Introduction;

The right to erasure or destruction of data is guaranteed to data subjects by Section 40 of the Data Protection Act. Under the Data Protection Act, a data subject may request a data controller or processor to erase or destroy personal data held by them that they are no longer authorised to retain, that is irrelevant or excessive, or that is obtained unlawfully.

While the Data Protection Act provides for the erasure or destruction of personal data of an identifiable natural person, data destruction is not limited to the destruction of personal data.

Organisations can have in place data destruction policies that provide for the destruction of information stored within their premises to avoid storing documents indefinitely.

Case in point: The LSK Code of Ethics and Conduct for Advocates recognises an Advocate’s duty to maintain client records and establish and operate a secure filing and archiving system, so that client records do not get lost or misplaced, or fall into the hands of unauthorised persons. The Code also recognises the need to destroy such records and provides that should an advocate opt to destroy client records, reasonable efforts should be made to inform the client to come and take the files before they are destroyed.

Given the foregoing, having a data destruction policy is important in the data destruction process as it sets out the general principles an organisation, a data controller, or a data processor is guided by in the destruction of data. It also aids in ensuring a secure and compliant data disposal process.

Key components of an effective data destruction policy;

The 10 critical elements of an effective data destruction policy are as outlined hereinbelow:-

1. The scope and purpose of the policy;

An effective Data Destruction Policy must have a defined scope with a comprehensive definition, an explanation as to why the policy is needed, and the persons to whom the policy applies. This ensures that all affected persons are on the same page.

2. Identify the type of data to be destroyed;

In simple terms, data means information that is recorded as part of a relevant filing system. This Clause is essential as it defines what type of data is to be destroyed, be it client files, accounting records, employee records, or personal data pertaining to clients or employees.

The Clause also provides guidance on whether the data is stored in cloud form or in the form of hard copies. If data is stored in an online archival system, whether such archived data is subject to destruction.

3. An outline of how the data will be destroyed;

Identifying the data to be destroyed is key in providing an outline of how the data will be destroyed. The mode of destruction depends on the type of data to be destroyed. Data stored in electronic devices can be destroyed through ways such as deleting / reformatting, data wiping or overwriting, or degaussing. Data stored in physical form can be destroyed by burning, shredding, or recycling.

4. Personnel responsible for destroying the data;

An organisation can elect to destroy data internally or employ a data destruction company to perform the task. When an organisation destroys the data internally, it is important to ensure that it has the expertise to do so.

When choosing a data destruction company, there are certain factors that must be taken into account such as:-

1. A proper chain of custody is maintained to ensure that the data does not fall into the wrong hands;
2. The company provides a certificate confirming that all data has been destroyed and that no breaches have occurred;
3. Whether there are contractual obligations binding upon your organisation not to transfer certain data to a third party for processing, and if so, whether any consent is required to do so; and
4. Whether the data destruction company has an insurance provider to cover incidences of a mishap with your data and the security measures taken by such companies.
5. Transferability of the data;

This Clause sets out the form in which data is to be transferred to the person responsible for its destruction on-site or off-site and the persons responsible for collating all the data for destruction purposes.

6. Timelines for destroying the data;

In any organisation, destroying data that is no longer needed on a regular basis is vital. It is cost-effective as it helps reduce storage and archival charges. An effective data destruction policy ought to have timelines for data destruction. These timelines must take into account the requirements set out under various laws to ensure an organisation’s compliance with the Laws of Kenya.

For instance, under Section 23 of the Tax Procedures Act, it is required to keep tax records for five years from the end of the reporting period to which it relates or such a shorter period as may be specified in a tax law.

7. Exceptions – data retention/archiving;

The policy must state whether part of the data will be retained due to circumstances such as the high cost of destruction, the criteria to be used when retaining certain data, the persons responsible for storing said data, and whether authorisation is required when retaining said data.

8. Nature of consent to destroy the data;

It is important for every organisation to ensure that written consent is obtained before destroying data, such as client files. This ensures that data is not destroyed in an unauthorised manner.

The policy can be brought to the attention of clients, and consent obtained before undertaking the destruction process. An organisation can also consider having a “Return or destruction of Information Clause” in its contracts with third parties.

9. Certificate of “no copies retained” / Data Destruction custody report;

In any data destruction process, whether carried out on-site or by an external data destruction company, a certificate of “no copies retained” is important to enabling an organisation to cover its tracks should legal action be taken against it. A data destruction custody report that shows the chain of custody during the process is also key in protecting your organisation’s interests.

10. Environmental sustainability;

This ensures that the organisation complies with the applicable environmental laws, policies, and procedures and that the destruction process is environmentally sustainable to guarantee minimal environmental damage.

Conclusion;

In conclusion, ensuring data destruction is carried out securely and promptly is essential for every organisation. Having a data destruction policy is key in ensuring a proper chain of custody is maintained, that the process is not compromised and that professionals with the necessary expertise do the destruction.

Implementing a data destruction policy is a must for all organisations. The policy should be tailored to suit the business’s specific needs and must consider technological evolution. The policy should be reviewed and updated regularly and should be communicated to all employees

How can we help?

Have you had success implementing a data destruction policy in your organisation? At Riskhouse International, we have a policy review and development program led by a team of seasoned lawyers with vast experience in policy review and development. We are also available to help review the processes and operations within your organisation, develop a tailor-made data destruction policy that fits your needs, and offer continuous period reviews on the policy.

To learn more about our policy review and development program and to catch up on our other news and alerts you can visit our blog on our website at https://riskhouse.co.ke/blog/.

The post 10 key components of an effective data destruction policy appeared first on Riskhouse International Limited.

Introduction;

According to the Merriam-Webster Dictionary, one of the exceptions to the semantic realm of ‘snitches get stitches’ is the word “whistleblower”. A whistleblower is defined as a person who reveals something clandestine or who informs against another. In an employment setup, a whistleblower can be defined as an employee who brings wrongdoing by an employer or by other employees to the attention of the employer, a government, or a law enforcement agency.

The Legal Framework Governing Whistleblowing in Kenya;

The foundation of whistleblowing in Kenya can be traced back to Section 9 of the Bribery Act [hereinafter “the Act”], which places a duty on public and private entities to put in place procedures appropriate to their size and the nature of their operation, for the prevention of bribery and corruption. Under the said Act, the Ethics and Anti-Corruption Commission [EACC] is mandated to assist private entities, public entities, and any interested person to develop and put in place procedures for the purposes of the said legal provision.

In 2021, the office of the Attorney General, in consultation with the EACC, published the “Guidelines to assist Public and Private Entities in the preparation of Procedures for the Prevention of Bribery and Corruption” [hereinafter “the Guidelines”] with the purpose to assist the public and private entities to prepare procedures for the prevention of bribery and corruption.

The Guiding Principles When Developing Whistleblowing Procedures;

As per the Guidelines, when developing procedures for the prevention of bribery and corruption within an entity, the following principles ought to be taken into account:-

1. The prevention procedures should be in writing and in the Kenyan official languages;
2. During the development of the policies, the entity shall assess and map out bribery and corruption risks in its operations and develop a plan to mitigate such risks;
3. The prevention procedures ought to provide for an implementation structure or arrangement that takes into account the size, scale, and nature of operations of the entity and the identified risks;
4. The procedures ought to provide sufficient mechanisms to facilitate efficient and effective reporting of bribery and corruption within the entity and facilitate, among other things, confidentiality and protection of whistleblowers, informants, and witnesses;
5. The procedures shall designate a person or persons in authority to set up an enforcement structure; and
6. The procedures should provide for effective communication, training, awareness-creation, and dissemination to internal and external stakeholders on the bribery and corruption prevention procedures established by the entity.

Why You Need A ‘Whistle Blowing’ Policy and Procedure in Your Organization;

Every public and private entity is expected to have whistleblowing policies and procedures. While the Act and the Guidelines set out the basis for the development of the procedures to be used in the reporting of bribery and corruption, whistleblowing policies within an organization can cover a wider scope and provide an avenue for reporting other inappropriate acts such as; malpractice, fraud, failure to comply with laws and regulations, crimes and concealment of crimes, abuse and other inappropriate acts or omissions that would prejudice the interests of the entity.

With the rampant increase of fraud and illegal activity within the workspace, the presence of a watertight whistleblower system is likely to reduce the likelihood of illegal activity and create a significant reduction in fraud cases. There are several benefits that a whistleblowing system can bring to an entity, such as:-

1. Violators are held accountable – unlike a system where employees are unable to report any illegal activities within an organization for fear of being exposed, the presence of a whistleblower system encourages people to expose wrongdoing which is a major factor in combating fraud, corruption, and illegal activities.
2. Provides protection to whistleblowers – a policy that guarantees confidentiality and protection to whistleblowers ensures that employees who come forward on illegal practices within the Organization do not face retaliation or victimization from their colleagues or from their employers. This also ensures the whistleblower’s right to access justice is guaranteed, as any employer who violates the policy faces fines or a lawsuit.
3. Reduces reputational risks – Reports of illegal activities within an entity may create bad press for an organization. Creating an internal mechanism and an enforcement structure to handle such incidents safeguards the Organization’s reputation.
4. Promotes a better work culture – a whistleblower system safeguards a safe culture within a workplace and allows employees to voice their concerns without fear of repercussions.

So what next, after providing an avenue for the “whistle” to be blown?

In conclusion, a whistleblower system does more than provide an avenue for the “whistle” to be blown. It helps in promoting proper corporate culture checks and balances by ensuring that issues are dealt with before they escalate to unmanageable levels that can lead to financial and/or reputational loss. It helps an organization comply with the laid down laws and procedures and ensures specific procedures are set out to ensure a safe and ethical way of handling concerns within an organization.

How can we help?

Do you have a Whistleblowing policy in your Company? If not, look no further. At Riskhouse International, we have a policy review and development program led by seasoned lawyers and fraud experts. We are available to help review the processes and operations within your Organization, develop a tailor-made whistleblower policy that fits your organizational needs, and offer continuous period reviews on the policy.

To learn more about our policy review and development program and to catch up on our other news and alerts, you can visit our blog through our website at https://riskhouse.co.ke/blog/.

The post “Snitches don’t have to get stitches” – why you need a Whistleblower Policy in your Organization appeared first on Riskhouse International Limited.

Introduction;

Insurance fraud occurs when someone deliberately lies to obtain a benefit that they are not entitled to or fabricates a claim. Insurance fraud can also occur when an Insurer intentionally denies one a benefit that is due, under an insurance policy.

While fraud is rampant in all types of insurance, in this Article, we shall discuss the various forms of life insurance fraud, and how to prevent them.

Life Insurance companies that have been in the business long enough have encountered various forms of insurance fraud ranging from application fraud, account takeovers, false identities, fake deaths, inflated claims, unauthorized beneficiaries, attempted murder to profit from a life insurance policy, and so forth.

While life insurance fraud is not new, recent research suggests a rise in these incidences since the COVID-19 pandemic. According to Aviva’s Annual Report published in 2021, for example, the UK saw a 13% increase in fictitious claims compared to 2020. Insurers encountered more than 11,000 incidences of insurance fraud totaling £122 million. This and several other reports suggest an upsurge of fraudulent insurance claims related to the COVID-19 pandemic. Fraudsters were quick to pounce on the opportunity and exploit the gaps created by uncertainties during the pandemic. The restriction of movement imposed by Governments also created a challenge in obtaining and verifying documents, resulting in modified underwriting and claims practices which created an opening for fraudsters to exploit.

As the life insurance sector faces numerous challenges, from the COVID-19 pandemic to the ongoing industrialization, it is apparent that fraud prevention remains a priority and should also be given due consideration. By adhering to the below practices, providers can leverage digitization to process claims and ensure timely settlement of claims. This limits the risk of insurance fraud: –

1. Implementing suitable claims control and processes– this should be a basic procedure for providers. For instance, in situations where there are only copies of death certificates, random post-claim audits should be conducted to ensure the legitimacy of death.
2. Regular training and continuous professional education for claim examiners– it is essential for claim examiners to stay current since fraudsters are constantly finding new avenues to exploit. While most claim examiners receive initial training, follow-up training is not conducted regularly. This in turn makes them unaware of the latest schemes, making them ill-equipped to observe emerging red flags. It is therefore important for every insurance company to ensure regular training on emerging trends in insurance fraud and how to avoid them.
3. Ensuring the rest of the organization is aware of fraud schemes and can detect possible red flags – this helps to ensure that there is an extra set of eyes and can save the company from a potential fraud scheme.
4. Attending industry conferences – industry conferences have proven to be effective since they create an avenue for sharing challenges, best practices, and lessons learned. This helps the insurance industry at large to keep abreast of emerging trends in insurance fraud.
5. Collaboration with other business units – when there is a proper communication channel, from application through claim payment, red flags, if any, are easily identified.
6. Application of data and predictive analysis – albeit a work in progress, in recent times, this prevention measure is becoming an important aspect of fraud detection as it can connect data points and identify combinations constituting potential fraud.

How can we help?

At Riskhouse International, we have a team consisting of specialist insurance fraud investigators who can obtain all the requisite evidence that allows insurers to question an insurance claim they suspect to be fraudulent. Our Investigators are capable of dealing with alleged frauds using forensic techniques, experience, and methodologies that produce successful outcomes for our clients. We have established a proven reputation in the industry for exposing suspected insurance claims.

To learn more about this service and to catch up on our other news and alerts you can visit our blog on our website at https://riskhouse.co.ke/blog/.

The post Best Practices for preventing life insurance fraud-post pandemic appeared first on Riskhouse International Limited.

Below are the various forms of payroll fraud schemes and how to prevent them: –

Ghost employees

This occurs when employers create fictitious employees or extend the employment period for an employee who already left the organization on the payroll system. This is done by the payroll accountants or Human Resources personnel and is highly common in organizations with large personnel or where supervision is not detailed. Employers participate in such fraud to increase their allowable deductions when calculating the taxable profit.

This form of fraud can be prevented through: –

1. Periodically auditing the payroll system against employee lists;
2. Checks for specter names, identification numbers as well as statutory deductions numbers to chaff out fake employee details; or
3. Randomly inspecting employee payments that are not subject to statutory deductions.

Falsified Wages

This is also known as timesheet fraud and occurs when employees falsify the timesheet to make it appear as if they worked for more hours or they ought to be compensated more for hours worked. The Timesheet fraud is conducted in two ways: –

1. Padding of hours – this refers to increasing the number of hours worked to reflect more than the actual number of hours worked, and
2. Manipulation of the hourly pay rate – this is aimed at increasing the amount of compensation for each hour worked.

Timesheet manipulation only occurs in companies that have hourly pay rates or that pay for overtime. This form of fraud can be prevented through various ways, such as: –

1. Having a clocking in and out system integrated with the payroll system will help in transmitting data automatically;
2. Having a compensation policy that clearly outlines the standard billable overtime hours as well as a clock-in and out policy; and
3. Regular payroll audits to monitor adherence to the policies.

Pay rate alterations.

This occurs when the pay rate of an employee is altered in the payroll system to increase the individual’s pay rate. Just like the previous schemes, this can only be conducted by a payroll accountant or a Human Resource personnel in collusion with the employee in question. An acute fraudster will alter the pay rate during payroll processing and change it back to the actual rate once payments are initiated. This form of fraud can be prevented in the following ways: –

1. Having a password-protected payroll scheme and limiting access to some features to each person’s essentials;
2. Ensuring that there is a comprehensive authorization protocol in place for pay rates and any other payroll changes; and
3. Doing payroll reconciliations for each payment period i.e., Monthly.

Commission Schemes

This is more likely to be committed by a salesperson or in manufacturing companies where employee bonuses/ commissions are measured by the number of units produced. The schemes are aimed at increasing employee compensation unjustly. Some of the ways through which an organization can prevent this form of fraud include, but are not limited to: –

1. Reviewing financial correlation, whereby an increase in sales commission should be a result of sales revenue;
2. Regular audit of the company’s top performers, or employees that take home high commissions; and
3. Have a commission policy that guides the allocation of commissions and bonus payments, as well as the approval process for the same.

Conclusion;

In an effort to prevent payroll fraud, the management should pay close attention to some of the indications of payroll fraud which include employees who have identical information, such as identification numbers, bank details, addresses, etc. in the payroll system, constant unfamiliar changes in the payroll records, errors in the payroll records as well as unaccounted transactions in the company accounts.

Lastly, in addition to having a human resource policy, it is always advisable for a company to have in place a compensation policy that guides any changes in compensation practices such as payment of salaries, bonuses, and commissions. Periodic payroll audits and reconciliations are also key in curbing payroll fraud.

How can we help?

Payroll fraud investigations are very critical in uncovering fraud. Such investigations involve interrogating employment contracts, a company’s human resource or compensation policy, the payroll system, company bank accounts, and manual employee lists.

At Riskhouse international, we have a team of Forensic Accountants and Fraud investigators who have hands-on experience in conducting investigations on various forms of fraud such as; fraudulent financial statements and other accounting frauds; potentially fraudulent payments; revenue-related irregularities such as revenue overstatement or understatement; matters involving fraudulent disbursements, cash larceny, and skimming; and inventory frauds.

To learn more about this service and to catch up on our other news and alerts you can visit our blog on our website at https://riskhouse.co.ke/blog/

The post The Different forms of payroll fraud and how they can be prevented appeared first on Riskhouse International Limited.