Insider Case Exposes Security Lapses

Bank Manager Pleads Guilty to Theft

May 24, 2012
In Pennsylvania, a former PNC Bank branch manager has agreed to plead guilty to bank theft - a charge that could lead to 10 years in prison and a $250,000 fine.

The case, fraud experts say, is notable not for the size of the theft or the punishment, but because it typifies the insider crimes commonly committed at banking institutions.

The case also exposes common security flaws that allow such schemes to flourish.

"In this case, it looks like there was a breakdown of controls," says John Warren, vice president and general counsel of the Association of Certified Fraud Examiners. "Banks need to really focus on implementing controls and understanding other warning signs."

Textbook Case

According to the U.S. Attorney's Office for the Middle District of Pennsylvania, Kimberly Laird stole nearly $80,000 over a six-year period while working for PNC's Bellefonte, Pa., branch.

Between January 2005 and November 2011, Laird allegedly stole funds from the bank and its accountholders by opening unauthorized credit and checking accounts and redeeming certificates of deposit.

Using her father's name and the names and accounts of four PNC customers, whose ages ranged from 81 to 89, Laird allegedly stole funds for personal use.

Under the terms of the agreement, Laird agreed to plead guilty to stealing the funds and to pay restitution for the losses. She faces a maximum term of 10 years in prison, a fine of up to $250,000, a three-year term of supervised release and a special assessment of $100.

Warren, co-editor of the ACFE's 2012 Report on Occupational Fraud and Abuse, says the scheme is a textbook example of the kind of insider fraud that affects many banks.

"In terms of what happened, based on the summary, it appears that all of the fraud is related to the bank not properly identifying the customers of the accounts," he says. "She opened accounts in her father's name and other names. That's internal controls 101. You should never have one person opening accounts without more people reviewing those accounts."

The theft of nearly $80,000 spread over nearly seven years explains, in part, why Laird's scheme flew under the radar. She likely stole the funds in small increments, at least at first, Warren says. But the scheme going undetected for so long is unusual. Warren says most insider schemes at banks only last 12 months.

In its 2012 report, the ACFE reviewed 1,388 global incidents of occupational or insider fraud. Of those, 229 were financial institution cases, the largest number for any one industry.

Getting Around Controls

Warren says there likely were warning signs of Laird's thefts. "She may have been living beyond her means, or she may have had excessive control issues about her work, so no one could review what she was doing."

But it's common in these cases, he says, to see inadequate controls that are easily overridden. Because Laird was in a position of authority, she probably had an easier time managing her scheme undetected.

Randy Trzeciak, technical team lead of the Carnegie Mellon Software Engineering Institute CERT Insider Threat team, agrees that controls are easy for insiders at banks and other organizations to get around.

"In some of the fraud cases we've analyzed, employees know the transaction threshold limits, so they perform their transactions under the thresholds to avoid additional scrutiny," Trzeciak says. "Often, we also see collusion, where two or more people were involved. Since most organizations implement dual controls, our speculation is that the employees got together to overcome those controls."

It's the reason insider fraud is difficult for organizations to detect and prevent. According to the ACFE, the average internal fraud event lasts 18 months before it's discovered, and the median loss is $140,000. And more than one-fifth of the cases included in its 2012 report involved losses that exceeded $1 million.

Follow Tracy Kitten on Twitter: @FraudBlogger
