Insider threats often are hardest to detect

Exhibit A: The Securities and Exchange Commission last month filed insider trading charges against an Apple executive whose job it was to execute the company’s insider training prevention plan. That’s like catching a crooked teacher giving out the answers to the test after warning the class they’d be kicked out of school if they cheated.

Speaking of corrupt educators, Exhibit B takes us to what the Department of Justice called “the biggest college admissions scandal” ever prosecuted by the agency. It allegedly consisted of more than 30 parents—some of whom were rich and famous—getting their kids into prestigious colleges by either cheating on standardized testing or bribing college coaches to grant unjustifiable athletic scholarships. 

Curiously, the scam was first uncovered by prosecutors working on an unrelated securities fraud case. Their suspect reportedly gave them a tip about the college admissions scheme, and the Federal Bureau of Investigation set up a sting in a hotel room, where they claim the then-Yale women’s soccer coach accepted a $450,000 bribe from a parent in exchange for granting their child a spot on the team … and with it, admission to the Ivy League school.

There are a few compliance-related takeaways here:

Despite your best strategies, there will always be insider threats that aren’t going to be caught in the net of safeguards, many of which are designed to protect from outside actors.

In a speech about emerging cyber-security threats at the recently held Compliance Week West conference in San Francisco, FBI special agent M.K. Palmore called the insider threat “the one that gets the least attention but deserves much more.”

Truly addressing the insider threat, he said, “requires a fair amount of investment from the enterprise to develop a functioning and mature insider threat apparatus.” The FBI, for example, has a “seriously intrusive” program in which agents must submit extensive financial information every year and take a polygraph test every five years.

That’s not going to fly in the private sector, but that doesn’t mean compliance officers should sit on their hands and wait for the reputationally and financially painful discovery of significant wrongdoing by an employee.

After all, one of the biggest risks in ethics and compliance has to with who you hire in the first place. Risk officers need to have their character antennas up at all times, most importantly in the hiring process. Being a good judge of character is one of the most underrated skills a compliance officer can possess. (And of course, a good background check can’t hurt, either.) 

Compliance officers also need to be relationship-builders. At the CW West conference, Galliard Capital CCO David Lui described the importance of a practitioner getting to know the people in the organization, and in turn making sure employees know the tone you’re trying to set.

“Every lunch alone is a wasted lunch,” Lui said. “You should be meeting with people and building trust at every opportunity.”

You’re not going to catch every money-hungry soccer coach or opportunistic exec, but building relationships, having your moral radar on high, and propagating a tone that ethics are as important as profits puts you in a better position to catch a potentially embarrassing situation before it develops.