According to FINRA, Citi's negligence in adequately supervising Tamara Moon, a former sales assistant at a Citi branch in Palo Alto, Calif., resulted in $749,978 being skimmed from the accounts of 22 Citi customers. Moon allegedly falsified account records and performed unauthorized trades that targeted elderly, ill or "otherwise vulnerable" accountholders.
FINRA in August 2009 barred Moon from the securities industry when it launched its investigation. On Tuesday, FINRA said its investigators had determined that Citi failed to detect or investigate a series of so-called red flags that should have alerted the bank to Moon's fraudulent use of customer funds. The red flags included exception reports that highlighted conflicting information in new account applications, as well as customer account records that reflected suspicious funds transfers between unrelated accounts.
FINRA says Citi also failed to implement reasonable systems and controls regarding supervisory review of customer accounts, which enabled Moon to falsify new account applications and other records.
Citi, which did not reveal the name of the former employee, says it is cooperating with authorities to ensure the individual responsible is prosecuted to the fullest extent of the law. "In 2008, upon discovering suspicious activity by a former Smith Barney employee, we immediately notified the authorities, terminated her employment and reimbursed impacted clients," says Citi spokeswoman Elizabeth Fogarty. "Protecting our customers is paramount and fraudulent behavior will not be tolerated."
The fine comes just more than a month after federal authorities involved in a separate internal fraud investigation arrested a former Citi executive for the role he allegedly played in embezzling more than $19 million from the bank and its customers.
On June 26, Gary Foster, who had worked in Citi's treasury finance department, was arrested on charges of bank fraud by the Federal Bureau of Investigation as he returned from a trip to Bangkok. If convicted, he could be sentenced to 30 years in prison. [See Citi Case Exposes Insider Risks.]
Investigators believe that between July 2010 and December 2010, Foster moved $900,000 from Citigroup's interest expense account and $14.4 million from its debt adjustment account into the bank's cash account. From there, in eight separate wire transfers, he allegedly had funds routed to an outside, personal account.
Shirley Inscoe, author of "Insidious: How Trusted Employees Steal Millions and Why It's So hard for Banks to Stop Them," says Citi is not alone. Most banks have done a poor job of keeping up with internal threats. [See Database Security Policies Needed.]
"With the economic downturn, I think many banks have cut back on their internal controls and fraud detection because of very tight budgets," Inscoe says. "Any other bank could have just as easily been victimized."
In May, an internal breach at Bank of America led to the compromise customer accountholder information.
"I have seen and heard that several times over the last two to three years. Banks saying, 'If we had not cut back on this or that, we would have caught this sooner," Inscoe says.
In the Moon case, FINRA says Citi should have detected the suspicious activity involving transfers and disbursements in the accounts. "In one incident, Moon misappropriated nearly $80,000 from an elderly widow's account," FINRA says. "An exception report highlighted two address discrepancies in the customer's account documents where the street address did not correspond to the city and zip code provided for the address, and the telephone prefix did not match the zip code of the address. Moon, who had entered the account information, attempted to explain to Citigroup that the discrepancies arose because the client had moved to Arizona, an explanation that did not seem reasonable."
Julie McNelley, a fraud and financial-services analyst at Aite, says the Citi case is the poster child for why more technologies should be applied to help banks track internal fraud.
"In some cases, Citigroup had the technology in place, and it was human error that is to blame," McNelley says. "In other cases, link analysis could have detected the link between Moon and the account she set up in her father's name," an account to which Moon allegedly transferred $150,000.
"It's not clear from the detail here, but it's likely, based on the description, that the frequency with which Moon was involved in transfers and disbursements was out-of-pattern relative to her peers, and behavior analytics may have been able to flag that anomaly," she adds. "This highlights the need for a comprehensive internal-fraud detection capability. While the $500,000 fine is painful, the reputation damage is much more significant."