To keep your financial institution a step ahead of threats, it’s critical to spot common warning signs of internal fraud schemes. Additionally, implementing an automated solution to monitor employee and transaction activity—while sometimes perceived as an act of mistrust of valued employees—can expose suspicious behavior.
The same qualities that help employees work well can also help them perpetrate fraud. In four common schemes—general ledger fraud, identity theft, account takeover, and collusion with external criminals—insiders may devise ways to stay under the radar for years by taking advantage of internal vulnerabilities.
“Two key internal control weaknesses: a lack of segregated duties and lack of oversight through continuous, automated monitoring of journal entries”
—Tom Leuchtner, Wolters Kluwer
This makes it easier for insiders to move funds between accounts. An employee who has the authority to create an accounts payable record for a vendor, for instance, could also create a fake company in the system and issue payments to that company.
Recently, a high-level bank employee was indicted for allegedly transferring more than $4 million from general ledger accounts to her own accounts over a period of eight years and concealing the money in the general ledger. Because the bank employee had charge of the general ledger and the corresponding accounts, she handled journal entries and reconciliations. The indictment alleged that in order to carry out the scheme, the employee falsified information in monthly reports to the board and gave false information to examiners.
This case illustrates two key internal control weaknesses: a lack of segregated duties and lack of oversight through continuous, automated monitoring of journal entries.
In another recent general ledger fraud case, a personal banker allegedly opened both fictitious accounts and accounts with the names and identifying information of bank customers. The employee used these accounts to funnel money from the general ledger accounts.
In a separate case, an accounting clerk made deposits into a personal checking account from suspense accounts. She used different tellers’ computers, after the tellers had already logged into the system, to transfer the funds.
In both of these cases, employees were able to abuse their authority and access to the general ledger accounts to transfer funds from one account to another. While widely recognized as bad policy, sharing of login credentials is very common and can be a signature of suspicious activity.
Another internal fraud scheme on the rise in financial institutions is the theft of customers’ ID data.
One of the schemes of the fraud ring discovered in March involved employees within banks using stolen customer ID to create bank and credit accounts. The fraud ring was able to recruit people to assume stolen identities and withdraw funds because they knew the banks affected did not have sufficient technology and security to safeguard the customers’ information or alert the institutions when it was stolen.
Account takeover is another common internal fraud scheme, and often involves employees acting in collusion with outsiders.
For instance, a bank employee may open a deposit account for a customer and later set up online banking on the account without the customer's knowledge. The employee may then make unauthorized withdrawals from the account or give the online credentials to an external fraudster, who can use them to siphon money out of the account. In another scheme, the employee may sell a customer's PIN and account number to an external fraudster, change the address for the account and request a new check card.
Collusion With Outsiders
One of the more devastating internal fraud schemes, particularly to community banks, is when bank insiders collude with external fraudsters.
Fraud rings tend to be highly sophisticated and organized and may embed their members in a number of roles within a bank. A fraud ring may seek to place a member in Human Resources, for instance, to make it easier to get members hired as loan officers, tellers … or even loss prevention officers. Or knowing that the collections department has a weak background screening process and broad access to customer information, a fraud ring may try to place one of its members there solely to steal customer data.
In another example of an insider colluding with an outside fraudster, a loan officer may apply for a real estate loan under a phony customer name and work with an appraiser, who will submit an inflated appraisal on a property. The employee will then take the funds, making it look like the "customer" absconded with them, and feign ignorance of the situation.
What should you watch for?
Because internal fraud is often difficult to detect, it is essential to watch for certain behavioral and transactional indicators.
1. Employees seeking to disguise asset misappropriations can find plenty of places to do so within the general ledger.
They may manipulate records and find other methods of exploiting weak internal controls. In particular, insiders who have responsibility for both making journal entries and reconciling accounts warrant comprehensive oversight.
Accounting irregularities and other signs to watch for include:
• Insiders, or their interests, frequently appearing on transaction suspense item listings, but not on the “updated” version that is presented to the board of directors or to examiners.
• General ledger entries with incomplete transaction descriptions.
• Bank account reconcilements that are not current or that fail to describe the status of outstanding items.
2. Employees who have access to customer information may be tempted to steal it for their own purposes, to obtain credit and debit cards and open bank accounts. Or they may sell it to outsiders for a profit.
• After-hours logins to customer accounts.
• Frequent or excessive access to high-net-worth or VIP accounts.
• Employees accessing accounts that are unusual for the scope of their job.
3. Employees who are seeking full control of an account, where they or an outsider can make withdrawals or transfers from that account, may be involved in an account takeover scheme.
Unusual or frequent changes to a customer account are good indicators of this type of scheme and may include:
• An employee changing account statement mailing frequency to a longer period.
• An employee who is not on the team handling the customer changing a customer address.
• An employee changing a customer attribute and then changing it back within a specific time period (i.e. one month).
• An employee searching for several dormant customer accounts.
• An employee browsing dormant bank accounts and then transferring money from a dormant account.
In addition to watching for warning signs, it is important to monitor the potential for internal fraud risks in certain roles within your institution more closely than others and limit access to such data as Social Security numbers. The more credentials and account access privileges an employee has for customer and employee accounts, the bigger the risk they pose. Two illustrative examples:
1. Dial F for fraud. Customer-service roles within call centers are a target for fraudsters and fraud rings because they have access to the bank’s entire database of customers and their identities.
If the call center is outsourced, it may be particularly vulnerable.
2. Guru fraud. The IT department could also be susceptible to fraud. Computer technicians may be able to divert money from customer accounts to dummy accounts, or commit identity theft by accessing customers’ or employees’ personal information.
In one high-profile case, a computer technician stole the identities of other bank employees to open accounts at other financial institutions.
Because of the risks involved with the theft of customer or employee data, employees should only be allowed to view the information they need in order to do their job, and their behavior should be closely watched for some of the warning signs listed above.
Restricting access to customer data can help an institution prevent not only identity theft, but also associated fraud schemes such as account takeover. Continuous monitoring of employee behavior and transactional activity can help uncover warning signs of internal fraud.
To help increase the efficiency and effectiveness of monitoring efforts, a technology solution can automate many of the time- and labor-intensive processes associated with manual fraud detection. By capturing and recording data across a network, an automated approach can alert an institution to threats and create an audit trail of flagged activity to streamline investigation and loss mitigation.
A critical aspect of this type of monitoring is ensuring that it is in real-time. After-the-fact monitoring can help, but most certainly won’t avoid significant losses.
The best monitoring systems identify the behavior that leads up to loss events, targeting fraud at the source and permitting the institution to stop fraudulent behavior before it really starts. In this manner, the best strategy can be deterrence; employees know they are being monitored and should be reluctant to attempt any violations of company policy.
The most effective internal fraud technology solutions include customizable business rules, which can be preset to automatically stop transactions or flag them for further investigation. For instance, rules can be set regarding expected employee behavior. When insiders are operating in a manner that is inconsistent with their behavioral profile, the technology solution will automatically alert the institution. This can help pinpoint activity such as redundant account changes, excessive password changes, and demand drafts.
Also, if an employee is accessing inappropriate information for his or her job function, a technology solution can help link that activity to new deposit or loan activity that has been initiated by that individual.
Rules can be updated frequently as an institution fine-tunes its internal fraud prevention program.
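The access and account-change indicators listed earlier, and the stop-or-flag business rules described here, can be written as checks over an employee-activity audit log. The following is an added example, not part of the original article or any vendor's product; the event format, rule names, thresholds, reference data and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events (not real data):
# (timestamp, employee, employee_team, action, account, detail)
EVENTS = [
    ("2024-03-04 10:15", "e101", "retail", "view", "A-1", {}),
    ("2024-03-04 22:40", "e102", "retail", "view", "A-2", {}),
    ("2024-03-05 11:00", "e103", "collections", "change", "A-3",
     {"field": "address", "old": "12 Elm St", "new": "PO Box 9"}),
    ("2024-03-06 14:00", "e104", "retail", "view", "A-4", {}),
    ("2024-03-06 14:20", "e104", "retail", "transfer", "A-4", {}),
    ("2024-03-19 09:30", "e103", "collections", "change", "A-3",
     {"field": "address", "old": "PO Box 9", "new": "12 Elm St"}),
]
# Hypothetical reference data and tunable rule settings.
ACCOUNT_TEAM = {"A-1": "retail", "A-2": "retail", "A-3": "retail", "A-4": "retail"}
DORMANT = {"A-4"}
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time
REVERT_WINDOW = timedelta(days=30)     # "changed back within one month"
STOP_RULES = {"dormant_browse_then_transfer"}  # all other rules only flag

def detect(events):
    """Return (disposition, rule, employee, account) alerts in time order."""
    alerts, changes, dormant_views = [], {}, set()
    def alert(rule, emp, acct):
        alerts.append(("stop" if rule in STOP_RULES else "flag", rule, emp, acct))
    for ts, emp, team, action, acct, d in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if action == "view":
            if t.hour not in BUSINESS_HOURS:
                alert("after_hours_access", emp, acct)
            if acct in DORMANT:
                dormant_views.add((emp, acct))
        elif action == "transfer" and (emp, acct) in dormant_views:
            alert("dormant_browse_then_transfer", emp, acct)
        elif action == "change":
            if d["field"] == "address" and team != ACCOUNT_TEAM.get(acct):
                alert("address_change_outside_team", emp, acct)
            key = (emp, acct, d["field"])
            # Revert: the new value equals a value this employee replaced earlier.
            if any(d["new"] == old and t - t0 <= REVERT_WINDOW
                   for t0, old in changes.get(key, [])):
                alert("change_then_revert", emp, acct)
            changes.setdefault(key, []).append((t, d["old"]))
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

Tuning the program means editing the settings block (hours, revert window, which rules stop rather than flag), which mirrors how rules are adjusted as the program matures.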
In addition to accelerating the detection of suspicious activity, a technology solution can record internal user activity across an institution that can then be replayed for later investigation. By prioritizing probable fraudulent activity and centralizing case management, it can also help the institution quickly identify, gather, and close cases when activity is flagged.
By looking for internal schemes as they happen and helping an institution respond to threats more rapidly, a technology solution can help prevent financial losses and damage to an institution’s reputation associated with internal fraud.
At the same time, it can help an institution signal that internal operations are under surveillance. This can help deter criminals as well as prevent an environment of mistrust between management and employees.
Internal fraud schemes are becoming more complex, and implementing a technology solution as part of an enterprise-wide fraud management and prevention program can help an institution mitigate its fraud risks. With the ability to more closely watch and guard the areas of the bank that are likely to be targeted, pick up on warning signs, and strengthen its internal controls, an institution can not only combat immediate threats, but also keep future internal fraud at bay.