The Enemy Within

It's the dirtiest of a bank's dirty secrets, that pernicious and persistent threat that dare not speak its name: insider fraud. Bank managers may argue existing employees are more than trustworthy and that background checks ferret out dishonest candidates before hiring, but the potential lies deeper: National White Collar Crime Center research shows that three-quarters of all employees have stolen from their employers at least once and some do so regularly.

Though the roots of all crime are the same (motive, opportunity and anticipated reward over punishment), the potential for gain is highest in financial services firms.

PricewaterhouseCoopers estimates fraud, both insider and outsider, will cost banks $3.4 billion in 2004; Celent analyst Ariana-Michele Moore suggests 65 to 70 percent of that total harm is done by insiders, or between $2.2 billion and $2.4 billion. "You can do a lot more damage from the inside," she says. "Banks have spent millions of dollars securing their systems from hackers, but they have to look at who they give the keys to."

In the late 1980s to the early 1990s, insider fraud consistently represented 60 percent of all fraud in the sector, according to the FBI's Financial Institution Fraud unit, but that figure as a percentage of total fraud has slipped, given the high incidence of external fraud like ID theft rings.

Insider arrests, however, were another issue: In 2003, 24 percent of all FBI convictions (including felonies, misdemeanors and pretrial diversions) were for insider fraud, compared to 23 percent in 2002 and roughly 27 percent in each of 2001, 2000 and 1999. In 2003, the FBI investigated about 7,300 cases of insider fraud in this sector, achieving 2,397 convictions or pretrial diversions (about 33 percent) and recovering some $2 billion in restitution. But this also means that nearly two-thirds of all reported cases weren't solved. Not a comforting thought for bank CIOs.

Although many banks report incidents as SARs (suspicious activity reports), they're not mandated, so the FBI couldn't even guess how much fraud is simply swept under the corporate rug. "For the most part, though, it's in their best interest to report it," explains Jim Vaules, a former FBI agent who is now a fraud consultant with LexisNexis. Even if banks don't know who committed the crime or have insufficient evidence for prosecution, early suspicions may eventually pay off since investigations can take years to surface or conclude.

Insider fraud takes all forms, from abuse of corporate and personal credit lines to selling financial data to taking out mortgages with fake identities. Perhaps the most worrisome new trend is employee sale of customer data to ID theft rings and other criminal gangs, and these gangs' success in planting their own people inside or in bribing low-paid employees. One insider cost his firm $2.7 million after he requested credit bureau reports for corporate and banking customers and sold the data to outsiders, who used them to create bogus identities.

The street value of basic customer data goes for $5 a head, but a universal serial bus (USB) card with the detailed financial background of 20,000 people can net an insider $4 million or $5 million, according to John Keane, director of services for the North American division of Norkom Technologies, which has a fraud-detection and prevention module, the Alchemist. "Insider fraud is endemic," he says. "Organizations are hemorrhaging a significant amount of funds."

Though banks have insurance to cover most fraud costs, usually in the form of a financial institution crime bond, CIOs and compliance officers are turning to technology to reduce their exposure to and minimize risk losses. According to FBI and news reports, a number of bank insiders recently have been convicted of stealing from their employers, including:

* Jean Perrier Harper, a former Compass Bank vp, was convicted of defrauding the Birmingham, AL, bank of $10 million by accepting bribes from what the FBI calls "questionable" telemarketers, many from Nevada, to process credit card charges at the bank's processing center. In October, Harper pled guilty to one count of conspiracy to commit bank fraud and bank bribery.

* Former South Bend, IN-based Sobieski Bank loan officer Andrew Udjak was convicted of bank fraud in the illegal procurement of $9 million in unauthorized loans. The former South Bend city councilman was sentenced on March 17, 2003, to four years in federal prison in Terre Haute.

* Former Centura Bank commercial banker Eleanor Guild Coghill pled guilty in April 2003 to embezzling $2.1 million over a four-year period from internal expense accounts by opening numerous bank accounts in fictitious names across the country and then transferring the funds into her personal account. The sums withdrawn were less than $500 each, under the bank's monitoring limit. Coghill, of Wilmington, NC, was sentenced to 63 months and ordered to pay full restitution.

* Gary D. Jones, a former Wells Fargo business banker, was convicted last month of defrauding Wells and Capitol Credit Union of more than $1.3 million in cash and assets for personal use, including the funding of the Nascar Busch series racing venture. He pled guilty to various fraud, conspiracy and embezzlement charges and is awaiting sentencing on July 30. Between November 2000 and March 2003, Jones used fake documents to create an identity and tap fraudulent loans.

* Former US Bank employee Jane E. Brusky was sentenced to 30 days in jail in October for stealing $24,000 from the accounts of four elders. The Plymouth, WI, woman admitted to forging one check from one woman's account, stealing from two people's home-equity credit lines and taking funds from another's IRA, and depositing them into her personal account at another bank. She is also paying restitution.

* Former branch manager Divina Napalan Smith pled guilty in January to stealing more than $123,0000 from Gainesville, FL-based Campus USA Credit Union by opening fictitious accounts, opening lines of credit to those accounts and securing an auto loan.

* Former U.S. Bank Service Center employee Daniel Hess of Fargo, ND, was sentenced in January 2003 to 90 days in prison and nine years' probation for fraud. He used customer credit card numbers, Social Security numbers and other data to buy $28,000 worth of merchandise.

None of the banks named above would talk about the cases, or whether they had implemented antifraud software to help prevent future incidents. However, vendors report that insider fraud keeps many bank CTOs up at night, not least because of the fear of reputational risk. Although the Bank Secrecy Act, the USA Patriot Act and Gramm-Leach-Bliley Act have internal-control requirements that help prevent insider fraud, many banks won't aggressively fight the issue until they become victims themselves. "How do you assign a number to the benefits of a solution if you can't realize a savings through fraudulent loss?" asks Celent's Moore. "The ROI is difficult to achieve. It makes it difficult to justify [buying] the software."

Keane urges banks to think of insider-fraud prevention as an add-on to a comprehensive risk-management and compliance package. "Once the patient is on the table and you have him opened up, with an extra little effort, you can get beyond the initial benefit by adding an antifraud component," he says. "And it will give you money back by stopping it from walking out the door."

His Alchemist fraud-detection and prevention module protects against credit and debit card fraud, money laundering, operational risk and other types of financial crime. "Anti-fraud software is really a grudge buy," he says. "But organizations need to buy it. You can think of it as just the cost of doing business, but the other view is that this is an opportunity to put in best-practices operation and have a financial-services crime backbone."

HSBC recently adopted the Alchemist, which surveys historic, transactional, real-time and external data sources to ferret out exceptions and non-standard behavior. The antifraud product monitors employee behavior, access and schedules (including vacation time), as well as account turnovers and tellers' cash turnover rates. "Not taking a vacation can be a clue," he notes, pointing out that some fraudsters fear having their behavior exposed by their temporary replacement.

Verdasys's founders Seth N. Birnbaum and Allen Michels created the company in 2002 after the duo witnessed insider fraud up close and personal: Two scientists at their previous firm, a biotech company, were thwarted in their attempts to download data in an effort to create their own company. The result was Digital Guardian, which detects, prevents and documents incidents of loss and misuse wherever users access, use or communicate sensitive and proprietary information. Armed with their motto "trust but verify," Birnbaum claims the best way to keep internal data confidential is to stop it from leaving the desktop.

The product uses keylog tracking to prevent employee access to certain files or levels of files, halts data being saved on a CD or a USB card, and stops screen capture and printing. "What goes on more and more is that fraud is not just in transactions but in information transfer," says Birnbaum, now the firm's CEO. "We can manage and implement those controls centrally." Red flags, for example, can alert a compliance officer that "this employee has 10 times the number of violations or warnings [against data access] than any others," he says.

Some of the more aggressive players in the space include vendors that first excelled in anti-money laundering software. Searchspace's Fraud Management Sentinel, a plug-in application to its Intelligent Enterprise Framework, monitors transactions to combat fraud in check deposit and kiting, debit cards, credit cards, ATMs, electronic-fund transfers and wire payments. "We model every [employee] to get transactional profiles," notes CEO Conrad Feldman. A key difference with the product, he says, is that it goes beyond a rules-based, siloed application to a more analytical, integrated approach. "Rules-based systems are failing," he says. "[This product] is very quick to see if you're being attacked on multiple fronts. It routes alerts to the appropriate person, has the ability to put something on watch and enables individual cases to be tracked to resolution." Fewer than half of Searchspace's 20 clients around the world are using the Fraud Management Sentinel, however, one sign that insider prevention may not yet be a top bank priority.
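The gap between a per-transaction rule and a per-employee profile can be shown with the $500 monitoring limit from the Coghill case above. The sketch below is an added illustration, not code from any vendor named in this article; the sample transfers, the 80 percent "near the limit" band and the 10-times-peers ratio (borrowed from Birnbaum's red-flag remark) are assumptions.

```python
from collections import defaultdict
from statistics import median

PER_TXN_LIMIT = 500.00  # per-transaction monitoring limit (figure from the Coghill case)

# Constructed sample data: (employee_id, amount). Not real records.
TRANSFERS = (
    [("E1", 1200.00), ("E2", 450.00), ("E2", 455.00), ("E3", 480.00), ("E4", 300.00)]
    + [("E5", 480.00 + 5 * (i % 3)) for i in range(24)]  # 24 transfers just under the limit
)

def rule_based_alerts(transfers, limit=PER_TXN_LIMIT):
    """Per-transaction rule: alert only when a single transfer reaches the limit."""
    return sorted({emp for emp, amount in transfers if amount >= limit})

def profile_alerts(transfers, limit=PER_TXN_LIMIT, near=0.8, ratio=10):
    """Per-employee profile: count transfers in [near*limit, limit) and alert when an
    employee's count is at least `ratio` times the median count of their peers.
    `near` and `ratio` are assumed tuning values, not figures from any product."""
    counts, totals = defaultdict(int), defaultdict(float)
    for emp, amount in transfers:
        counts[emp] += 0  # make sure every employee appears in the peer group
        if near * limit <= amount < limit:
            counts[emp] += 1
            totals[emp] += amount
    alerts = {}
    for emp, n in counts.items():
        peers = [c for other, c in counts.items() if other != emp]
        baseline = max(median(peers), 1) if peers else 1  # floor avoids alerting on 1 vs 0
        if n >= ratio * baseline:
            alerts[emp] = {"near_limit_transfers": n, "total": round(totals[emp], 2)}
    return alerts

if __name__ == "__main__":
    print("rule-based:", rule_based_alerts(TRANSFERS))  # only the single large transfer
    print("profile   :", profile_alerts(TRANSFERS))     # the run of sub-limit transfers
```

The per-transaction rule alerts only on E1's single large transfer, while the profile check surfaces E5, whose individual transfers never reach the limit.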

Providus's customizable RiskResolve 3.5, its newest version, features the Oversight Console, which enables real-time detection of insider fraud by centralizing the documentation, assessment, scoring, testing, validating and certification of internal controls across multiple compliance objectives. Designed specifically for banks, this component of RiskResolve is being used by Old National Bank and FHLB Topeka.

Employee ID authentication and access cards, which double as building-entrance and network-access cards, are used by many top banks to monitor employee behavior. Six banks in North America and Europe are in various stages of deploying Axalto's Cyberflex access cards, according to Francois Lasnier, vp of IT, banking access and public sector for eTransaction cards. "You really tie the smart card to an individual and that's part of the insurance policy, as well as the audit trail," he says, noting that the IT department can manage access rights from a single platform, so if an employee moves to another department, his access to his previous job's data is prevented. The product offers another upside: one firm with 65,000 employees saved $1.8 million a year on password resets, which used to cost $50 each.

BSI2000's optical-card technology, now being piloted at a South African bank, uses fingerprint biometrics for building-entry and computer-access for all employees; the device doubles as a transaction-monitoring device. "Our customers in South Africa have said they have a real fear of fraud from bank employees, especially in the remote areas, so they specifically wanted that kind of protection built in," says vendor president Jack W. Harper. "They have a real problem with embezzlement and other kinds of internal fraud, which is far more insidious." Banks in India, Pakistan, Poland and Siberia are also considering the product, he says.

But technology can also be a hindrance. "Not only can technology facilitate larger transactions that are illegal in nature, but when coupled with poor controls, it can be manipulated to make detection much more difficult," notes a recent report by The National White Collar Crime Center.

That's why insider-fraud security has to be a CEO-level priority, says TowerGroup analyst Christine Pratt. "Banks need an integrated security plan and business managers have to get much more involved," she says. "They have to make the people responsible for security their new best friends. ... People worry a lot about credit risk, but they don't worry about much fraud. There has never been the assault from the inside and outside as there is now."
