Introduction
This guide will assist in-house counsel, private practice lawyers, and compliance personnel in developing and implementing policies and practices to mitigate the risk of criminal activity within an organization. As the adage says, ‘an ounce of prevention is worth a pound of cure.’ While there are no guarantees that an organization or its employees will never engage in criminal activity, the likelihood of it happening can be reduced or mitigated by implementing the appropriate programs and procedures.
This guide covers:
- The use of measures to mitigate the risk of criminal activity
- Measures to mitigate the risk of specific types of crimes
- General measures to mitigate the risk of criminal activity
- Monitoring and refining the use of measures to mitigate against the risk of criminal activity
This guide can be used in conjunction with the following How-to guides: Understanding white collar crime and Understanding corporate criminal liability.
Section 1 – The use of measures to mitigate the risk of criminal activity
‘White collar crime’ refers to crimes involving deception, trickery, or breach of trust for financial or business gain. Although white collar crime is typically non-violent in nature, this type of criminal activity is far from victimless. It generally results in damages, including financial losses, physical harm, or detrimental consequences for an organization’s operations or corporate culture. The impacts of white collar crime are also wide-ranging, from employee endangerment through the creation of unsafe working environments, to the manufacturing and distribution of dangerous products, to multi-million-dollar losses that affect not only the organization but also the larger economy.
While external criminal actors may pose real and potential threats to a business, an organization will often find itself most vulnerable to the conduct of the individuals who work within the organization. Criminal activity perpetrated from within an organization may take different forms, from fraud and embezzlement to insider trading and economic espionage. To properly mitigate the risks of white collar crime, it is critical that organizations understand the different types of risks and implement valid and reliable methods of preventing criminal activity in the workplace.
There are various measures that an organization can take to mitigate the risk of crime. These measures include the use of technologies that can help prevent crimes from being perpetrated, conducting ongoing monitoring for the detection of unusual activity, implementing and regularly updating (as necessary) internal policies, and implementing security controls and conducting training. The remainder of this resource considers both measures that can be put in place to mitigate against the risk of the occurrence of certain specific crimes and also more general measures that can be put in place.
Section 2 – Measures to mitigate the risk of specific types of crimes
Organizations may face various threats of criminal activity depending on the industry in which they operate and the specific goods or services they provide. As a starting point, to mitigate the risk of such activity, organizations must understand the legal obligations that they have and the various kinds of criminal activity that they could commit or be exposed to. Once this is understood, organizations should seek to assess the distinct levels of risk associated with different kinds of crimes that are likely to occur within their given industry and organization and put in place measures that will mitigate the risk of those specific crimes occurring.
Some of the most common, and most harmful, crimes that may involve an organization or its personnel are detailed below, together with examples of measures that will mitigate the risks of those crimes occurring.
2.1 Financial transactions
There are several types of illegal financial transaction of which organizations must be aware and which they must work to prevent. Some of the most common are fraud, embezzlement, and money laundering.
2.1.1 Fraud
Fraud is a general term used to describe the use of deception for personal or financial gain. More specifically, corporate fraud occurs when an individual or organization engages in deceptive acts to gain an unfair advantage. Activities that typically constitute corporate fraud include the falsification of financial records, misrepresentation of products in development, manipulation of share prices, and other conduct that deceives stakeholders.
Measures that organizations can put in place to help mitigate the risk of fraud include:
- conducting risk assessments that:
- identify the different kinds of fraud schemes to which the organization may be susceptible, and
- define the risks associated with different fraud schemes;
- regularly assessing the organization’s security posture by reviewing the effectiveness of any fraud defense mechanisms being utilized;
- using accurate and up-to-date accounting practices to help avoid the possibility of corporate fraud; and
- implementing other internal controls, including:
- the use of both internal and external audits to assess whether fraud exists or is a significant risk;
- segregating job duties to encourage oversight and prevent one individual or small group of individuals from having sole control over a transaction or asset throughout its lifespan; and
- developing a reporting mechanism to improve fraud mitigation.
2.1.2 Embezzlement
Embezzlement is the misappropriation of assets or funds by a party to whom those assets or funds were entrusted. It generally involves the entrusted party using the funds for a purpose other than the one intended, thereby committing a breach of trust. It occurs most often in a corporate setting.
Measures that organizations can have in place to try and mitigate the risk of embezzlement include:
- implementing stringent background checks on employees;
- conducting assessments of the risks associated with placing certain funds or assets in the control of employees, especially where it is not necessary for the operations of the business;
- regularly updating risk assessments, especially when changes to the organization’s personnel or operations occur;
- avoiding the creation of opportunities for employees to perpetrate embezzlement (eg, segregating job duties that involve control over company assets, as opposed to placing substantial sums of money in the control of a single employee which may create an opportunity for that employee to attempt to embezzle those funds);
- utilizing proper and ongoing monitoring of the location of assets and the value of funds placed in the control of employees to mitigate the risk of embezzlement;
- utilizing zero-based budgeting to strengthen the organization’s financial control; and
- implementing a system for transaction monitoring and data mining that can assist in the review of bulk transaction data.
2.1.3 Money laundering
Money laundering involves concealing the origins of illegally obtained financial assets, typically by passing them through foreign banks and legitimate businesses. Through this process, the individual or organization laundering the assets seeks to disguise the illegal activity that produced them by transforming the proceeds into funds that appear to come from a legitimate source.
Measures that organizations can have in place to try and mitigate the risk of money laundering include:
- conducting risk-based due diligence of the organization’s customers, partners, and other third parties;
- conducting regular monitoring and surveillance using data analytics and other technological tools that can help identify suspicious patterns and transactions;
- particularly for organizations operating in the financial industry, training employees on anti-money laundering (AML) and terrorist financing laws and requirements, and ensuring that compliance personnel are knowledgeable about any reporting requirements the organization is legally bound to fulfill;
- ensuring the organization’s AML program is aligned with the organization’s risk assessment(s) and reflective of the organization’s day-to-day business operations; and
- providing the organization’s crime prevention team with sufficient resources.
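The transaction monitoring and data mining referred to in 2.1.2, the pattern-based surveillance referred to in 2.1.3, and the segregation-of-duties control in 2.1.1 are all typically implemented as rules run over transaction records. The following is an added example written for this guide, not code from the guide's authors or from any vendor product. It applies three illustrative rules to a constructed set of transactions: a segregation-of-duties check (the user who created a vendor record also approved a payment to that vendor), a structuring check (several cash deposits by one counterparty, each below a reporting threshold, that together exceed it within a rolling window), and a duplicate-payment check. The record format, the USD 10,000 threshold, the window sizes and all names are assumptions chosen for illustration.

```python
"""Rule-based transaction monitoring over constructed sample data.

Added example for this guide (not the guide's own code). The three rules,
the record layout, the thresholds and the windows are illustrative
assumptions; real programs tune these to their own risk assessment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000.00        # assumption: cash reporting threshold (USD)
STRUCT_WINDOW = timedelta(hours=24) # assumption: window for structuring rule
DUP_WINDOW = timedelta(days=7)      # assumption: window for duplicate-payment rule


@dataclass(frozen=True)
class Txn:
    txn_id: str
    ts: datetime
    kind: str          # "cash_in" (customer deposit) or "vendor_payment"
    party: str         # customer id for cash_in, vendor id for vendor_payment
    amount: float
    created_by: str    # user who entered the transaction
    approved_by: str   # user who approved it


def sod_violations(vendor_owner: dict[str, str], txns: list[Txn]) -> list[str]:
    """Segregation of duties: flag payments approved by the user who created the vendor."""
    return [t.txn_id for t in txns
            if t.kind == "vendor_payment" and vendor_owner.get(t.party) == t.approved_by]


def structuring(txns: list[Txn], threshold: float = REPORT_THRESHOLD,
                window: timedelta = STRUCT_WINDOW) -> dict[str, list[str]]:
    """Structuring: per party, a run of two or more sub-threshold cash deposits
    within `window` whose sum meets the threshold. Deposits at or above the
    threshold are excluded; they are reportable on their own, not structured."""
    by_party: dict[str, list[Txn]] = defaultdict(list)
    for t in sorted(txns, key=lambda x: x.ts):
        if t.kind == "cash_in" and t.amount < threshold:
            by_party[t.party].append(t)
    hits: dict[str, list[str]] = {}
    for party, seq in by_party.items():
        start, total = 0, 0.0
        for end, t in enumerate(seq):          # sliding window over time-ordered deposits
            total += t.amount
            while seq[end].ts - seq[start].ts > window:
                total -= seq[start].amount
                start += 1
            if total >= threshold and end - start >= 1:
                hits[party] = [x.txn_id for x in seq[start:end + 1]]
                break
    return hits


def duplicate_payments(txns: list[Txn], window: timedelta = DUP_WINDOW) -> list[tuple[str, str]]:
    """Duplicate payments: same vendor, same amount, within `window` of each other."""
    seen: dict[tuple[str, float], list[Txn]] = defaultdict(list)
    pairs: list[tuple[str, str]] = []
    for t in sorted(txns, key=lambda x: x.ts):
        if t.kind != "vendor_payment":
            continue
        key = (t.party, round(t.amount, 2))
        pairs.extend((prev.txn_id, t.txn_id) for prev in seen[key] if t.ts - prev.ts <= window)
        seen[key].append(t)
    return pairs


# Constructed sample data (not real transactions).
VENDOR_OWNER = {"V-100": "alice", "V-200": "bob"}   # vendor id -> user who created the record
SAMPLE = [
    Txn("T1", datetime(2024, 3, 1, 9, 0), "vendor_payment", "V-100", 4_250.00, "carol", "alice"),  # SoD hit
    Txn("T2", datetime(2024, 3, 1, 10, 0), "vendor_payment", "V-200", 1_500.00, "carol", "dave"),
    Txn("T3", datetime(2024, 3, 4, 10, 0), "vendor_payment", "V-200", 1_500.00, "carol", "dave"),  # duplicate of T2
    Txn("T4", datetime(2024, 3, 2, 9, 0), "cash_in", "C-7", 9_500.00, "erin", "erin"),
    Txn("T5", datetime(2024, 3, 2, 15, 0), "cash_in", "C-7", 9_800.00, "erin", "erin"),   # T4+T5 = 19,300 in 6h
    Txn("T6", datetime(2024, 3, 2, 9, 0), "cash_in", "C-8", 9_900.00, "erin", "erin"),
    Txn("T7", datetime(2024, 3, 5, 9, 0), "cash_in", "C-8", 9_900.00, "erin", "erin"),    # 3 days apart: no hit
    Txn("T8", datetime(2024, 3, 3, 9, 0), "cash_in", "C-9", 12_000.00, "erin", "erin"),   # above threshold: excluded
]


def run_rules(txns: list[Txn] = SAMPLE, vendor_owner: dict[str, str] = VENDOR_OWNER) -> dict:
    """Run all three rules and return their findings keyed by rule name."""
    return {
        "sod": sod_violations(vendor_owner, txns),
        "structuring": structuring(txns),
        "duplicates": duplicate_payments(txns),
    }


if __name__ == "__main__":
    for rule, findings in run_rules().items():
        print(f"{rule}: {findings}")
```

On the sample data the rules return T1 as a segregation-of-duties hit, T4 and T5 as a structuring run for customer C-7, and T2/T3 as a duplicate payment; T6/T7 fall outside the 24-hour window and T8 is above the threshold, so neither is flagged. The point for a compliance team is that each rule encodes a policy decision (who may approve what, which threshold, which window), and those decisions should trace back to the organization's risk assessment rather than to whatever defaults a tool ships with.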
For more information on money laundering and compliance requirements, see How-to guides: How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern, How to ensure sanctions screening and sanctions due diligence is effective, How to identify suspicious activity and make a Suspicious Activity Report (SAR), and How to monitor Bank Secrecy Act (BSA) compliance.
2.1.4 Antitrust violations
The general purpose of antitrust law is to ensure organizations compete fairly. At the federal level, there are three primary antitrust laws:
- the Sherman Antitrust Act of 1890, which prohibits competing businesses from forming agreements that would unreasonably restrain trade;
- the Federal Trade Commission Act of 1914, which empowers the Commission to establish rules, prescribe requirements, investigate, and seek relief; and
- the Clayton Antitrust Act of 1914, which prohibits certain forms of price discrimination, tying agreements (whereby customers are forced to buy one product or service to receive another), and mergers that could substantially reduce competition or that tend to create a monopoly.
Measures that organizations can have in place to try and mitigate the risk of antitrust violations include:
- training employees to avoid the discussion of certain issues with competitors, such as pricing or the division of customers or territories, as these conversations could appear to influence competitive pricing in the market, which violates antitrust law;
- taking antitrust risk into account with regard to the organization’s mergers and acquisitions strategy by assessing the risk of government antitrust investigations post-closure, evaluating the possible impacts of these transactions on labor markets, and understanding the fact that non-compete terms will likely be closely scrutinized;
- considering whether the organization has a valid, demonstrable need to employ exclusivity agreements. In some contexts, exclusive dealing agreements may be deemed reasonable. However, where these agreements effectively tie up sources of supply for a single entity and foreclose them to others, this may reach the level of an antitrust violation if doing so makes it hard for companies to emerge or compete in the market;
- staying abreast of legal developments relating to antitrust, including internationally;
- implementing robust internal monitoring and auditing mechanisms to proactively detect potential antitrust issues, including reviewing internal communications (eg, emails, chat messages) and business data for red flags, and conducting regular, unannounced audits of high-risk business units or activities; and
- establishing a clear and accessible confidential reporting structure for employees to raise concerns about potential antitrust violations without fear of retaliation, and ensuring that all reported issues are promptly and objectively investigated by qualified personnel.
For further information, see How-to guides: Understanding antitrust and unfair trade practices law and your organization’s compliance obligations, How to build a culture of antitrust law compliance, and How to identify and manage antitrust and unfair trade practice risk; and Checklists: Antitrust compliance and Meeting with a competitor.
2.1.5 Transnational crimes – human rights violations
Transnational crimes are crimes deemed to violate international law (eg, terrorism, organized crime, cybercrime, etc), and the negative consequences of such crimes transcend state lines and national borders. By perpetrating white collar crimes, organizations may unwittingly become complicit actors in violence, forced labor, child labor, the funding of the repression of human rights, and terrorism.
Measures that organizations can have in place to try and mitigate the risk of engaging in transnational crimes include:
- using lawful employment practices and recordkeeping procedures to mitigate the risks of engaging in, or being complicit in, illegal practices like those mentioned above;
- considering the use of state and federal verification systems, where available, to validate employee information, including the ages of their national or international employees;
- conducting routine risk assessments and operational evaluations to proactively address areas in the organization that may be vulnerable to criminal activity, as well as conducting regular trainings and audits to ensure compliance with labor laws;
- implementing robust due diligence processes for third-party relationships, including suppliers, distributors, agents, and business partners, to ensure they also adhere to human rights standards and are not involved in illicit activities; and
- establishing clear codes of conduct and ethical sourcing policies that explicitly prohibit engagement in or complicity with human rights abuses, and providing channels for employees and external stakeholders to report concerns without fear of reprisal.
2.2 Individual/employee risk areas
At first glance, crimes perpetrated by an individual employee, or carried out on the behalf of an individual employee, might seem to carry less weight than larger, white collar corporate schemes. However, crimes committed on an individual level, or perpetrated on behalf of an individual, should not be underestimated and carry with them their own risks. As such, organizations should be familiar with common types of individual/employee crimes to properly identify and address this sort of unlawful conduct.
2.2.1 Theft
Employee theft can come in many shapes and sizes. From petty theft to identity theft and hacking, individual crimes can pose real and serious risks to any organization. Theft can cause economic damage to a company. It can also cause reputational damage, for example, if an employee acting in their own interests stole large amounts of customer data to sell it on the dark web. Virtually any employee with access to company assets can commit theft. Companies should prioritize their anti-theft and other security measures according to the type of company assets that may be stolen.
2.2.2 Immigration-related offenses
Immigration document fraud includes the forgery, alteration, or improper acquisition of immigration-related documentation. For an organization, the commission or cooperation in this crime can not only subject the business to legal consequences, but can also create danger for other employees of the business who may have provided some assistance to the fraudster, either unintentionally or from a benevolent motive. To mitigate the risk of immigration-related offenses, organizations should develop a firm policy against the use of improper immigration documentation, conduct thorough background checks of potential and current employees, and educate their management personnel on ways to identify fraudulent documents.
For further information, see How-to guide: How to prepare for a US Immigration and Customs Enforcement I-9 audit.
Section 3 – General measures to mitigate the risk of criminal activity
To best mitigate the risk of criminal activity, it is crucial that organizations develop and maintain an effective compliance program to assist in the prevention of criminal acts. An effective compliance program should include the development of a culture of ethics, policies and procedures, the implementation of appropriate security controls around systems and documents, training and communication, and due diligence measures (for employees, agents, third parties, customers, etc).
3.1 Developing a culture of ethics
A compliance program can only be effective in preventing criminal activity if a sense of accountability is embedded within the organization. Developing company policies and procedures and training and communication protocols will not help prevent white collar crime unless a culture of ethics is created within an organization from the top down, starting with company board members, executives, and management.
Further, accountability must extend to lower-level employees so that all personnel have a clear understanding of what is expected of them and what their duties are with regard to preventing criminal activity and maintaining compliance. Thus, the individual or group assigned to oversee the compliance program should communicate compliance-related expectations and duties to personnel so employees can effectively meet these expectations.
It may also be valuable for organizations to utilize rewards and incentives to promote diligence and honesty internally amongst employees. For instance, an organization may offer the possibility of promotions or bonuses for personnel who consistently exemplify honesty and integrity in the performance of their job duties. These rewards can help reinforce the organization’s commitment to its core values and ethical guidelines by rewarding behaviors that align with those values and guidelines.
Some researchers have identified personality traits that make a person more prone to committing white collar crimes. Some of these traits have also been linked to business success. Creating a culture of ethics will involve setting boundaries for behavior, and demonstrating an unwillingness to overlook unethical behavior that profits the organization, even if that behavior does not necessarily amount to criminal activity.
3.2 Policies and procedures
In an effort to prevent criminal activity, organizations must establish security policies and procedures based on the organization’s overall security strategy. Importantly, there should be strong legal precedent that helps substantiate the use of any crime prevention policies and provides necessary legal support in the event of a crime being committed. An organization seeking to implement crime prevention and mitigation policies and procedures should work closely with counsel to ensure its policies and procedures are compliant with applicable laws and regulations.
Policies and procedures for mitigating the risk of criminal activity may include, but are not limited to:
- policies and procedures for limiting the number of accounts that have access to certain data or other assets of the organization, consistent with the principle of least privilege;
- policies and procedures on limiting the use of the internet or of certain internet sites;
- policies and procedures for the mandatory use of encrypted file transfers;
- policies and procedures for conducting risk assessments and gap analyses;
- policies and procedures for monitoring, reviewing, and logging security events;
- policies and procedures for internal or external vulnerability testing with explanations of any circumstances that warrant the use and frequency of such testing; and
- policies and procedures for change management protocols.
3.3 Implementing appropriate security controls
Simply informing personnel of the consequences of illegal conduct may deter some bad actors; however, in many instances where criminal acts have been committed and discovered, such warnings proved insufficient on their own. Thus, it is critical that companies establish and utilize appropriate security controls to thwart potential criminal activity.
Physical security controls can be effective in detecting suspicious activity before a crime occurs. For example, security systems that utilize cameras and motion sensors can be useful in allowing an organization to monitor the activity of employees while also discouraging the commission of crime. It is important that these devices are placed only in common areas and working spaces, and not in areas that invade employees’ privacy (eg, restrooms).
Since a significant amount of criminal activity is conducted online, cybersecurity controls are also imperative. As a first step, organizations should ensure that all personnel maintain knowledge on the most common kinds of cyber-attacks so employees can more readily recognize potential security threats. Second, organizations should implement various security control measures, all of which should focus on one or more of the following areas:
- accounts payable and accounts receivable;
- the use of company credit cards;
- payroll and reimbursement of expenses;
- adequate segregation of job duties;
- access to the organization’s information systems; and
- physical access to the organization’s premises.
Specific security controls may include, but are not limited to, the following:
- key cards and employee identification numbers for physical and electronic access to the organization and its network;
- multi-factor authentication;
- strong password security mechanisms for all work devices;
- anti-virus and anti-malware software;
- encryption of data at rest and in transit, including on Wi-Fi networks;
- data loss prevention (DLP) software;
- maintenance and monitoring of firewalls;
- automated patch management tools; and
- preservation and maintenance of off-network (offline) backups.
3.4 Training
Training is a fundamental element of any successful compliance program. In developing an effective and efficient white collar crime training program, it is useful for organizations to start by understanding some of the reasons people commit white collar crime. According to one study, white collar criminals may not immediately realize the consequences of their crimes because they may not believe these sorts of crimes directly harm people in the way that violent crime does. For that reason, it is important to cultivate an environment focused on ethics and to embed applied ethics (ie, ‘practical ethics,’ which seeks to answer the question of how individuals should behave in particular situations) into any white collar crime training program.
Organizations should tailor training to the risks relevant to their organization and employees. Organizations that work, for example, in the financial industry, will likely need to develop training that focuses more heavily on issues like theft, fraud, and embezzlement, while organizations operating in technology may need training that applies more to issues of antitrust and environmental violations.
Training should provide a basic understanding of the law, cover the key provisions of the compliance program, and be tailored to the director, employee, or third-party’s area of work. Personnel assigned to conduct the training should include a question and answer or conversational element in the training session to increase engagement through direct interaction.
Training personnel should also require participants to take a test at the end of the training, for which they can earn a certification showing that they have successfully completed the course. It is also important that training staff track who has attended the training with a receipt or acknowledgement of attendance.
There are many approaches to the development and delivery of training on white collar crime, and the most effective approach will depend in large part on the size and culture of the organization, as well as the industry in which the organization operates. Large organizations with hundreds or thousands of employees might do well to use outside contractors who can develop different training programs specific to the needs of different work groups and the risks of criminal activity that are most relevant to those groups. Conversely, smaller organizations may be able to save time and money by developing a single training program that is easily adaptable. Organizations should assess their corporate environment and structure to determine what sort of training program will best fit their needs.
Training and education to mitigate the risk of criminal activity should occur at least annually to refresh employees’ knowledge and address changes in the law or compliance methods. It is critical to maintain ongoing tracking and records of the personnel who have completed training and set a deadline for training completion each year.
3.5 Due diligence measures
While it may be impossible to predict all criminal acts that may occur, organizations have a myriad of options available when it comes to preventing crime. One of the most powerful ways to prevent criminal activity is to conduct thorough due diligence of anybody directly connected to the organization (ie, both internal and external due diligence).
Internally, organizations should conduct thorough due diligence of all employees. For example, conducting pre-employment background screenings of all potential employees can help an organization discover whether any prospective employees have criminal convictions, behavioral issues in past employment positions, financial difficulties that may be a motivating factor for theft, or have falsified their information on their application for employment. Any of these circumstances should raise a red flag for an organization seeking to mitigate the risk of criminal conduct.
See further How-to guide: Completing criminal background investigations.
Externally, organizations should conduct due diligence on prospective partners, affiliates, suppliers, and other third parties to ensure the risk these entities may pose to the organization is accurately assessed. Additionally, organizations should conduct scrupulous due diligence when seeking to acquire or merge with another business entity to ensure any criminal activities of that other entity do not become connected or attributable to the organization.
Section 4 – Monitoring and refining the use of measures to mitigate against the risk of criminal activity
4.1 Benchmark for effective mitigation measures
Compliance benchmarking is a process by which organizations measure the effectiveness of their measures against best practices of the industry in which they operate. These benchmarks can provide useful data necessary to assess the effectiveness of the compliance program, as well as identify areas in need of improvement.
It is important that organizations maintain knowledge of industry best practices to ensure their business is operating in accordance with such practices. Organizations should utilize technological tools (eg, cloud-based compliance monitoring software, audit management software, and AI-generated recommendations for compliance and risk, etc), as well as personnel trained to utilize such tools (eg, compliance officers, IT, and operational risk management specialists) to effectively and efficiently evaluate the company’s compliance program. Doing so will help ensure the business is in compliance with legal and regulatory requirements, as well as help mitigate the risks related to non-compliance, including lawsuits, fines, and damage to the organization’s reputation.
4.2 Lessons learned and changes based on risks and liabilities
Any mitigation measures should be subject to regular review for effectiveness. Reviews should occur at least annually, but organizations may want to implement more frequent reviews to be conducted every six months or every quarter to further mitigate the risk of criminal activity.
Additionally, a review of mitigating measures should be conducted after the organization has had to take remedial action in response to a security breach or other threat of criminal activity. This is necessary in order to determine the extent to which the mitigating measures were effective in mitigating risk.
To begin the process of measuring the effectiveness of mitigating measures, organizations may gather data from a variety of sources, including corporate culture surveys, risk assessments, internal and external audit results, among others. To properly assess the data from these sources, it is important to determine the key performance indicators that the organization will use to measure the effectiveness of its mitigating measures. Key performance indicators may include, but are not limited to, the following:
- how frequently policies are reviewed or updated;
- the number and types of code violations that have occurred;
- the duration, frequency, medium, test results, and rates of completion of training;
- the number and types of incidents involving personnel who previously completed one or more training programs;
- the rates of reported incidents according to each reporting channel made available;
- the average time it takes to identify a compliance issue and the average time it takes to fully resolve it, which can indicate the efficiency and effectiveness of the organization's detection and response mechanisms; and
- the financial impact of compliance failures, including fines, penalties, and legal costs, which can provide a tangible measure of how well mitigation strategies are preventing costly incidents.
No matter which factors an organization utilizes in assessing its mitigating measures, the primary goal of a review following remedial action is to determine how the program can be improved to prevent similar occurrences in the future.
4.3 Monitoring new legal developments and adapting based on changes
It is crucial that an organization's compliance personnel actively and continuously monitor changes to the legal and regulatory landscape that directly impact their operations and legal duties. This is not a passive activity; it requires a proactive and systematic approach to stay ahead of evolving risks.
For example:
- For a financial institution, monitoring new anti-money laundering (AML) and counter-terrorist financing (CTF) regulations is paramount. If the Financial Crimes Enforcement Network (FinCEN) issues new guidance on beneficial ownership reporting, the institution would need to revise its customer onboarding procedures, enhance its due diligence protocols, and retrain relevant staff to ensure compliance. Similarly, changes in sanctions lists from the Office of Foreign Assets Control (OFAC) would necessitate immediate updates to screening software and transaction monitoring systems.
- For a manufacturing company with international supply chains, staying abreast of new environmental regulations (eg, stricter emissions standards in a country where a key factory operates), labor laws (eg, new minimum wage requirements or worker safety standards in a sourcing country), or import/export controls is essential. A new ban on certain chemicals used in their manufacturing process in a particular jurisdiction would require immediate reformulation of products or a shift in sourcing, along with updated internal policies and employee training.
Additional resources
Related Lexology Pro content
How-to guides:
Understanding white collar crime
Understanding corporate criminal liability
How to protect your company from violations of the United States Foreign Corrupt Practices Act
How to protect your organization from third party liability under the FCPA
How to self-report a suspected FCPA breach
Checklists:
Anti-bribery risk assessment
What to include in a FCPA compliance program
FCPA due diligence of third-party intermediaries
Charitable and political donations and gifts, travel, entertainment compliance
Conducting an internal investigation into suspected criminal activity
Completing criminal background investigations
Reliance on information posted:
While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.