system that was claimed to be the great cure-all flopped so miserably. The reasons why such factors were not apparent earlier may vary from changing circumstances through to blind or wilful ignorance or the desire to sell a potentially money-spinning software system. At this stage, no one can say for certain if such factors exist regarding this great anti-fraud software. But what we can say is that the human factor has to be factored into fraud and its detection. Who can say for sure this new system is fool proof? Will it detect fraud? And if it does, what will it cost to follow up with an investigation? And what if the investigation shows that the software’s suspicions are groundless? There are too many ifs and buts about anti-fraud software. Fraud is a crime carried out with intent by humans. And just as we vary in our appearance, beliefs and tastes, it is equally likely we will differ in our approaches to fraud. Some may succumb to it, those who do may carry it out in wildly contrasting ways and may “advertise’’ the fact to anyone investigating through a huge range of signals. It seems improbable that any anti-fraud software could be so comprehensive as to anticipate and identify all of this. However much such software may cost. The theory of the fraud triangle does at least get it right when it comes to pressure and opportunity. People commit fraud because they feel they have to and because they believe they can get away with it. This latter point is arguably the most important when it comes to fraud. Addressing this holds the key to fraud prevention – far more than any software system could. If people do not believe they can get away with fraud it is extremely unlikely that they will try it. That is not a computer’s discovery; it’s just basic human nature. Introducing an anti-fraud workplace culture may not sound particularly state of the art but it has, so far, proved to be far more effective than any anti-fraud software being marketed. Staff appraisals, vetting of potential staff, a handbook outlining expected standards of conduct and credit checks on potential clients and third parties may not be thrilling and new but they can be worthwhile. Legislation introduced in recent years has placed business people under greater scrutiny and made them much more responsible than they have previously been for the actions of their company and those who work for them. Senior company figures are now criminally liable under a raft of legislation for their firm’s wrongdoing if it was carried out with their consent, connivance or neglect. Whereas they used to only be responsible under the Theft Act of 1968, they now have to comply with the Bribery Act 2010, the Companies Act 2006 and the Fraud Act 2006. The Bribery Act alone makes a company criminally responsible for any corrupt behaviour by its staff, agents and third parties anywhere in the world. At the same time as this extra legislation has started to have an effect, the Serious Fraud Office (SFO) is looking for more self-reporting of wrongdoing by companies. It will soon be able to use the recently-announced Deferred Prosecution Agreements (DPA’s) to seek admissions of wrongdoing without the cost and uncertainty of going to trial. Meanwhile, HMRC can use the Code of Practice 9 (COP9) to get to the bottom of the affairs of anyone it suspects of tax fraud. Whether it is a low-level employee subtly helping himself to a client’s money in the office or a high-ranking employee working abroad using bribes to gain contracts, the consequences will not be good for a company found to have had fraud perpetrated in its name. The authorities are keen to be seen to be cracking down on fraud – and their bite is starting to look as ferocious as their bark, thanks to the new powers they have been granted. This makes placing fraud detection in the hands of miracle software either very brave or very foolish. Or both. Most doctors advocate prevention rather than cure. They tell us it is the best medicine for us: you are less likely to be ill if you take all possible steps to prevent illness. With fraud, a similar approach can keep a company in good, legal health. By adopting a strong, anti-fraud workplace culture a company can prevent the need for any computer trickery. If a company acts on advice to ensure it is legally compliant and creates a workplace environment where whistle blowing is not only encouraged but acted upon, it can show it has taken all possible steps to tackle fraud. Whistle blowers inside a company know how it functions. If we put it in terms of the fraud triangle, they are likely to know what pressures colleagues are under, what scope they may have for committing fraud and quite how they would rationalise it. Creating a facility for whistle blowing within a company would be a way of tapping into such knowledge. But such a facility is also a way of a company showing it has faith in what its employees tell it and that they will act on it. Whether whistle blowing is done anonymously or confidentially, it is a way for a company’s senior figures to gain information that will help it identify fraud or remove the potential for it. Due to certain legal restrictions, the creation and running of a whistle blowing facility has to be done carefully. The right legal advice is necessary. The right legal advice is also immensely valuable when ensuring a company is legally compliant. Being able to show that a company took and acted on the best legal advice to make it as fraud-proof as possible will go a long way to protect it from future allegations of fraud and wrongdoing. It will also make it less likely to fall victim to fraud committed against it by one of its employees. So far, the software hasn’t been invented to do all of this.