Whistleblowers in the Gulf Proceed With Caution

Who commits fraud in the Gulf? The answer from respondents to the survey conducted by the Economist Intelligence Unit for this Global Fraud Report may be an uncomfortable one – especially in a region where even large firms are often privately controlled, usually by members of the same family.

The survey found that, where a company based in the region has uncovered a fraud in the last year and the perpetrator is known, in 42% of cases a C-level executive or middle manager took a leading role in the crime’s design and execution. This is the highest such figure for any region: it was 30% in the Asia-Pacific region, 35% in Europe and 39% in North America. If you take into consideration those crimes where junior employees were involved, the number of fraud incidents in the Gulf jumps to 63%.

Respondents to the survey in the Gulf do not expect this will change. High staff turnover was the most frequently cited cause of increased exposure to fraud in the region, mentioned by 36%. Two-thirds of all fraud that companies in the Gulf discover are committed by individuals who understand the vulnerabilities of the business and are therefore capable of manipulating operational and security vulnerabilities to their advantage.

To date, no country in the Gulf has overarching legislation that provides clarity (or comfort) regarding the treatment and status of whistleblowers or even the management and application of the information provided by them.

So while employees can represent a fraud risk, employees are also a key asset in a robust fraud protection system. In the Gulf, however, many organizations at the shareholder and board levels fail to recognize that their employees are their most effective first line of defense. According to our survey, fraud in the region comes to light most often through an internal audit (in 44% of cases where a fraud was found). In only 20% of cases is the discovery due to a whistleblower’s report. The opposite should be true. In fact, the proportion of frauds unmasked by a whistleblower in the Gulf is lower than that of any other region in the world. The global average is 41% and is as high as 48% in North America, where more than 50% of whistleblower reporting comes from employees.

This low level of employee reporting in the Gulf is driven by two main factors: first, the absence of corporate systems to report wrongdoing; and second, the lack of federal laws for whistleblower protection in the private-sector, particularly if their identities are discovered and they become involved – with or without their consent – in investigations. In other parts of the world, whistleblowers are often legally protected and may even be awarded for the disclosure of information that leads to prosecution. In the Gulf, the situation is starkly different. Kroll has worked on cases in which whistleblowers are harassed, threatened, penalized and, in some cases, have their employment terminated. Unsurprisingly, such treatment discourages disclosure of information to either employers or regulators, even in situations where employees are required by law to report criminal wrongdoings.

On the corporate governance side of the problem, there are a few reassuring indications that the landscape may be changing for the better. In our survey, for example, 35% of respondents from the region reported that their firms intend to invest in new or additional whistleblowing programs and anti-fraud staff training in the next 12 months. Although small relative to the proportion of businesses affected by employee fraud, this figure is still above the global average of 28%.

Such spending is consistent with the growing recognition we find among our Gulf clients that internal reporting will have a direct impact on the reduction of fraud. That said, the success of a whistleblower program depends on several factors. Measures, such as an email address dedicated to internal audit, a fax machine in the corner of an office or the inclusion of superficial language in the company’s code of conduct, singly or collectively, are inadequate and hardly constitute a whistleblowing program. In one case, Kroll found that an employee of a company did not report gross misconduct committed by the CEO because the chief compliance officer responsible for dealing with whistleblower complaints, directly reported to the CEO. Such a scenario does not provide would-be whistleblowers with any confidence in how they might be treated if they report wrongdoing. And if wrongdoing is not being reported, the assumption is that a large percentage of fraud may well be undiscovered. With 42% of fraud committed by senior executives, it is important to maintain reporting lines to officers who are independent of, and isolated from, senior management.

We are often asked by clients how to establish an effective whistleblower protection program. There is no off-the-shelf solution, but rather the program must reflect the true nature of the company – its size, operations, geographies, activities, types of transactions, exposure and so on. Several key pillars, though, are universally necessary to facilitate the creation of an effective program. Firstly, and most importantly, corporate leadership must consciously and proactively create an overarching culture of disclosure and good governance and then support its implementation. This should lead to a number of other crucial elements of fraud control: robust internal audit and compliance functions; clear and obligatory contractual responsibilities for employees along with well-publicized rules and procedures; actionable code of conduct guidelines; transparency in how the fraud prevention system works; fraud response plans and; continual staff training. Embedded in this context, a specific whistleblower protection program requires well-publicized rules and procedures; independent hotlines; and clear policies on the management of information, including the treatment of those who provide it.

As for the second general problem noted above, the legal status and treatment of whistleblowers in civil and criminal matters are usually defined by labor laws and penal codes. To date, however, no country in the Gulf has overarching legislation that provides clarity (or comfort) regarding the treatment and status of whistleblowers or even the management and application of the information provided by them. However, a number of governments in the Gulf region are at the beginning of paving the way for appropriate legislation and procedures to be implemented. The United Arab Emirates, for example, is expected to establish a Federal Authority for Combatting Corruption (although the law has been drafted, at the time of publishing the Authority is yet to be established). The legislation will cover all types of wrongdoing in the private sector, including conflicts of interest, money laundering, breaches of trust, bribery and embezzlement. Relevant here, the legislation will also issue regulations regarding the protection of whistleblowers from civil, administrative or criminal prosecution. The Dubai Financial Services Authority, the regulator in the Dubai Financial International Center (an economic free zone that constitutes the financial district of Dubai), requires entities to have the appropriate procedures and protections in place to facilitate the reporting of wrongdoing by employees. Although it does not extend to non-regulated entities or companies outside the free zone, the interplay between onshore and offshore businesses encourages a wider culture of compliance and reporting.

A complete discussion of whistleblowing in the Gulf requires two caveats. First, the region is not alone in providing insufficient whistleblower protection. Even in some developed economies around the world, the nature of those safeguards remains weak or is still evolving. In the Gulf, a region where financial markets were created only in the last two decades or so, it is understandable that gaps and challenges will exist for some time to come.

Secondly, improved whistleblowing programs are not standalone solutions to fraud. The information they provide may be incorrect or malicious in nature. One example from a recent case involved an email from a whistleblower that disclosed what appeared to be serious allegations of wrongdoing; when investigated, however, it transpired that the writer’s motivation was to undermine a transaction involving the acquisition of a company. In less serious instances, some people inevitably engage in supposed whistleblowing because they feel aggrieved at being passed over for a promotion or pay raise, or wish to undermine a colleague or manager.

A properly designed and executed internal investigation will help senior executives consider the information provided by whistleblowers and decide on next steps. Their investigation needs to assess the severity of the situation and ensure that company systems and assets are not vulnerable to further attacks. A further key question is whether to call in external counsel or even the authorities—a decision largely driven by a company’s industry and regulatory requirements.

It may be tempting to look the other way. We have encountered many situations where confusion and panic after a fraud incident has taken place prevented corporates from implementing plans to combat internal fraud. Clients often fall victim to internal impediments and bureaucracy too, or even lack of budgets to deal with fraud. What might appear to be a small problem, though, is usually the tip of the iceberg. Failing to act on a tip-off can mean the company ends up spending more money after a regulator or public prosecutor becomes involved because in such cases that the public officials take over and dictate the direction of the investigation.

The bottom line is that whistleblower programs are an essential tool in the perpetual struggle against crime, and one which companies – and governments – in the Gulf need to protect and employ better, especially if they are to bring down the region’s high levels of fraud.