Citi Case Exposes Insider RisksInternal Controls Could Have Detected Fraud Much Sooner
Gary Foster, who worked in Citi's treasury finance department, was arrested by the Federal Bureau of Investigation at John F. Kennedy International Airport, just as he returned from a trip to Bangkok.
The United States Attorney for the Eastern District of New York has charged Foster with bank fraud. If convicted, he could be sentenced to 30 years in prison.
The Foster embezzlement charge marks the second public blow Citi has taken in less than a month. Also in June, the bank revealed that its online banking platform, known as Citi Account Online, had been infiltrated by hackers. Personally identifiable information about hundreds of thousands of Citi customers was likely exposed. [See Citi Breach Exposes Card Data.]
Tom Wills, a fraud analyst at Javelin Strategy & Research, said in response to the online breach that banks are losing the fraud fight because they aren't focusing on the right things. "If Citi is wise, they'll do some serious reflection, and make sure this particular failure doesn't repeat itself."
Citi has provided few details about the case, but in an issued statement says it is "outraged."
"Citi informed law enforcement immediately upon discovery of the suspicious transactions and we are cooperating fully to ensure Mr. Foster is prosecuted to the full extent of the law."
Lack of Internal ControlsShirley Inscoe, director of financial services solutions at Memento and a former risk management executive at Wachovia who authored "Insidious: How Trusted Employees Steal Millions and Why It's So hard for Banks to Stop Them," says Citi is not alone. Most banks have done a poor job of keeping up with internal threats. [See Database Security Policies Needed.]
"With the economic downturn, I think many banks have cut back on their internal controls and fraud detection because of very tight budgets," Inscoe says. "Any other bank could have just as easily been victimized."
"I have seen and heard that several times over the last two to three years. Banks saying, 'If we had not cut back on this or that, we would have caught this sooner," Inscoe says.
In the case of BofA, the now former employee has been accused not of embezzlement, but of leaking customer names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances to a ring of criminals. With the information, the crime ring reportedly hijacked e-mail addresses, cell phone numbers and possibly more to open accounts and order checks under stolen identities.
What Stands Out About CitiThe Citi case is a bit different, Inscoe says.
"It's such a classic case of insider fraud, how did he go so long without being caught?" she asks. "Many banks monitor their employees to detect various types of fraud. I'm pretty sure Citi did not have that kind of monitoring in place. They must have not had anything like that in place, because he would have been caught."
Foster was either very clever or was leading a double life that only caught up with him after leaving his post at Citi. According to the complaint filed by the U.S. Attorney, Foster transferred money from various Citigroup accounts to Citigroup cash accounts and then used ACH rails to fraudulently wire funds to his personal account at a different bank.
Between July 2010 and December 2010, Foster had allegedly moved $900,000 from Citigroup's interest expense account and $14.4 million from the bank's debt adjustment account to the cash account. From there, in eight separate wire transfers, he had funds routed to an outside, personal account.
"I'd like more information about this case to know if any of the activity was outside his normal activities," Inscoe says. "With ACH and wire, oftentimes the officer is called to confirm the transaction. But from what I understand, this gentleman was in the finance department; he was not an officer."
Lessons for OthersThat Foster was initiating such large wires should have been a red flag.
Inscoe says transaction monitoring, such as anomaly detection called for in the new FFIEC guidance, would have picked up the fraud. "You'd be surprised how little banks do for ACH and wire fraud," she says. "That's starting to change, because of growing fraud there. But banks are just starting to make investments in that area. Historically, the ACH and wire channels have not had sophisticated fraud-detection capabilities." That knowledge offers opportunity for inside jobs. "They take advantage of the trust of their co-workers, management and the company," Inscoe says.
But certain behavioral triggers should have clued executives at Citi in, even without systemic monitoring.
According to The New York Times, Foster had amassed many high-value possessions, including six residences, two worth more than $1 million, and two luxury vehicles. He also often traveled internationally and posted updates about his travels on social media sites.
"The bank should have picked up on this, one way or another," Inscoe says. In the end, however, he likely gave himself away, by talking too much or getting too comfortable. "He was foolish to post so much on social media sites with information about his activities," she adds. "But, it's obvious he is someone who is creative. ... I mean, you don't hear about a lot of employees conducting wire fraud."