Writing an External Privacy Policy


In Part 1 of our two-part series on privacy policies, we discussed how to write a privacy policy to be used internally by employees. In Part 2, we will explore how to formulate a privacy policy that can be used by customers and suppliers.


Why is an External Privacy Policy Needed?


You may be wondering why an external privacy policy is even necessary, especially given most customers won’t even read it. 

Firstly, a privacy policy is often required by law if you collect personal data from your clients. Some of these regulations around the world include:

Secondly, a company that proudly displays its privacy policy promotes an environment of transparency and honesty between the company and its customers. This builds consumer trust and confidence, leading to a positive brand image. 

Finally, a company can use its privacy policy to protect itself against potential disputes about the way it collects information from its customers. 

What to Include

Before any writing is put on paper, you should make sure that you have a clear overview of what personal information is held by your company and of your personal information handling procedures. Some of this information you may already have; for the rest you may need to investigate or conduct audits.

In your privacy policy, you should first describe your company’s main functions and activities, and identify those that involve personal information handling. Activities may include:

  • Providing specified services
  • Conducting publicity campaigns
  • Handling complaints
  • Running a website
  • Sending out a newsletter

For each activity you should also describe:

  • The personal information that you collect and hold, and how you collect and hold it. 
  • The reasons or purposes for which you will collect, hold, use and disclose that personal information.
  • Whether you disclose personal information to overseas entities.

The types of information your company may collect include:

  • Names
  • Addresses
  • Phone numbers
  • Email addresses
  • IP addresses
  • Access dates and times

The means by which information is collected include:

  • Cookies
  • Weblogs
  • Surveys
  • Web forms
  • Registration for an event or course
  • Newsletter sign-up
  • Placing an order

In terms of personal information handling procedures there are a few items to be on top of:

  • Specific approaches, principles or commitments your company has decided to adopt for handling specific personal information. An example of this is:
    • “In relation to X process, the company will link personal information across business processes, or never do so, or only do so if the individual would expect it, or only with the individual’s consent, or only if not sensitive information, or only for X purpose.”
  • Processes for identifying, assessing and managing privacy and security risk, as well as developing and monitoring controls for those risks
  • Approaches to identifying and handling personal information your company no longer needs
  • Processes for providing access to and correction of personal information
  • Complaints handling procedures
  • Policies for managing contractors when personal information may be disclosed.


Below is an example structure that can be used to set out the information contained within the privacy policy in a layered approach. Headings should be used to clearly separate each section of this structure. A table of contents may also be useful in helping your customers navigate the privacy policy.

Scope: Describe what the policy applies to

Collection of personal information: Provide key information on what personal information is collected and why. 

Disclosure: Describe the key disclosures and conditions around those disclosures. 

Rights and choices: Describe any rights and choices that individuals have, including the right to request access and correct personal information held about them.

How to make a complaint: Describe how to make a complaint about privacy and what individuals can do if they are not satisfied with the outcome.

Contact details: Include at least a phone number and email address that won’t change with personnel. This will add another level of transparency to your privacy policy. 

Other Considerations


Regularly Review and Update Your Privacy Policy

You should regularly review and update your privacy policy to reflect changes to your current personal information handling practices. Your policies surrounding changes to the privacy policy should even be incorporated within the privacy policy itself. You should also notify your current clients of any changes at the time the changes occur via an appropriate communication channel, such as email or your website.

Make Your Privacy Policy Easily Available

There’s no point in having a privacy policy that promotes transparency if no one is able to see it or know where to find it. 

Your privacy policy should be free of charge and in an appropriate form. This means that if your company has a website, your privacy policy should be easily accessible from it. It is common to have a link to the privacy policy in clear, legible text within the footer of a website, so that it appears on every page of your site. 


Privacy policies are a great way of showing off your transparency regarding the collection and use of personal information to current and prospective clients. The key information that should be included in this privacy policy are what information is being collected, how it is being collected, and why it is being collected. Your privacy policy should be clearly structured, regularly updated, and made easily available so that clients feel more safe doing business with your company.



5 ways to stop workplace harassment and discrimination before it hurts


In this blog we’ll look at five ways to help prevent harassment and discrimination among staff before they take their toll.


1. It’s okay to say something

If people are too scared to say something, then it probably won’t get said. Start by reassuring staff that it is okay to report any incident of harassment or discrimination. Make sure everyone in the organisation receives a newsletter (or other notification) stating that poor behaviour won’t be tolerated and should be reported.

If most people know they are likely to be “dobbed in” then the potential for sinister conduct is reduced. It’s also good practice for employers to encourage staff to identify issues before a complaint is made to prevent unnecessary escalation.


2. Do have a policy

Don’t assume matters will always resolve themselves, or that they should be handled in an ad-hoc way by whoever happens to receive a complaint. Have a consistent policy for dealing with harassment or discrimination and make sure the policy template is recognised by, and can be applied by, all the key stakeholders.

The policy doesn’t need to be overly bureaucratic but it should clearly define the severity of different incidents and an appropriate course of action to resolve them.

A policy which encourages managers to listen and engage with employees to resolve potential disputes makes it easier for everyone if there is a problem. It also makes it easier for staff to raise a question in a proper way that will result in an answer.


3. Keep an eye out

Are certain staff clearly not themselves? Keep a look out for anecdotal changes in behaviour, participation and performance. Such changes could point to harassment or some other incident which has led to dissatisfaction. A change in emotional state is one of the best indicators that something is wrong, and no app can replicate noticing it.

Employers should keep an eye out for any sign of employee distress or dissatisfaction, and can conduct management training so that managers notice the signs of unhappy employees.

Casually observing staff while they are working should give you enough clues to any dissatisfaction or changes in morale.

In addition, keep an eye on who is leaving the organisation and why. A high turnover in one department or under one manager might indicate a toxic culture.


4. Monitor the metrics

In addition to point three above, use automated metrics where it is practical to do so. Things like anomalies in sick leave, measurable output and email volumes can be flagged for follow up by HR to see if there are any concerns.

Identifying trends will indicate both good and poor performance, and will give a feel for what is likely to change in the event of harassment or discrimination.

This tactic can be applied across the company and should reduce the need to “look over the shoulder” of staff to determine if there is a problem.


5. Fine tune your processes

When new trends appear in the workplace, for example a new social network, the processes and policies for dealing with inappropriate behaviour should be updated accordingly. Using a new social network to harass co-workers is not acceptable, even if it wasn’t covered by an existing policy.

Ensure your policies and processes are flexible and can be consulted on, and updated, by all stakeholders.

Updating your processes is important as different workplaces have different forms of harassment and discrimination. A workplace where there is potential for dishonest activity (handling money, privileged access, etc.) might be very different to one where there is not.

At Polonious, our application helps organisations develop better policies and processes, and improves the challenging task of dispute resolution.

By stamping out the first sign of a toxic culture, staff will be happier and stick around for the long run, and the company’s ethical standards will be highly regarded.

Comparison of 8 Major Companies’ Code of Ethics and Conduct


Good corporate governance incorporates a set of rules that define the relationship between stakeholders, management and the board of directors of a company and influence how the company operates. The importance of corporate governance cannot be overstated, as it enables organisations to achieve their goals, make formal decisions, prevent fraud, control risks and assure compliance. 

To determine the appropriate ethical guidelines for your company, you might consider studying some of the best examples of codes of conduct for businesses. 

This blog will help you understand:

  • Definition of Code of Ethics
  • Definition of Code of Conduct
  • Difference between Code of Ethics and Code of Conduct
  • Comparison of 8 Major Companies’ Codes of Ethics and Conduct 

Code of Ethics

A code of ethics is a set of guiding principles intended to ensure a business and its employees act with honesty and integrity in all facets of its day-to-day operations and to only engage in acts that promote a benefit to society. Sometimes referred to as a value statement, it behaves like the “Company’s Constitution” with general principles to help guide employee behaviour.

The document outlines a set of principles that affect decision-making. For example, if an organization is committed to protecting the environment and “being green”, the code of ethics will state that any employee faced with a problem is expected to choose the most “green” solution. It does not cover specific behaviour like a code of conduct does; rather, it outlines the principles that should guide that behaviour.

Typically, focus areas include:

  • Social Responsibility
  • Discrimination
  • Environmental issues

3 Types of Codes of Ethics

A code of ethics can take a variety of forms, but the general goal is to ensure that a business and its employees are following state and federal laws, conducting themselves with an ideal that can be exemplary, and ensuring that the business being conducted is beneficial for all stakeholders. The following are three types of codes of ethics found in business.

Compliance-based Code of Ethics

For all businesses, laws regulate issues such as hiring and safety standards. Compliance-based codes of ethics not only set guidelines for conduct but also determine penalties for violations.

In some industries, including banking, specific laws govern business conduct. These industries formulate compliance-based codes of ethics to enforce laws and regulations. Employees usually undergo formal training to learn the rules of conduct. Because noncompliance can create legal issues for the company as a whole, individual workers within a firm may face penalties for failing to follow guidelines.

To ensure that the aims and principles of the code of ethics are followed, some companies appoint a compliance officer. This individual is tasked with keeping up to date on changes in regulation codes and monitoring employee conduct to encourage conformity.

This type of code of ethics is based on clear-cut rules and well-defined consequences rather than individual monitoring of personal behavior. Although they enforce strict adherence to the law, some compliance-based codes do not, by themselves, promote a climate of moral responsibility within the company.

Value-Based Code of Ethics

A value-based code of ethics addresses a company’s core value system. It may outline standards of responsible conduct as they relate to the larger public good and the environment. Value-based ethical codes may require a greater degree of self-regulation than compliance-based codes.

Some codes of conduct contain language that addresses both compliance and values. For example, a grocery store chain might create a code of conduct that espouses the company’s commitment to health and safety regulations above financial gain. That grocery chain might also include a statement about refusing to contract with suppliers that feed hormones to livestock or raise animals in inhumane living conditions.

Code of Ethics Among Professionals

Financial advisers registered with the Securities and Exchange Commission (SEC) or a state regulator are bound by a code of ethics known as a fiduciary duty. This is a legal requirement and also a code of loyalty that requires them to act in the best interest of their clients.

Certified public accountants, who are not typically considered fiduciaries to their clients, still are expected to follow similar ethical standards, such as integrity, objectivity, truthfulness, and avoidance of conflicts of interest, according to the American Institute of Certified Public Accountants (AICPA).

Code of Conduct

A company’s code of conduct covers major legal, ethical, and compliance risk areas to help employees make the right choices, even when they’re not easy. Your code of conduct sets the ethical standards and establishes expectations for employee behavior in the workplace. Employee adherence to your company’s code of conduct is essential to maintaining a reputation of integrity and preventing risk for your organization. Codes of conduct cover specific behavioural expectations in specific situations.

Topics may include:

  • Conflicts of Interest
  • Protecting Company Information
  • Financial and legal integrity
  • Reporting wrongdoing

Difference between Code of Ethics and Code of Conduct

A Code of Ethics governs decision-making, and a Code of Conduct governs actions. They both represent two common ways that companies self-regulate. They are often associated with large companies, and provide direction to employees and establish a public image of good behavior. 

A code of ethics is broader in nature, outlining what is acceptable for the company in terms of integrity and how it operates. A code of conduct is more focused in nature and instructs how a business’s employees should act daily and in specific situations.

8 Examples of Major Companies’ Code of Conduct and Ethics

To determine the appropriate ethical guidelines for your company, you might consider studying some of the best examples of codes of conduct for the following major businesses.

Technology Companies


Google’s Code of Conduct emphasizes its values such as customer care, integrity and transparency. The document clearly states who must adhere to the standards set forth and how misconduct will be addressed.

It highlights the importance of speaking up and taking action against wrongdoing. Overall, their Code of Conduct is concise and well organized.


Microsoft’s Standards of Business Conduct revolves around one central theme: trust. Microsoft emphasizes that trust is an important aspect of its operations, including with customers, governments, fellow employees, investors and representatives.

The code of conduct also offers a process to help employees make difficult decisions that reflect Microsoft’s values and standards. Offering a process can be a useful way to simplify complex ethical decisions and ensure consistent behaviour. However, avoid getting too specific as this may result in legalistic responses, e.g. ‘Well, the code of conduct didn’t specifically say NOT to do that…’.

Read more on their website


Facebook’s Code of Conduct covers important topics such as conflicts of interest, harassment, confidentiality and protection of user data. Despite not using photos and visuals, it is simple, concise and easy to comprehend.

The company also highlights that employees can report violations anonymously to sources that they feel comfortable speaking to, including managers, HR and/or the Legal Department. The code of conduct also includes links to the company’s whistleblower and complaint policy.

Learn more about Facebook’s Code of Conduct on their investor relations website


IBM’s Code of Conduct revolves around their core values which are:

  • Dedication to every client’s success
  • Innovation that matters, for our company and for the world
  • Trust and personal responsibility in all relationships

The company further highlights environmental affairs, human rights principles, and workforce diversity in its business conduct and expectations of its employees. These achievements are highlighted in its Corporate Responsibility report.

Overall, their Code of Conduct appears to be well organized and easy to understand. 

Financial Institutions


The ANZ Code of Conduct and their supporting policies set the expected standards of behaviour linked to their values.

Their guiding principles include:

  • Integrity
  • Collaboration
  • Accountability
  • Respect
  • Excellence

The company has two Codes of Conduct, which provide employees and Directors with a practical set of guiding principles to help them make fair, balanced and ethical decisions in their day to day work:

  • ANZ Non-Executive Directors Code of Conduct
  • Code of Conduct

The ANZ Non-Executive Directors Code of Conduct sets out its guiding principles, each followed by the actions to be undertaken. These include:

Act Ethically and Professionally

  • Act in the best interests of ANZ and create trust, confidence and goodwill with ANZ’s shareholders, customers and other stakeholders
  • Undertake our duties with appropriate care and diligence and in accordance with our legal obligations
  • Behave in a way that takes into account ANZ’s impact on the community and the environment in both the short and long term
  • Understand our authorities and any relevant limits and exercise any such authorities responsibly and within limits
  • Use all of ANZ’s systems and equipment appropriately and for proper purposes. This includes email, messaging, internet access, and technology and banking systems
  • Not engage in conduct (either in our capacity as a Director or otherwise) that may cause damage to ANZ’s reputation or is incompatible with our position as Directors of ANZ

Act with integrity

  • Act honestly and transparently in all our dealings with and for ANZ
  • Not knowingly mislead directly or indirectly, make false statements or mislead by omission
  • Not make promises or commitments we know ANZ does not intend, or would be unable, to honour
  • Use goods, services and facilities provided to us by ANZ in accordance with the terms on which they are provided

Treat all people with dignity and respect

  • Treat all people we deal with through our work with respect and dignity
  • Never harass, bully or unlawfully discriminate
  • Make appointment decisions based on merit

Manage conflicts of interest

  • Not improperly use the name of ANZ, our position or information obtained by us as a Director of ANZ for personal financial gain or to obtain any benefit for any other person or business
  • Fully disclose all relationships we have with ANZ in accordance with policies on independence that the Board may adopt from time to time
  • Ensure any personal dealings with ANZ must be in accordance with policies that the Board may adopt from time to time
  • Fully disclose any material personal interest, as well as any other interest which is appropriate to disclose in order to avoid an actual or perceived conflict of interest, in accordance with such policies that the Board may adopt from time to time
  • Never accept or offer any improper payment of benefits in connection with their role as an ANZ Director
  • Never accept any gift, reward or entertainment, including discounted products, free travel or accommodation, if there is an expectation that could conflict with our role as an ANZ Director.

Protect privacy and confidentiality

  • Respect the privacy of others
  • Not improperly disclose any information about ANZ that is not already in the public domain
  • Ensure that confidential information relating to ANZ customers, staff or operations is not disclosed, inadvertently or deliberately, to third parties without the consent of ANZ

Comply with the code, law, policies and procedures

  • Be aware of and comply with all relevant laws and regulations applicable to us
  • Not take any action, or fail to take action, that may breach the law or applicable ANZ policies and procedures
  • Complete all induction and education programs required of us to build and maintain our awareness and understanding of relevant laws, policies and procedures

Furthermore, it encourages employees to contact the Group General Counsel or Company Secretary if they are unsure of their obligation or ANZ’s expectations.

These documents can be found on ANZ’s official website.


CommBank’s Code of Conduct articulates the standards of behaviour expected of their clients and stakeholders. The Code connects their purpose and values with a ‘Should We?’ test, to help deliver the right outcomes. The ‘Should We?’ test asks about transparency, consistency with values and policy, and fairness, which helps employees exercise good judgement.

The document specifically articulates the standards of behavior the company expects of their employees when engaging with, and balancing the interests of, the Bank’s stakeholders. The following outcomes have been outlined:

  • Fair customer outcomes are at the heart of our strategy, plans, decisions, judgements and actions.
  • Our products and services are fair, transparent, and meet customer needs, and our distribution approach is appropriate for customers. We are compassionate to the circumstances of customers, including those who are most vulnerable.
  • The potential for unfair outcomes is proactively identified, and complaints and issues are managed in a timely manner.
  • Market manipulation, insider trading, failure to manage conflicts of interest, and inappropriate sharing and use of confidential information are not tolerated.
  • We recognise that environmental and social risks can impact our business and communities and we are committed to ensuring that these risks are identified and managed appropriately

Westpac Banking Corporation

The Westpac Banking Corporation’s Code of Conduct defines four outcomes, each strongly aligned with the company’s values. These are 1. Helping our customers and communities, 2. Being ethical, 3. Strengthening our corporate compliance, and 4. Supporting our people. Underneath each outcome, it outlines what this means for Westpac and their employees.

Helping our customers and communities

  • We are always helpful and do the right thing by our customers, suppliers and community
  • We always look for ways we can be better and simpler
  • We help our customers to make informed choices and our communications are clear
  • We lend responsibly and provide vulnerable customers with extra support and care
  • When designing, distributing and fulfilling our products we always consider their fairness and suitability for our customers
  • We handle customer complaints confidentially, with consideration and respect and take responsibility for proactively resolving complaints or referring them to the right person
  • We proactively identify potentially unfair customer outcomes, identifying the cause of the issue and if we make a mistake, immediately own it and fix it
  • We consider the long-term environmental and social impacts of our decisions

Being Ethical

  • We are trusted to do the right thing and act with honesty, integrity and due care and skill in all our dealings with the bank including as customers
  • We ensure that our actions, personally and professionally, do not put Westpac Group’s reputation at risk
  • We always ask ‘Should We?’ rather than just ‘Can We?’
  • We put the customer and bank ahead of personal interests and identify, declare, record and appropriately manage conflicts of interest
  • We uphold market integrity and protect against market misconduct, market manipulation and insider trading
  • We compete fairly to provide our customers with great products, service and innovation
  • We understand and comply with our offshore obligations when dealing with international customers or markets

Strengthening our corporate compliance

  • We protect our community and the integrity of the financial system. This includes meeting our anti-bribery and corruption, anti-money laundering and counter-terrorism financing and tax transparency obligations to mitigate the risk of fraud
  • We take accountability for identifying, managing and reporting all forms of risk, including compliance and conduct
  • We are open and transparent with regulators and report in a constructive, accurate and timely way
  • We use technology in a safe, secure and productive way
  • We keep customer, supplier and other third party information and our own confidential and sensitive information private and secure; protecting it from unauthorised use and not using it inappropriately for personal gain or sending it inappropriately to a third party

Supporting our people

  • We create a safe, diverse and inclusive place to work where we welcome diversity of thought and experience, prioritise our people and our customers’ safety and wellbeing and do not tolerate discrimination, bullying or harassment, including sexual harassment
  • We employ, promote and reward employees who live our purpose, values and behaviours and act in accordance with the expectations of our Code of Conduct
  • We work together as a team, support each other and are professional in our interactions
  • We take unlawful and unethical behaviour seriously – if we think something is not right, we speak up as soon as possible, and we listen and respond
  • We communicate with the public responsibly and only speak to the media when authorised

The document also highlights policies for topics such as conflict of interest, sexual harassment and anti-bribery and corruption which help achieve the above outcomes. Managing such issues is critical to meeting standards of responsibility and ethical conduct. Learn more about potential breaches in corporate compliance in our four-part series on Workplace Fraud.

This can be found on their website.

National Australia Bank

NAB’s Code of Conduct outlines the standards of behaviour expected of employees in order to better serve clients. The structure is fairly similar to Westpac’s Code of Conduct, as it outlines four major values and how they are achieved. The four values are 1. Excellence for Customers, 2. Grow Together, 3. Be Respectful and 4. Own it. The code further elaborates on ways to achieve these targets, such as practicing open communication and always putting clients first.

Furthermore, their policies are divided into the following sections:

  • Customers and Communities
  • Colleagues
  • Governance and Risk

Each section outlines the standards they expect to deliver.

Customers and Communities

  • Fair and ethical customer outcomes are at the heart of our plans, decisions and actions.
  • We only provide products and services that are right for our customers and match their needs and circumstances.
  • Our products and services are transparent and easy to understand.
  • Customer interactions are consistently high-quality experiences. All colleagues complete learning and competency requirements, and only operate in roles where they hold the required accreditations.
  • We take extra care of customers who are at a greater risk of harm or loss because they are experiencing vulnerability.
  • Concerns about unfair customer outcomes are proactively identified and owned or escalated.
  • Customer complaints, pain points and harm – including financial losses, distress and inconvenience – are promptly and appropriately addressed and, where appropriate, remediated.
  • We do not tolerate anti-competitive conduct, market manipulation, predatory market practices, insider trading, failure to manage conflicts of interest, bribery and corruption or inappropriate control and use of confidential or personal information.
  • We recognise that environmental and social risks can impact our communities and we are committed to ensuring these risks are identified and managed appropriately. 

Colleagues

  • Everyone feels safe and included in the workplace and health, safety and wellbeing are promoted. We take a zero tolerance approach so that no one experiences unlawful discrimination, bullying or harassment — including sexual harassment or racism.
  • Customers have confidence in NAB’s integrity and quality of service. This is why we’re only hired, promoted and recognised when we demonstrate the highest levels of professionalism and character.
  • Customers know they are in safe hands. This is because we only act within our authority and carefully consider what’s best for our customers. We always use access to technology and assets responsibly.
  • Customer interactions are consistent and high-quality experiences. We achieve this by ensuring everyone at NAB meets learning and competency requirements, and works in roles where they hold the applicable accreditations.
  • Colleagues do not compromise the integrity of NAB or its stakeholders. Any conflicts or perceived personal conflicts of interest, criminal convictions or charges are declared.
  • Colleagues are rewarded for driving long term, sustainable outcomes.

Governance and Risk

  • We meet our legal and regulatory obligations, voluntary commitments and internal standards.
  • Our customers’ personal information is respected and kept safe.
  • Our policies explain how we handle this information to keep it secure, protected from misuse, interference and loss, and from unauthorised access, modification or disclosure or personal gain.
  • Our customers and community and the integrity of the financial system are protected.
  • Our policies and standards explain how to identify, manage and control the risks of financial crime, bribery or sanctions breaches as well as commercial and personal conflicts of interest.
  • Customer interests and outcomes are a critical component of decision making and align with NAB’s risk appetite.
  • We use clear delegation frameworks for decision making to support our governance and risk management frameworks.

How Polonious Can Help

By setting out standards for behavior, a code of conduct helps minimize the risks associated with employee misconduct. A well-written code makes it easier for employees to behave well because it sets clear expectations, creating a positive work environment.

However, compliance is more than just checking the box. A well-managed, compliant, internal whistleblowing mechanism, ethics hotline and case management solution can help you detect problems early, address them and maintain a safe and ethical workplace, while minimizing risk.

The Polonious Case Management Software provides a consistent process that is procedurally fair for all parties, while recording all actions and decisions to ensure all evidence of the process is documented and auditable alongside any evidence gathered regarding the incident or investigation. 

Strong and effective corporate governance helps to cultivate a company culture of integrity, leading to positive performance and a sustainable business overall. Essentially, it exists to increase the accountability of all individuals and teams within your company, working to avoid mistakes before they can even occur.

Strong and effective code of ethics and conduct helps to cultivate a company culture of integrity, leading to positive performance and a sustainable business overall.

Making your hotline confidential will ensure employees feel comfortable using it.

To determine the appropriate ethical guidelines for your company, you might consider studying some of the best code of conduct examples published by other businesses.

A Comparison of 8 Major Companies’ Codes of Ethics and Conduct can point you in the right direction.

The Importance of Supply Chain Ethics and Compliance and Top 6 Best Practice Tips for Every Company

A Deloitte study shows that customers are increasingly expecting businesses to operate at the highest possible standards. With growing recognition of social, ethical and environmental issues, many governments have passed laws aimed to drive responsible business practices and greater supply chain transparency.

Human rights, child labour, environmental impacts and health and safety practices are just some of the ethical issues that organisations must consider when building their supply chains, especially when those chains extend beyond their own borders and into emerging markets. If they exercise bad judgment in just one aspect, their reputation and financial future could be shattered in short order.

With the potential damage to reputation and finances, companies must act to ensure their supply chain processes are ethical at every touch point. 

With rising ethical compliance expectations, ever-increasing legislation and information readily available online, it is more important than ever to evaluate vendors, suppliers and any other points of contact during risk assessments, to ensure your supply chain processes are ethical at every point.

This blog will address:

  • Definition of Supply Chain Ethics
  • Relevant Laws in Australia, United Kingdom and the United States
  • 6 Ways to Build Ethical and Sustainable Supply Chains
  • 3 Strategies to Minimize supply chain risk

Definition of Supply Chain Ethics

As sourcing has become more global, instances of exploitation and malpractice have come to light, raising questions about how ethical corners may be cut to produce goods cheaply.

When talking about ethics in the supply chain, experts generally focus on:

  • Freedom of employment and association
  • The eradication of child labour
  • Safe and hygienic working conditions
  • Appropriate pay and working hours
  • Humane and non-discriminatory treatment
  • Anti-bribery and corruption
  • Environmental awareness

Bribery and corruption are of particular concern to every industry because of ever-increasing fraud schemes. Learn more about workplace fraud in Workplace Fraud: 7 Types of Corruption, as well as the Importance of Corporate Governance for Fraud Prevention.

Relevant Laws in Australia, United Kingdom and the United States

Modern Slavery

According to Australia’s Department of Home Affairs, modern slavery describes situations where offenders use coercion, threats or deception to exploit victims and undermine their freedom.

Practices that constitute modern slavery can include:

  • human trafficking
  • slavery
  • servitude
  • forced labour
  • debt bondage
  • forced marriage, and
  • the worst forms of child labour

Modern slavery can occur in every industry and sector and has severe consequences for victims. Modern slavery also distorts global markets, undercuts responsible business and can pose significant legal and reputational risks to entities.

Entities have a responsibility to respect human rights in their operations and supply chains, as outlined in the United Nations Guiding Principles on Business and Human Rights. This includes taking steps to assess and address modern slavery risks.

Taking action to combat modern slavery also makes good business sense. Entities that take action to combat modern slavery in their operations and supply chains can protect against possible business harm and improve the integrity and quality of their supply chains.

They can also increase profitability, investor confidence and access to financing opportunities. Many countries have imposed regulations in order to combat modern slavery.

Australia

In Australia, the Modern Slavery Act 2018 requires businesses with over $100 million in revenue to report annually on the risks of modern slavery in their operations and supply chains, and actions to address those risks.

In addition, in August 2021, a proposed amendment to the Customs Act 1901 passed the first stage in the process of becoming law. This amendment aims to include an import ban on any goods produced or made using forced labour, during any stage of the production.

The Australian Senate passed the bill, and it will now go to the House of Representatives for a final stage of approval. Although there isn’t yet a confirmed date for the House of Representatives to discuss the bill, this demonstrates increased government involvement in ethical compliance in supply chains.

United Kingdom

In line with the Modern Slavery Act 2015, every organisation carrying on a business in the UK with a total annual turnover of £36m or more is required to produce a slavery and human trafficking statement for each financial year of the organisation.

The U.K. Government outlines many benefits tackling modern slavery can bring to companies including:

  • protecting and enhancing an organisation’s reputation and brand
  • protecting and growing the organisation’s customer base as more consumers seek out businesses with higher ethical standards
  • improved investor confidence
  • greater staff retention and loyalty based on values and respect
  • developing more responsive, stable and innovative supply chains.

According to the U.K. government, if a business fails to produce a statement for a particular financial year, the Secretary of State may seek an injunction through the High Court (or, in Scotland civil proceedings for specific performance of a statutory duty under section 45 of the Court of Session Act 1988) requiring the organisation to comply. If the organisation fails to comply with the injunction, they will be in contempt of a court order, which is punishable by an unlimited fine.

United States

In the U.S., some jurisdictions have enacted laws that require certain types of companies to investigate their supply chains and to take efforts to combat human trafficking and forced labor. For example, the California Transparency in Supply Chains Act, effective January 1, 2012, requires covered companies to disclose on their websites their efforts to combat human trafficking and forced labor in their supply chains. The law applies to retailers and manufacturers with annual worldwide gross sales over $100 million that do business in California.

Companies subject to the Transparency in Supply Chains Act must disclose the extent of their efforts in five areas: verification, audits, certification, internal accountability, and training. Specifically, in its supply chains disclosure, a company must disclose to what extent, if any, it:

  1. Engages in verification of product supply chains to evaluate and address risks of human trafficking and slavery. The disclosure shall specify if the verification was not conducted by a third party.
  2. Conducts audits of suppliers to evaluate supplier compliance with company standards for trafficking and slavery in supply chains. The disclosure shall specify if the verification was not an independent, unannounced audit.
  3. Requires direct suppliers to certify that materials incorporated into the product comply with the laws regarding slavery and human trafficking of the country or countries in which they are doing business.
  4. Maintains internal accountability standards and procedures for employees or contractors failing to meet company standards regarding slavery and trafficking.
  5. Provides company employees and management, who have direct responsibility for supply chain management, training on human trafficking and slavery, particularly with respect to mitigating risks within the supply chains of products.

Germany

In June 2021 the German parliament passed the new Supply Chain Due Diligence Act that will require large companies to conduct supply chain due diligence. They must take steps to identify, prevent and address human rights and environmental issues in their own activities and in their direct suppliers’ operations.

The new law will enter into force on 1 January 2023 and will take effect immediately for companies with 3,000 or more employees, and on 1 January 2024 for companies with 1,000 or more employees. The law will only apply to companies whose head office, principal establishment, center of administration or registered office is in Germany.

Companies affected by the Act should take action as soon as possible in order to ensure that they will comply with the Act as of 1 January 2023. In addition to liability risks in civil law, there may also be a risk of significant fines and penalties, as well as exclusion from tender procedures for public contracts. But smaller companies should also take heed: companies which are directly affected by the Act will (have to) try to obligate their suppliers to comply with their own requirements, so that due diligence requirements might get in “through the back door.”

Environmental Regulations

According to the United States Environmental Protection Agency (EPA), an organisation’s supply chain often accounts for more than 90 percent of its greenhouse gas (GHG) emissions when its overall climate impact is taken into account. Over the last decade, a great deal of legislation has been introduced across the globe to address this issue.

Australia

The Australian Government has a range of environmental policies to minimise the impact of government operations on the environment.

There are also agency measures and targets for carbon emissions, energy, waste and resource use, as well as set mandatory environmental standards for incorporating sustainability into government procurements.

According to the Australian Government, legislation and policies that are relevant for suppliers, products and materials selection include:

  • Environment Protection and Biodiversity Conservation Act 1999 (Cth)
  • Product Stewardship Act 2011 (Cth)
  • National Waste Policy: Less Waste, More Resources – Strategy 2 (sustainable procurement)
  • Energy Efficiency in Government Operations Policy (2006)
  • Australian Government ICT Sustainability Plan (ICTSP) 2010-2015
  • Australian Packaging Covenant – Action Plan 2010-2015
  • National Environment Protection Measures (NEPM)
  • Commonwealth Procurement Policy Framework and Guidelines
  • State Government Environment Protection Legislation and Regulations, such as the Protection of Environment Operations Act 1997 (NSW)

United Kingdom

The UK Government recently announced that it is developing legislation that would make it illegal for large businesses operating in the UK to use certain commodities that have not been produced in line with local laws, and require in-scope companies to conduct due diligence to ensure that their supply chains are free from illegal deforestation and ecosystem change. A failure to comply could result in significant fines (the precise levels of fines are yet to be determined).

The legislation has the potential to impose market restrictions and extensive supply chain due diligence obligations, but it appears that it will be limited to certain “forest risk” commodities —  including those embedded within products — whose rapid expansion is associated with deforestation. The UK Government is currently consulting on the potential law. The UK Government anticipates that the law will particularly impact supermarkets and fashion houses, meat and dairy producers and businesses using palm oil and other natural ingredients; and has suggested that legislating might offer legal certainty and clear obligations for businesses.

United States

In the U.S., there are a few major federal laws that companies must abide by. 

The Comprehensive Environmental Response, Compensation, and Liability Act – otherwise known as CERCLA or Superfund — was passed in 1980. This provides a Federal “Superfund” to clean up uncontrolled or abandoned hazardous-waste sites as well as accidents, spills, and other emergency releases of pollutants and contaminants into the environment. Through CERCLA, EPA was given power to seek out those parties responsible for any release and assure their cooperation in the cleanup.

The Pollution Prevention Act, passed in 1990, includes provisions aimed at reducing the amount of pollution in the environment by making changes in production, operation, and use of raw materials by both private industry and the government. In other words, the Act is proactively focused on source reduction of pollution, rather than reactively focusing upon how to deal with pollution once it has entered the environment. An area of the Pollution Prevention Act which has had a dramatic and recognizable impact on the general public is the push towards recycling and reuse of materials.

The Occupational Safety and Health Act (OSH Act) was passed in 1970 in response to concerns about the lack of worker and workplace safety. The main thrust of the OSH Act is to require employers to provide their workers with a safe workplace. While some of its requirements do not directly affect the environment (such as those concerning safety for workers on elevated sites), other provisions specifically address environmental issues (such as the use of toxic or hazardous substances in the workplace).

The OSH Act is one of the few federal laws touching the environment that is not administered by the EPA. Instead, it is enforced by the Occupational Safety and Health Administration (OSHA) within the U.S. Department of Labor, with research and recommendations from the National Institute for Occupational Safety and Health (NIOSH), which the Act created for that purpose. In addition, many states run their own workplace safety and health programs; a state plan must be at least as effective as the federal OSHA requirements.

6 Ways to Build Ethical and Sustainable Supply Chains

Manage Supplier Communities

Ethical practices need to be managed in a continuous manner, and companies must think about how they can improve day-to-day collaboration within their supply chains to achieve this. Effective collaboration with trading partners helps to drive greater adoption and adherence to ethical sourcing practices.

Companies should ensure they have up-to-date contact details for each participant in the supply chain. Collaboration platforms can help to encourage this. After all, it’s difficult to collaborate with suppliers if key contact details such as e-mail addresses or phone numbers are missing. By regularly surveying supplier communities, companies can uncover interesting insights into how the supply chain is performing, and what level of ethical practices is being achieved.

Gather Ethical Insights

For many organizations, monitoring the performance of trading partners and truly understanding the ethical “pulse” of their supply chains remains a key challenge. Advanced analytics, artificial intelligence and machine learning tools can help by surfacing insights from day-to-day processes, and they stand to provide a means of measuring whether supply chains meet ethical standards, with outcomes that can be applied consistently to every trading partner across the chain.

Through AI-driven dashboards, organizations can consistently monitor the ethical performance of trading partners and use that information to make strategic business decisions, such as renewing supply contracts with high-performing suppliers or terminating those with underperformers.

Secure Trading-Partner Relationships

Once a supplier has been selected, it’s important to secure the supplier’s interaction with your organization. This helps to increase trust and minimize risk across trading-partner relationships. It can be done using an identity and access management platform for assigning a digital identity to trading partners across the business ecosystem.

In the process, you can ensure that external suppliers, business partners and contractors have secure access to the internal systems they need based on their roles within the ecosystem, including logistics, warehouse management, inventory and enterprise systems, as well as data.
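The role-based decision described above, written out as an added example rather than Polonious code or any IAM vendor’s API. Partner identifiers, organisation names, role names, the system names (shipments, inventory, receiving, erp) and the separation-of-duties rule are all assumptions; a real deployment would hold the identities in an IAM platform and federate the login, but the decision logic (valid identity, MFA present, then role grants, every decision audited) is the part worth seeing.

```python
"""Least-privilege access for supply-chain partners (added example).

Partner ids, organisations, roles, systems and the conflicting-role policy
are assumed, not taken from the page or from any product.
"""
from dataclasses import dataclass
from datetime import date

# What each role may do, as (system, action) pairs. Roles are scoped to the
# systems a partner genuinely needs; nothing here grants a write to "erp".
ROLE_PERMISSIONS = {
    "logistics": {("shipments", "read"), ("shipments", "update_status")},
    "warehouse": {("inventory", "read"), ("receiving", "create")},
    "inventory": {("inventory", "read"), ("inventory", "adjust")},
    "auditor":   {("shipments", "read"), ("inventory", "read"), ("erp", "read")},
}

# Roles that must not be held together (assumed separation-of-duties policy).
CONFLICTING_ROLES = [{"inventory", "auditor"}]


@dataclass
class PartnerIdentity:
    partner_id: str        # e.g. "SUP-0042" (assumed format)
    organisation: str
    roles: set
    valid_until: str       # ISO date; access ends with the contract
    mfa_enrolled: bool = False


AUDIT_LOG = []             # every decision, allowed or denied, is recorded


def assign_roles(identity, roles):
    """Attach roles, rejecting unknown roles and combinations that break separation of duties."""
    wanted = set(identity.roles) | set(roles)
    for conflict in CONFLICTING_ROLES:
        if conflict <= wanted:
            raise ValueError(f"{identity.partner_id}: roles {sorted(conflict)} conflict")
    unknown = wanted - set(ROLE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown roles {sorted(unknown)}")
    identity.roles = wanted


def authorize(identity, system, action, today):
    """Decide whether the partner may perform `action` on `system` on `today` (ISO date).

    Checks run in order: identity still valid, MFA present, then role grants.
    Returns (allowed, reason) and appends the decision to AUDIT_LOG.
    """
    if date.fromisoformat(today) > date.fromisoformat(identity.valid_until):
        decision = (False, "identity expired")
    elif not identity.mfa_enrolled:
        decision = (False, "mfa not enrolled")
    else:
        granted = set()
        for role in identity.roles:
            granted |= ROLE_PERMISSIONS.get(role, set())
        if (system, action) in granted:
            decision = (True, "granted by role")
        else:
            decision = (False, "no role grants this action")
    AUDIT_LOG.append({"partner": identity.partner_id, "system": system,
                      "action": action, "date": today,
                      "allowed": decision[0], "reason": decision[1]})
    return decision


def demo():
    """Walk one constructed partner through its lifecycle; returns the decisions made."""
    acme = PartnerIdentity("SUP-0042", "Acme Harness Co", set(), "2025-12-31", True)
    assign_roles(acme, {"logistics"})
    results = {
        "in_role":  authorize(acme, "shipments", "update_status", "2025-06-01"),
        "out_role": authorize(acme, "erp", "read", "2025-06-01"),
        "expired":  authorize(acme, "shipments", "read", "2026-01-01"),
    }
    try:
        assign_roles(acme, {"inventory", "auditor"})
        results["sod"] = "not enforced"
    except ValueError as exc:
        results["sod"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```

The ordering of the checks matters: an expired contract or a missing second factor is refused before roles are consulted, so an offboarded supplier whose roles were never cleaned up still gets nothing, and the audit record shows which gate refused it.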

Digitize Your Supply Chain

Upon securing the desired trading partners, companies must then connect them electronically to business operations, in order to establish a digital supply chain.

Ideally, this would take place in a cloud-based, data-integration environment, which allows the supply chain platform to scale in line with changing consumer demands and fluctuating market conditions. Embracing a digital supply chain also helps to prevent the falsification of manual, paper-based supply-chain documents, and therefore indirectly reduces the amount of counterfeit parts entering the supply chain, especially in the aftermarket sector.

Monitor Shipment Provenance

The key to building trust and protecting the reputation of an organization is knowing the source of all the parts that make up a product. Leveraging the internet of things (IoT), organizations can improve supply-chain visibility by tracking both the movement and condition of shipments. IoT sensors measure the temperature of frozen or perishable goods, shock levels as fragile goods are moved, and the location of expensive items via the global positioning system (GPS). In doing so, shippers can help to ensure against spoilage, damage and theft.

While IoT on its own can bring a slew of benefits to organizations, combining it with other advanced technologies such as blockchain can take it a step further. With blockchain, organizations can ensure greater traceability by capturing the source and retaining the provenance of goods as they flow through the supply chain.

For example, if a fire breaks out in a vehicle and the source is found to be the wire harness, a potential government-mandated recall might require the identity of all suppliers who were involved with its manufacture. If poor-quality gold was used in the connectors fitted to the wire harness, evidence in the blockchain can immediately identify where the gold came from — even the mine from which it originated.

While blockchain stands to transform ethical sourcing practices, organizations are still at the early stages of learning about the technology and how it can impact the way they do business. It will be a few years before blockchain finds its way into every business process.
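Two of the claims above, that electronic documents resist the falsification paper invites (Digitize Your Supply Chain) and that a ledger can trace a wire harness back to the mine its gold came from, rest on the same mechanism: records that are signed by whoever created them and chained by hash so that altering or removing one breaks everything after it. The following is an added example, not the page’s or any blockchain vendor’s code. Supplier names, keys, part numbers and events are constructed, and per-supplier HMAC keys stand in for the public-key signatures a real ledger would use.

```python
"""Tamper-evident, supplier-signed provenance ledger (added example).

Every custody event carries the hash of the previous event and an HMAC from
the recording supplier's key. Suppliers, keys and part ids are constructed.
"""
import hashlib
import hmac
import json

# Assumed shared secrets, one per supplier. A real ledger would use PKI.
SUPPLIER_KEYS = {
    "MineCo": b"k-mine", "ConnectorCo": b"k-conn",
    "HarnessCo": b"k-harn", "AutoCo": b"k-auto",
}
GENESIS = "0" * 64


def _canon(obj):
    """Canonical JSON so that signatures and hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class ProvenanceLedger:
    def __init__(self):
        self.events = []

    def record(self, supplier, part_id, inputs, description):
        """Append an event for `part_id` made from `inputs`; returns its hash."""
        prev = self.events[-1]["hash"] if self.events else GENESIS
        body = {"seq": len(self.events), "supplier": supplier, "part_id": part_id,
                "inputs": sorted(inputs), "description": description, "prev": prev}
        sig = hmac.new(SUPPLIER_KEYS[supplier], _canon(body), hashlib.sha256).hexdigest()
        event = dict(body, sig=sig)
        event["hash"] = hashlib.sha256(_canon(event)).hexdigest()
        self.events.append(event)
        return event["hash"]

    def verify(self):
        """Re-check sequence, back-links, signatures and hashes; returns (ok, detail)."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev["seq"] != i or ev["prev"] != prev:
                return False, f"chain broken at {i}"
            body = {k: v for k, v in ev.items() if k not in ("sig", "hash")}
            expected = hmac.new(SUPPLIER_KEYS[ev["supplier"]], _canon(body),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, ev["sig"]):
                return False, f"bad signature at {i}"
            unhashed = {k: v for k, v in ev.items() if k != "hash"}
            if hashlib.sha256(_canon(unhashed)).hexdigest() != ev["hash"]:
                return False, f"hash mismatch at {i}"
            prev = ev["hash"]
        return True, "ok"

    def trace(self, part_id):
        """Follow `inputs` upstream; returns {part_id: supplier} for every ancestor."""
        by_part = {ev["part_id"]: ev for ev in self.events}
        origins, stack = {}, [part_id]
        while stack:
            pid = stack.pop()
            ev = by_part.get(pid)
            if ev is None or pid in origins:
                continue
            origins[pid] = ev["supplier"]
            stack.extend(ev["inputs"])
        return origins


def build_demo_ledger():
    """The wire-harness story from the text, as constructed events."""
    ledger = ProvenanceLedger()
    ledger.record("MineCo", "GOLD-LOT-7", [], "gold lot assayed and shipped")
    ledger.record("ConnectorCo", "CONN-331", ["GOLD-LOT-7"], "gold-plated connector batch")
    ledger.record("HarnessCo", "HARN-09", ["CONN-331"], "wire harness assembly")
    ledger.record("AutoCo", "VEH-1001", ["HARN-09"], "vehicle build")
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print(ledger.verify())                 # (True, 'ok')
    print(ledger.trace("VEH-1001"))        # reaches GOLD-LOT-7 -> MineCo
    ledger.events[1]["description"] = "connector batch, plating unchanged"
    print(ledger.verify())                 # (False, 'bad signature at 1')
```

The trace answers the recall question in the text (which suppliers touched this harness, and where did the gold come from), and the verify step is what makes the answer trustworthy: a supplier cannot quietly edit its own earlier entry without its signature failing, and nobody can drop an entry without the sequence and back-links failing. What the ledger cannot do is make a supplier record the truth in the first place; it only fixes what was recorded.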

Identify Trustworthy Suppliers

Before embarking on an ethical-supply chain strategy, organizations must first locate trading partners who share the same ethical practices. They can search for potential partners based on specific criteria — for example, whether the business in question maintains sustainable working practices, uses conflict-free minerals in its products, or engages in fair labor practices. It’s imperative that companies be able to trust the partners they work with, to ensure ethical working practices across the end-to-end supply chain.

3 Strategies to Minimize Supply Chain Risk

Aim for end-to-end supply chain visibility

The supply chain involves many different operational stages, and each stage faces its own risks and challenges. If something were to go wrong in one of these stages, the last thing you want is to only find out about issues later down the production line, or even worse at the last minute before the final product or service is delivered to the buyer. 

The sooner you’re aware of any issues, the sooner you can deal with them and prevent them from disrupting or delaying the supply chain, or affecting the quality of final products or services. Therefore, supply chain visibility is extremely important in risk prevention.

Supply chain visibility is about knowing where inventory is on its journey through your supply chain, and if any issues are going to affect the delivery timeline. This information might be exclusively available for supply chain management to see, or customers may be able to see this information too. With this visibility, you can track the progress of orders and ensure quick responses to any changes.

Another form of visibility that can help you reduce supply chain risks is visibility into the financial stability of your suppliers. Acquiring financial reports during the procurement process can help you choose financially stable suppliers, reducing the risk of corruption, bribery, and financial issues affecting production processes. 

Share responsibility by including partners in Risk Planning 

When planning how to mitigate supply chain risks, it’s a good idea to include suppliers and partners in the process. They may have unique insights into the risks your supply chain faces and can help create effective solutions. You will also need to ensure your suppliers’ risk management and business continuity strategies align with yours. 

By including partners throughout the risk management process, you can make sure you’re all on the same page, aware of the risks that need to be managed, and the control measures that should be implemented.

Review Supply chain risks periodically

Your risk management strategies will only be effective if they’re up to date and relevant to your supply chain and business operations. So carrying out a risk assessment once simply won’t cut it. You need to regularly review supply chain risks and ensure control measures and planned responses to different scenarios are still relevant. 

You should review your supply chain risks at least once a year or whenever changes are made to your supply chain and production processes. For example, if you start working with a new supplier, or changes are made to the manufacturing or delivery processes, you’ll need to assess any new hazards. 

How Polonious can Help

Implementing the Polonious Case Management System can help you improve communication throughout the supply chain. Reports can be filed to draw attention to defective shipments and other supplier issues requiring corrective and preventive action. With improved communication throughout the supply chain, all parties are aware of the faulty product and can be held accountable for taking corrective action.

Once an investigation is complete, suppliers submit a report requesting approval of the corrective action taken. This allows managers to review the actions taken and the measures established to prevent the action from happening again.


It is critical that an organisation implements relevant structures and processes to effectively manage and monitor the compliance processes.

The risks that may stem from noncompliance with key legislative requirements can be very costly and damaging to an organisation.

The consequences of noncompliance range from penalties and fines, to imprisonment, withdrawal of licenses, litigation and reputational risk.

Fraud Recovery Statistics in Australia, US, and UK and Top 6 Fraud Prevention Tips for Companies

The Australian Commonwealth defines fraud as a crime in which someone dishonestly obtains a benefit, or causes a loss, by deception or other means.

Fraud may also involve activities such as:

  • theft
  • accounting fraud (e.g. false invoices, misappropriation)
  • misuse of credit cards
  • unlawful use of, or unlawful obtaining of, property, equipment, material or services
  • causing a loss, or avoiding and/or creating a liability
  • providing false or misleading information to the Commonwealth, or failing to provide information when there is an obligation to do so
  • misuse of assets, equipment or facilities
  • cartel conduct
  • making, or using, false, forged or falsified documents
  • wrongfully using information or intellectual property.

Fraudsters are increasingly finding direct ways to dishonestly benefit from a company’s clients, causing financial and reputational losses to companies across industries. In banking, for instance, fraudsters increasingly use digital platforms and phishing websites to target victims directly, bypassing the banks’ own security measures. As a result, fraud recovery is often an extremely complicated and time-consuming process. CommBank reports that digital fraud has been on the rise. The most common types of digital fraud seen by the CommBank Digital Fraud team include:

  • Phishing (manipulating the victim into revealing personal information and/or transferring money)
  • Malware (viruses, software or attachments designed to target online banking on computers or mobile devices and redirect transactions without the victim’s knowledge)
  • Porting (transferring the victim’s mobile phone number from one service provider to another; once the fraudster receives the victim’s messages, they can retrieve one-time passwords and make payments through the victim’s online banking account)
  • Identity takeover (taking over the victim’s identity to access existing bank accounts or to open new accounts and loans; this usually involves obtaining a full name, date of birth and address, then passing identity verification over the phone to update online banking login details)

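The porting and identity-takeover patterns above share a tell that a bank’s fraud operations team can look for: a contact-detail or login change, followed soon afterwards by a payment that was authorised only with an SMS one-time password. The following detection rule is an added example, not CommBank’s logic; the events, field names, the 48-hour window and the high-value threshold are all constructed for illustration.

```python
"""Rule-based detection of the port-out / identity-takeover pattern (added example).

Sample events, field names and thresholds are constructed, not real bank data.
"""
from datetime import datetime, timedelta

PORT_WINDOW = timedelta(hours=48)   # assumed: how long after a change we stay suspicious
HIGH_VALUE = 2000.0                 # assumed: amount that makes a new payee interesting

# Constructed sample: A1 shows the takeover pattern, B2 and C3 are benign.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "account": "A1", "type": "contact_change",
     "field": "phone", "channel": "phone_support"},
    {"ts": "2024-03-01T09:20:00", "account": "A1", "type": "login_change",
     "field": "password", "channel": "web"},
    {"ts": "2024-03-01T10:05:00", "account": "A1", "type": "payment",
     "amount": 4500.0, "auth": "sms_otp", "payee": "new"},
    {"ts": "2024-02-10T12:00:00", "account": "B2", "type": "contact_change",
     "field": "phone", "channel": "branch"},
    {"ts": "2024-03-05T12:00:00", "account": "B2", "type": "payment",
     "amount": 120.0, "auth": "sms_otp", "payee": "existing"},
    {"ts": "2024-03-05T13:00:00", "account": "C3", "type": "payment",
     "amount": 9000.0, "auth": "app_push", "payee": "existing"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_takeover(events):
    """Return alerts as (account, payment_ts, score, reasons) for suspicious payments.

    A payment is scored on three independent signals: SMS OTP used shortly after
    the phone number changed (the porting tell), login details changed shortly
    before the payment, and a high-value payment to a payee never seen before.
    """
    by_account = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_account.setdefault(event["account"], []).append(event)

    alerts = []
    for account, history in by_account.items():
        for event in history:
            if event["type"] != "payment":
                continue
            paid_at = _ts(event)
            recent = [c for c in history
                      if c["type"] in ("contact_change", "login_change")
                      and timedelta(0) <= paid_at - _ts(c) <= PORT_WINDOW]
            reasons = []
            if event["auth"] == "sms_otp" and any(c["field"] == "phone" for c in recent):
                reasons.append("sms otp used shortly after phone number change")
            if any(c["type"] == "login_change" for c in recent):
                reasons.append("login details changed shortly before payment")
            if event["amount"] >= HIGH_VALUE and event.get("payee") == "new":
                reasons.append("high-value payment to new payee")
            if reasons:
                alerts.append((account, event["ts"], len(reasons), reasons))
    return alerts


if __name__ == "__main__":
    for account, when, score, reasons in detect_takeover(SAMPLE_EVENTS):
        print(f"{account} {when} score={score}: {'; '.join(reasons)}")
```

Account B2 changed its phone number weeks earlier and makes a small payment, and C3 makes a large payment to a known payee with an app-based approval, so neither is flagged; A1 trips all three signals within an hour. The rule is deliberately simple so that each reason is explainable to the analyst who has to call the customer; the stronger control, which this detector only compensates for, is not to accept SMS as the sole second factor for payments at all.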
According to the PwC’s Global Economic Crime and Fraud Survey, the average company experienced 6 incidents of fraud over the past 24 months. This is the second highest reported level of incidents in the past 20 years. This is largely due to the changing business patterns, working styles and ever changing technology. 

The negative effects of fraud can trickle down to customers and clients, leading to reputational damage on top of financial repercussions. As such, it is important for companies to set measures to tackle and protect from fraud, now more than it ever was.

Fraud has a corrosive and far-reaching impact, and it continues to affect millions of individuals, companies and their clients across industries. Fraud can take many forms, can come from both inside and outside a company’s walls, and can be difficult to predict. Our 4-part series on Workplace Fraud can help you uncover, investigate and prevent workplace incidents and misconduct.

This blog will primarily focus on fighting against external threats which are ever-increasing in numbers and complexity. This blog will break the topic down into the following sections:

  • What makes Fraud a Challenging problem?
  • Fraud Recovery Statistics in Australia, US and UK
  • Top 6 Fraud Prevention Tips for Companies

What makes Fraud a challenging problem?

According to the Attorney-General’s Department of Australia, here are some of the key reasons why fraud is such a challenging problem.

Fraud is common

According to the Australian Institute of Criminology, there are tens of thousands of instances of reported fraud and corruption against the Commonwealth each year. The prevalence of fraud makes it a challenging and a costly problem for governments to deal with.

Increasing Complexity

Criminals and scammers are adopting new technology and more advanced methods to commit fraud. 

Fraudsters are diverse, creative and adapt quickly

They range from people taking advantage of opportunities to those who actively look to exploit government programs. Fraud is a profession for some. Their job and expertise is to examine government programs and find creative ways to exploit those programs.

Serious and Organized Crime is Involved

Criminals use advanced approaches and schemes with professionals, such as accountants, to exploit multiple government programs.

Fraud Recovery Statistics in Australia, US and UK

According to PwC’s Global Economic Crime and Fraud Survey, there is a clear link between investment made upfront, from technology such as anti-fraud programs and capabilities, to resources and programs, and reduced cost when fraud strikes. For instance, globally, companies with dedicated fraud programs reportedly spent 42 percent less on response and 17 percent less on remediation than those with no program in place. 

Fraud Statistics in Australia

According to a PwC research, of the Australian respondents who had been impacted by fraud in the past two years, some 60% said the experience had helped them to streamline their operations, 50% to embrace new technology, and 43% to ensure incidents were reduced subsequently.

Less positively, when it comes to implementing or upgrading technology to combat fraud, Australian companies still find it more difficult than those elsewhere to make the business case for such investments. When asked what factors were preventing them from implementing technology to prevent fraud, over one in four (26%) of the Australian respondents identified cost as the biggest barrier into implementing it – in line with 27% globally. The resulting relatively low level of investment in anti-fraud measures, programs and technology emerges repeatedly in PwC’s research.

Fraud Recovery Statistics in Australia

Between March and June 2020, the Attorney-General’s Department’s Commonwealth Fraud Prevention Centre and the Australian Federal Police (AFP) established a temporary Commonwealth COVID-19 Counter Fraud Taskforce under Operation Ashiba. The taskforce included a range of entities across the Commonwealth such as:

  • Australian Criminal Intelligence Commission (ACIC)
  • Australian Securities and Investments Commission (ASIC)
  • Australian Transaction Reports and Analysis Centre (AUSTRAC)
  • Department of Agriculture
  • Department of Defence
  • Department of Education, Skills and Employment
  • Department of Health
  • Department of Social Services
  • National Disability Insurance Agency
  • Services Australia

The taskforce works in partnership with other agencies including:

  • Australian Competition and Consumer Commission (ACCC)
  • Australian Taxation Office
  • State and territory law enforcement

The taskforce was set up to tackle fraud against the COVID-19 economic stimulus measures. Its aims were to:

  • Provide advice and guidance to Australian Government entities on building countermeasures into policy, program and system design to address fraud risks in the new COVID-19 economic stimulus measures, and to share intelligence across the Commonwealth and internationally to enable detection and disruption of fraud.
  • Equip Australian Government entities with deterrence messaging to build fraud awareness and prevention into government communications, and to explain the consequences of committing fraud.

According to the Australian Institute of Criminology, the total amount of money recovered increased from $631,800 in 2018 to $879,463 in 2019. This increase was also reflected in the mean (up from $817 in 2018, to $1,217 in 2019), although the median amount recovered remained the same ($200).

The total of amounts recovered in 2019 for the most serious occasion of personal information misuse in the last 12 months was $803,367, 41 percent more than 2018 ($569,342; see Table 16). The mean amount of money recovered in 2019 also increased ($1,035 in 2019 vs $730 in 2018). However, the median amount recovered remained the same at $200.

Fraud Statistics in the United States

Findings show that customer fraud, cybercrime, and accounting fraud are the top 3 types of fraud reported. The most significant increases were seen in customer fraud (from 28% in 2018 to 39% this year); accounting fraud (21% to 30%); and bribery and corruption (16% to 22%).

It seems self-evident, but the best way to avoid getting embroiled in a new fraud is to investigate and learn from the last one. Yet, according to PwC, 50% of US companies did not conduct an investigation after the last major fraud. And barely one third reported it to their board. Regulators—and, increasingly, the public—are demanding more. Reacting too slowly can not only result in more immediate damage, it can also cascade into a broader crisis.

Similarly to Australia, data shows a clear link between investments made in fraud prevention on the front end, and the cost savings gained on the back end. Companies that have a dedicated program for their most disruptive type of fraud spent less overall than those who do not have a dedicated program in place. 

Sometimes the ROI of fraud preparedness is measured less tangibly—but no less importantly—in terms of positive outcomes. Nearly half (45%) of all global respondents who have experienced an economic crime say they emerged in a better place—citing attributes such as an enhanced control environment, streamlined operations, fewer losses, and improved employee morale.

Fraud Recovery Statistics in the United States

The Department of Justice reported total recoveries of $2.2 billion for the fiscal year ending September 2020. These recoveries represent the lowest reported DOJ recoveries since 2008.

While it is the decline in recoveries that stands out, the 2020 DOJ fraud statistics do share some things in common with prior years. First, whistleblowers were again critical to DOJ’s recoveries. Of the $2.2 billion recovered, nearly $1.7 billion – 76% – was recovered in cases initiated by whistleblowers under the False Claims Act.

This percentage represents an increase from prior years, demonstrating the continued importance of whistleblowers. Second, as in prior years, healthcare fraud accounted for the majority of funds recovered: of the $2.2 billion recovered, nearly $1.9 billion – 83% – was attributed to healthcare fraud.

Fraud Statistics in the United Kingdom

Economic crime has reached its highest level in the past 24 months with 56% of UK businesses surveyed stating that they were impacted by fraud, corruption or other economic crime. This figure is the highest in the history of the 20 year PwC research and well above the global average of 47%. 

The top 5 types of frauds according to UK respondents were:

  • Cybercrime
  • Customer Fraud
  • Accounting Fraud
  • Bribery and Corruption
  • Human Resources Fraud

Looking across the evolving landscape of fraud, what is causing the most disruption to organisations? In the UK findings of PwC’s studies, cybercrime was stated to be the most disruptive by 28% of respondents, up from 25% in 2018. Accounting fraud almost doubled from 8% to 15%, and customer fraud held onto third spot at 13%.

The same findings show that companies that have a dedicated fraud program in place generally spend less, relative to revenue, on response, remediation and fines. However, setting up such a program is just the start. Once the program is in place, periodic assessment and continuous evolution are key. 

According to KPMG, the number of alleged fraud cases being heard in UK courts in the first half of 2021 has almost doubled compared to the same time in 2020, as UK courts saw continued recovery in the system following COVID-19 lockdowns.

Businesses are now also being increasingly targeted due to their larger financial transactions and the greater potential profits for fraudsters. Aside from the financial costs, being a victim of fraud can cause serious reputational damage for businesses. Concern about adverse publicity probably contributes to under-reporting.

The National Economic Crime Centre (NECC) 2017 Annual Fraud Indicator estimates fraud losses to the UK at around £190 billion every year, with the private sector hit hardest, losing around £140 billion. The public sector may be losing more than £40 billion and individuals around £7 billion.

Remote banking fraud losses are organised into three categories: internet banking, telephone banking and mobile banking. Remote banking fraud occurs when a criminal gains access to an individual’s bank account through one of the three remote banking channels and makes an unauthorised transfer of money from the account. Total remote banking fraud losses were £150.7 million in 2019, one percent lower than in 2018.

Fraud Recovery Statistics in the UK

The number of cases of remote banking fraud increased by 38 percent to 43,906. This reflects the greater number of people now regularly using internet, telephone and mobile banking, and attempts by fraudsters to take advantage of this. In 2019, 81 per cent of the adult population used at least one form of remote banking.

According to UK Finance, a total of £268.8 million of attempted remote banking fraud was stopped by bank security systems during 2019. This is equivalent to £6.41 in every £10 of fraud attempted being prevented. In addition, 17 percent (£25.8 million) of the losses across all remote banking channels were recovered after the incident. In 2021, 15 percent (£30.2 million) of the losses across all remote banking channels were recovered after the incident. In addition, 16 percent (£25.3 million) of the losses across the internet banking channel were recovered after the incident.

Here are some of the actions the finance industry can take to combat fraud:

  • Continuously investing in advanced security systems, including sophisticated ways of authenticating customers, such as using biometrics and customer behavior analysis.
  • Providing customers with free security software, which many banks offer.
  • Investing in the Take Five to Stop Fraud campaign to educate customers on how they can protect themselves from fraud and scams.
  • Sharing intelligence and information on this type of fraud so that security systems can be adapted to stop the latest threats.
  • Working with law enforcement, the government, the telecommunications industry and others to further improve security and to identify and prosecute the criminals responsible.

6 Recommendations for Companies to Tackle Fraud

Identify all your risks and address them on a prioritised basis

The Attorney-General’s Department of Australia defines a fraud risk assessment as a process to help better understand your company’s fraud exposure, the associated risks and the strength of your existing countermeasures. Companies should perform robust risk assessments, gathering internal input from stakeholders across the organisation’s business units and geographies, to identify risks and assess mitigating factors.

These assessments should also incorporate external elements. There is a wealth of information available in the public domain, and ignoring it would be a serious mistake. Risks should be assessed at regular intervals – not via a “once-and-done” approach. These are the common areas where fraud risks can emerge:

  • Policy and program development and delivery.
  • Revenue collection and administering payments to the public.
  • Service delivery to the public, including program management.
  • Provision of grants and funding arrangements.
  • Exercising regulatory authority.
  • Corporate financial transactions.
  • Procurement and contract management.
  • Payroll administration.
  • Changes in the activities or functions of an entity.
  • Issuing or using identity information.

Use the right technology

When it comes to fighting fraud, there’s no one-size-fits-all tool. It can be too easy to spend on the wrong things and too hard to understand the value proposition of the right things. But there is a Goldilocks solution for every organization—including yours. Find it by focusing on matching the real risks you face with proven, effective solutions to them.

Using our investigation and automation expertise, Polonious provides cutting-edge investigation management solutions across industries. Our flexible and adaptable software can work across various industries and find creative solutions for every kind of fraud and investigation.

Often, a mix of technologies works well in a solution, with each playing the part best suited to it, rather than attempting to make one piece of software do everything. For example, Polonious often integrates with an analytics or detection tool: the analytics tool finds potential fraud, which is then loaded into Polonious to manage the investigation.

To get the most from these technologies, here are a few questions you might ask yourself:

  • Are you collecting the right data, with the right rules and requirements?
  • Have you considered the use of machine learning to reduce false positives, or anomaly detection to identify emerging fraud patterns?
  • Are you feeding findings from investigations back into your fraud prevention program to make it more robust?

Back up your technology with the right governance, expertise, and monitoring

Recognise that one tool won’t address all frauds and technology alone won’t keep you protected. Technology often is only as good as the expert resources and regular monitoring dedicated to it. Polonious will continue to meet the demands of the ever-changing laws, regulations and standards as well as ensure a seamless onboarding process. However, you must ensure that this is supported by the people managing the program.

Escalate, triage and respond

The ability to react to a fraud once identified is an important capability and element of an effective fraud program. The ability to quickly mobilise the right combination of people, processes and technology can limit the potential damage. In some cases, a disruptive fraud may be an opportunity – or a strategic inflection point – to trigger broader organisational transformation for brand protection.

Look for risk markers

Are you seeing an uptick in red flags in your activity monitoring? Are hotline calls up or down? Have enforcement patterns in your industry or geographies changed recently? The Polonious Case Management System has a suite of reporting tools to help you identify trends and prevent future misconduct. This way, you’ll have an opportunity to emerge stronger, clearer, and better prepared than your competitors for the inevitable next incident.

Know how to respond

When your organisation is hit by fraud, you need to know how to respond, and quickly. A consistent approach across global operations is key: for example, in conducting investigations, making the right disclosures and taking appropriate disciplinary actions. There is still more to be done in responding the right way. Having adequate measures in place can help you respond efficiently during critical moments and even strengthen your organisation’s defences when the next fraud comes along.

There are simple steps that can be taken to help protect customers from falling prey to unscrupulous fraudsters. For example, encouraging online platforms to carry warnings, share data on known fraudsters and take down their profiles in order to prevent romance fraud scams. Solicitors and other professionals involved with transfers of customers’ money must ensure their own systems are not vulnerable to being hacked, and must warn customers that last-minute changes to payment accounts are likely to mean fraud is being attempted.

How Polonious can Help

When organisations have been impacted by fraud, many find they are able to use the incident as a significant driver of positive change across the business. According to PwC research, of the Australian respondents who had been impacted by fraud in the past two years, some 60% said the experience had helped them to streamline their operations, 50% to embrace new technology, and 43% to ensure incidents were reduced subsequently.

Means by which fraud can be detected include:

  • Routine internal audit
  • Suspicious activity monitoring
  • External Audit
  • Document examination
  • Corporate security (IT and physical)
  • Fraud risk management

As investigation experts ourselves, we know what it takes to help investigators do their jobs best.

Polonious offers case management solutions designed to help with process management, productivity, automation, and analytics. Our investigation software is trusted by investigation teams worldwide and can help you with risk prevention and detection, and ultimately help prove your case so you recover more from fraud.

The increasing prevalence and complexity of fraud is a major challenge to global companies across industries.

Fraud Recovery can be extremely complicated and time-consuming. Holistic risk assessments and using the right technology can help with prevention and detection of fraud.

Developing an in-house investigation management app? Here are the DIY challenges and risks

How Polonious compares to DIY investigation management apps

When enterprise and government organisations develop their own applications it is usually in response to a lack of an off-the-shelf product to meet a business need. Investigation management is a specialised requirement which can lead to many types of custom processes and software – from spreadsheets to Web applications.

In this blog we will take a look at the challenges and risks of going it alone for your investigation management needs.

Starting small looks promising

A typical approach organisations take when it comes to developing in-house investigation applications involves finding someone known, the “spotty nephew”, and asking them how much it would cost to build a simple system to manage investigations.

The developer then finds a database, or existing app, which looks simple to manipulate and starts adding fields and linking them to other pages with more fields. And in the end you’ve got a case management system.

But cobbling together different systems (client system, CRM, projects, etc) and calling it an investigation management system involves a lot of custom code or custom integrations, which is problematic, even in the immediate term.

This is typical of the mid-market where there is often a mature IT team. Their challenge will not be what is required to build an investigations management system, but to prioritise that above the core requirements of the business they service.

The developers could write a great case management system, but if they are supporting the day to day business of an enterprise they will have constant conflict between the project and their core business. When they need to ask “what do we do?” the focus will always be drawn to the main business.

DIY carries challenges and risks

Many organisations have had no end of trouble with custom-developed software and a DIY investigation management system is even more of a challenge.

Some of the challenges and risks of a DIY approach organisations might not consider include:

  • Total cost. It is easy to underestimate the TCO of a custom app, including the initial development cost, ongoing support, and the time spent finding a technology platform that will actually work.
  • Maintenance. The maintainability of the code or system must be considered. For example, what happens when something needs to be upgraded or reaches end of life?
  • Skills. You need to hire the best people to continue to develop and maintain it and good people are hard to find and keep.
  • Security. There is also ongoing effort for security maintenance, including the security implications of poor practice, vulnerabilities, and compromises. You also need to ensure regular penetration tests and certifications are maintained.
  • Compliance. It is easy to underestimate the depth and breadth of what is required for compliance with regulations like the General Insurance Code of Practice. Can DIY keep up with a constantly changing regulatory environment? Yes, but it’s very hard and it is continuous.
  • Emerging tech. DIY requires you to update the platform over the years as technology is always changing. The system will need to keep up with emerging technologies, including mobile, IoT and cloud.
  • Knowledge management. Investigators have a wealth of knowledge, but is this being translated into the DIY product? You need to have everyone involved in the process on board with the product at all times.
  • Data integration. A good investigations management system will collate data from multiple sources and this needs to be factored into a DIY app. See this blog for more on Polonious’ integrations journey.
  • Usability and acceptance. You also need to ensure staff are able to use the product and get business value out of it.

Replace customisation with configuration

Polonious helps organisations that might need a customised app or process for a unique requirement by enabling configuration throughout our application.

We avoid code level “customisation” and focus on configuration, which is the ideal middle ground. If you have custom requirements then you can configure Polonious to meet the need without time consuming and expensive code changes.

Polonious has a common code base that services all customers, from which many customers have configured Polonious to meet their specific business requirements. However, Polonious is constantly adding new features, with further configurability, in response to customer demand and can also deploy new code as required.

For example, Polonious uses the SAME methodology to build out the business requirements of each customer, whether it is for insurance, banking, fraud or complaints. All of the processes are broken down into their basic elements and built up to be compliant with the appropriate regulation.

We enable customers to immediately focus on the desired product, whether it’s case reports, briefs of evidence, end of month or year reporting, and ensure that the data required is collected as part of the business process.

In summary, it is not a question of whether an organisation can develop its own investigations system, but whether the time, materials and ongoing investment required outweigh the benefit – and they often do, by far. Failing to keep up with regulatory requirements is also a continual risk.

This blog has some more information on what you will need to build an investigations management application:
