Cybercriminals Target Save the Children Federation and the Wellcome Trust

Two recent reports have highlighted cybercriminals’ targeting of charitable institutions for cyberfraud schemes.  On December 14, The Register reported that the Save the Children Federation disclosed to the U.S. Internal Revenue Service (IRS) that in 2017 it had lost nearly $1 million to a cyberfraud scheme.  According to the IRS Form 990 tax return that Save the Children filed in August 2018,

IN APRIL 2017, AN UNKNOWN CRIMINAL HACKER OR HACKERS POSING AS A SAVE THE CHILDREN EMPLOYEE FRAUDULENTLY INDUCED THE ORGANIZATION TO TRANSFER $997,400 TO AN ENTITY IN JAPAN ON THE FALSE PRETEXT THAT THE FUNDS WERE NEEDED TO PURCHASE SOLAR PANELS FOR HEALTH CENTERS IN PAKISTAN. BY THE TIME THAT THE FRAUD WAS DISCOVERED, IN MAY 2017, THE TRANSFERRED FUNDS COULD NOT BE RECALLED, BUT SAVE THE CHILDREN WAS SUBSEQUENTLY ABLE TO RECOVER $885,784 FROM ITS INSURANCE CARRIERS TO MITIGATE THE FINANCIAL LOSS. IN ADDITION, SAVE THE CHILDREN COORDINATED WITH THE FBI, AND THROUGH THEM, JAPANESE LAW ENFORCEMENT TO ASSIST IN CRIMINAL INVESTIGATIONS RELATED TO THIS INCIDENT, AND WE HAVE TAKEN STEPS INTERNALLY TO STRENGTHEN CYBERSECURITY AND OTHER PROCESSES TO PREVENT CYBERFRAUD.

IN A SEPARATE INCIDENT, SAVE THE CHILDREN WAS PROVIDED WITH FALSE BANK ACCOUNT INFORMATION FOR A VENDOR, RESULTING IN A DIVERSION OF $9,210 TO AN ACCOUNT IN BENIN. FORTUNATELY, THIS DIVERSION WAS DISCOVERED IN TIME FOR SAVE THE CHILDREN’S BANK TO RECALL $9,090 OF THE FUNDS FROM BENIN, RESULTING IN A LOSS OF ONLY $120.

On December 19, The Times reported that the Wellcome Trust, a major funder of medical and other scientific research in the United Kingdom, disclosed details of two phishing attacks in its 2018 Annual Report.  The technique in this case was a classic spear-phishing attack: four Trust senior executives received emails that purported to be from a colleague, but opening the emails enabled criminals to have access to their emails for a number of months.  While the attacks reportedly did not result in financial losses, the Trust reported the breaches to the United Kingdom Information Commissioner’s Office and Charity Commission and stated that it was taking a number of mitigating actions for this and other kinds of cyber threats.

Note: Information-security and compliance officers at nonprofit or charitable institutions of any kind should take note of these reports, and use them to educate senior officials and employees at their institutions about the willingness of cybercriminals – some of them the agents of North Korea and other state actors – to extort or defraud them, and in the process to risk causing them potentially costly damage.

Some people in the charitable and nonprofit sector might think that their organizations are unlikely to be targeted by cybercrime schemes, because their organizations are not profitmaking and are dedicated to helping others.  In fact, various cybercriminals have shown that they are indifferent to the charitable or beneficial purposes of an organization in conducting their cyberfraud or cyberextortion schemes.  If criminals are willing to inflict ransomware attacks on health-care entities, universities, and state and local governments to extort money from them, and as a consequence risk paralyzing critical operations at those institutions, foundations and charitable causes should not assume either that they are exempt from cyberattacks or that none of their counterparts are similarly being targeted.  As Save the Children and the Wellcome Trust have learned, for some cybercriminals the road to wealth is paved with good intentions.

U.S. Department of Justice Brings False Claims Act Case Against Three YRC Worldwide Subsidiaries for Systematically Overcharging for Freight Carrier Services

On December 14, the U.S. Department of Justice announced that it had filed a civil action on December 12 against three subsidiaries of YRC Worldwide — YRC Freight Inc. (YRC), Roadway Express Inc. (Roadway), and Yellow Transportation Inc. — alleging that these companies violated the False Claims Act by systematically overcharging the government for freight carrier services and making false statements to the government that hid their misconduct.

The Department alleged that, for more than seven years, from September 2005 to at least October 2013, the defendant companies defrauded the U.S. Department of Defense “by millions of dollars for shipments that were actually lighter, and thus cheaper, than the weights for which the defendants charged the government.”  It also alleged that the defendant companies “knowingly made or used false statements concealing their overcharging practices to the Department of Defense.”  According to the Department’s release, the companies

reweighed thousands of shipments and suppressed the results whenever they indicated that a shipment was actually lighter than its original estimated weight.  Thus, instead of charging the Department of Defense for shipments based on the correct weight, the defendants knowingly billed the government (and their other customers) based on weights that they knew to be inflated.  The defendants also allegedly made false statements to induce the Department of Defense to use them as freight carriers and further knowingly made or used false statements to improperly avoid their obligations to correct inflated invoices and return overpayments.

While the complaint did not specify the amount of damages the government was seeking, it stated that

[a]ccording to the records the Defendants kept for their billings to DOD between June 2010 and October 2012, the Defendants submitted to DOD approximately 725 false claims per month. Based on an extrapolation of those false claims per month to the September 2005 to October 2013 period at issue, the Defendants submitted to DOD approximately 70,000 false claims predicated on weights that they knew were too heavy.

This case by the Department is an intervention in a private FCA action that a qui tam relator, who allegedly worked for YRC and Roadway for more than 40 years, had filed in 2008 under the FCA’s qui tam provisions.  Under the FCA, as stated in the complaint, the government’s remedies include treble damages for damages that the government sustains, as well as a civil penalty not less than $5,500 and not more than $11,000, for each violation of the FCA.

In response, on December 14 YRC Worldwide issued a release in which it deemed the government’s claims “totally without merit” and noted that its business with the Defense Department “currently represents less than one percent of YRC Freight’s annual revenue.”

Note: According to a senior Justice Department official, the FCA, including its qui tam provisions, is “one of the government’s most effective civil tools in protecting vital government programs from fraud schemes.”  In one sense, this case is a typical example of a systematic-overcharging FCA case, and is not the first case that the Department brought in 2018 against shippers for inflating the weight of shipments.

It is noteworthy, however, that the Department chose to intervene in a qui tam private action that the relator brought ten years ago.  Earlier this year, the Department’s Acting Associate Attorney General stated that because frivolous qui tam cases can “lead to bad case law, which can undermine enforcement of the False Claims Act generally,” the Department had instructed its attorneys “to consider whether moving to dismiss an action would be an appropriate exercise of the Department’s prosecutorial discretion under the False Claims Act.”  The fact that the Department intervened here, despite the relative age of the allegations, provides some indication of the Department’s confidence in its proof of the allegations.

Former Government Contractor Indicted for Selling Falsified Resumes and Counterfeit Government Training Certificates

On December 12, the United States Department of Justice announced that a former U.S. government contractor was indicted in the District of South Carolina on December 12 for his alleged role in selling falsified resumes and counterfeit U.S. government training certificates to individuals who were seeking employment on U.S. government contracts in Afghanistan between 2012 and 2015.  The defendant, Antonio Jones, is charged with one count of conspiracy to defraud government contractors and the United States, nine counts of wire fraud, and three counts of false statements.

The indictment alleged

that Jones created an entity known as Wolverine Inc., through which he offered job placement services to clients seeking employment with U.S. government contractors in Afghanistan and elsewhere.  Jones allegedly falsified his clients’ resumes and manufactured counterfeit U.S. government training certificates for his clients to make them appear more qualified than they actually were.  Jones and his clients then used the falsified documents in job applications that were submitted to U.S. government contractors, the indictment alleges.  At least two U.S. government contractors, one of which was based in the District of South Carolina, working on a multibillion-dollar Defense Department contract hired personnel allegedly based on false documents that Jones created and supplied or caused to be supplied to them.

Note: This case should prompt compliance officers in companies that do substantial amounts of government contracting to review their procedures for validating documentation that third-party applicants for contracting assignments submit.  Neither of the companies that allegedly hired people who submitted false documentation is alleged to have had any knowledge of the falsity or complicity in the alleged offenses at the time of hiring.  Nonetheless, government contractors need to recognize that the cost to a contractor of establishing or maintaining robust document-validation procedures is preferable to the cost of undermining government agencies’ confidence in that contractor and its hiring processes.

Professor John Darley: An Appreciation

One of the well-established concepts in social psychology and behavioral economics is loss aversion: i.e., “the idea that losses generally have a much larger psychological impact than gains of the same size.”  While psychologists and economists generally discuss loss aversion in the context of tangible gains and losses, loss aversion has some bearing on our response when a person who we know has made significant contributions in life passes away.  Our immediate sadness at the loss of the person can distract us from thinking about and appreciating the gains that he or she provided to society or to specific people.  For that reason, this post is devoted to a brief appreciation of Professor John Darley, with particular reference to aspects of his research and writing that should be of great interest to corporate-compliance professionals.

Professor Darley, who died several months ago at age 80, was not merely a distinguished Professor of Psychology and Public Affairs at Princeton University for many years, but “one of the foremost figures of social psychology” who strongly influenced the growth and development of that field.  His peers recognized him for numerous contributions in the field, through research, writing, and teaching, on such topics as deviance and conformity, stereotyping and prejudice, “morality and the law, the function of punishment, and the way organizations inadvertently promote evil.”

Perhaps his greatest contribution that has special relevance to corporate compliance was his pathbreaking work, with Professor Bibb Latané, on what became known as “the bystander effect.”  Influenced by the famous 1964 murder in New York City of Kitty Genovese, who reportedly was stalked and stabbed to death while numerous people watched but did nothing to intervene, Professors Darley and Latané conducted a series of experiments that they ultimately described in an influential paper and book.  Those experiments prompted Professor Darley to conclude that

more people present at the scene of an emergency could reduce the chances that anyone would help, either due to pluralistic ignorance (the assumption that because no one is helping, everything must be all right) or diffusion of responsibility (a diminished sense of personal responsibility when others are present).

In fact, corporate compliance officers should recognize that the “bystander effect” can arise in certain corporate settings, even in a company that has asserted that it supports a “speak up” culture.  When multiple corporate employees are gathered in a meeting (whether face-to-face or virtual), and some authority figure proposes a course of action that may lead to unethical or illegal conduct, some individual employees in the meeting may be troubled, but the existence of a “speak up” policy or a confidential hotline may be less salient at that moment than the influence of both pluralistic ignorance and diffusion of responsibility in causing those employees not to speak up.

Another of Professor Darley’s works of value to corporate-compliance experts is his 2005 law review article, “The Cognitive and Social Psychology of the Contagious Organizational Corruption.”  In that article, he synthesized a substantial body of social-psychology research and writing in rejecting the theory of “a few bad apples” who are responsible for corporate corruption.  In his view, “some of the people who launch these corruption-initiating acts do not scrutinize these contemplated acts from an ethical perspective. Strange as it may seem, they do not see them as unethical.”  He also posed the question, “What causes the organization to turn itself into one that works together to produce full-blown ethical transgressions?,” and posed a three-part answer:

First, because these others often accept the implied definition that the first actions were ethical in nature, the distance between that first act and the next one that amplifies it are not easily recognizable. Second, these follow on acts are perhaps seen as ethically grey and further are produced out of considerations of group loyalty and commitment. Third, when one is a committed member of an organization, social identity theory points out that we experience an alteration in personality. We “become” the prototypic member of the group, and the cues around us are that the prototypic group members are engaging in the corrupt actions. Thus we do so also. Finally, it is a little noticed truth that our society offers alternate identities to citizens, and some of them allow for acting in ways that, from the perspective of another identity the person could assume, are unethical. (Footnote omitted)

In elaborating on these answers, Professor Darley made a number of key observations about how human beings actually behave:

Many of the actions that begin cycles of corruption are the products of the intuitive judgment system, which means that they are rapidly arrived at, less than consciously considered, and unintentional in their ethical dubiousness. Further, they are often the product of pressure to make fast decisions. And under this condition, they are not subject to the monitoring of the decision, which is done by the reasoning system. As [Professor Daniel] Kahneman comments, “the monitoring is normally quite lax and allows many intuitive judgments to be expressed, including some that are erroneous.” The suggestion that emerges is that the “natural” intuitive decision is likely to be a self interested one. . . . This decision may be overridden by the more deliberate thinking of the reasoning system, but only if something triggers that system into action. Thus, in sum, corrupt actions are often committed by people who are not themselves corrupt.

Corporate-compliance officers who have heard generally about the value of social psychology and behavioral economics in corporate compliance, but are unsure where to begin exploring these fields, should take the trouble to read this article.  Moving away from a “bad apples” theory of how to structure compliance policies and internal controls, and toward a more dynamic view of how people actually behave in uncertain situations, can lead to meaningful improvements in compliance policies, controls, and even training.  Corporate-compliance officers who adopt that approach will therefore have much for which they can thank Professor Darley.

(P.S.: Compliance professionals who want to explore these fields further can begin with online resources such as the University of Texas McCombs School of Business’s “Ethics Unwrapped” website, or books by two Nobel prize-winning professors: Professor Daniel Kahneman’s Thinking, Fast and Slow (2011) and Professor Richard Thaler’s Misbehaving (2015).)

(P.P.S.: I took Professor Darley’s Social Psychology course at Princeton long ago and obtained the “easy A” that his course was reputed to offer, but did not come to know Professor Darley himself.  What I did not expect to get was a lasting set of insights into behavioral influences and “mental shortcuts” that proved meaningful later in my career to understand initially baffling behaviors of both criminals and victims.)

(P.P.P.S.: Professor Darley died of complications from Lewy body dementia (LBD), the second most common type of progressive dementia after Alzheimer’s disease.  There is no cure for LBD, and there is still, as the National Institute of Neurological Disorders and Stroke (NINDS) has tactfully stated, “a great deal to learn about LBD.”  Those interested in learning more about LBD can consult websites such as the Cleveland Clinic, the Lewy Body Dementia Association, the Mayo Clinic, NINDS, the Stanford Medicine LBD Research Center of Excellence, and in the United Kingdom the Lewy Body Society.)

Singapore Charges Two Workers with Corrupt Transactions for Demanding S$1 Bribes

On December 11, the Singapore Corrupt Practices Investigation Bureau (CPIB) announced that two forklift truck operators employed by Cogent Container Depot Pte Ltd (Cogent), a subsidiary of China COSCO Shipping Group, were charged with violating section 6(a) of the Singapore Prevention of Corruption Act, which criminalizes “corrupt transactions with agents,” for demanding bribes of as low as S$1 (US$0.73) from truck drivers at Cogent.

One defendant, Chen Ziliang, was charged with one count of corruptly attempting to obtain from another person a bribe of S$1, as an inducement for not delaying the collection of a container onto that person’s vehicle, and one count of “embarking on a course of conduct between May 2016 and March 2018 of corruptly obtaining gratification of similar value from truck drivers at Cogent, as inducement for not delaying the collection or return of containers onto the vehicles of these truck drivers.”  The other defendant, Zhao Yucun, was also charged with one count of “embarking on a course of conduct between September 2014 and March 2018 of corruptly obtaining gratification of similar value from truck drivers at Cogent, as inducement for not delaying the collection or return of containers onto the vehicles of these truck drivers.”

The CPIB stated that

[e]mployees are expected to carry out their duties fairly instead of obtaining bribes in exchange for favours. Even if the bribe amount is as low as $1, they can be taken to task. Bribes of any amount or any kind will not be tolerated. . . .

Singapore adopts a zero-tolerance approach towards corruption. It is a serious offence to bribe, or attempt to bribe another individual or entity. Any person who is convicted of a corruption offence can be fined up to $100,000 or sentenced to imprisonment of up to 5 years or to both.

Note: Chief legal and compliance officers in global companies – including, but not limited to, companies doing business in Singapore – should use this case as an opportunity to remind their global and regional anti-bribery and corruption (ABC) compliance teams about the importance of tailoring their monitoring, oversight, and training activities to include, when appropriate, country-specific ABC legal prohibitions and limits on transfers of value.  They may also want to communicate an outline of the case to other senior officers, to underscore the importance of their companies’ compliance with all relevant laws in the jurisdictions where the companies do business.

Moreover, if a company’s ABC policy contains any provisions that appear to approve or tolerate facilitation payments in general, the company may need either to communicate that the company will not allow or approve facilitation payments in certain jurisdictions or revise its policy to eliminate any facilitation-payments exception.  While Singapore represents a particularly stringent application of anti-corruption offenses, various other countries do not recognize facilitation payments as an exception to their anti-corruption offenses.  Accordingly, companies should not assume that law enforcement in those jurisdictions will ignore evidence of repetitive facilitation payments merely because the payments are low amounts.