The banking industry talks a good game about preventing fraud and protecting people and businesses from bad actors, but my personal experiences illustrate how the quality of such efforts can vary dramatically from one bank to the next.
On discovering that one of my checks, thought to be “lost in the mail,” had been cashed at the intended recipient’s branch, I contacted my bank, Bank A. Its fraud investigation department acted quickly, and after examining the cashed check, found that the signature had obviously been forged. The amount of the check — $1,500 — was immediately refunded to my account, and I was asked to write another check, marking it “replacement check.” Bank A settled the issue promptly and efficiently, and I was able to discuss what had happened with the fraud investigation team.
That could not be more different from the treatment I and others at a business, which we’ll call A Jones LLC, received from Bank B. One of our company’s directors apparently had her email account hacked, and an invoice was sent to her long-standing client requesting payment for services rendered. The client was expecting the invoice, so the requested fee of $109,000 was promptly paid by wire transfer to A Jones LLC, but sent to a different account with a different bank than the usual one. As soon as the CEO of A Jones LLC learned that the expected fee had been paid into an account at Bank B, he contacted the relevant branch. Bank B’s staff refused to provide any information to the CEO, because his company did not have an account with Bank B. Documentary evidence, the invoice and the international wire transfer, were provided.
The CEO then took the matter up with the local police. Their investigation uncovered that the name of the company associated with the account number on the client’s invoice was, in fact, not A Jones LLC. A complaint was made to Bank B’s Enterprise Complaint Management Office. The reply stated, “Based on our research, we’ve determined that your account was handled appropriately.” But I’d argue that the fault is quite clear.
Copies of the invoice sent to A Jones LLC’s client were provided, as was the wire transfer, which gave the name A Jones LLC, along with the address of Bank B and an account number there. The payment was put into the account number provided on the invoice. But the name on that account certainly was not A Jones LLC. That should have been entirely plain to the Complaint Management Office. It is hard to see how the investigators in that department could have missed the discrepancy or how they could fail to understand the significance of the error.
It is a clear red flag if the name of the intended recipient of the wire transfer does not match the name associated with the account number where the payment is sent. Plainly a very basic step in fraud prevention — checking that the intended recipient and the actual recipient have the same name — did not happen.
Furthermore, the police investigation revealed that the funds were withdrawn immediately upon receipt. Another red flag.
The FBI also conducted a limited investigation, but declined to take the matter any further, because, we’re told, the amount of the transaction was not high enough to warrant the additional effort.
Letters were sent to Bank B’s CEO, its chairman and its newly appointed head of compliance. All of these and other senior appointments had been made to restore Bank B’s reputation and to ensure an improvement in its regulatory compliance. None of these letters received a reply.
It was all too easy for Bank B to wriggle out of its obligations. On one level, an error was made, and that should have been acknowledged and settled. On another level, more serious questions require an answer.
Bank B makes a great show of its know-your-customer requirements for opening a business account on its website. The process involves in-person meetings at the branch with the need to disclose details about the directors of the company, including confirmation of identity, and the need to provide documentation of the business’ registration at state level. But, in this case, the company holding the account, the recipient of the wire transfer intended for A Jones LLC, does not even appear on the state’s list of licensed businesses.
Banks receiving wire transfers should be obliged to check the account name and number. Banks might complain that manually checking discrepancies would take too long, but IT resources of all kinds are now available to raise red flags when such discrepancies appear. A bank like Bank B would then find it much harder to ignore theft by accounts created with the purpose of stealing money or engaging in other criminal activities.
Bank B continues to refuse to investigate further or to take any action toward restoring the stolen funds.
As a former financial regulator, I’m more than disappointed. Behind every red flag are real people and legitimate businesses in danger of getting hurt by scammers. For many of these would-be “targets” — perhaps most — $109,000 is a meaningful amount of loss.
If banks can protect them by merely checking that the names match when a wire transfer is sent — and surely banks not only can, but should — then there should be no acceptable excuse not to do so.
