Fraud 101: The Elements of an Effective Hotline Program
Bernard “Bernie” Madoff was one of the most infamous criminals in white collar crime history. Madoff’s Ponzi scheme netted almost $64 billion during its run between June 1992 and his arrest in 2008.
During that time, however, U.S. Securities and Exchange Commission (SEC) investigators found that the scheme could have been disrupted earlier if action was taken on complaints to examine Madoff’s operation.
The SEC’s Office of Inspector General (OIG) found that “between June 1992 and December 2008 when Madoff confessed, the SEC received six substantive complaints that raised significant red flags concerning Madoff’s hedge fund operations and should have led to questions about whether Madoff was actually engaged in trading,” according to an OIG report.
In the wake of the investigation, the SEC revamped its approach to handling complaints and tips. The U.S. Congress also passed legislation (known as Dodd-Frank) in 2010 to require new protections and mechanisms for whistleblowers to use to report wrongdoing to attempt to prevent fraud and widespread wrongdoing by corporate insiders.
But, as fraud experts know, it’s impossible to eliminate the risk of fraud.
“It’s just inherent to the human condition and business operations,” says Mason Wilder, CFE, research director for the Association of Certified Fraud Examiners (ACFE). “What you can do, though, is put systems in place to try and prevent fraud—to really detect it as quickly as possible to limit the results or limit the losses.”
One of the most important systems that the ACFE has identified to detect fraud is to have a whistleblower or tip hotline. In Occupational Fraud 2024: A Report to the Nations, a biannual report that assesses the scope of global occupational fraud, the ACFE assessed that nearly half of the reported fraud cases looked at in the report were discovered by tips (43 percent of cases). Wilder adds that this 43 percent figure has remained consistent since the ACFE began producing the Report to the Nations in 1996.
These tips typically came from employees (52 percent), followed by customers (21 percent), and vendors (11 percent).
These tips were usually made using a Web-based whistleblower or hotline program (40 percent), with email (37 percent) and telephone (30 percent) tips just behind.
To the ACFE, Wilder says this demonstrates the importance of having an effective whistleblower program or reporting mechanism that staff, vendors, and customers are aware of.
“If you aren’t providing channels to get those tips, you’re going to be at a significant disadvantage when it comes to detecting fraud,” he adds.
But not all hotline programs are created equal. To better understand what sets effective hotline programs apart, the ACFE conducted a study in 2023 with input from 1,600 respondents from around the world: Africa (24 percent), Asia Pacific (10 percent), Europe (15 percent), Latin America and the Caribbean (3 percent), the Middle East (6 percent), and North America (42 percent).
Paramount to a tipline program’s overall success was trust that reports are taken seriously, that whistleblowers are protected from retaliation, and that whistleblowers’ identities will be safeguarded, the study found.
The ACFE also wrote that participants in the study said that anonymity for whistleblowers, awareness of the program, follow-up actions, and retaliation protection were important for a program’s success.
“Other than hotline awareness, these aspects of the program are all based around trust—that the whistleblower’s identity will remain anonymous, that reports will be taken seriously and acted upon, and that the whistleblower will be protected from retaliation,” the ACFE explained.
Additionally, having a fraud department, independent administration of the hotline program, the ability to receive reports 24/7, multiple reporting mechanisms, and protection against retaliation—including leaders expressing “zero tolerance” for retaliation—were all associated with effective hotline programs.
If you aren’t providing channels to get those tips, you’re going to be at a significant disadvantage when it comes to detecting fraud.
Hotline programs that were administered by an external third party were perceived by 54 percent of survey respondents to be “extremely or very effective,” followed by a combination of internal staff and an external third party (47 percent) and solely by internal staff (39 percent).
This might be because people perceive an external party as being more capable of protecting the identity and anonymity of whistleblowers. Through its research, Wilder says that the ACFE has found that people often prefer to report fraud anonymously because of the very real fear of reprisals.
“Regulators and governments around the world have done a very good job of putting policies in place to protect against those kinds of things,” Wilder adds. “That still doesn’t eliminate the risk that whistleblowers take when they report fraud or misconduct. If you can provide the possibility for anonymity in reporting, that is helpful.”
Regardless of who is responsible for receiving those tips, it’s critical that there are clear policies that define that responsibility and how credible allegations should be escalated. This is a theme that the ACFE regularly revisits in its work, Wilder says.
“There has to be some process where you are establishing the credibility of whatever the tip or allegation is and doing some preliminary investigations to establish predication, which is basically evidence or information that would lead a reasonable person to believe that fraud is occurring or has occurred,” he explains.
Having several reporting methods is also key to an effective hotline. Organizations with hotline programs that provided four to six reporting mechanisms were considered by more than 50 percent of survey respondents to have an “extremely or very effective” program. Only 36 percent of survey respondents gave hotlines with just one reporting mechanism the same rating.
This is reflected in the 2024 Report to the Nations, which found that more employees are using a Web-based reporting mechanism to report fraud compared to the traditional leading method—telephone reporting.
Wilder says he’s not sure if this is a result of the COVID-19 pandemic, the rise of digital natives entering the workforce, or people just becoming more accustomed to interacting with organizations in a digital format.
“What you don’t want to do as an organization looking to establish an effective reporting mechanism is alienate anybody that might potentially have valuable information by restricting the mechanism to only one particular channel,” Wilder says. “Like I said, that might alienate some group based on their technological sophistication or just habits of how they communicate and interact with technology.”
Offering different channels to report fraud or wrongdoing might also assist people with making reports. A rigid reporting structure that uses a fill-in form format might turn away potential tipsters who want to simply report a suspicion or observation of behavior that felt off.
“You don’t want to necessarily restrict those reports with just a bunch of dropdown menus so that if it’s not really obvious what exact type of fraud and what the action was, then the report doesn’t get prioritized because it didn’t check the right boxes,” Wilder says. “You want to provide opportunities for people to give open-ended reports, where they just report a suspicion in what happened or what they witnessed or what they found because you’re going to get varying degrees of quality in tips and allegations.
“You’re going to have a lot of different types of people submitting tips,” he continues. “Some people might have a great deal of knowledge of how fraud occurs, and how accounting systems operate, and what generally accepted accounting principles are, and how to spot when things do not fit into that.”
And on the other hand, you might have a facilities or janitorial staff member notice that a vehicle is at the building when it shouldn’t be or people are accessing parts of the facility during non-business hours. These could also be indicators that illicit activity, including fraud, might be occurring.
“You have to make sure that whatever your whistleblower program or hotline program looks like, you’re giving both of those different profiles and everybody in between the opportunity to report suspicious activity,” Wilder says.
Organizations with effective hotlines also routinely evaluate them. This process can identify opportunities to improve the program—a critical step because fraud evolves.
“Fraud is something that changes quite a bit so you need to be regularly revisiting all your anti-fraud program elements to make sure that they’re as effective as they can be,” Wilder explains. “You have to be testing that hotline. It’s a good idea to have some people call in—some employees do it like it’s penetration testing, essentially call and submit a report and see what happens. See how it ends up getting back to the organization and make sure it works as intended.”
This evaluation should also include assessments of whether another reporting channel is needed, such as adding a text to report feature to supplement a phone-call based option.
Organizations could also look at the number of reports that are coming in via the hotline, how many of those turn into full investigations, and what the resolution of those investigations are compared to the resources spent on them to assess the program’s effectiveness.
“Also, fraud losses. That’s a pretty good, quantifiable metric for organizations to look at—especially those without reporting mechanisms or hotlines in place,” Wilder says. “If you look at profit and loss numbers and fraud losses prior to putting one of those in place versus after putting that in place, that can potentially give you a pretty good idea of how effective it is or isn’t.”
But none of this work really matters if people aren’t aware that the hotline exists and that credible tips made using it will be followed up on.
“Make people aware of its existence, direct them to it, and provide them with the information that they need to know to utilize it because if you just have it in place, but don’t ever tell any staff, customers, or vendors about it, then it’s not the most effective version of it that you can put in place,” Wilder says.
Megan Gates is senior editor at Security Management. Connect with her at [email protected] or on LinkedIn.