Citi Case Exposes Insider Risks

Internal Controls Could Have Detected Fraud Much Sooner

July 5, 2011

On June 26, federal authorities arrested a former Citigroup executive for allegedly embezzling more than $19 million from Citi and its customers.

Gary Foster, who worked in Citi's treasury finance department, was arrested by the Federal Bureau of Investigation at John F. Kennedy International Airport, just as he returned from a trip to Bangkok.

The United States Attorney for the Eastern District of New York has charged Foster with bank fraud. If convicted, he could be sentenced to 30 years in prison.

The Foster embezzlement charge marks the second public blow Citi has taken in less than a month. Also in June, the bank revealed that its online banking platform, known as Citi Account Online, had been infiltrated by hackers. Personally identifiable information about hundreds of thousands of Citi customers was likely exposed. [See Citi Breach Exposes Card Data.]

Tom Wills, a fraud analyst at Javelin Strategy & Research, said in response to the online breach that banks are losing the fraud fight because they aren't focusing on the right things. "If Citi is wise, they'll do some serious reflection, and make sure this particular failure doesn't repeat itself."

Citi has provided few details about the case, but says in a statement that it is "outraged."

"Citi informed law enforcement immediately upon discovery of the suspicious transactions and we are cooperating fully to ensure Mr. Foster is prosecuted to the full extent of the law."

Lack of Internal Controls

Shirley Inscoe, director of financial services solutions at Memento and a former risk management executive at Wachovia who authored "Insidious: How Trusted Employees Steal Millions and Why It's So Hard for Banks to Stop Them," says Citi is not alone. Most banks have done a poor job of keeping up with internal threats. [See Database Security Policies Needed.]

"With the economic downturn, I think many banks have cut back on their internal controls and fraud detection because of very tight budgets," Inscoe says. "Any other bank could have just as easily been victimized."

That truth played out in May, when an internal breach at Bank of America led to the compromise of customer accountholder information, proving internal fraud is a problem.

"I have seen and heard that several times over the last two to three years. Banks saying, 'If we had not cut back on this or that, we would have caught this sooner,'" Inscoe says.

In the case of BofA, the now former employee has been accused not of embezzlement, but of leaking customer names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances to a ring of criminals. With the information, the crime ring reportedly hijacked e-mail addresses, cell phone numbers and possibly more to open accounts and order checks under stolen identities.

What Stands Out About Citi

The Citi case is a bit different, Inscoe says.

"It's such a classic case of insider fraud, how did he go so long without being caught?" she asks. "Many banks monitor their employees to detect various types of fraud. I'm pretty sure Citi did not have that kind of monitoring in place. They must have not had anything like that in place, because he would have been caught."

Foster was either very clever or was leading a double life that only caught up with him after leaving his post at Citi. According to the complaint filed by the U.S. Attorney, Foster transferred money from various Citigroup accounts to Citigroup cash accounts and then used ACH rails to fraudulently wire funds to his personal account at a different bank.

Between July 2010 and December 2010, Foster had allegedly moved $900,000 from Citigroup's interest expense account and $14.4 million from the bank's debt adjustment account to the cash account. From there, in eight separate wire transfers, he had funds routed to an outside, personal account.

Follow Tracy Kitten on Twitter: @FraudBlogger
