Internal Threats to Financial Institutions (Insider Abuse)
By Special Agent James Kaiser, U.S. Secret Service
The U.S. Secret Service always has been aware that financial institution fraud exists both from external threats and internal problems.
Law enforcement efforts relating to the burgeoning problem of worldwide financial institution fraud have focused on both (1) external groups or individuals defrauding financial institutions and (2) individuals within financial institutions committing insider abuse.
These abuses are not mutually exclusive. A person committing insider abuse often is benefactor to an individual not associated with the financial institution. Similarly, a nonemployee attempting to defraud a financial institution often has a collusive individual within that institution.
Both abuses cause the financial community vast amounts of losses. This article will cover some threats from the inside.
The levels of fraud being committed by those within financial institutions poses a serious threat to the integrity of the entire worldwide financial community. Factors that contribute to that problem include the advent of accessible, user-friendly data systems, desktop publishing and employee computer access to financial data.
Areas of internal vulnerability common to all financial institutions and corporations include:
- Employees who have access to active lists of access device numbers.
- Employees with carte blanche access to theirs and other companies' computer systems.
- Employees working in company mailrooms.
- Bank employees with access to account holders' information.
- Improperly screened subcontracted personnel.
- Lack of integrity of employees at points of transaction.
- Financial institutions' loan approval/merchant agreement officers.
Each of these areas is a clear point of vulnerability.
Although it would not be practical or prudent to impose Orwellian practices over workers in financial institutions to prevent insider fraud, security personnel need to be increasingly cognizant of threats.
Employees with access
The U.S. Secret Service has uncovered significant amounts of fraud involving employees within the credit card industry and banks who sell proprietary access device account number data to individuals) outside their financial institutions.
Employees with carte blanche access
The potential for an unscrupulous individual either diverting institution funds or simply gleaning financial information for sale to other parties is ever present when an employee has access to their institution's data systems.
The Secret Service closely watches thefts committed by mailroom personnel within financial institutions. Most prevalent are the disappearances of corporate access devices issued to corporate executives, employee payroll checks and money orders.
Access to information
Financial institution employees who are tellers, customer service representatives, data entry or data analysis personnel or management have access to account holders' information. The potential for ongoing fraud loss from that access is evident and real.
The Secret Service has been involved in numerous cases over the past few years involving either security, maintenance or other subcontracted personnel employed by financial institutions. These individuals illegally glean financial data and either sell that information or use it for their own personal gain.
For example, it is relatively easy for persons assigned to late-night shifts to access account information lists.
A recent case involved a contract locksmith who was providing someone outside the bank, alarm and technical security data. The data allowed thieves to burglarize an automated teller machine to the tune of $200,000.
Points of transaction
This category of insider fraud accounts for the greatest frequency of abuse. The individuals at the point of monetary transaction are in a position to profit from the accessibility of large amounts of cash and other easily liquefied financial instruments.
Loan approval/merchant agreement officers
Insider abuse potential exists among mortgage loan officers or banking employees involved in soliciting or approving credit card merchant agreements for businesses.
Typically, institutions offer commissions or bonuses to officers obtaining merchant agreements or approving certain loans. These officers often are unsupervised and in complete control of their departments. The U.S. Secret Service has pursued several cases where large-scale embezzlement was perpetuated because of lack of oversight of some employees.
What to do
If we hope to reduce current levels of insider abuse, we need to answer the question: how do financial institutions better monitor the activities of their staff without becoming too intrusive? The answer appears to be three-fold:
First, it is incumbent upon financial institutions to properly screen newly hired employees to include background investigations.
Second, it would not seem unreasonable that financial institutions limit individual employees' access to financial data by "compartmentalizing" critical items. By this, I mean allowing account data to be utilized or released on a "need to know" basis.
Third, internal controls need to include a commingling of individual responsibilities and due diligence in the screening and approval of both loans and merchant credit card account agreements.
Copyright © 1995 Bank Security & Fraud Prevention. Originally appeared in Bank Security & Fraud Prevention, Vol. 2, No. 8, 8/95
First published on 08/01/1995