
Recognizing and Reporting Internal Security Incidents

What should you do if you suspect a fellow employee of a security breach?

May 31, 2005


The need for vigilance

Employee theft exists in all organizations to some extent. However, financial institutions have unique problems with internal fraud. Many experts see banks as especially vulnerable to employee fraud for essentially the same reason the 1930s gangster Willie Sutton said he robbed banks: “Because that is where all the money is.”  According to the FDIC, insider abuse currently accounts for more than half of all bank fraud and embezzlement cases investigated by the FBI.

Difficult choices

According to the 2004 report on fraud by the Association of Certified Fraud Examiners, one of the most effective means of preventing insider fraud is the threat of detection. It also determined that the most effective means of detecting internal fraud is through tips provided by other employees.
This is also a particularly difficult area as the person committing fraud or insider abuse may be a manager, supervisor, or a friend. How do you “squeal” on a friend or someone who controls your paycheck? Does your institution have well-defined procedures and support for employees who suspect and want to report fraud by another employee?

What are common behaviors that are red flags?

Potential problems can often be uncovered when certain warning signs are evident. It is critical for employees to be alert for irregular or unusual activity, and to fully investigate the circumstances surrounding the activity. Do not be afraid to challenge any activity that looks suspicious, even if it is by an executive officer or board member. Some warning signs that a fellow employee may be engaged in fraud or insider abuse include:

  • Significant behavior changes
  • Living an unexplained lavish lifestyle
  • An obvious drug, drinking, or gambling problem
  • The super-employee – the one accepting extra jobs not normally his/hers, putting in an unusual amount of overtime, volunteering to do other people’s jobs, etc.
  • Employees who avoid taking vacations
  • Employees who try to override internal controls
  • Employees who assume responsibilities that are not normally theirs in order to control a certain area or function
  • Irregularities in data entered on loan or credit applications
  • Discrepancies of any kind
  • Computer logins or activity at unexpected hours
  • Indications in log or audit files that employees are trying to exceed their privileges
  • A person requesting or using computer privileges beyond that required for their assigned job functions
  • A person storing or processing sensitive bank information on a computer not intended for that purpose
  • Persistent lax security habits in spite of warnings and management counseling
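The last few warning signs on the list are the ones a security officer can check mechanically rather than waiting for someone to notice. The Python script below is an added example, not code from the original article: it reviews a set of audit records for off-hours logins, repeated authorization denials (a sign of someone probing for privileges beyond their job), and successful access to a function outside the user's role. The log format, the user-to-role mapping, the role entitlement table, the business-hours window and the sample log lines are all constructed for the illustration and do not come from any real banking system.

```python
"""Audit-log review for three of the red flags above (example code, constructed).

Log format assumed here: '<ISO timestamp> user=<id> event=<type> result=<ok|denied> detail=<resource>'.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit lines; May 16, 2005 is a Monday.
SAMPLE_LOG = """\
2005-05-16T08:55:12 user=jdoe event=login result=ok detail=workstation-12
2005-05-16T09:10:03 user=jdoe event=access result=ok detail=loan_app_view
2005-05-16T22:41:50 user=msmith event=login result=ok detail=workstation-07
2005-05-16T22:43:11 user=msmith event=access result=denied detail=wire_transfer_approve
2005-05-16T22:44:02 user=msmith event=access result=denied detail=wire_transfer_approve
2005-05-16T22:46:30 user=msmith event=access result=denied detail=gl_journal_post
2005-05-17T03:05:44 user=msmith event=login result=ok detail=workstation-07
2005-05-17T10:02:17 user=akim event=access result=denied detail=loan_app_export
2005-05-17T11:20:00 user=akim event=access result=ok detail=wire_transfer_approve
"""

# Hypothetical role model: which functions each job actually needs.
USER_ROLES = {"jdoe": "loan_officer", "msmith": "teller", "akim": "teller"}
ROLE_ENTITLEMENTS = {
    "teller": {"account_lookup", "deposit_post"},
    "loan_officer": {"loan_app_view", "loan_app_update"},
}

BUSINESS_START = time(7, 0)   # assumed business window, local time
BUSINESS_END = time(19, 0)
DENIED_THRESHOLD = 3          # denied attempts per user that warrant a look


def parse_line(line):
    """Split one audit line into a dict; the timestamp becomes a datetime."""
    ts_str, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for item in kv:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def is_off_hours(ts):
    """True on weekends or outside the business window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review(log_text):
    """Return a list of (finding_type, user, detail) tuples for a log excerpt."""
    findings = []
    denied = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]

        # Red flag: computer logins at unexpected hours.
        if rec["event"] == "login" and is_off_hours(ts):
            findings.append(("off_hours_login", user, ts.isoformat()))

        # Red flag: using privileges beyond the assigned job function.
        # Unknown users have no entitlements, so any successful access is flagged.
        if rec["event"] == "access" and rec["result"] == "ok":
            allowed = ROLE_ENTITLEMENTS.get(USER_ROLES.get(user), set())
            if rec["detail"] not in allowed:
                findings.append(("outside_role_access", user, rec["detail"]))

        # Collect denials; repeated ones suggest probing for extra privileges.
        if rec["result"] == "denied":
            denied[user].append(rec["detail"])

    for user, details in denied.items():
        if len(details) >= DENIED_THRESHOLD:
            findings.append(("repeated_denials", user, ",".join(sorted(set(details)))))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:20} {user:8} {detail}")
```

Run against the sample, the script flags msmith twice for off-hours logins and once for three denied attempts on approval functions a teller does not hold, and akim once for a successful wire approval outside the teller role; jdoe's activity produces nothing. In practice the thresholds and the business window would be tuned per branch, and a finding is a prompt for the Chief Security Officer to look, not proof of wrongdoing.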

Incident reporting

There are three aspects to consider in reporting security incidents. The first is to define detailed procedures for how an employee reports the incident internally. Internal reporting procedures may vary, but should provide several options, including directly reporting the incident to a supervisor or the Chief Security Officer, completing an incident report form, and anonymously reporting the incident (through a hotline or other means).
Second, all financial institutions need to develop specific procedures to report the incident to regulators and law enforcement, as mandated by federal regulations. Guidelines for filing a Suspicious Activity Report (SAR) must be followed. If laws were broken, the Chief Security Officer will also need to notify law enforcement agencies and cooperate in the investigation as appropriate.
Finally, if any customer information has been compromised in the process, the recently released “Interagency Guidelines on Security Breaches” require institutions to notify their federal regulator and their customers if misuse of sensitive data has occurred or is reasonably possible. Sensitive data means identifying information such as a customer’s name, address, or phone number in conjunction with key information such as Social Security number, driver’s license number, account number, credit/debit card number, PIN, or password. Customer notification processes must consider the following:

  • The institution is required to notify all applicable customers, unless it can determine that only specific customers have had their information compromised. Thus, if an employee inappropriately obtained customer data from a loan application system (perhaps for the purpose of selling the data to a third party), all loan customers would have to be notified unless the institution could show that only a subset of loan customers were affected.
  • No specific requirements are provided regarding the timing of customer notification. This allows for possible delays that law enforcement may request during the investigation of the incident.
  • Notification can take any form that is a standard within the institution: written, phone, or email.

What can the financial institution do to improve detection?

To minimize vulnerability to insider fraud and abuse, appropriate internal controls must be well established and communicated. These processes must be supplemented with technology controls, such as “always on” monitoring and Intrusion Detection Systems. But even with the best of controls, internal thefts and security breaches can and do happen. The early detection of internal fraud is an essential element in limiting a bank’s risk. To increase the likelihood that employees will report suspicious activity from another employee, and provide that early detection, financial institutions must:

  • Provide employee training: Provide anti-fraud education for all employees and managers. All staff must be given ethics training so that they understand the organization’s standards and expectations, and what is not acceptable. Clearly communicate expectations. Discuss the issue of fraud, the impact to employees and customers, how to spot potential insider fraud, and specify detailed procedures regarding what to do if it is suspected.
  • Provide a confidential hotline for reporting incidents: Studies have shown that employees are less likely to report suspicious activity to an internal hotline within the bank, mainly because employees do not feel assured of anonymity. Therefore, it may be necessary to establish a hotline outside the bank. The Association of Certified Fraud Examiners, for example, has EthicsLine, a confidential, toll-free subscriber service. Calls are answered 24 hours a day, every day of the year, for a nominal fee by Certified Fraud Examiners. Information concerning the call is relayed back to the subscriber within one business day.
  • Support whistleblowers: Without management support, few people will risk being ostracized for expressing their suspicions, even anonymously. On the other hand, if employees believe that they work in an open communication environment, there is a higher probability that they will alert the proper individuals if something suspicious does happen. In a survey by KPMG, 61% of employees who witnessed acts of wrongdoing failed to report them because they did not feel that management would take action. Demonstrate to employees a commitment to take all such reports seriously.

By increasing the perception of detection, banks can significantly decrease their risk of loss.

Assurity River Group can help

Assurity River Group offers specific services to help you assess and improve your information security program. We can:

  • Review your existing Information Security Program, detailed security policies and acceptable use guidelines and suggest improvements.
  • Provide Assurity River Group’s Information Security Program Charter and policy architecture, which define a policy structure that starts with board-approved policies and extends down to a coordinated set of specific policies that protect all information assets.
  • Conduct security awareness training programs for your employees.
  • Implement a managed Intrusion Detection System to alert you to suspicious IT activity.

Assurity River Group’s consultants can assist your organization in being proactive in your defense against internal and external threats.
Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.