Closing Windows of Opportunity for Embezzlement
by Genilee Swope Parente, managing editor
Embezzlement is "one crime that is nearly 100 percent preventable," according to Dana Turner, security and training consultant, American Business Resources. Yet it occurs with astonishing frequency.
Turner, who has spoken at ABA's Security School and recently produced a set of ABA Skylink tapes, estimates that four percent of the nation's employees are acknowledged embezzlers that have either not been discovered, have not been prosecuted or have moved on and managed to avoid having their records move with them.
"By the time they are apprehended, most embezzlers have already been caught, but not prosecuted by their last four employers," Turner says.
To combat the problem, security officers must learn to put themselves in the shoes of potential embezzlers.
Most don't start out as criminals, he explained. They may need money for some legitimate short-term need and embezzling is the easiest way to get it. They don't think of themselves as crooks, and many intend to repay the money. They misuse the funds, and "if we could stop the problems of misuse, we could stop embezzlement," he added.
As it is, many of these employees discover how easy it is and go on to become professional embezzlers, moving from company to company. To catch them requires a certain mindset.
"Just think like a liar, a cheat and a thief and develop an effective offensive/defensive strategy based on the windows of opportunity your particular financial institution leaves open to crime."
Banks should base their own strategic plans against embezzlement on the strategies of embezzlers, he says.
"Generally, embezzlers' priorities are to employ the techniques easiest to use that offer the greatest potential for success and profit and guarantee the least amount of risk," he says.
To guard against losses, financial institutions must adopt the same attitude of prevention and methods of reasonable care for internal risk that they adopt for external risk, Turner says. Developing an institution-wide program has a dual benefit: the same loss prevention techniques used for external crime can be used for internal crimes because embezzlers often use the same techniques as street criminals.
An Analysis of Risk
The first step in creating a prevention program is to analyze the loss risk an institution faces. Common denominators exist within institutions that are victims of embezzlement, Turner says. The safety and soundness of an institution are more at risk with the presence of each denominator, he explains. "An effective risk assessment device is an essential tool for security officers in determining an institution's vulnerability," Turners says.
"One of the first tasks in getting rid of embezzlement is to examine every facet of your organization, using such a device, to find the windows of opportunity," Turner says.
"The next task should be to close those windows," he added.
By an effective assessment tool, he says he means a loss prevention audit that categorically itemizes potential risks to each branch, department or function. Such an audit is invaluable because:
- It determines appropriate operational and behavioral standards.
- It establishes procedures and guidelines enforced by policy.
- It tests the effectiveness of the overall program.
Areas of Risk
Turner says embezzlers look at five areas of the bank that present windows of opportunity including:
- Culture of the organization
- Personnel policies
- The institution's documents, computers and records
- The facilities
Embezzlers prey on weaknesses in each of those areas and have an informal list of circumstances that create opportunities for embezzlement.
"Your institution's strategic plan should use the same check list as an embezzler's," Turner says.
Sales vs. Operations
Embezzlers look first at an organization's culture and definition, Turner says.
"Is your organization salesor operations-oriented," he asks.
A sales culture focuses resources on getting new business, Turner says, while an operational environment is one that focuses on the "how to's" of running a bank.
The sales environment is considerably more vulnerable, he added.
"Sales is generally an ego type of business," Turner explains. "And while ego is what gets you in the door, experience is what sustains you when you arrive," he said.
The training budget in a sales culture is on sales, not security procedures, and a sales culture is often deficient in written operational manuals, he says.
In an operations environment, the emphasis is on customer service operations, and security is part of that service. The people in an operations-run institution think more realistically and place emphasis on sound business decisions.
Embezzlers will look next at an institution's written procedures to find the weaknesses they can exploit.
Turner challenged financial institutions to look at whether their banks have:
- Operations manuals and controls in use for all the financial institution's functions.
- A written and approved security program under Bank Protection Act mandates.
- Established training guides and component programs.
- Review mechanisms in place for testing and compliance.
- Documentation devices such as the new Suspicious Activity Report.
- An independent audit committee.
- An employee handbook and a sign-off procedure for that handbook.
- A written code of conduct and mandatory training for all employees and directors.
- A policy regulating searches of institution-owned property and the regulation of giftacceptances in compliance with the Bank Bribery Act.
Embezzlers will look next to the personnel department for windows of opportunity, Turner says.
Embezzlers will look at whether banks have:
- Position descriptions and qualifications for every job function.
- Established signing authority and limits for all positions.
- Effective safeguards against insider abuse.
- A mandatory and irregular rotation of tasks and vacations.
- Established reporting standards and routing guides.
- Requirements for initial collection and periodic review of employee photographs, handwriting, fingerprints, credit checks and account monitoring.
Next, embezzlers will check whether institutions have:
- Special monitoring for some new accounts, particularly employee accounts.
- Policies prohibiting removal of original documentation from the premises, particularly signature cards and loan documents.
- Photocopies of original documents and identification documents.
- Power of attorney to control any account relationships.
- Regulations on the use of facsimile signatures.
- Red ballpoint pens to create original documents.
- Independent reconciliation of accounts and deposit records.
- A policy on accepting authorization notes such as a note on a company's letterhead that reads, "give this person $500 for petty cash," or whether policy is to accept only UCC documents such as checks.
- Less-cash deposits, which are commonly used for split-deposit forgeries. Turner says he's been encouraging banks not to accept cash-back deposits from any type of commercial accounts.
- Policies and procedures for documents that have been altered or modified.
- A check printer insert indicating the institution's name and logo on all imprinted documents, such as expense checks, drafts, money orders.
Last, embezzlers will take an institution's facilities into account. They check whether the organization has:
- A policy requiring at least two employees to open and close a facility.
- Electronic key or card access.
- Effective key and combination control.
These facility protections are needed because most embezzlers get too busy during working hours to take money, Turner points out. Instead, they come in early or stay late, and banks need a way to track early arrivals and late departures. Embezzlers also check for:
- Appropriate cash vault security.
- Mandatory branch countdowns within 24 hours of suspicious circumstances or replacement of operations officers or branch managers.
Security officers should be aware of the many resources available to help them when faced with embezzlement, and should learn how to use them before an incident occurs.
From the legal end, security officers can rely on their own legal counsel, on-staff human resources professionals, the U.S. and state attorneys' general offices, and the local district attorney's office. From the law enforcement side, security professionals should establish relationships with local police and sheriff's offices, the local prosecutor's office, and the special agent in charge for the Federal Bureau of Investigation in their districts.
They also should pay attention to the news and join local focus groups and business/ law enforcement co-ops, attend conferences, discover what's available on-line, and read publications from American Bankers Association and other professional trade associations.
"The most successful embezzlement prevention program combines general loss prevention techniques designed for daily operation with specific techniques designed to prevent losses by employees," Turner concludes.
Copyright © 1995 Bank Security & Fraud Prevention. Originally appeared in Bank Security & Fraud Prevention, Vol. 2, No. 12, 12/95
First published on 12/01/1995