Category Archives: Privacy Fraud

Just Like Me

During a joint training seminar between our Chapter and the Virginia State Police held a number of years ago, I took the opportunity to ask the attendees (many of whom are practicing CFE’s) to name the most common fraud type they’d individually investigated in the past year. Turned out that one form or another of affinity fraud won hands down, at least here in Central Virginia.

This most common type of fraud targets specific sectors of society such as religious affiliates, the fraudster’s own relatives or acquaintances, retirees, racial groups, or professional organizations of which the fraudster is a member. Our Chapter members indicate that when a scammer ingratiates himself within a group and gains trust, an affinity fraud of some kind can almost always be expected to be the result.

Regulators and other law enforcement personnel typically attempt to identify instances of affinity fraud in order to prosecute the perpetrator and return the fraudulently obtained goods to the victims. However, affinity fraud tends to be an under reported crime since victims may be embarrassed that they so easily fell prey to the fraudster in the first place or they may remain connected to the offender because of emotional bonding and/or cultivated trust. Reluctance to report the crime also frequently stems from a misplaced belief that the fraudster is fundamentally a good guy or gal and will ultimately do the right thing and return any funds taken. In order to stop affinity fraud, regulators and law enforcement must obviously first be able to detect and identify the crime, caution potential investors, and prevent future frauds by taking appropriate legal actions against the perpetrators.

The poster boy for affinity fraud is, of course, Bernard Madoff. The Madoff tragedy is considered an affinity fraud because the vast majority of his clientele shared Madoff’s religion, Judaism. Over the years, Madoff’s list of victims grew to include prominent persons in the finance, retail and entertainment industries. This particular affinity fraud was unprecedented because it was perpetrated by Madoff over several decades, and his customers were defrauded of approximately twenty billion dollars. It can be debated whether the poor economy, lack of investor education, or ready access to diverse persons over the internet has led to an increase in affinity fraud but there can be no doubt that the internet makes it increasingly easy for fraudsters to pose as members of any community they target. And, it’s clear that affinity frauds have dramatically increased in recent years. In fact, affinity fraud has been identified by the ACFE as one of the top five investment schemes each year since 1998.

Affinity frauds assume different forms, e.g. information phishing expeditions, investment scams, or charity cons. However, most affinity frauds have a common element and entail a pyramid-type of Ponzi scheme. In these types of frauds, the offender uses new funds from fresh victims as payment to initial investors. This creates the illusion that the scam is profitable and additional victims would be wise to immediately invest. These types of scams inevitably collapse when it either becomes clear to investors or to law enforcement that the fraudster is not legitimate or that there are no more financial backers for the fraud. Although most fraud examiners may be familiar with the Madoff scandal, there are other large scale affinity frauds perpetrated across the United States almost on a daily basis that continue to shape how regulators and other law enforcement approach these frauds.

Perpetrators of affinity frauds work hard, sometime over whole years, to make their scams appealing to their targeted victims. Once the offenders have targeted a community or group, they seek out respected community leaders to vouch for them to potential investors. By having an esteemed figurehead who appears to be knowledgeable about the investment and endorses it, the offender creates legitimacy for the con. Additionally, others in the community are less likely to ask questions about a venture or investment if a community leader recommends or endorses the fraudster. In the Madoff case, Madoff himself was an esteemed member of the community. As a former chair of the National Association of Securities Dealers (NASD) and owner of a company ranked sixth largest market maker on the National Association of Securities Dealers Automated Quotations (NASDAQ), Madoff’s reputation in the financial services industry was impeccable and people were eager to invest with him.

The ACFE indicates that projection bias is yet another reason why affinity fraudsters are able to continually perpetrate these types of crimes. Psychological projection is a concept introduced by Sigmund Freud to explain the unconscious transference of a person’s own characteristics onto another person. The victims in affinity fraud cases project their own morals onto the fraudsters, presuming that the criminals are honest and trustworthy. However, the similarities are almost certainly the reason why the fraudster targeted the victims in the first place. In some cases when victims are interviewed after the fact, they indicate to law enforcement that they trusted the fraudster as if they were a family member because they believed that they shared the same value system.

Success of affinity fraud stems from the higher degree of trust and reliance associated with many of the groups targeted for such conduct. Because of the victim’s trust in the offender, the targeted persons are less likely to fully investigate the investment scheme presented to them. The underlying rationale of affinity fraud is that victims tend to be more trusting, and, thus, more likely to invest with individuals they have a connection with – family, religious, ethnic, social, or professional. Affinity frauds are often difficult to detect because of the tight-knit nature common to some groups targeted for these schemes. Victims of these frauds are less likely to inform appropriate law enforcement of their problems and the frauds tend to continue until an investor or outsider to the target group finally starts to ask questions.

Because victims in affinity frauds are less likely to question or go outside of the group for assistance, information or tips regarding the fraud may not ever reach regulators or law enforcement. In religious cases, there is often an unwritten rule that what happens in church stays there, with disputes handled by the church elders or the minister. Once the victims place their trust in the fraudster, they are less likely to believe they have been defrauded and also unlikely to investigate the con. Regulators and other law enforcement personnel can also learn from prior failures in identifying or stopping affinity frauds. Because the Madoff fraud is one of the largest frauds in history, many studies have been conducted to determine how this fraud could have been stopped sooner. In hindsight, there were numerous red flags that indicated Madoff’s activity was fraudulent; however, appropriate actions were not taken to halt the scheme. The United States Securities and Exchange Commission (SEC) received several complaints against Madoff as early as 1992, including several official complaints filed by Harry Markopolos, a former securities industry professional and fraud investigator. Every step of the way, Madoff appeared to use his charm and manipulative ways to explain away his dealings to the SEC inspection teams. The complaints were not properly investigated and subsequent to Madoff’s arrest, the SEC was the target of a great deal of criticism. The regulators obviously did not apply appropriate professional skepticism while doing their jobs and relied on Madoff’s reputation and representations rather than evidence to the contrary. In the wake of this scandal, regulatory reforms were deemed a priority by the SEC and other similar agencies.

Education is needed for the investing public and the regulators and law enforcement personnel alike to ensure that they all have the proper knowledge and tools to be able to understand, detect, stop, and prevent these types of frauds. This is where CFEs and forensic accountants are uniquely qualified to offer their communities much needed assistance. Affinity frauds are not easily anticipated by the victims. Madoff whistleblower Markopolos asserted that “nobody thinks one of their own is going to cheat them”. Affinity frauds will not be curtailed unless the public, we, the auditing and fraud examination communities, and regulators and other law enforcement personnel are all involved.

A Question of Privacy

CreditCards2Our Chapter recently got a question from a reader of this blog about data privacy; specifically she asked about the Payment Card Industry Data Security Standard (PCI DSS) and whether compliance with that standard’s requirements by a client would provide reasonable assurance that the client organization’s customer data privacy controls and procedures are adequate. The question came up in the course of a credit card fraud examination in which our reader’s small CPA firm was involved. A very good question indeed!  The short answer, in my opinion, is that, although PCI DSS compliance audits cover some aspects of data privacy, because they’re limited to credit cards, PCI DSS audits would not, in themselves be sufficient to convince a jury that data privacy is adequately protected throughout a whole organization.  The question is interesting because of its bearing on the fraud risk assessments CFE’s conduct.   The question is important because CFE’s should understand the scope (and limitations) of PCI DSS compliance activities within their client organizations and communicate the differences when reviewing corporate-wide data privacy for fraud prevention purposes.  This will also prevent any potential misunderstandings over duplication of review efforts with business process owners and fraud examination clients.

Given all the IT breeches and intrusions happening daily, consumers are rightly cynical these days about businesses’ ability to protect their personal data. They report that they’re much more willing to do business with companies that have independently verified privacy policies and procedures. In-depth privacy fraud risk assessments can help organizations assess their preparedness for the outside review that inevitably follows a major customer data privacy breach.  As I’m sure all the readers of this blog know, data privacy generally applies to information that can be associated with a specific individual or that has identifying characteristics that might be combined with other information to indicate a specific person. Such personally identifiable information (PII) is defined as any piece of data that can be used to uniquely identify, contact, or locate a single person.  Information can be considered private without being personally identifiable.  Sensitive personal data includes individual preferences, confidential financial or health information, or other personal information. An assessment of data privacy fraud risk encompasses the policy, controls, and procedures in place to protect PII.

In planning a fraud risk assessment of data privacy, CFE’s auditors should evaluate or consider based on risk:

–The consumer and employee PII that the client organization collects, uses, retains, discloses, and discards.
–Privacy contract requirements and risk liabilities for all outsourcing partners, vendors, contractors, and other third parties involving sharing and processing of the organization’s consumer and employee data.
–Compliance with privacy laws and regulations impacting the organization’s specific business and industry.
–Previous privacy breaches within the organization and its third-party service providers, and reported breaches for similar organizations noted by clearing houses like Dunn & Bradstreet and in the industry’s trade press.
–The CFE should also consult with the client’s corporate legal department before undertaking the review to determine whether all or part of the assessment procedure should be performed at legal’s direction and protected as “attorney-client privileged” work products.

The next step in a privacy fraud risk assessment is selecting a framework for the review. Two frameworks to consider are the American Institute of Certified Public Accountants (AICPA) Privacy Framework and The IIA’s Global Audit Technology Guide: Managing and Auditing Privacy Risks.  For ACFE training purposes, one CFE working for a well know on-line retailer reported organizing her fraud assessment report based on the AICPA framework. The CFE chose that methodology because it would be understood and supported easily by management, external auditors, and the audit committee.

The AICPA’s ten component framework was useful in developing standards for the organization as well as for an assessment framework:

–Management. The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
–Notice. The organization provides notice about its privacy policies and procedures and identifies the purposes for which PII is collected, used, retained, and disclosed.
–Choice and Consent. The organization describes the choices available to the individual customer and obtains implicit or explicit consent with respect to the collection, use, and disclosure of PII.
–Collection. The organization collects PII only for the purposes identified in the Notice.
–Use, Retention, and Disposal. The organization limits the use of PII to the purposes identified in the Notice and for which the individual customer has provided implicit or explicit consent. The organization retains these data for only as long as necessary to fulfill the stated purposes or as required by laws or regulations, and thereafter disposes of such information appropriately.
–Access. The organization provides individual customers with access to their PII for review and update.
–Disclosure to Third Parties. The organization discloses PII to third parties only for the purposes identified in the Notice and with the implicit or explicit consent of the individual.
–Security for Privacy. The organization protects PII against unauthorized physical and logical access.
–Quality. The organization maintains accurate, complete, and relevant PII for the purposes identified in the Notice.
–Monitoring and Enforcement. The organization monitors compliance with its privacy policies and procedures and has procedures to address privacy complaints and disputes.

Using the detailed assessment procedures in the framework, the CFE, working with internal client staff, developed specific testing procedures for each component, which were performed over a two-month period. Procedures included traditional walkthroughs of processes, interviews with individuals responsible for IT security, technical testing of IT security and infrastructure controls, and review of physical storage facilities for documents with PII.  Technical scanning was performed independently by the retailer’s  IT staff, which identified PII on servers and some individual personal computers erroneously excluded from compliance monitoring. Facilitated sessions with the CFE and individuals responsible for PII helped identify problem areas. The fraud risk assessment dramatically increased awareness of data privacy and identified several opportunities to strengthen ownership, accountability, controls, procedures, and training. As a result of the assessment, the retailer implemented a formal data classification scheme and increased IT security controls. Several of the vulnerabilities and required enhancements involved controls over hard-copy records containing PII. Management reacted to the overall report positively and requested that the CFE perform recurring views of fraudulent privacy breech vulnerability.

Fraud risk assessments of client privacy programs can help make the business case within any organization for focusing on privacy now, and for promoting organizational awareness of privacy issues and threats. This is one of the most significant opportunities for fraud examiners to help assess risks and identify potential gaps that are daily proving so devastating if left unmanaged.