Insiders: Primary Points of Compromise
Financial Fraud Fighting Needs Internal AttentionLast week's arrest of Gary Foster, the former Citi exec who's been accused of embezzling more than $19 million through wire transfers, has left the industry a little dumbfounded. [See Citi Case Exposes Insider Risks.]
How could a mid-level executive in the bank's treasury department manage to fraudulently push that much money through legitimate transfers? If true, it all happened right under the bank's nose, and it took almost a year to detect.
Sure. Foster is believed to have done a little shuffling to cover his tracks. Investigators brought charges against him after reportedly tracing movement of $900,000 from Citi's interest expense account and $14.4 million from the bank's debt adjustment account to the cash account.
After that, however, it seems the alleged scam was easy to pull off. From the interest expense and debt adjustment accounts, Foster is accused of scheduled eight separate wire transfers to deposit funds in an outside, personal account with his name on it.
Shirley Inscoe, director of financial services solutions at Memento and a former risk management executive at Wachovia who co-authored "Insidious: How Trusted Employees Steal Millions and Why It's So hard for Banks to Stop Them," says the Citi incident is hard to understand.
"It's such a classic case of insider fraud, how did he go so long without being caught?" she asks. "Many banks monitor their employees to detect various types of fraud. I'm pretty sure Citi did not have that kind of monitoring in place. They must have not had anything like that in place, because he would have been caught."
Sadly, as outrageous as it seems that an employee like Foster could allegedly get away with a multimillion dollar scheme that so blatantly abused the bank's legitimate transaction channels, it's not a problem that's unique to Citi. In fact, most banking institutions, from large to small, have done a poor job of keeping up with internal threats.
Let's take the internal breach at Bank of America as a second example. A now former BofA employee was charged last month with leaking customer names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances to a ring of criminals. The crime ring reportedly used the information to hijack e-mail addresses, cell phone numbers and possibly more to open accounts and order checks under stolen identities.
"I think many banks have cut back on their internal controls and fraud detection because of very tight budgets," Inscoe says. "I have seen and heard that several times over the last two to three years. Banks saying, 'If we had not cut back on this or that, we would have caught this sooner.'"
It's clearly an issue, in more ways than you might assume. This week, another connection to insider compromises was brought to my attention - the link between insiders and increasing attacks waged against lobby and branch-based ATMs.
Over the last year, a handful of reports about skimming devices being attached to ATMs located right inside bank branches or vestibule located outside bank lobbies, has revealed a certain criminal brazenness. These criminals are so bold; they don't care about compromising ATMs right in front of branch staff.
But Mike Lee, CEO of the ATM Industry Association, says bankers should not overlook the possibility that many of these recent attacks have an inside connection. "We wrote best practices for prevention of insider fraud, because we know there are sometimes forms of collusion," he says. [See Insider Threats: Great and Growing .]
When it comes to internal fraud and the damage it causes, banks and credit unions often fail in three critical areas, Inscoe says:
- Internal fraud is misclassified;
- Institutions underestimate how reports of internal fraud breed mistrust among consumers; and
- Not catching and stopping internal schemes quickly adversely affects consumers, who often fall victim to identity theft.