Another NHS Fraud – “Sophisticated” Crooks or Bad Practice?

The NHS is huge, so we should not be surprised that there seems to be a regular stream of fraud cases from within the organisation, but it is still intensely depressing and infuriating.

The latest was reported by the HSJ and the victim is a mental health Trust – the Mersey Care Foundation Trust. It is “working with the NHS Counter Fraud Authority following a “sophisticated” incident which happened last month. HSJ understands it involved an invoice payment of around £900,000”.

The Trust confirmed saying it had “been the victim of fraud which has led to the theft of significant funds by external third parties”.  Their Chief Executive Joe Rafferty said that this has been a sophisticated approach to defrauding the trust.

Well, we’ll see about that. Often fraud is not truly sophisticated - rather, it relies on failings within the defrauded organisation. In our experience, the three most common types of invoice-related fraud are:

1. The inside job … an employee creates invoices for non-existent goods and services, payable for a “dummy” company that they control. They use their position within the organisation to ensure these are paid. (A recent example in the shambolic Barnet council demonstrated this approach). A variant is where the member of staff makes the invoices appear to be from a legitimate supplier, maybe even for legitimate goods – but it is their own bank account that the money is paid to.

2. The conspiracy - an inside person and an external person or group conspire to defraud the organisation. The outsider submits invoices that do not reflect real supply, and the insider makes sure they are paid. The invoices may even be from a genuine supplier but are inflated; or may be from someone who does no real work at all.

3. Invoice mis-direction – this has grown in recent years and is where an outsider either submits a fake invoice that looks like it is from a real supplier – but has their own bank details included – or persuades the paying organisation to re-direct payments for genuine invoices from a genuine supplier into the fraudster's bank account.

We don’t know which of these the Mersey Trust has suffered. There is no word of arrests so that might suggest the third option, but we would argue that none of these are really “sophisticated”. And they can all be avoided really,  with close to 100% successful risk mitigation, by following basic good practice.

For example, make sure all payments are supported by a purchase order. Have appropriate sign-offs for orders and payments. Don’t let anyone hold a budget and authorise payments themselves without checking. Have robust processes for supplier master data management – including changes to bank account details (see our recent interview with Costas Xyloyiannis of HICX for more on this).

More will emerge no doubt but we’ve seen this all before. While we sympathise of course, it’s also about time a CFO or two got fired in these public sector cases, where it is not the sophistication of the fraudster that is most noteworthy – it is the gross incompetence of the victim’s management.

Voices (3)

  1. Michael Angel:

    Not sure how I feel about CFO’s getting fired when in some cases it is the slip of a button from someone else that lands the organisation in the proverbial brown stuff. The majority of, if not most NHS Trusts operate a No PO No Payment policy. The level and sophistication of technology used in NHS Trusts can vary as to whether it is a P2P system they have in place or still use the old carbon pads!

    One hopes they can recover the sums lost.

  2. Pete Loughlin:

    Tip of the iceberg Peter.

    1. Sam Unkim:

      I think we have to accept, all the nurturing veneration felt towards the NHS from the first generations growing up under its care, have now disappeared.

      Your local Trust is being defrauded, the only question is, by how much !!!

Discuss this:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.