Beware of the Fraudster in Your Midst [RMA Journal, The]

Vigilance is the key to thwarting internal fraud. Specific safeguards can help uncover or even prevent unethical and illegal acts.

Banks took an absolute beating as a result of the financial crisis-a beating financially, reputationally, and legally. And not just from the media, shareholders, and regulators, but also from their own employees. Many banks were forced into layoffs that caused them to trim cost centers, such as compliance groups, despite the onslaught of new regulations.

After such a beating, you'd think that banks might catch a break. But instead, fraudsters have been quick to assess the situation and see an opportunity. Indeed, banks are now more susceptible to fraud than ever before. In a 2010 study on global fraud, conducted by the Association of Certified Fraud Examiners and covering 22 industries, the highest percentage of fraud cases occurred in the financial services sector. The reported median loss in those cases was $175,000.

Often, the perpetrator of the fraud comes from within. Whether an unscrupulous teller, loan officer, branch manager, or someone in the higher ranks, the keen fraudster is always looking to exploit weaknesses in the organization's defenses.

For banks, an internal fraudster's opportunities are vast and frequently include check fraud, misuse of ATM cards, improper loan procedures, schemes involving alternative products, or even money laundering. Indeed, an employee perceived as a trusted friend may turn out to be your biggest foe. And without the proper checks and controls, banks can create an environment that may actually open opportunities for-or even encourage-employees to commit fraudulent acts that may go undetected.

Fortunately for banks, relatively simple controls can mitigate losses from internal fraud. The system of controls, however, must address prevention, detection, and response.

Check Fraud

Check fraud is one of the most common fraud schemes and, fortunately, generally one of the least costly. It's common because technology makes it increasingly easy for criminals to create realistic counterfeit checks and use them to defraud financial institutions.

Unfortunately, check fraud can take many forms. For example, a bank employee may identify corporate accounts that maintain significant balances, steal (or copy) a corporate check from those accounts, create counterfeit checks with the same account details, and then deposit the counterfeit checks to a fictitious account. Another scenario may involve a bank employee using checks that were fraudulently obtained from a customer account. Or an accounting department employee may steal blank accounts-payable checks or intercept payments made to the bank from third parties.

Luckily, the controls used to prevent and detect these schemes are simple and common.

First, background checks should be conducted for all new hires. But the background checks shouldn't stop after the employee is hired-periodic monitoring of certain employees is absolutely essential. Just because they have a clean criminal record at the time of hire doesn't mean they'll continue to have a clean criminal record-or that a change in circumstances won't lead them to become desperate. Especially in a depressed economy, individuals frequently turn to actions they might not otherwise consider, and check fraud is easy to understand and, without sufficient controls, easy to commit.

Second, there should be a separation of functions-no one person should have access to account information and access to controlled supplies (such as check stock). And no one person should be able to sign checks and have control over account monitoring. Additionally, bank checks need to be stored securely, and stock control records need to be kept by a designated officer. Customers' orders for checks should be made in writing and signed by the customer.

To prevent and detect check fraud, financial institutions have implemented common controls, including the following:

* Imposing special holds on checks drawn on accounts that have been inactive for a specified period of time.

* Corresponding regularly with customers having dormant, or inactive, accounts to inquire whether the account should be closed.

* Requiring customers who close their accounts to return any unused checks to the bank.

Lastly, all employees need constant reminders that they are the ones on the front lines and that they need to be aware of-and report-suspicious or unusual behavior. Since the implementation of the Sarbanes-Oxley Act, public companies are required to have whistleblower hotlines or other misconduct-reporting mechanisms. And nowadays almost all companies, especially banks, even if not public, have the same or similar mechanisms.

Besides responding to specific allegations, management should periodically monitor the volume and types of calls. For example, while many organizations believe that low call volume is indicative that "all is well," it may actually indicate that employees are either unaware of the hotline reporting mechanism, or fearful of retribution. Therefore, reminding employees of the hotline's existence, encouraging them to use it, and creating an environment where they do not fear retribution are useful fraud-prevention tools that shouldn't be overlooked.

ATM Cards

Automated teller machine (ATM) cards create many opportunities for the internal fraudster.

In one scenario, the sales team responsible for sending ATM cards to customers makes illegitimate copies of the embedded magnetic codes and uses them to produce duplicate cards. These employees are also responsible for dispatching the PIN codes for these cards. With both the duplicate card and the PIN code, these employees are able to make illegitimate withdrawals.

ATM card fraud can more easily occur when there is no segregation of duties between sales personnel issuing ATM cards and sales personnel issuing PIN codes. Other circumstances include the bank's use of the same dedicated courier to dispatch ATM cards and PIN codes. Yet another opportunity occurs when PIN codes are dispatched with the parcel containing the ATM card. (Normally, banks issue PIN codes in a separate mailing seven to 10 days after the ATM cards have been sent.) Another opening for fraud is when the bank does not require the customer to acknowledge receipt of the ATM card and PIN code prior to activation.

Tighter controls can help alleviate these risks. Once again, there should be segregation of duties between those issuing the ATM card and those dispatching the PIN code. All reports generated by the bank should mask sensitive cardholder information, which is required by the card associations and other standards bodies. The bank should also implement encryption systems for all customer information stored in its in-house systems. Paper records that include card numbers should be kept safe and secured.

Override of Credit Approval

Credit appraisal is a key function performed by lending institutions prior to extending credit. Succumbing to the pressure of unrealistic sales targets, bank employees could fraudulently override existing credit-rating requirements or indulge in other unethical practices that expose the institution to undue credit risks.

Two of the possible fraud scenarios related to credit appraisal are as follows:

1. Alteration or fabrication of documents. The bank employee may create, forge, or copy the stipulated documents in order to clear a loan application. For instance, income could be overstated, falsified verification reports could be used, and so on.

2. Overriding of approvals. For cases requiring sequential approvals, the bank employee could obtain secondary-level approvals prior to the primary-level approvals for the purpose of manipulating the multi-level approvals matrix designed by management. Lower-level appraisers might be hesitant to counter cases approved by higher-level appraisers, resulting in processing of ineligible cases.

Indicators of credit approval fraud include the following:

* Employees achieving targets despite aggressive goals set by management and in times of financial crisis.

* Significant numbers of loan applications processed without the management approvals prescribed in the credit approval process.

* Customer applications processed despite the absence of unattested documents submitted by the customer.

* Documents presented with the application that appear to have been altered or forged, or that give the appearance of having been destroyed and reassembled.

An obvious way to address this fraud is to have management set realistic goals. Sales targets should be finalized by department heads after discussion with the sales personnel. In addition, in the event of adverse market conditions, employees should be given the option to revise their targets midyear after consultation with the business heads.

Sales and credit personnel also should be provided with a credit approval document outlining procedures for screening customers before they are granted credit. And an internal compliance team should review documents for compliance with the bank's customer-identification program at regular intervals.

Misappropriation of Loans

Somewhat related to frauds involving credit approval is the misappropriation of loans. In such cases, an individual working for a financial services firm will use the information provided on customers' loan applications to commit fraud.

These frauds are invariably committed in collusion and with the assistance of an individual who is outside of the lending entity. For instance, using forged or fabricated documents, bank employees could collude with customers to have loans sanctioned for higher amounts than the customers are eligible for.

In another scenario, a bank loan officer could set up fictitious loan accounts in the names of family and friends without their consent, again using forged documents. Thereafter, the loan officer could get the loan amount disbursed to these accounts, withdraw funds from one account, and cover up the transactions by transferring funds from another loan account. The loans eventually default.

Also, bank employees could commit fraud in the process of loan repayment though the theft (by intercepting the check) of an amount repaid by an honest borrower, or by the collection of payments on loans that have been officially written off by the bank.

Signs that a bank may fall victim to the misappropriation of loans include the following:

* Numerous instances of loan refinancings by a single employee.

* Several defaults on loans disbursed or approved by a certain loan officer.

* A substantial increase in the number of credit defaulters in comparison to prior periods.

* Numerous inactive loan accounts or accounts with no transaction activity.

* A high number of loan applications processed without all the management approvals prescribed in the credit approval process.

Again, a key pillar of a bank's antifraud policy should be the adequate segregation and rotation of duties. Different functions, such as authorization for transactions, custody of assets, disbursement of funds, and recording of accounting entries, ought to be distributed to different personnel in the accounts and credit department.

Bank policy should also require that the loan disbursement check be handed over directly to the applicant. In addition, the bank's compliance team should review documents for compliance with the bank's customer-identificaA tion program. Finally, each member of the sales and credit team should sign a declaration of adherence to the bank's best practices and credit norms procedures.

Mortgage Fraud

While mortgage fraud schemes are generally thought to be committed by third parties or customers, an employee or trusted counterparty may be looking to exploit certain control gaps as well. For example, a common fraud scheme involves a loan origination officer (or mortgage broker) knowingly making material misrepresentations about a borrower's ability to repay, or even altering documentation. Because loan origination officers and mortgage brokers are often very aware of each bank's lending requirements, they may be tempted to "tweak" the numbers so that an otherwise unqualified borrower meets certain lending limits.

To combat these types of fraud, underwriters need to carefully evaluate the loan file documentation and obtain original source documentation to verify and substantiate the assertions made on the loan application. For example, to validate the borrower's stated income, even if verification of income appears in the file, the underwriter should call the employer or consider obtaining a second verification directly from the employer. Searching public records often helps validate many loan assertions, such as whether the borrower has any prior bankruptcies, owns other properties, or has undisclosed judgments or liens.

Underwriters verifying information contained in the loan file need to pay special attention to the credit report, which can also suggest fraud if:

* There is no credit history.

* The credit file is "thin."

* Information appears contradictory to other loan application assertions (for example, the back-end ratio is low, but the credit report indicates that the borrower is making only minimum payments or has high unpaid balances).

* Liabilities shown on the credit report are not specified in the mortgage application.

* Significant differences exist between the original credit report and any new or supplemental reports.

* There is no segregation of duties between the loan appraisers and the employees who disburse the funds.

To stave off mortgage fraud, the financial institution should follow a policy of obtaining representations and warranties about the borrower and the underwriting processes from the originators. In addition, the bank needs to maintain segregation of duties so that no one person has the power to both authorize and disburse loan proceeds.

For mortgages sourced by brokers, the bank should conduct additional checks to establish the creditworthiness of buyers prior to disbursing the funds. Increased due diligence is recommended as well, such as requiring that documents submitted as income proofs be attested by notaries for authenticity before mortgages of a significant amount are disbursed; and background checks must be conducted on all customers seeking mortgages of a significant size.

Money Laundering

Conjuring up images of shady businesses and organized crime, money laundering is a process by which the origin of funds generated by illegal means is concealed. It's being employed worldwide to conceal such criminal activity as drug and arms trafficking, terrorism, and extortion. The International Monetary Fund has stated that the aggregate size of money laundering in the world could be between 2% and 5% of the world's gross domestic product.

Given the extensive use of electronic funds transfers, tracing movements of suspect money and identifying the real owners of suspicious assets (who are often hidden behind shell companies or offshore bank facades) are enormous tasks for enforcement bodies, intelligence agencies, and governments.

Examples of unscrupulous bank employees facilitating money laundering abound, but a notable one is the <location value="LS/us.fl" idsrc="xmltag.org">Florida-based BankAtlantic, which in 2006 agreed to pay a $10 million fine to avoid federal criminal charges that it allowed drug money to be laundered through accounts at one of its branches. The bank admitted that certain rogue employees violated the company's anti-money-laundering policies and procedures.

To guard against internal complicity with money launderers, banks should require pre-employment background checks on all new employees and conduct periodic credit checks on existing workers. Again, adequate segregation and rotation of duties are crucial. In effect, no one person should have the authority to conduct a transaction, have custody of the instruments, and be able to make accounting entries. Also, employees need to be thoroughly trained in verifying customers' identities according to "Know Your Customer" policies and be instructed to follow the procedures rigorously.

Alternative Products

Looking to expand their services, many banks are beginning to offer various alternative products, such as mutual funds, annuities, and life insurance. These products open up a whole new area for dishonest or desperate bank employees to commit fraud.

One of the more familiar frauds in this area is "churning." This is the term for when a broker engages in excessive buying and selling of securities in a client's account to generate commissions without regard to that client's investment objectives.

Two metrics that can be used to detect potential churning are "annual turnover rate" and "break-even percentage." The annual turnover rate is the number of times per year a customer's securities are replaced by new securities. Turnover ratios greater than six are generally considered to constitute churning. Break-even analysis determines the rate of return that the account has to earn on an annual basis to cover transaction costs, such as commissions. Trading practices that require an account to appreciate in excess of 20% to break even are generally considered churning.

To address churning requires the enforcement of more stringent controls. No representative should be able to exercise any discretionary power in a customer's account unless that customer has given prior written authorization to the representative and that authorization has been accepted, in writing, by a designated person in the firm.

In addition, all new account information, including investment objectives, should be reviewed and confirmed with the customer within 30 days of opening the account. Firms also should have procedures so that customers can forward information regarding corrections and changes to the firm's compliance department or other central location, in addition to their representative.

Fraud Committed by Direct Selling Agents

Banks often contract with direct selling agents (DSAs) to help them sell, usually on a commission basis, some of the aforementioned alternative products.

DSAs are not employees of the bank and may sell the products of several banks simultaneously with little accountability to any of them. Nevertheless, DSAs are the face of the bank for customers and directly interact with them, so customers do place their trust in them. That relationship can lead some DSAs to take advantage of the situation.

For example, a DSA may fraudulently collect cash from customers by claiming it is a processing fee for a loan application. Or a DSA may persuade a customer to hand over a credit card, perhaps by offering to write the credit card number on a form for a new card. The DSA might then surreptitiously copy the number and the card verification value (CVV) number on the back. A DSA also could fraudulently alter documents received from various applicants and create a new false identity through which he or she could apply for a card or a loan. Or a bank employee responsible for processing loan applications might, in collusion with the DSA, misrepresent a walk-in client as a DSA customer in order to facilitate payment of a commission to the DSA in return for kickbacks from the DSA.

There are several indicators that a DSA may be dealing with customers in an underhanded way:

* The number of applications sourced from a particular DSA suddenly increases.

* Commission payments to a particular DSA aren't corroborated by his or her track record of transactions.

* A customer for a credit card or loan submits supporting documents that appear to be altered or fabricated.

* A significant charge appears on a credit card that has been reported lost.

Banks need to have clear policies regarding the use of DSAs and apply a firm hand in enforcing those policies.

A DSA policy should include a well-implemented code of conduct that communicates clear rules on best business practices and ethical standards. Banks also should have a defined code of conduct for DSAs that is part of their contractual agreement.

Employees responsible for the processing of loan and card applications need to be given regular training on the monitoring of DSA transactions and identification of red flags. Finally, the bank should verify DSAs before appointing them, and that includes conducting reference checks.

Theft of Confidential Information

Most of a bank's information is confidential or subject to copyright, patent, and other intellectual property or legal rights. That can be a powerful temptation to dishonest employees.

Labor and employment attorneys say that, given the highly competitive nature of today's business world and a more fluid work force, corporate espionage has become a growing threat to employers.

Bank employees may be enticed to steal confidential information for personal profit, causing what is often irreparable damage to the bank. For example, in return for a kickback, an employee may steal and sell to a bank's competitors confidential research reports, business or marketing plans or projections, or earnings and other financial data.

Also at risk of theft is confidential client information, such as names, addresses, telephone numbers, income sources and amounts, asset holdings, investment preferences, risk tolerances, and financial goals.

Employees can have several motives for stealing this information. They may steal confidential information about a wealthy client in order to contact that client later if they decide to build a book of business elsewhere. Or they may sell confidential client information to a competitor in return for a kickback. In still another instance, they may sell client information to an accomplice who may misuse the same for other financial frauds, such as identity theft.

To guard against information theft, banks need a clear policy that is periodically distributed to all employees. The policy should clearly state that the company has a zero-tolerance policy on theft and that any employee-including executives and managers-violating it will be terminated.

Other safeguards may include having each employee contract contain a noncompete clause that restricts the individual from joining a direct competitor for a specified period of time, or requiring employees to sign nonsolicitation and nondisclosure agreements to prevent them from taking valuable proprietary information.

Finally, IT departments should also monitor computer usage and e-mail traffic to detect transfer of company information to unidentified e-mail addresses or servers, or the use of portable devices to download files or other information.

Conclusion

Clearly, banks are susceptible to internal fraud in any number of areas. And executives need to acknowledge that, unfortunately, a certain percentage of employees will likely be tempted into committing unethical and illegal acts. But for each potential fraud, specific safeguards can help uncover or even prevent such acts.

Equally important is an overall culture of vigilance. To achieve that culture requires that bank leadership commit to a code of conduct that is built around the organization's core values and defines acceptable business practices. This code of conduct will provide employees with guidance for identifying fraud and misconduct risks.

Moreover, a formal procedure for employees to report (anonymously, if necessary) suspected wrongdoing is an indispensible tool in a bank's effort to detect misconduct and to bring potential issues to light before they become significant-or public-legal problems.

These policies should be accompanied by comprehensive training and communications programs for employees at all levels. These programs should be repeated periodically to ensure ongoing employee awareness.

A well-designed and thorough system of checks and balances to prevent, detect, and respond to wrongdoing can go a long way toward addressing the challenge of fraud and mitigate its risks. Ultimately, that means greater protection for the bank's reputation and a more secure environment for its customers' assets.

The views and opinions in this article are those of the authors and do not necessarily represent the views and opinions of KPMG LLP. All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity.

For additional information, consider enrolling in the RMA course Advanced Operational Risk.

Especially in a depressed economy, individuals frequently turn to actions they might not otherwise consider, and check fraud is easy to understand and, without sufficient controls, easy to commit.

A key pillar of a bank's antifraud policy should be the adequate segregation and rotation of duties.

Conjuring up images of shady businesses and organized crime, money laundering is a process by which the origin of funds generated by illegal means is concealed.

To guard against internal complicity with money launderers, banks should require pre-employment background checks on all new employees and conduct periodic credit checks on existing workers.

Timothy P. Hedley, Ph.D., is a KPMG partner and global coordinator in Fraud Risk Management Services. He is coauthor of Managing the Risk of Fraud and Misconduct: Meeting the Challenges of a Global, Regulated and Digital Environment. Michael B. Humphrey is the national lead for the KPMG Financial Services Investigations Initiative. Jesse R. Morton is a manager in KPMG LLP's Forensic practice. They can be reached, respectively, at [email protected], [email protected], and [email protected].