Cracking Down on Insider Fraud

What Can Banks and Credit Unions Do to Mitigate Their Risk?

Three insider fraud schemes at banks in Minnesota, Texas and California illustrate just how difficult it is for institutions to thwart inside jobs.


Detecting and preventing internal fraud requires layers of controls. Fraud-detection systems that monitor employee behavior can play an important role, experts say. It's also important to adopt certain fraud-fighting practices, such as separation of duties for certain transaction types and monthly or quarterly audits.

Prosecuting employees who commit fraud, of course, is a strong deterrent. But many institutions have found it challenging to trace fraud back to one individual or a group of individuals, which has made reporting fraud to law enforcement challenging. And some institutions have been reluctant to report fraud for fear of damaging their reputations.

Three Insider Cases

This week, the Federal Bureau of Investigation issued statements about three internal schemes that involved millions of dollars in embezzlement and fraudulent transactions from customer accounts.

On July 23, Matthew Walker, who once served as the vice president of Farmers and Merchants Bank in Orange County, Calif., was sentenced to 41 months in federal prison for a 16-month scam that defrauded one bank customer out of nearly $2 million. Walker took out a line of credit in the name of a trust, and then made interest payments on the money that appeared to be loaned to the trust to hide his crime.

In another inside job case, a former bank officer at Marshall, Minn.-based Minnwest Bank was charged July 24 with allegedly stealing hundreds of thousands of dollars from customer CD accounts. Barbara Rechtzigel has been charged with stretching her scheme out over 14 years.

And in a third case, Willard Scott, the former president of Huntington State Bank in Nacogdoches, Texas, pleaded guilty July 20 to making false entries to bank records. In 2010, Scott withdrew about $7,400 from a bank customer's checking account to pay his home contractor. Scott concealed the scheme by noting on the withdrawal form that the funds were being used to pay off the bank customer's loan.

Insider Fraud: Big Problem for Banks

Embezzlement and account theft continue to plague banking institutions of all sizes.

Most scams don't rival the $22 million embezzlement scheme Gary Foster, the former vice president of Citigroup Inc.'s treasury finance department, was able to pull off for nearly eight years.

But even some of the smallest incidents cost banking institutions big bucks and reputational damage (see Citi Case Exposes Insider Risks).

What Institutions Can Do

As more insider fraud events garner mainstream media attention, banking institutions face pressure to step up their technology investments and adopt practices that can detect internal fraud, says Randy Trzeciak, technical team lead of the Insider Threat Research Team in the CERT Program at the Carnegie Mellon Software Engineering Institute.

Banks can use anomaly detection systems and behavioral analytics to detect internal fraud, just as they're used to detect suspicious account activity. Many of these technologies can help institutions detect potentially fraudulent events in real-time or near real-time, Trzeciak says.

"If, for instance, a transaction is over a certain amount, then you could have an automatic control put in place that would flag that transaction for additional scrutiny," he says. "The problem is most insiders that have the ability to approve transactions also have knowledge of those limits, so they're able to avoid that additional scrutiny."

That's one reason many schemes successfully fly under the radar for long periods of time.

Beyond using technology, it's also important to adopt certain fraud-fighting practices, such as separation of duties for certain transaction types and monthly or quarterly audits, Trzeciak says.

"By separating duties, for example, I could not cut a check and also approve the check," he says. "But we do see collusion in these cases, where more than one person is involved. So other types of controls, such as end-of-month auditing, also should be implemented."

Frequent audits give institutions the ability to review transactions and account activity on a scheduled basis, Trzeciak says. They also offer an opportunity to review individual employee activity. "With an audit, you would still not catch the fraud until after the fact, but chances are you might catch it sooner," he says.
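The three controls described in this section (an amount threshold, separation of duties, and a periodic audit that looks for approvals clustered just under the threshold) can be sketched as one audit pass. This is an added example, not code from the article or from any institution it names; the ledger rows, employee names, the 10,000 limit and the 10 percent band are constructed assumptions.

```python
from collections import Counter

REVIEW_LIMIT = 10_000   # assumed review threshold (hypothetical value)
NEAR_BAND = 0.10        # "just under" means within 10% below the limit
NEAR_COUNT = 3          # near-limit approvals per approver before alerting

# Constructed sample ledger: (txn_id, maker, approver, amount)
LEDGER = [
    ("T1", "alice", "bob",   12_500),
    ("T2", "carol", "carol",  3_200),
    ("T3", "dave",  "erin",   9_800),
    ("T4", "dave",  "erin",   9_950),
    ("T5", "frank", "erin",   9_700),
    ("T6", "alice", "bob",    2_100),
]

def audit(ledger, limit=REVIEW_LIMIT):
    """Return (subject, finding) pairs for one audit period."""
    findings = []
    near = Counter()
    for txn_id, maker, approver, amount in ledger:
        # Automatic control: anything over the limit gets extra scrutiny.
        if amount > limit:
            findings.append((txn_id, "over_limit"))
        # Separation of duties: the person who creates a transaction
        # must not be the person who approves it.
        if maker == approver:
            findings.append((txn_id, "maker_is_approver"))
        # Track approvals that sit just below the limit, which the
        # per-transaction threshold alone never flags.
        if limit * (1 - NEAR_BAND) <= amount <= limit:
            near[approver] += 1
    # Periodic audit: an approver who repeatedly signs off on
    # near-limit amounts is reviewed even though no single
    # transaction crossed the threshold.
    for approver, count in sorted(near.items()):
        if count >= NEAR_COUNT:
            findings.append((approver, "repeated_near_limit"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(LEDGER):
        print(subject, finding)
```

The near-limit check runs per approver across the whole period, so it also surfaces cases where different employees submit the transactions but the same person approves them.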

Reluctance to Report Fraud

John Warren, vice president and general counsel of the Association of Certified Fraud Examiners, says more prosecution of those who perpetrate insider fraud would be a strong deterrent. The problem is that many institutions don't report these crimes to law enforcement, in part because they fear reputational damage.

"In our 2012 Report to the Nations, only 66 percent of victim organizations referred their cases to law enforcement," Warren says.

Trzeciak agrees more reporting would help. But according to Carnegie Mellon's research, about 75 percent of insider fraud cases are not reported to law enforcement, and fear of reputational damage is only part of the reason. In many cases, organizations just don't have enough details or information to successfully tie a fraud incident to a single individual or group of individuals.

But Warren says not reporting incidents creates more roadblocks.

"It's very hard to measure or understand the full scope of occupational fraud because so many of these crimes go undetected," he says. "The more cases that are reported, the better understanding we'll have of the full impact."

And when institutions and other organizations don't report fraud, it hinders other employers from weeding out potential offenders, since previous charges would come up on background checks. "A background check won't help you identify a person with past fraudulent behavior if that behavior was never reported," he adds.


About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



