Embezzlers Get Star Billing in Bank Security Nightmares

An armed guard in every branch and video cameras at automated teller machine sites are typical weapons for financial institutions in their battle against robberies and fraud.

But the back office is also becoming a focal point of banks' vigilance as they try to stem perhaps the most crippling form of financial crime: embezzlement.

With the advent of electronic money transfers and shared ATM networks, misdirection of bank funds using a computer has become one of the most common methods of embezzlement.

"A bank employee, with his knowledge of the operations, can generally do much more damage than an outsider," said Jerry Adams, national marketing manager for Diebold Inc., Canton, Ohio.

According to the Federal Bureau of Investigation, reported cases of bank embezzlement or fraud involving $100,000 or more are running at about 1,200 a year in this country.

That translates into roughly one incident per 10 U.S. banks.

And technology often plays a role in these crimes. Of the nearly $1 billion lost per year due to employee-initiated bank crime, FBI officials have estimated that about one-quarter involves fraudulent wire transfers.

Bankers and security consultants are concerned that those numbers might increase as mergers and back-office consolidations force banks to lay off computer technicians, programmers, and other employees. The fear is that some may turn to computer crime to get back at the employers who spurn them.

"If you've got a guy who knows a few passwords and the regular rhythms of the bank operations, you've given away the keys to the kingdom, in many cases," said Dana Turner, president of Security Education Systems, a Forestville, Calif.-based firm specializing in embezzlement prevention for financial institutions.

How Money Goes Off Course

The areas most at risk are fairly obvious, Mr. Turner said. Corporate cash management systems, electronic funds transfer networks, and teller machine operations all involve large sums that can be diverted from their correct course with a few well-placed commands.

The key to preventing crimes like this is a strict audit policy that requires all high-risk areas to undergo sporadic audits of their procedures to ensure that no impropriety is taking place.

It is essential for these audits to be random and unannounced, since most embezzlement crimes depend on a predictable business rhythm for success.

"Many banks do audits on a quarterly basis, which is just ludicrous," Mr. Turner said. "It's like telling a crook when to get his things in order."

In recent years, many computer applications have been designed to prevent the wrong people from gaining access to a bank's computer systems.

One such system, from Racal-Guardata Inc., Herndon, Va., uses "smart card" technology to properly identify each user of a system. Each computer terminal can be outfitted with a system "lock" that can be opened only with the microchip-embedded smart card and a correct personal identification number.

Other software developments designed to thwart unauthorized access to funds transfer and other operations include a password screening package from Baseline Software Inc., Sausalito, Calif.

The package subjects user-chosen passwords to numerous tests to ensure that they are difficult to guess. Misuse of passwords and PINs is a common way for embezzlers to enter a banks network.

Diebold's Mr. Adams and others said that the recent spate of merger activity in the banking industry has paved the way for a new breed of computer-related crimes. As systems managers work to combine back-office operations, security lapses develop between old and new security measures.

"With the mergers, you've got a lot of technical gaps and a whole new motivation for stealing, as many employees get laid off and look for revenge against the company," said Sandy Epstein, president of Racal-Guardata.

In addition, it has become apparent that security measures are lax in the places where they are most needed.

According to figures from several banking organizations, the majority of preventive measures are directed at staff level employees at U.S. banks.

However, 80% of all employee-related crime -- with an average of $1 million per theft -- is attributable to financial officers at U.S. banks.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.