Kusserow on Compliance: FBI Reports on business email compromise scams

BEC Scams Accounted for 50% of cyber losses last year

The FBI once again reported an increase in cyber-criminal activity related to ransomware and business email compromise (BEC) scams. During 2019, there were almost a half million internet and cyber-crime complaints, with losses of more than $3.5 billion. Approximately half of the reported losses were the result of BEC, sometimes referred to as EAC (Email Account Compromise) crimes. This was the most damaging and effective type of cyber-crime last year: the 23,775 BEC victims accounted for $1.77 billion in losses, an average of $75,000 per complaint.

These are sophisticated scams targeting businesses and individuals who perform wire transfer payments. They normally begin with either compromising or spoofing the email account of a legitimate person or company. The scammers use this account to send fake invoices that appear to come from business contractors; sometimes the emails are sent directly to employees. They are designed to trick people into wiring money to the wrong bank accounts. One example involves the diversion of payroll funds: HR or payroll receives an email appearing to be from an employee requesting a change to their direct deposit information for the current pay period, generally routing the pay to a pre-paid card account.

The most recent innovation has been scammers mimicking a company’s own CEO to steal funds from the payroll department. They hack into a company’s email server and identify which executives’ email addresses they can spoof to trick unsuspecting employees. The FBI also noted a decrease in the number of ransomware complaints, but a rise in the amount lost per incident. Additionally, 764 health care providers reported being ransomware victims in 2019.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Documentary pillars supporting effective compliance programs

16 key documents described

Critical to an effective Compliance Program (CP) is reinforcing it with key documents that provide its supporting pillars. The following describes some of the most important compliance program documents:

  1. Code of Conduct. This can be viewed as the Constitution for the organization and should be distributed to all covered persons.
  2. Charters for the Executive and Board Level Oversight Committees. These should establish oversight and support for the CP and define roles and responsibilities.
  3. Compliance Officer Charter/Position Description. It is important to formally describe the role of this position, responsibilities, reporting relationship to the CEO and Board, etc.
  4. Protocols Between the Compliance Office and Legal Counsel, HR, Internal Audit, etc. Many functions overlap or intersect with the Compliance Office. Working relationships need to be defined to avoid “turf issues.”
  5. Compliance Education and Training Policy. This should describe the development and implementation of regular, effective education and training programs for all affected parties, and describe general topics covered, frequency of training, and how you will document completion of the training.
  6. Hotline Charter/Policy. There needs to be a document that establishes a process to receive complaints and how they will be handled. It should describe how individuals can report concerns and ask questions or request guidance.
  7. Policies Addressing Ongoing Monitoring of High-Risk Areas. These set out program managers’ responsibilities to monitor their risk areas, develop and implement written guidance for their staff, train staff on how to comply, and verify that the instructions are being followed properly.
  8. Policies Addressing Ongoing Auditing of High-Risk Areas. These should address independent reviews of high-risk areas to verify and validate that ongoing monitoring is operating the way it should and to assist in reducing identified problem areas.
  9. Policies Governing Internal Investigations. These should outline the general steps that will be taken to investigate a report of a possible problem and how the results will be documented.
  10. Policies Addressing Non-Engagement of Sanctioned Individuals and Entities. These should state that there will be no engaging, contracting with, or accepting referrals or prescriptions from those who are sanctioned, excluded or debarred from federal and state health care programs.
  11. Conflicts of Interest Policy. This should require that all potential conflicts of interest be disclosed and provide a method for addressing them.
  12. Anonymity and Confidentiality Reporting Policies. Employees should be allowed to report potential wrongdoing anonymously, and the policy should protect the identity of those who request confidentiality.
  13. Non-Retaliation Policy. This should address protection against retaliation for those reporting potential wrongdoing.
  14. Document Management and Retention Policy. This should outline document retention and destruction requirements and should address electronically maintained documents.
  15. Credentialing and License Policy. This should address which individuals must maintain licensure and make clear that individuals and entities that are not properly licensed will not be engaged or contracted with. It should define verification procedures.
  16. Disclosure of Overpayments and Violations of Law and Regulations Policies. Overpayments are common, and sometimes wrongdoing is identified. Strict rules should govern when and under what circumstances disclosures to outside parties are required.

These are only a starting point. All policies should be reviewed on an annual basis and updated as necessary. This includes eliminating policies that are no longer appropriate or relevant and writing new ones. All policies should be written using a template that permits you to document when a policy was last reviewed and when it was last changed.

For more information on this topic contact Marvin Mills (mmills@complianceresource.com) at the Compliance Resource Center that maintains over 1,000 compliance-related policy templates.


Kusserow on Compliance: Board members must meet their compliance obligations

Both the DOJ and OIG have been moving to make board members more accountable for meeting fiduciary duties and obligations in overseeing the Compliance Program. The OIG has long called for a top-down compliance program, beginning at the board level. The OIG and American Health Lawyers Association published “Corporate Responsibility and Corporate Compliance: A resource for Health Care Boards of Directors” that sets forth how these obligations should be met. These standards are being included in Corporate Integrity Agreements that mandate personal attestations from board members regarding the effectiveness of the Compliance Program.

Traditionally, Outside Directors, rather than directors drawn from the management of the enterprise, have been the primary watchdogs of a board, overseeing the audit, compliance, and compensation committees. An Independent Director should not be affiliated with the organization as an adviser, auditor or consultant, or have personal services contract(s) with the Company. One type of Independent Director that should be on the board is one who is also “compliance literate,” meaning having intimate knowledge of compliance as a result of having been a compliance officer, an attorney who has dealt with compliance issues, a compliance consultant, etc. They should have the requisite knowledge and skills to critically evaluate the information and needs relating to the Compliance Program. If not already done, it is advisable for Compliance Officers to work on educating the board on their fiduciary obligations and the merits of having a compliance literate board member.


Kusserow on Compliance: Questions concerning compliance outsourcing

One of the most significant recent trends has been the movement towards outsourcing as many functions as possible that are not directly involved in a business’s core activities. The two most prevalent motivations for outsourcing are cost savings and gaining expertise. For most, there are many questions regarding this practice in the compliance arena.

WHY? Today, many compliance office functions are routinely outsourced to enable the compliance office to focus on the core elements of the program. Among the functions commonly outsourced to vendors are hotlines, sanction screening services, and training programs. In some cases, the reason to seek expert assistance arises when a departure creates a gap that must be covered until a replacement can be hired. Also, an existing compliance program may need supplemental assistance to deal with added responsibilities, such as HIPAA Privacy/Security Officer support.

WHEN? Often the decision is made when there are identified weaknesses or gaps in operations, such as a vacancy in the compliance, privacy or security officer positions. In other cases, it may be the need for quick fixes as a result of government intervention, such as settlement mandates.

WHERE? Where do you find necessary compliance expertise to engage? The easiest starting point is checking the internet to find professional journal articles on the subject. This can provide additional insights into the subject, as well as identify experts on the subject. Also, an Internet search can identify firms that may provide the needed service.

WHO? Who are the experts that can fill gaps in or supplement compliance programs, having themselves built, assessed, and managed effective compliance programs? They are individuals whose hands-on experience in multiple circumstances and settings makes them experts. The following are examples of experts with extensive compliance program consulting experience who have also served in multiple compliance officer roles:

  • Cornelia Dorfschmid, PhD, over 20 years of health care consulting experience, with service on multiple occasions as designated/interim compliance officer for hospital systems and physician practices.
  • Steve Forman, CPA, 12 years as a health care consultant; 10 years as VP for Audit/Compliance at a hospital system; and multiple periods of service as interim/designated compliance officer.
  • Suzanne Castaldo, JD, CHC, experienced consultant who has served as interim/designated compliance officer several times.
  • Thomas E. Herrmann, JD, 20 years with the Office of General Counsel to the IG; 6 years as Appellate Judge for the Medicare Appeals Council; 5 years as a compliance consultant; and multiple periods of service as interim/designated compliance officer.

HOW? How can an organization use compliance experts to best advantage? There are many benefits to using qualified experts, but the key to investing in them is to obtain an optimum return for the cost by ensuring they add substantial value. In addition to day-to-day management, consider including some of the following:

  1. Examine the program to confirm strengths and identify opportunities for improvement
  2. Conduct an independent evaluation of the program for senior management and board
  3. Review the Code and other written guidance
  4. Evaluate quality and effectiveness of compliance training
  5. Assess high-risk areas that warrant attention
  6. Assess resources needed to effectively operate the compliance program
  7. Have them identify and build metrics evidencing compliance program effectiveness
  8. Use them to assist in identification and evaluation of candidates for the permanent position
  9. Provide a “road map” for the incoming compliance officer to follow

WHAT? What is the level of effort needed to use compliance experts in compliance programs? Even for large organizations, a true compliance expert can hold things together for several months without having to be full time on site. Most organizations can keep their compliance program running efficiently using an expert for 50 to 80 hours per month for up to 6 months before it becomes critical to have a permanent compliance officer in place. For smaller organizations and most physician practices, the number of hours is often half that rate. With current technology and communication, not all hours need to be on site; however, the key is to have the expert on call and available to address any emergent issues. It is worth noting that the OIG has accepted that for smaller organizations it may make sense to engage a qualified expert as the Designated Compliance Officer. The OIG cites many reasons an organization may consider using an outside expert instead of a W-2 full-time employee.

For more information on this topic, contact Suzanne Castaldo, JD at scastaldo@strategicm.com.
