Insiders & Their Significant Others

Nefarious partnerships expose utilities to fraudsters seeking big paydays.

By: Nick Farwig, Samantha Regan, Scott Scholten & Sophia Carlton, CFE

Your top trader just booked a 90-day natural gas swap at twenty cents per MMBtu above market. The confirms match and the trade appears legit, even though it doesn’t make any sense. Turns out your trader shared some non-public info about a certain nuke plant that’s going to be off-line. Armed with that tidbit, the merchant-generator counterparty was more than happy to take above-market gas, knowing that his smallest gas plant would be dispatched for most of the next three months. And so your trader pockets a fat margin to pad his bonus, while the other side quietly inflates the ISO market-clearing price, creating a windfall for the balance of his 1,500 MW fleet.

Utility insiders have myriad options to enter into nefarious partnerships with politicians, trading counterparties, contractors and vendors.

One doesn’t have to look too hard to find headline examples of a utility’s trust and shareholder value destroyed by insider-outsider collusion. Utilities’ unique price regulation alone makes them especially vulnerable to insider-outsider collusion. Add to that the massive reliance on third parties during storm response, the wide array of contractors interacting with utilities’ immense footprint, and energy traders motivated by big incentive packages, and it’s no wonder utilities are prime targets for insider-outsider fraud.

The Threat of Insider-Outsider Collusion

When more than one person conspires to commit fraud, the threat is exponentially greater than single actors working alone. Insider-outsider collusion is effective because co-conspirators bring complementary incentives and abilities to cover their tracks, enabling such partnerships to circumvent controls more easily than a lone wolf. For example, the use of local suppliers and contract laborers in field operations often lacks adequate transaction communication records to validate compliance with pricing and procurement protocols.

Fraud partnerships also open opportunities that don’t exist when insiders or outsiders work alone. The figure below showcases the complex web of financial, regulatory and reputational damage these fraud partnerships can enable.

[Figure: Insider-Outsider Partnerships]

With so many insider-outsider collusion opportunities, utilities require targeted prevention and detection to reduce the risk of material losses and prolonged reputational damage.

Ten Actions to Curb Insider-Outsider Collusion

How can you strengthen your defense against insider-outsider threats? Below are ten actions you can take to protect your company. As every utility is unique, it's a good idea to get help from independent fraud risk experts to formulate your strategy and determine the combination of actions that best suits your organization.

  1. Strengthen audit trails. For transactions involving third parties, check that the system-of-record properly date-stamps and records the user who carried out the approval. Adopt mandates for real-time recording of in-the-field transactions (such as storm response or ad-hoc procurements). Similarly, mandate recording of minutes of any meetings with regulators or government officials, and review trader communication capabilities to close the loop on the potential for unrecorded conversations.
  2. Commit to segregation-of-duties basics. This includes assignment rotations and mandatory vacations across critical roles, including leadership, procurement, committee members, and employees with significant ties to third parties. Flag and investigate employees who push back on a rotation plan, resist taking time off, or only want certain individuals to cover for them.
  3. Enforce internal controls. Few things exacerbate fraud losses like documented-but-unenforced controls. Review and reaffirm delegations of authority for oversight and monitoring of day-to-day access and process controls. Automate where possible to strengthen preventative controls. Facilitate non-compliance escalation and communicate consequences so that employees and contractors alike understand that controls are not to be side-stepped.
  4. Pay attention to relationships. Insider-outsider collusion doesn’t manifest instantaneously, and the relationships behind it leave trails. Your third-party risk management should include vetting who in your organization is connected to key vendors, regulators, politicians, customers and counterparties, as well as the duration of the relationships (especially if they pre-dated the professional relationship).
  5. Increase the perception of detection. Even a small allocation of your risk budget for “surprise audits” can be a powerful deterrent. When employees know unexpected audits are possible, they’re less likely to attempt fraud.
  6. Monitor communications. Leveraging confirmation processes, audits, keyword algorithms and the like, monitoring communications shared on your network is paramount. Investigate employees if their communications lapse into unintelligible code, seem unrelated to their primary roles or appear to skirt your company’s policies and procedures.
  7. Implement proactive analytics. Strong processes and controls alone cannot eradicate the threat of insider-outsider collusion. But fraud activity leaves a signature, often a departure from normal process patterns. Defining indicators that highlight workarounds and embedding them in machine learning algorithms or other analytics can exponentially improve fraud detection.
  8. Foster an ethical culture. A strong, tone-at-the-top driven anti-fraud culture is a business imperative, but it requires constant vigilance. Building the right mix of documented expectations, coupled with anti-fraud training at all levels of the organization, can bring a fraud-aware culture to life.
  9. Maintain internal and external hotlines. Easily accessible reporting mechanisms increase the chance of earlier fraud detection and reduced losses. Supported by awareness training, hotlines augment fraud defense through targeted tips, usually based on first-hand observation. Importantly, hotlines should be enabled for both internal and external parties, as external sources often contribute significant hotline tips.
  10. Encourage and protect whistleblowers. A whistleblower policy that makes your company’s stance clear, focusing on a “zero tolerance” of fraud, is invaluable. The policy should outline what constitutes fraud, the consequences for engaging in fraud or internal control breaches and the mechanisms for whistleblowing (such as your hotline).

Implementing these actions should be paired with clear ownership of monitoring. Assigning responsibility for consolidating and reporting is needed to drive transparency and realize the synergy of these layered defenses.

Arm Your Company with the Right Defenses

Tackling fraud should consider the breadth and depth of both internal and external threats, and where the two collide. Insider-outsider collusion has the power to circumvent good controls and processes and leave a wake of unwanted financial, reputational, and regulatory damages.

While fully preventing these partnerships from forming may not be possible, implementing a layered, targeted set of actions can vastly reduce your exposure.



Catriona Ayer, CFE

MBA | CFE | Closing the Digital Divide | Tech Policy Expert

1 yr

Thank you! It’s an important topic, and often dismissed as “it couldn’t happen here.” But it can.

Ray Ramsay

Risk Management Professional | CPRM | Behavioural Risk and Risk Culture Specialist | Behavioural Psychologist | Veteran - Ex Reservist | Best Selling Author

1 yr

Great share Sophia Carlton, CFE. Love your work.

John D. Heaver

Operational Excellence Expert | Strategic Visionary | Transformative Leader | Investor | Veteran | Mentor | Mentee

1 yr

Good share thanks Sophia #fraudfighters
