Forget Cops and Robbers: It's Age of the Inside Job

Guns are blazing, bringing renewed concern about old-fashioned bank robberies. But inside the banks, time bombs are ticking.

Though not as visible or as quantifiable as the traditional variety, insider crimes - often committed by disgruntled employees - may be a far more costly threat. And experts warn it can get much, much worse.

"Employee theft is on the rise overall because employees don't have the loyalty they used to have," said Michael Slattery Jr., an ex-FBI agent who heads Kroll Associates' North American operations. "Employees don't feel they're part of the family any more."

It is already a multibillion-dollar problem for financial institutions, said Dennis duNann, chief executive officer of Employment Screening Partners, a subsidiary of Deluxe Corp. that focuses on prevention measures. He said the hazard is not getting its due, as robberies and burglaries still attract the bulk of crimestoppers' attention.

Though tellers are often regarded as the main culprits in bank employee theft, there is growing concern about computer-based crimes that can cause much bigger losses than teller-drawer shrinkages or other embezzlements.

The increasing dependence on, and accessibility of, computerized data bases means more people can get and manipulate sensitive information than ever before. Some of them inevitably will have ulterior motives.

"Virtually any employee has access to account holder information to some degree or another," said Robert W. Jones, vice president of fraud prevention/detection for KeyCorp.

Insider risks are the subject of far more talk than documentation. Financial institutions thrive on public confidence; those that are victimized may prefer to eat any losses rather than let the media go to town on their misfortune.

But this is not like the weather, which everybody discusses but does nothing about. Bankers are mobilizing against employee crime, turning to consultants like Mr. duNann, the Kroll investigators, or the major accounting firms.

A 1994 incident at Citicorp offers a glimpse into how significant employee crime can be. It has become part of computer-crime lore precisely because the loss was modest.

In what has become known as the Russian fraud, perpetrators using a notebook computer broke into Citibank's cash management system. In possession of secret codes, Vladimir Levin and his crew transferred $12 million out of the bank. Citibank recovered $11.4 million.

How did the Russians get the codes in the first place? Despite Citi's protestations to the contrary, experts say it had to be an inside job.

"Someone had to give him the account numbers and get him through the firewall," said Rudy Willis, senior managing director of Pinkerton's Los Angeles Investigations.

Charles Cresson Wood, an information security consultant with Baseline Software Inc. in Sausalito, Calif., added:

"There was a lot of skepticism that anyone could pull this off without the help of someone on the inside. Well-founded and well-structured systems will rely on many people," and Citi's undoubtedly filled that bill.

"We investigated the possibility of employee collusion at the onset and found no evidence of that," a Citicorp spokeswoman maintained.

Employee fraud comes in many varieties. Mr. Slattery at Kroll Associates, a blue-chip corporate investigative firm that is being acquired by Equifax Inc., recalled one case in which a bank officer made wire transfers to an account he controlled.

"Because of his position in the bank, he was able to cloak what he was doing," Mr. Slattery said.

In another possibility, a banker with access to dormant account files can pretend to be one of those account holders and withdraw funds. In this scenario, he would be a lone operator, avoiding the risk of accomplices' blowing his cover.

Identity theft is a disturbing trend. An employee who has access to customer information-account numbers, Social Security numbers, addresses, and telephone numbers-might sell that information to outsiders.

With a Social Security number, one can get a birth certificate, which can be the key to getting a driver's license. With such false identification, a criminal can cause all sorts of trouble for the bank customer: charging credit cards to their limits and then fleeing.

Repeated reselling of personal data can result in extended and repeated financial damage to the legitimate customer.

Mr. Jones at KeyCorp said such cases are epidemic.

"These scenarios are typical throughout the industry," he said. Just plug in the dollar amount and name, and put in an application at just about any bank, he said.

Insured financial institutions have insurance policies and bonds that give them an edge over other businesses trying to recover losses. However, if it is information that is stolen-anything from client lists to data encryption codes for wire transfers-things get a bit trickier. Demonstrating the value of the information is often difficult, and banks are required by prosecutors to prove they took all reasonable measures to secure the data.

Tracking down culprits can be arduous and often fruitless. Given the complexity of computer systems and networks, "frequently you lose the capability to make somebody accountable for the things they've done," said Ron Hale, senior manager of Deloitte & Touche's computer assurance services group. Individual accountability gets lost amid a multiplicity of transactions. "It's hard to reconstruct what they did," said Mr. Hale.

As a result, banks tend not to prosecute, which raises questions about effective punishment and deterrence.

"It is really eye-opening to me how much the crime statistics are off because there is so much unreported crime that the business community doesn't want anybody to know about," said Ellen Silverman Zimiles, managing director of KPMG Peat Marwick's forensic and investigative services.

Having spent 10 years in the U.S. Attorney's office in New York's southern district, she said that in several instances she decided, "This would be a strong case for prosecution ... but the companies often don't want the bad publicity."

Banks are required to report every case of employee embezzlement to Fincen, the Treasury's Financial Crimes Enforcement Network, regardless of the dollar amounts. Because they work for federally insured institutions, bank employees are more likely to be federally prosecuted, said KeyCorp's Mr. Jones. Their thefts are federal offenses.

But "the reality is, unless it's real sexy or a big dollar amount, it's hard to get criminal prosecution on white collar crime," said Robert Bird, senior vice president and director of security at Bank of America.

Nevertheless, banks should make it clear to employees that criminal and civil prosecutions can happen. That can be one step toward prevention.

"People do not steal to hoard money," said Mr. Jones. "Nine and a half times out of 10, the money is spent as soon as it is stolen," making recovery difficult. "That's why it's so important to prevent it from happening."

Background checks on new hires are important first steps, said Mr. Jones. KeyCorp is "on the verge of selecting a firm to conduct background investigations for the whole company."

Banc One Corp. vets all new employees, said Lynn Woodard, national pre- employment screening manager. Later this year "we will probably be looking at a higher-level screen for executives with more authority and for promotions," she said.

Banc One also fingerprints all employees that might touch, manage, or process securities, bonds, or stocks.

Fleet Financial Group does background checks on all employees and selective fingerprinting, based on the level of responsibility.

"Pre-employment screening is a great tool, but it's not the total answer," said Christopher J. Carney, vice president and director of corporate security at Fleet. "Internal fraud is often predicated on a change in somebody's personal status," said Mr. Carney, also a member of the American Bankers Association's security and fraud prevention committee.

"Bankers don't hire dishonest people," said Mr. duNann. "They become dishonest because of all the opportunities to steal in a bank."

He theorizes that 5% of the population is likely to steal, 10% would never steal, and the other 85% are basically honest people that, if tempted and facing no serious consequences, will steal. The consultant said banks need to focus on keeping that 85% honest.

A strong ethics policy can be a deterrent. "Banks should make their employees sign documents saying they won't commit fraud," Ms. Zimiles at KPMG said. "It may appear superficial, but it actually does stop people."

"People will play the game as long as they understand what the rules are, and in this case it's 'Thou shalt not steal,'" said Mr. Jones of KeyCorp.

Other proactive measure are periodic training reviews and reminding employees of the ethics codes-and the consequences for violations.

Then there is the notion that a well-paid employee is less likely to steal.

"Loyalty often means 'satisfaction' to the individual. Generally, satisfaction is based on wage and working climate," said Mr. Carney of Fleet.

"If people feel good about the place they're working in, their loyalty tends to be higher," he said. And those feelings can be enhanced with fringe benefits and employee assistance programs.

Mr. Jones has a formula: Need + Opportunity = Crime. Compensation can minimize the need.

"You've got to pay for loyalty," said Mr. Bird at Bank-America.

Another way to thwart fraud is through task-sharing and internal supervision. "It's important to have division of responsibility, so that one person is not able to handle all sides of a transaction without some kind of internal control," said Mr. Jones.

Because small banks tend to be more centralized than their larger counterparts, "there is greater opportunity for senior people to take advantage of the system," said Robert Lindquist, a principal in Price Waterhouse's forensic investigations unit.

"If you were a customer and wanted to conspire with someone, it is far easier to conspire with management at a smaller bank than at a larger bank," he said. "You want to work with someone who can really exercise some influence, whether it be granting loans, falsifying credit information or short circuiting the whole credit approach."

But the smaller the organization, the less sophisticated are the internal control mechanisms and the greater is the reliance on trust, said Mr. Lindquist.

At the same time, larger banking institutions are downsizing, hurting employee morale. And the management characteristics can come to resemble those at smaller banks.

People on the way out "are savvy enough to know that they can really harm a company by damaging their computer systems, by stealing information and taking it to the next place," said Mr. Hale of Deloitte & Touche.

To take the edge off layoffs, banks offer generous retention and severance packages, often including medical coverage and retraining subsidies. "Most people that think about it say, 'It's worth my while to continue being honest,'" said Mr. Bird.

Even as computerization is seen as abetting employee crime, it has to be enlisted in the solution.

In system and software design, "sometimes the security comes as an afterthought," said Mr. Hale. "If people don't look at security from an architectural standpoint, they're not looking at the whole enterprise."

Banks that use contractors on computer programs face the added risk that someone will "put in a Trojan horse or a back door that allows them to enter the system after they leave," perhaps to make illegitimate wire transfers, said Darren Donovan, senior managing director of Pinkerton's New York investigations.

While most banks have "smart systems" in place to detect suspicious activity on their computer systems, they are not infallible. "The way we protect information hasn't kept up with the rapid pace of technology," said Mr. Hale.

At Fleet, "We review our security software and systems constantly," Mr. Carney said.

A system analysis can uncover fraud or people using applications that they shouldn't.

Many detection systems often do not register problems until they are out of control or reach a certain size-in other words, after the fact.

"If it was an authorized person, we probably would never know unless an informant told us who sold the information," he said.

Despite the mounting complexities of insider and white-collar threats, the experts place faith in their systems.

"At the end of the day, most people committing fraud at banks get caught," said Kroll's Mr. Slattery.

Mr. Donovan at Pinkerton's added, "These crimes have a life, a beginning and an end." On-the-books fraud-the diversion or manipulation of funds- leaves a trail that "eventually is going to crumble on you."

"My CEO asks if I sleep at night, and I say, 'Yeah, I can. I'm here to protect you,'" said Mr. Bird. "But that doesn't mean we're not being ripped off right now and aren't going to see headlines tomorrow saying Bank of America loses millions of dollars on some kind of deal. That's the nature of the beast."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER