Image Credit: Douglas Okasaki/©Gulf News

The perpetration of fraud by a company’s management or individual employees can have a massive impact on the organisation’s operations, finances, value and reputation. And with the UAE government taking fraud very seriously, companies should ensure they take all steps to not only deal with it promptly and effectively, but to also proactively manage long-term risk by preventing fraud in the workplace.

Fraud ranges from breaches by individuals and companies of anti-money laundering (AML) regulations, trade and sanctions laws, to all types of financial crime. Essentially, anything that involves embezzlement, corruption or lying, or that could result in a whistle-blower situation for a company or in an employee’s summary dismissal, falls under the fraud umbrella.

The first steps a company takes upon discovering fraud are crucial to minimising damage. Reporting the fraud internally to the company’s compliance officer and senior management is key, and it may then be necessary to report it externally, either to a local or foreign regulator, the police or the public prosecutor. The extent of the reporting obligations will depend on many factors, including the industry in which the company operates, whether the company is a regulated entity and whether the company operates onshore in the UAE or in a free zone.

Companies may be able to conduct their own internal investigation and resolve the issue privately, thus keeping some control over the process. Under these circumstances, the next key step in investigating the fraud internally would be to carry out thorough due diligence to understand the facts fully and to ensure that management is properly prepared before speaking to the employees in question.

The company will need to check its internal processes (employee or company handbooks, HR policies, employment contracts, etc), taking into account data privacy considerations. Companies with a robust corporate governance infrastructure already in place find the process less challenging, as they will understand what measures they can take right from the start.

Confining the investigation to a company’s own internal procedures and avoiding broader disclosure may not be an option, however, as the company may be under an obligation to notify the police and/or regulators if the crime is in breach of public interest (such as AML regulations), gives rise to a health and safety or security issue, jeopardises client or third-party assets, or if the employee in question is a flight risk.

For example, the UAE Criminal Procedures Code sets out the crimes that can be settled amicably by the parties. Similarly, the Emirates Securities & Commodities Authority has a specific list of crimes that can be settled privately and others that have to be reported because they are considered to be in the public interest, such as cyber crime, which would be handled by the new cyber crime unit within the public prosecution system.

In a whistle-blower situation — or an investigation instigated by a regulator — the company will have no choice, and, once reported, will to a large extent lose control over the process.

Although there is clearly a negative impact on its reputation if it reports fraud and is embroiled in scandal, the company must consider the impact if it fails to report it — and is then seen as a company that tolerates criminal behaviour. In addition, the company risks directors’ and corporate criminal liabilities if it fails to notify authorities in a timely manner.

This is particularly relevant in the UAE’s financial free zones — the Dubai International Financial Centre and the Dubai Financial Services Authority — where regulators enforce a strict position on reporting timelines on the disclosure by regulated entities of material developments.

Reporting fraud will have wider implications if the company has international exposure — for example, a foreign company with a branch in the UAE with regulated activities. Regardless of whether dealing with local or foreign authorities and/or regulators, it is key to be as cooperative, open and transparent as possible, and there can be very serious consequences when the company is not.

The police can decide to incriminate the company reporting the behaviour, as well as the individual, and the actions of a rogue individual can be construed as evidence of broader company behaviour resulting in liability of the company’s officers.

Proving criminal intent by a corporate entity is difficult, but senior management’s awareness can often be taken as proof or acceptance of such intent. And there have been several local and international high-profile cases where entities have been criminalised and governments have extracted huge fines as a result.

Fundamentally, a company’s best protection against fraud is ensuring it has a robust corporate governance infrastructure in place to provide better clarity and swifter response. Having clear policies and procedures, training employees regularly on dealing with third-party fraud (whether private or government entities), and most importantly, living the values, rather than undergoing a “tick the box” exercise, are paramount to managing risk effectively.

The writer is the UAE Head of Corporate & Compliance at Baker McKenzie Habib Al Mulla.