by Arild Dyngeland, Ole Johannes Thue Jerving and Rebecca Hodnekvam
CEO fraud refers to the act of deception by an individual assuming the identity of a high-ranking official within a company, particularly the CEO, and instructing a subordinate to carry out a specific investment or transaction into a fraudulent account. Consequently, the fraudster succeeds in acquiring investments or payments for personal gain.
With the rapid advancement of technology and increased digitalization, transactions and investments have become expedited, prompting companies to seek the most efficient means available to safeguard the company's assets. While these developments have proven advantageous for the economic market in many respects, they have also led to a significant rise in fraudulent activities and swindling.
Despite being a seemingly straightforward process, CEO fraud can result in substantial losses for the victimized company or party. According to a survey conducted by Finans Norge and Bits KAS, Norwegian companies reported 154 occurrences of CEO fraud in 2018, amounting to a cumulative loss of NOK 34 million.[1] Additionally, in 2020, the Norwegian bank DNB Bank ASA confirmed that their corporate clients were exposed to fraud risks totaling at least NOK 138 million.[2]
Fraudsters typically establish contact through electronic channels, such as email, SMS, phone calls, or letters, wherein they fabricate the identity and location of the messenger. The fraud may involve social manipulation tactics to convince the recipient to invest in a particular company. For instance, the fraudster may emphasize the urgency of the investment, demanding immediate action outside the realm of normal authorization and security protocols. Under such circumstances, the fraudster coerces the employee to carry out unconventional investments or unauthorized transfers from the company's accounts.
In recent years, criminal parties engaging in such fraud have become increasingly sophisticated, employing convincing and intricate methods. In certain cases, the fraudulent party gains control over internal communications, sensitive information, and procedures, often monitoring them for several months before executing a profitable transfer. For instance, an investment fund fell victim to a NOK 100 million fraud in 2020 when criminals hacked the fund's e-mail system and manipulated a transaction to a fictitious account in Mexico.[3]
While technological measures to prevent CEO fraud are limited, there are several administrative and procedural steps that can be implemented to mitigate or reduce the risk. Please see below for some examples of strategic measures that can be employed.
Setting Anti-Fraud on the Board of Directors' Agenda
According to section 6-12 of both the Norwegian Private Limited Liability Companies Act (the "Private Companies Act") and the Norwegian Public Limited Liability Companies Act (the "Public Companies Act"), the board of directors of a Norwegian company has the highest level of responsibility for the proper management of the company. The board shall ensure an acceptable organization of the business. The board's responsibilities include the duty to supervise the day-to-day management and the company's activities in general, cf. Section 6-13 of both the Private Companies Act and the Public Companies Act. The regulation means that the board, as a corporate body, has the overall responsibility for managing the business and ensuring that it is organized and operated within the framework set out in legislation, the company's articles of association and instructions from the general assembly.
Setting anti-fraud measures on the board of directors' agenda is the fundamental step for safeguarding the company against fraud of any kind.
Enhancing Communication and Education on Risk Within the Company
It is crucial to inform and educate all employees about the prevailing and constant risk of CEO fraud against the company. Furthermore, it should be emphasized that fraud occurrences tend to increase when the senior executives of the company are on vacation or are temporarily replaced.
Authorized employees responsible for transactions and investments on behalf of the company should adopt a vigilant approach before proceeding with any investment or transaction. For instance, the relevant personnel are advised to meticulously investigate the company or transaction under consideration along with its duly registered CEOs, and to acquaint themselves with the target company's financial statements and remuneration report. Any transaction outside normal payment routines, e.g. a payment to an account in a country with which the company normally has no transactions, an unusual or large amount, or pressure for haste, can indicate fraud. Such meticulous procedures and awareness serve as effective safeguards in detecting and exposing illicit actors.
Adopting Defensive Measures and Robust Routines
In addition to highlighting the risk of fraud, the company should invest time in educating their employees about the latest fraud methods. Employees must also understand that seemingly innocuous information shared about themselves, or the company, can play a significant role in facilitating fraud.
Companies should establish stringent authorization and payment completion procedures, and provide regular training of all employees. Examples of effective routines include two-step verification for authentication, confirmation through encrypted email, and transferring an initial, smaller sum before larger transactions to confirm that the recipient account is correct.
Companies should also invest in robust data security measures, e.g. centrally managed computers and devices and the use of only pre-approved apps on company computers and telephones, alongside other security measures and audit and control procedures. It is recommended that the company decide on a secure score to be maintained.
Liability of Banks and Service Providers
According to the Financial Contracts Act ("FCA") section 3-49 (1), service providers are held liable for any economic loss resulting from their failure to fulfil their obligations. The general obligations of service providers are outlined in FCA section 3-1 (1). To establish liability, the loss incurred must fall within the provider's reasonable foreseeability. Additionally, the service provider is responsible for losses caused by subcontractors.
The question of whether the service provider's duties have been breached is based on traditional assessments of negligence. The standard of conduct depends on an interpretation of the first paragraph of section 3-1, which must be supplemented and clarified by other sources in accordance with the practice and theory of professional responsibility. There is a breach of the standard of conduct if the service provider has acted in breach of provisions in agreements, legislation or regulations; cf. Section 10. The provision provides for liability for damages both in and out of contract.
As indicated above, the regulation in the contract with the bank will be the starting point for the assessment. The company should familiarize itself with the regulation in all contracts with its banking partners and seek to include detailed regulation of the bank's obligations and control mechanisms when executing transfers of assets.
In addition, the bank may be liable on the basis of negligence. In determining the standard of care, it is essential whether the bank acted within the relevant applicable codes of conduct in the area at the time of the transactions. It is also relevant whether the bank has complied with the obligations in the contract with the customer. Furthermore, causal factors and omissions on the injured party's part are important both for the expectations that should be set for the bank's conduct and when weighing up who is closest to bearing the loss.
External Accountants' Liability
An accountant is legally obligated under section 5-4(1) of the Norwegian Accountants Act (Nw: Regnskapsførerloven) to fulfil their obligations in accordance with the rules and regulations outlined in the Norwegian Bookkeeping Act (Nw: Bokføringsloven) ("BKA") and the Norwegian Accounting Act (Nw: Regnskapsloven) ("ACA"). Furthermore, their accounting practices must align with recognized standards of good accounting practice. This includes the responsibility to assess and inform client companies if their current transaction and investment procedures are inadequate to withstand hacking and fraud.
It is important to note that neither of the mentioned acts specifically regulates liability for damages. The law stipulates that a written contract must be established between the accountant and the client company. The preparatory works emphasize that the accountant's liability should be determined based on generally accepted contractual principles.
The company must carefully consider the contracts with accountants and familiarize itself with any regulations limiting the accountant's liability or responsibility. In addition, robust guidelines for approval and conducting payments should be established, as well as clear obligations for following agreed approval regimes.
Cyber Insurance
Cyber insurance has emerged as a vital insurance solution in response to the growing risks associated with data breaches and fraud. This specialized insurance provides coverage for a company's liability in the event of a data breach involving sensitive customer information.
Certain cyber insurance schemes go beyond liability coverage and offer valuable assistance to mitigate the impact of breaches. These services may include timely customer notification in the event of a breach, restoration of personal identities for affected customers or employees, recovery of compromised data, and remediation of damages to technical systems, such as email. Recognizing that breaches and fraud can lead to operational downtime due to technical disruptions, some schemes also provide compensation for loss during business interruptions.
It is important to note that not all cyber insurance schemes extend coverage for losses resulting from CEO fraud. Additionally, some schemes may include disclaimers regarding reduced coverage due to the client company's own negligence or insecure procedures.
The limited coverage options available underscore the critical importance of maintaining a proactive stance toward education on emerging breach and fraud methods. It is crucial to enforce stringent and secure routines for transactions and the handling of sensitive information. By prioritizing these measures, companies can significantly reduce their vulnerability and exposure to potential losses.
Immediate Measures – Investigations and Surveillance Review
In the aftermath of a fraud incident, it is crucial to conduct a thorough investigation into the circumstances preceding and during the attack. This comprehensive examination aims to clarify the subsequent obligations and rights of the company. One effective approach is to carry out a forensic analysis to identify the vulnerabilities and determine preventive measures for the future.
Additionally, it is essential for the company to promptly assess available options to mitigate the loss incurred. This involves researching whether the insurance or accounting contracts provide coverage for the specific fraudulent event.
Obligations to Notify
Following a fraud attack, the company must be well-informed about the relevant institutions that require immediate notification. It is crucial to promptly inform the service providers, such as banks, as well as the appropriate law enforcement authorities about the occurrence of the fraud.
Where applicable, the shareholder agreement may necessitate the notification of shareholders regarding the incidence of fraudulent activities.
If the company has engaged an external accounting provider for financial management and transactions, the accountant is legally obligated to notify the client in the event of fraud or if they detect any risks or suspicious requests. This duty aligns with the principles of good accounting practice as defined in the Norwegian Accountants Act (Nw: Regnskapsførerloven) Section 5-4 (1) and Chapter 4 of the ACA, which establish fundamental accounting standards.
Moreover, under the provisions of the General Data Protection Regulation ("GDPR") Article 33 (1), the company may have an obligation to promptly notify the Norwegian Data Protection Authority (Nw: Datatilsynet) if the breach is likely to result in a risk to the security of personal and sensitive information held by individuals within the company. The Norwegian Data Protection Authority plays a vital role in overseeing and enforcing GDPR compliance to minimize the risks associated with the misuse of personal data.
In conclusion, CEO fraud poses significant risks to companies, both financially and reputationally. It is imperative for organizations to remain vigilant and proactive in implementing robust measures to prevent and detect fraudulent activities. By establishing strong internal controls, educating employees about potential risks, and regularly assessing and updating security protocols, companies can enhance their defence against CEO fraud.
Furthermore, it is crucial to stay informed about legal developments and obligations, such as contractual liability and the role of insurance coverage, to ensure adequate protection in the event of fraud. Engaging legal expertise and conducting thorough investigations can help uncover the facts surrounding a fraud incident and guide companies in pursuing appropriate remedies.
We are committed to providing our clients with the necessary guidance and support to navigate the complexities of CEO fraud cases. Should you have any questions or concerns regarding this topic or any other legal matters, please do not hesitate to reach out to our experienced team.