Dealing with an Embezzlement Investigation
Answer by Dana Turner, BOL Guru Guru Bios
Question: I'm my institution's Security Officer and we just discovered our fourth embezzlement this year. I really don't know how to handle these investigations and I can't find any guidance that really helps. The local cops aren't much help, either. What do you suggest?
Answer:
First -- you're not alone. Embezzlement involving financial institutions increased an average of 400% per year from 2004-2007. 2008 looks like a 1200-1500% increase for that year alone. This information comes from your peers and my peers and I don't expect 2009 figures to decrease. If you can't prevent the crime, I suggest that you follow these guidelines for conducting an embezzlement investigation -- recognizing that not all of the steps may apply to your case:
The primary purpose of any investigation is to obtain the information necessary to resolve issues. The investigator gathers this information from victims, witnesses, informants, suspects and accomplices -- or other persons with whom he/she comes into contact during the investigation. An investigator is responsible for:
Gathering information;
Evaluating the information gathered;
Drawing conclusions based upon that information; and
Acting -- or making recommendations for actions to be taken by other persons.
An investigator is not, however, responsible for judging guilt or innocence in the criminal law sense -- that is the responsibility of a court of law. Investigators are responsible for determining how a particular act occurred -- and whether a particular individual is responsible for committing that act.
An investigator first investigates the circumstances surrounding an event. If the investigator determines that the event may also be a policy violation or a crime, he/she then narrows the focus of the investigation to prove or disprove that:
A policy violation or a crime has been, is now, or is about to be committed; and
That this is the person responsible for committing the act.
If a potential or actual crime -- the crime of embezzlement is used for this example -- is discovered, the investigation should advance according to a predictable series of events. Use the following information to plan how a "perfect" embezzlement investigation should progress.
The investigator who discovers or is made aware of a potential embezzlement should:
Immediately begin documenting the event, obtaining a report number and entering appropriate information on the report log -- even if the initial information proves unfounded:
Immediately interview the person who reports the embezzlement; or
Immediately review all available supporting evidence if the investigator discovers an embezzlement independently;
Determine what elements exist that demonstrate that a specific action was taken and that indicates who is responsible for the action -- and then decide if this event could be a violation of a policy or procedure, or a crime:
If this is a policy or procedural violation, determine if the elements of the violation exist in the same way as you would a criminal violation;
If this is a crime, determine if the elements of the criminal violation exist in the same way as you would a policy or procedural violation;
Conduct an initial damage assessment and determine whether the suspect could have accessed other functions and caused additional or collateral damage;
Contact the senior officer who has overall responsibility for the suspect employee's department or function -- and advise him/her of the investigation;
Remove the suspect from his/her normal worksite pending further investigation, if it's appropriate;
Determine whether it may be appropriate to implement temporary operating policies and procedures -- based upon the on-site damage assessment. Examples of temporary operating scenarios include:
Close the facility, office or department -- and temporarily re-assign employees and customer service functions;
Open the facility, office or department on a limited basis -- and advise personnel and customers appropriately; or
Open the facility, office or department on a full-service basis;
Determine the appropriate emergency response level to use -- based upon the on-site damage assessment. Examples of emergency response levels include:
Minimum: Use internal resources only;
Medium: Use internal and local law enforcement agency resources only; or
Maximum: Use internal, local and federal law enforcement agency resources and -- if they are necessary and available -- other regulatory agency resources;
Meet with the institution's administration to discuss your initial damage assessment; preliminary investigative strategy and your recommendations;
Meet with the institution's auditor to discuss your initial damage assessment and preliminary investigative strategy -- and request assistance if it's required (the meetings with the administration and the auditor may be combined);
Notify the institution's legal representative of your initial damage assessment and preliminary investigative strategy -- and request assistance if it's required (in some cases the legal representative may take control of the investigation); and
Notify the institution's regulators of any critical impact to -- or a necessary restriction of -- routine operations.
Before the investigator contacts any person involved with the event other than the person reporting it, he/she should:
Develop an investigative outline to identify, classify, prioritize and address the primary investigative concerns, including:
People: Employees, customers and other persons to be interviewed or interrogated;
Places: Crime scenes and other areas where evidence or assets may be located; and
Things: Known or suspected evidence items;
With the auditor and legal representative, create an appropriate investigative strategy;
Meet with the institution's administration for guidance, direction and support;
Arrange for and coordinate available investigative resources -- based upon the appropriate response level;
Secure appropriate functions, departments and facilities -- to prevent potential compromise by the suspect; and
With the auditor acting as the investigative assistant, implement an appropriate personal contact strategy.
During contacts made with any person involved with the event, the investigator should:
Initiate activity and contact logs for all persons contacted;
Initiate an evidence log for all evidence collected;
Conduct and document all interviews:
Collect, preserve and mark all evidence; and
Collect written statements and admissions;
Conduct and document all interrogations:
Collect, preserve and mark all evidence; and
Collect written statements and admissions.
After all contacts have been made with persons involved with the event and all known evidence has been collected, the investigator should:
Recommend disciplinary action if it's appropriate (this decision should be made in consultation with the institution's Security Committee), including:
Suspension with pay (preferred);
Suspension without pay; or
Termination;
If the person is to be suspended or terminated, remove the suspect from his/her work area and notify an appropriate Human Resources representative to assign a temporary replacement;
Collect all institution-owned property (e.g., keys, access codes, combinations, computer programs, equipment and original records) in the suspect's possession:
If the investigator believes that institution property or other evidence is stored at a non-institution location controlled by the suspect, he/she should request the suspect's permission to retrieve the property or evidence;
If the suspect grants permission, he/she should sign an appropriate waiver and accompany the investigator and another witness to the location to retrieve the property or evidence; or
If the suspect refuses to grant permission and the investigator believes that institution property or evidence has been concealed, he/she should contact the institution's legal representative and the appropriate law enforcement agency for guidance;
Either arrange to have the appropriate law enforcement agency arrest the suspect -- or escort the suspect from the premises, advising him/her not to return;
Arrange for a complete audit of the suspect's areas of responsibility and other appropriate areas of the facility in which the suspect was employed -- and perform another complete audit at the end of the next business day;
Arrange for locks, access codes, combinations and other appropriate security devices to be changed if any function, department or facility has been compromised;
If the suspect was listed with the institution's security alarm company, advise the company to remove the suspect from the list;
Consider recommending a shift of affected functions to the designated recovery site(s) while a complete audit is conducted -- if the data processing facility has been compromised;
Arrange to have the institution's legal representative conduct a damage assessment -- if any records or assets have been compromised;
Arrange to have the institution's insurance representative conduct a damage assessment -- if the suspect's actions may result in an insurance claim;
Make appropriate notifications to regulatory agencies and insurance carriers if this has not already been accomplished; and
Prepare all evidence items and write the necessary reports:
Distribute reports to all appropriate persons and agencies; and
Store all original items and other evidence in a secure location -- and store photographs of items and copies of reports stored at a secure, off-site location.
Based upon continuing damage assessments, progress reports and other investigative efforts, the investigator should:
Conduct a de-briefing and critique with the institution's administration immediately following the resolution of the investigation;
Advise the Board of Directors of the resolution of the investigation, it it's appropriate;
Determine which interim policies and procedures should be temporarily retained, if any;
Continue the restoration efforts of any compromised functions, departments or facilities;
Notify the appropriate regulatory agencies and insurance carriers of the return to routine operations -- or of the continued restricted activities, if it's appropriate;
Arrange for the preparation of internal and external information releases -- to be delivered to employee groups and the media:
Contact department leaders of employee groups and distribute -- and explain the information release statement; and
Initiate a press conference to be conducted by the institution's media representative, if it's appropriate -- and distribute and explain the press release; and
Instruct all appropriate managers to immediately submit written follow up reports, if it's appropriate.
Based upon the final damage assessment and a review of operational policies and procedures affected by the event, the investigator and the auditor should:
Determine which policies and procedures:
Contributed to or allowed the event to occur;
Were effective and ineffective in reducing the risks associated with the event; and
Should be developed and implemented to reduce the likely occurrence of similar events;
Meet with the institution's administration and advise appropriate persons of the results of the operations audit;
Make recommendations to revise policies and procedures, if it's appropriate;
Notify the appropriate regulatory agencies and insurance carriers of continuing recovery efforts and a summary of actions taken, if it's appropriate; and
In consultation with the institution's legal representative, decide upon the most appropriate prosecution strategy, including:
Civil prosecution to recover money and request damages;
Criminal prosecution to request criminal penalties; or
Both civil and criminal prosecutions simultaneously.
BankersOnline is a free service made possible by the generous support of our advertisers and sponsors. Advertisers and sponsors are not responsible for site content. Please help us keep BankersOnline FREE to all banking professionals. Support our advertisers and sponsors by clicking through to learn more about their products and services.
Print Friendly!
Email This Article!
Discuss NOW!
