Copyright held by The John Cooke Fraud Report. Reprint rights are granted with attribution to The John Cooke Fraud Report with a link to this website.
By Jonathan E. Turner, CFE
Financial institutions have always faced a special risk of theft, including fraud schemes, because of the unique nature of their business. As Jesse James put it when asked why he robbed banks, “because that’s where the money is.” Today the essence of that statement is still valid. Only now, with modern banking methods, it is no longer necessary to physically hold up the bank to steal from the financial institution. This article will address the special problems facing financial institutions today and illustrate some of the more successful ways that similar institutions have been attacked. This discussion will provide insight into financial fraud styles and address techniques to detect and deter fraudsters.
Financial Fraud Schemes: As the perpetrator plots his scheme upon an institution he will direct the attempt in one of two primary directions: organizational weakness or systemic weakness. This division becomes important in addressing the means of deterrence and the methods of detection. All financial institution frauds will be conceived, planned and executed in one of these directions. An understanding of the specific requirements of each provides the means for controlling and limiting fraud.
Organizational weaknesses – those belonging to a particular institution or branch – require specific knowledge on the part of the fraudster. This means that these schemes will come from people with a close knowledge of the organization. These frauds will be conceived by insiders who have identified a weakness in the control procedures and obtained the means to exploit it. Quite often these people are “amateur” fraudsters who are simply taking advantage of a perceived opportunity. It is a mistake to assume that the institution is always the target; especially in the case of supplier and vendor frauds, the financial institution may simply be another victim.
Systemic weaknesses are those caused by the inter-relationships of financial institutions, the Federal Reserve Bank and the banking system. If these relationships did not exist, it would be possible to tighten security in a number of areas to reduce the risks. However, since financial institutions work in conjunction with many others throughout the banking community, there are areas that can be exploited. In contrast to the above scenario, the perpetrator in these instances will design a scheme that effectively abuses one area of the banking system, thereby attacking a number of institutions. These “professional” fraudsters will maximize the return at a certain location and move on when conditions shift toward exposure.
Specific Examples of Modern Fraud Styles: The vast majority of security concerns come from outsiders, including customers, suppliers, vendors and others engaged in business with the institution. Some may have little or no known connection to the financial institution. But the largest losses are due to employee-related frauds. This makes the task of protecting assets and detecting potential fraud schemes even more difficult and can give way to an “Alamo” mentality within the security and audit departments. It is precisely this mentality that can aid the organization in defending itself if it is not taken too far. The following is a presentation of specific fraud schemes, including discussion of the special risks and preventive measures for each.
Employee Frauds: Financial Institutions face a special risk of employee fraud. In this era of intense corporate competition, businesses are attempting to maximize the skills of every staff member. This can easily create an atmosphere where workers are given more authority and/or less supervision than would otherwise be expected. Additionally, this “lean and mean” environment can create resentment about wrongs – either real or imagined – on the part of employees. When these conditions exist in any organization, fraud risks increase dramatically, and in financial institutions where the only product is money, this risk is especially real.
Companies cannot function without their employees. Controlling the risks of employee fraud must be done prudently since onerous controls or heavy-handed actions will only induce resentment. Financial organizations must create a standard of control that covers all levels of employees from the lowest staff member to the highest executive. Even more importantly, the system must focus on reasonable and workable regulation. Control systems that encourage “exceptions” will also encourage abuse.
By installing systems for prompt reporting and cross controls, financial institutions will limit opportunities for internal abuse. However, this will not stop the determined thief. Once the fraudster is inside the organization, he will continue to explore until he finds a weakness to exploit. Experience shows that one of the best controls an organization can have is the stringent screening of prospective employees. By thoroughly verifying background and credential information, the organization can limit potential losses and block proven criminals from entering the organization. Additionally, properly screened employees produce a work force with reduced turnover, lower training costs, fewer lost days, and most importantly, a lower incidence of fraud.
Financial institutions face abuse by employees in a variety of areas: theft of petty cash, theft of equipment and fraud in lending, investing and letters of credit. Of these, theft of petty cash and equipment is generally the most limited in scope and the most easily controlled. It is those fraud schemes that involve lending, investments and letters of credit that provide the most exposure to the organization and are the most difficult to control.
Fraud in lending provides the greatest exposure to most institutions. Almost all financial institutions lend funds, either through direct lending to customers or through the purchase of loan portfolios. Lending officers are normally
trained by the bank that employs them. These officers have special knowledge into the procedures used by that bank to screen risks; therefore, they are in a position to use that knowledge against the organization.
In the late 1980s, there was a series of loan frauds perpetrated by a young bank officer. This man, a rising star in
the banking organization, was able to involve the bank in almost $30 million of bad and overstated construction loans in less that 2 years. He had quickly learned what the loan committees required and simply created the necessary documents “out of whole cloth.” Too often, these committees are satisfied by letters and other documents procured by the lending officer, and no outside verification is performed.
In this case, files that were found to be lacking were simply returned to the bank officer with a specific checklist of the remaining items needed for approval. When the committee was presented with a complete file, it did no further verification, and the defalcation was easy to complete. When the fraud was finally discovered, the officer had caused a nearly total loss on the above-described loans with no prospect of recovery from the borrowers. At the ensuing criminal trial, it was learned that the officer had taken only $50,000 in kickbacks for his part in a fraud that ultimately cost the bank almost $30 million.
Modern copiers and computer technology have forced banks to establish new practices. It is no longer enough to accept unverified paper documents. Now financial institutions must include specific tests in their regular audits of pending, open and closed loan files. These tests are designed to verify and authenticate important documents. Setting personal review by a senior officer at certain lending limits is already required, but now that review must be expanded to incorporate fraud control exercises in addition to quality control. Automatic computer audits set to locate loans immediately below the reporting lines can also help by revealing loans that may be a cause of concern.
Fraud in investing is an area affecting a growing number of financial institutions. It is similar to lending-based frauds but more difficult to control. The recent failure of the hundred-year-old Baring’s bank illustrates the tremendous damage to an institution that can be done by a single trader. As investing becomes more of a mainstream financial product, not limited to the private banking world, incidences of fraud and abuse will increase. This is true with the advent of bank-sponsored insurance sales as well. This marketing of these and other new financial products presents a dramatically increased risk for institutions that do not redesign their risk control mechanisms accordingly.
In one case, investment fraud cost one banking organization millions of dollars until it was determined that the new head of international investing had created his resume and had no real investing experience. In another case, collusive relationships between a developer and his bank officer created “investment opportunities” that cost the bank $3 million and landed the officer and the developer in federal prison. While stories like these abound, proper controls are still not in place in many institutions. Traditional control methods will not suffice in light of a modern electronic finance era.
Fraud in letters of credit is neither new nor particularly innovative. What is interesting is that this particular scheme is still alive and well despite having been refined over a hundred years ago. Letters of credit, once used to secure first time international commerce, have now become the standard in international business. Early frauds included falsification of amounts, fictitious letters and letters from fictitious banks. These are still the most popular frauds involving letters of credit.
One noteworthy case from the early 1990s involved a particularly enterprising fraudster working in conjunction with a lending officer. The scheme combined lending, investing and letter of credit frauds in a complex defalcation that eventually left both the bank and the investment company looking for $4 million. By depositing $4,000 in CD’s with the bank, the fraudster obtained a $4 million letter of credit. He used the letter of credit to open an investment account with an international investing firm. Soon, however, the money was gone and the questions began to stack up. Had the proper controls been used, this fraud could have be stalled at the gate. It could also have been stalled at any point in the chain if the control procedures had been designed for modern defalcations and not traditional models.
Security and audit management must provide continually evolving control procedures to prevent financial institutions from falling prey to modern fraud styles. Mergers, growth, new product lines and new ventures are the norm for the financial industry today. Control programs must meet and exceed each level of risk, or fraud incidences among employees will increase in both number and damage value.
Customer Frauds: Financial institutions deal with a variety of markets and customer types. One readily available control measure is screening of prospective customers and account holders. Unfortunately, despite this screening, many banks are victimized by frauds committed by their own customers. The predominate style of customer fraud is new accounts fraud, followed closely by check-kiting schemes. Both types of fraud require regular and constant vigilance on the part of the bank to identify, but both are controllable risks.
All institutions utilize some level of screening in opening new accounts: the type and level are dependent on the particular market and the institution’s experiences. Many institutions limit the initial screening of depositors accounts, but this is almost always a mistake. In a standard new accounts scheme, the fraudster opens an account, usually depositing a moderate amount of money drawn on guaranteed funds or cash. By assuring the bank of the value of the initial deposit he hopes to avoid close scrutiny. The fraudster then rapidly writes multiple checks against the account, whereupon the bank learns that the initial application material is at least erroneous and sometimes entirely fictitious. New accounts are often part of a larger scheme as they are used to leapfrog to other accounts within an institution.
Check-kiting schemes, on the other hand, are a much more sophisticated scheme. Here the fraudster uses multiple accounts from at least two – and often many more – banks or financial institutions to route checks around, creating the appearance of more funds than are actually available. In the standard kiting model, checks are drawn on one account in amounts that overdraw the available balance. De-posits are then made to cover the
overdrafts. However, since the deposits are made from one overdrawn account to another and vice versa, the balances transacted appear inflated, thus the “kite.” In order to maintain the kite, the deposit amounts must be in ever-increasing amounts in order to cover the shortages.
In the early days of this scheme, when checks could be counted on to “float” for several days, fraudsters often got away with substantial sums. Now, however, with the float reduced to only one or two days, this scheme has become more complicated to operate. Its effectiveness can be measured by its popularity as one of the schemes against financial institutions that is most often attempted.
The modern kiting scheme now involves multiple banks, usually at least three. At least one is a small town bank or S&L from a remote area. The accounts are generally high volume, with large numbers of checks clearing daily, and regular deposits from additional “outside” sources. These kites are often “flown” successfully despite control procedures because the fraudsters are acquainted with the banks’ reporting requirements and know enough to make sufficient deposits and provide adequate excuses to avoid scrutiny. However, all kites eventually fall, and it is the bank left holding the bag that suffers. As such, it has become more common for banks that think they might have a kite to try to extricate themselves rather than shut it down and risk a loss. This short-sighted position simply causes other banks to take greater than necessary losses and will eventually damage all of the banks.
The typical fraudster running the modern kiting scheme is a business entity or professional individual who seems above reproach. Recent cases have included lawyers, real estate professionals, and others who deal with escrow accounts, as well as large companies and corporations. There are new dangers in this type of scheme in addition to the potential losses. In Nashville, Tennessee, a recent Federal Bankruptcy Court decision held that a bank was effectively extending credit to an account holder by continually paying overdrafts despite a daily overdraft balance. The court’s interpretation, in essence defining the allowed overdraft to be short-term credit, placed the bank in the unique position of having to repay the other banks damaged by the kite. By expanding the underlying risk, this type of progressive legal decision has dramatic consequences for institutions dealing with kiting schemes.
Outsider Frauds: The final category of potential fraudsters is made up of those outside of the institution, including vendors, suppliers and others. While vendors and suppliers usually perpetrate frauds that victimize the organization, these are usually not specific fraud schemes aimed at the institution but standard payables or supply scams. When unrelated persons target a financial institution, it usually indicates a bank- or banking system-specific scheme. The most prominent of these frauds are bad check schemes.
In these frauds perpetrators steal, create or otherwise obtain checks and then circulate them for personal gain. While stolen checks used to be the most common form of the bad checks scheme, modern copiers, computers and color printers have made check reproduction and creation much more common. One fraudster was recently arrested with over 50 different check types and styles, already printed to match several local banks’ customers. These scams have been successfully perpetrated on many of the world’s largest companies. All that is needed is for the fraudster to get one check from the company and near perfect duplication is possible.
Financial institutions can control the risks of bad check frauds by working with check printers, customers and specialists in inks and dyes to provide new and innovative security devices that make the fraudsters’ task more difficult and the detection process easier. Periodically adjusting the colors, inks and paper types available on bank checks limits the fraudsters ability to develop look-a-likes. Finally, control programs should be adjusted to recognize and flag any checks with nonmagnetic ink, improper coding or extra routing codes, all of which are techniques used to cover the defalcation for a longer period.
As with other organizations, financial institutions are regularly targeted by people involved in payables and supply
scams. These are relatively easy to control, usually through established vendor relationships, and more recently through preferred vendor relationships. In these scams, the fraudster counts on the volume of the organization’s purchasing or payables to exceed tight controls. The fraudster submits exaggerated or fraudulent invoices for payment. Loose controls and similar-looking invoices insure that these scams are often successful although they often involve low dollar amounts. A common example of these frauds is the nonsanctioned yellow pages publisher who sends invoices for “the next edition.” These invoices appear very similar to real yellow pages invoices and are often paid by careless accounting clerks.
Other Risks: In addition to falling prey to the fraud schemes above, financial institutions may also come under the US Federal Sentencing Guidelines for Corporations should it be determined that the organization itself had any part in the defalcation. If this were proved, the institution would face severe fines and penalties of up to 400 percent of the fine amount.
These sentencing guidelines are a part of the legislation from the Comprehensive Crime Control Act of 1984, published in 1991. The guidelines are a relatively unknown but important part of the fraud risk equation. An organization’s lack of proper controls can expose it to fines, penalties and federal scrutiny over and above the losses incurred as a result of the scheme. To help defend against these risks, the organization must show a proactive system of detection and deterrence that is at or above current standards.
Front Line Defenses: In order to defend themselves in the information era, financial institutions must review the current security and control procedures in place for fraud detection. These controls must be evaluated in the face of current information and loss characteristics. The controls must be periodically revised and adjusted to accommodate changing conditions. All too often organizations react only to loss statistics and not to potential loss. However, rapidly evolving technology is creating the potential for vastly superior fraud schemes. Control procedures must keep pace with technology rather than with last year’s loss statistics.
Reductions in employee fraud can be achieved through real screening programs, designed to enhance the workforce and eliminate potential problems. Continuing education of employees about the need for fraud awareness provides a positive message about strict controls. Employee participation in risk reduction, through hot lines and internal improvement questionnaires, will heighten employee awareness while providing regular testing for weak controls. With stronger employee awareness and an understanding of corporate goals and benchmarks, organizations will see a reduction in fraud attempts.
Vigilance and continually evolving control procedures will provide the organization the best defense against outside frauds. There is no way to prevent all fraud schemes, but regular self-critical assessments will point out areas of concern and directions for improvement. Audits and control requirements for subcontractors, consultants, suppliers and vendors may be possible. If so, building preferred relationships with other organizations based on mutual screening criteria can produce demonstrable results.
In conclusion, financial organizations face an expanding risk of fraud. The dramatic evolution of the computer in the current and still expanding information age presents a unique challenge to an industry that has been run more or less the same way for the last century. Increased products, larger markets and an international presence will all increase the risk of fraud. The same technology that enables tremendous growth brings with it the greater challenges to security. Institutions that fail to adapt and evolve with the changing environment run the risk of becoming historical footnotes in another institution’s annual report.
Jonathan E. Turner, CFE, is a Senior Consultant with Strategic Intelligence Group based in Memphis, Tennessee. He specializes in the prevention and detection of financial fraud and can be reached via the internet at jet@stratintelgrp.com.
© Copyright 1996 Alikim Media