May the truth be told

This spring’s NHS Vacancy Survey is bound to show a continuing trend of falling vacancies in each of the key staff groups. And there’s every reason to expect a rise in fraud attempts caused by greater financial pressure on those working in or close to the NHS.
Just a few months ago, Nottingham Crown Court sentenced a pay officer to two years’ conditional discharge after a supervisor noticed unusual payments. Not too far away, a Derbyshire County PCT practice manager had charged personal goods to the NHS and forged signatures on falsified overtime and petty cash claims.

Lax controls still exist
With financial pressures mounting, and set to continue, now’s the time to focus more effort on prevention. The point of entry, that is when candidates are going through the recruitment process, is clearly the best time to spot potential fraudsters. Even a cursory review of new employees’ financial positions will quickly highlight vulnerabilities, as will proper follow-up of references from previous employers.
It’s concerning that many hiring managers still rely on contact details for referees supplied by candidates without first independently checking that the former employer even exists, let alone is the right person to corroborate employment dates. The KPMG Fraud Triangle clearly shows that lax controls tell fraudsters that they’re unlikely to be detected.

Conflicts of interest
Institutions that are reducing staff numbers, or merging departments, will find it harder to apply tighter internal controls. This is partly due to the decreased segregation of duties, and is particularly prevalent when HR and recruitment or resourcing professionals are either close to, or directly involved with, screening new recruits.
There’s a very obvious conflict of interests between recruiting staff with the right skills and experiences, at the right cost and timescales, and ensuring that the information supplied on application forms, at interviews and in assessment centres is the truth. Indeed, it’s rare to find security goals amongst recruitment staff objectives, and they’d almost certainly conflict with many of the efficiency and quality goals that come with attracting and selecting staff for, in particular, hard to fill vacancies.
Whilst senior management teams with responsibility for managing risk, be that statutory, regulatory, operational or reputational, will inherently understand these conflicts, the onus must be on security, risk, fraud and compliance departments to draw up new procedures to eliminate them. All too often, these same departments delegate the execution of otherwise worthy screening policies to the same people who recruit staff. NHS employers that operate such a regime compound their risks by operating under a false sense of security: they think they’ve undertaken the right checks, but could easily and unwittingly grant access to sensitive areas to those they think they can trust.
The clear advice is to ring-fence staff screening, keeping it discrete from the earlier stages in the recruitment process. This is one reason why many large-scale employers increasingly turn to outside, specialist providers.
NHS employers can no longer assume that they’re only protecting themselves from employee-perpetrated financial crime. KPMG’s Fraud Barometer showed an insidious rise in fraud perpetrated by professional criminals, more than ten-fold in the last ten years. It’s particularly difficult to defend against collusion between external professionals and trusted insiders.
The involvement of professional criminals when ID crime is rife should set alarm bells ringing in security, compliance, fraud reduction and recruitment teams, especially in the larger trusts. Recent evidence shows an alarming use of forged passports and other identity documents to gain employment. The Serious Organised Crime Agency (SOCA) itself warns that almost all organised criminals use ID fraud to enable them to commit a whole range of frauds and other crimes.
The UK Borders Agency already targets employers who don’t check who they’re employing. But there are three, far more worrying issues:

  • NHS workers operating under false identities could be working directly with patients, and have access to patient records, controlled medications, and secure sites.
  • Forged ID is very difficult to detect. There are around 3,000 forms of ID in circulation, many of which incorporate security features that are invisible to the naked eye. Introduction of scanning technology in recruitment departments is now vital.
  • The person arriving for work may not be the person who presented ID, even genuine ID, during the recruitment process. Hiring managers receiving new recruits may have never met the candidates during the recruitment process; and agency providers may well check ID to a satisfactory level, but are they also on-site on their first day of work, or do they send details of the agency worker to their client that includes a photo or security pass?

Many NHS employers may have improved their vigilance in checking criminal convictions but failure to check an employee’s identity renders any further check practically useless. Undertaking checks about a person operating under forged ID can even create a false sense of security as the criminal employee gains credence at every step that they remain undetected.

Continuous risk management
Even those employers who undertake simple checks at the point of entry rarely consider their employees’ changing circumstances when thinking about screening. Corruption of vulnerable employees facing, perhaps, insurmountable debt, family crises, their own greed and sometimes a misplaced rationalisation that they’re somehow ‘owed’ additional benefits should deter employers from relaxing controls simply because a member of staff is trusted, experienced in the same employer, senior enough to garner respect, or, junior enough to carry little risk.
As a minimum, employers should refresh some of the basic checks, including ID, financial position and criminal status, every time there’s a substantial change to the employment contract. And, perversely, the fact the practice cleaner often works unsupervised, outside normal hours and amongst sensitive information and systems should challenge the old-fashioned ‘hierarchical’ view of risk that supposes that senior managers pose greater threats.

Driving without a license
One particularly worrying example that highlights the importance of continuous risk management is the number of drivers driving without a valid licence. Employers’ responsibilities are not just for those whose occupations involve driving, nor just those who only drive vehicles owned by the provider.
Anyone who drives a vehicle whilst carrying out work (not including the commute to work) is likely to be covered by a group insurance policy. Driving without a valid licence could well invalidate such a policy and, to complicate this further, there have been instances when employees have been genuinely ignorant of their disqualification because penalty notices were sent to their previous address in cases where drivers haven’t applied for a new licence after moving home. Depending on the role and the amount of driving required, employees should submit to annual checks, more regularly for those with endorsements.

Sharing practice and intelligence

Whilst staff turnover in the NHS can be costly and create operational shortfalls in specific areas, most employees who leave one employer may actually be taking up new, similar positions at other NHS employers. Recidivists, those who repeatedly lapse into previous undesirable patterns of behaviour, should be a real concern and are a good example of the need to follow up references from previous employers.
An important factor in service delivery is the ability to deploy staff quickly. Employees should be able to port criminal record disclosures between trusts, and, once checked, education, employment experience and address histories should be just as easily portable from one NHS employer to the next. With staff turnover for both medical and non-medical workers at around ten per cent during an average career, most employees will change jobs several times. There’s no point in repeating many of these checks every time. Likewise, as in other sectors, NHS employers can collaborate on data matching exercises to identify fraud and to agree to consistent screening processes.

Desperate job seekers
Finally, we can’t ignore the rise in fraud perpetrated against job seekers themselves. UK unemployment could easily top three million. Many people are desperate to find work and are dangerously susceptible to offers that are ‘too good to be true’.
Responsible employers should seek advice from SAFER, the recruitment industry’s counter-crime forum, to protect job applicants’ personal and sensitive information and they must warn people applying for work to only share information about themselves with employers, agencies and job boards that they know and can trust.

About David Chernick
David Chernick is widely recognised as one of the leaders in staff screening to prevent crime perpetrated by or against employees and job seekers and is a renowned speaker and writer on employee trust and referencing. He is a senior manager at KPMG Forensic, which includes ex-police officers, forensic accountants, data mining consultants and fraud risk management specialists and he is a founder of SAFER (Safe Advice for Employment and Recruitment) –