Insider Case Exposes Security Lapses
Bank Manager Pleads Guilty to Theft
In Pennsylvania, a former PNC Bank branch manager has agreed to plead guilty to bank theft - a charge that could lead to 10 years in prison and a $250,000 fine.
The case, fraud experts say, is notable not for the size of the theft or the punishment, but because it typifies the types of insider crimes commonly committed at banking institutions.
The case also exposes common security flaws that allow such schemes to flourish.
"In this case, it looks like there was a breakdown of controls," says John Warren, vice president and general counsel of the Association of Certified Fraud Examiners. "Banks need to really focus on implementing controls and understanding other warning signs."
According to the U.S. Attorney's Office for the Middle District of Pennsylvania, Kimberly Laird stole nearly $80,000 over a six-year period while working for PNC's Bellefonte, Pa., branch.
Between January 2005 and November 2011, Laird allegedly stole funds from the bank and its accountholders by opening unauthorized credit and checking accounts and redeeming certificates of deposit.
Using her father's name and the names and accounts of four PNC customers, whose ages ranged from 81 to 89, Laird allegedly stole funds for personal use.
Under the terms of the agreement, Laird agreed to plead guilty to stealing the funds and to pay restitution for the losses. She faces a maximum term of 10 years in prison, a fine of up to $250,000, a three-year term of supervised release and a special assessment of $100.
"In terms of what happened, based on the summary, it appears that all of the fraud is related to the bank not properly identifying the customers of the accounts," he says. "She opened accounts in her father's name and other names. That's internal controls 101. You should never have one person opening accounts without more people reviewing those accounts."
The theft of nearly $80,000 spread over nearly seven years explains, in part, why Laird's scheme flew under the radar. She likely stole the funds in small increments, at least at first, Warren says. But the scheme going undetected for so long is unusual. Warren says most insider schemes at banks only last 12 months.
In its 2012 report, the ACFE reviewed 1,388 global incidents of occupational or insider fraud. Of those, 229 were financial institution cases, the largest number for any one industry.
Getting Around Controls
Warren says there likely were warning signs to Laird's thefts. "She may have been living beyond her means, or she may have had excessive control issues about her work, so no one could review what she was doing."
But it's common in these cases, he says, to see inadequate controls that are easily overridden. Because Laird was in a position of authority, she probably had an easier time managing her scheme, undetected.
Randy Trzeciak, technical team lead of the Carnegie Mellon Software Engineering Institute CERT Insider Threat team, agrees that controls are easy for insiders at banks and other organizations to get around.
"In some of the fraud cases we've analyzed, employees know the transaction threshold limits, so they perform their transactions under the thresholds to avoid additional scrutiny," Trzeciak says. "Often, we also see collusion, where two or more people were involved. Since most organizations implement dual controls, our speculation is that the employees got together to overcome those controls."
It's the reason insider fraud is difficult for organizations to detect and prevent. According to the ACFE, the average internal fraud event lasts 18 months before it's discovered, and the median loss is $140,000. And more than one-fifth of the cases included in its 2012 report involved losses that exceeded $1 million.
"It really comes down to not letting one person have the authority to open an account," Warren says. "If they do have authority, then there has to be some kind of system to raise a red flag if suspicious activity occurs," such as a number of checks being written from the account within a short period of time or an immediate request for additional temporary checks.
The key to internal fraud detection depends on a mix of technical and non-technical detection methods. Warren and Trzeciak recommend:
- Fraud Detection Technology. Regular controls must be put in place to pick up on anomalous account behavior or account changes. "When addresses were changed or checks were written, there should have been some sort of follow-up with the actual customer or account holder, and it does not appear that happened here," Warren says. "Like when you bank online, you'll get an e-mail to say a certain high-dollar transaction hit the account. That way, the account holder gets notice early on. It's a basic control."
- Whistle Blowing. Whistle blowing is one of the most effective fraud detection/prevention techniques. Employees must be allowed to anonymously report suspected fraud. "If a manager or someone in a supervisory position is involved in the crime, and if employees suspect, do they have the ability to report the suspicious activity?" Trzeciak asks. "Anonymous reporting would offer them a way to report the fraud without fear of repercussions."
- Dual Controls. No one person should have beginning-to-end oversight over transactions and new accounts. "Requiring two or more people may be an effective way to prevent or detect when something suspicious is happening," Trzeciak says.
- Audits. "Sometimes an external audit process makes sense, just to have a second set of eyes on the accounts," Trzeciak says.
- Mandatory Vacations. Because employees in positions of power can and often do override controls when they perpetrate fraud, many organizations require all employees to take annual vacations so their work can be reviewed. "When you have a fraud scheme like this, especially one that goes on for six years, there are things the fraudster has to do to keep this fraud off the books," Warren says. "She may have had to doctor statements or change mailing addresses so statements weren't going to actual accountholders. ... Banks and others that enforce mandatory vacations can review and monitor an employee's work while they are gone. That likely would have helped pick up on the fraud in this case."
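The three detection controls the experts describe above (dual control on account opening, follow-up on an address change that precedes check activity, and scrutiny of transactions kept just under a review threshold) can be expressed as simple rules over a branch's activity log. The script below is an added example, not code from the article or from PNC or the ACFE; the event records, the employee identifiers, the $1,000 review threshold and the time windows are all constructed for illustration.

```python
"""Rule-based insider-fraud detection over constructed branch activity records.

Added example (not from the article). Implements the three controls the
article's experts describe: dual control on account opening, customer
follow-up on address changes that precede check issuance, and detection of
repeated transactions kept just under a review threshold.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events (not real data). "mgr" and "teller1" are
# hypothetical employee identifiers; A1/A2 are hypothetical account ids.
EVENTS = [
    {"type": "account_opened", "day": date(2011, 3, 1), "account": "A1",
     "opened_by": "mgr", "reviewed_by": None},
    {"type": "account_opened", "day": date(2011, 3, 2), "account": "A2",
     "opened_by": "teller1", "reviewed_by": "mgr"},
    {"type": "address_change", "day": date(2011, 3, 5), "account": "A1", "by": "mgr"},
    {"type": "check_issued", "day": date(2011, 3, 8), "account": "A1", "by": "mgr", "amount": 900.0},
    {"type": "address_change", "day": date(2011, 3, 5), "account": "A2", "by": "teller1"},
    {"type": "customer_confirmed", "day": date(2011, 3, 6), "account": "A2"},
    {"type": "check_issued", "day": date(2011, 3, 9), "account": "A2", "by": "teller1", "amount": 200.0},
    {"type": "withdrawal", "day": date(2011, 4, 1), "account": "A1", "by": "mgr", "amount": 950.0},
    {"type": "withdrawal", "day": date(2011, 4, 3), "account": "A1", "by": "mgr", "amount": 975.0},
    {"type": "withdrawal", "day": date(2011, 4, 6), "account": "A1", "by": "mgr", "amount": 990.0},
]

# Assumed policy parameters (not from the article).
REVIEW_THRESHOLD = 1000.0            # transactions at or above this get extra review
NEAR_FRACTION = 0.9                  # "just under" means >= 90% of the threshold
STRUCTURING_MIN_COUNT = 3            # this many near-threshold moves ...
STRUCTURING_WINDOW = timedelta(days=14)   # ... within this window is a flag
ADDRESS_CHECK_WINDOW = timedelta(days=30)  # address change -> checks lookback


def flag_single_person_openings(events):
    """Rule 1 (dual control): account opened with no independent second reviewer."""
    return [e["account"] for e in events
            if e["type"] == "account_opened"
            and (e["reviewed_by"] is None or e["reviewed_by"] == e["opened_by"])]


def flag_unconfirmed_address_changes(events):
    """Rule 2 (customer follow-up): an address change followed by check issuance
    within the window, with no customer confirmation recorded in between."""
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e["day"]):
        by_acct[e["account"]].append(e)
    flagged = []
    for acct, evs in by_acct.items():
        for i, e in enumerate(evs):
            if e["type"] != "address_change":
                continue
            confirmed = False
            for later in evs[i + 1:]:
                if later["day"] - e["day"] > ADDRESS_CHECK_WINDOW:
                    break
                if later["type"] == "customer_confirmed":
                    confirmed = True
                elif later["type"] == "check_issued" and not confirmed:
                    flagged.append(acct)
                    break
    return flagged


def flag_sub_threshold_patterns(events):
    """Rule 3 (threshold awareness): one employee repeatedly moving amounts just
    under the review threshold within a short window."""
    per_emp = defaultdict(list)
    for e in events:
        if (e["type"] in ("withdrawal", "check_issued")
                and NEAR_FRACTION * REVIEW_THRESHOLD <= e["amount"] < REVIEW_THRESHOLD):
            per_emp[e["by"]].append(e["day"])
    flagged = []
    for emp, days in per_emp.items():
        days.sort()
        for i in range(len(days) - STRUCTURING_MIN_COUNT + 1):
            if days[i + STRUCTURING_MIN_COUNT - 1] - days[i] <= STRUCTURING_WINDOW:
                flagged.append(emp)
                break
    return flagged


def run_all(events=EVENTS):
    """Run every rule and return the flagged accounts/employees per rule."""
    return {
        "single_person_openings": flag_single_person_openings(events),
        "unconfirmed_address_changes": flag_unconfirmed_address_changes(events),
        "sub_threshold_patterns": flag_sub_threshold_patterns(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

On the constructed data, account A1 trips the first two rules (opened by one person with no reviewer, and its address change is followed by checks with no customer confirmation), while the employee "mgr" trips the third for three near-threshold withdrawals inside two weeks. Account A2 is clean on rule 2 because the customer confirmation arrives before the check is issued. Each rule is independent so that a reviewer can tune thresholds and windows per institution; the address-change rule in particular is where the article says the missing control sat.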