Insider Threats: Great and Growing
Institutions Don't Want to Admit Internal Corruption
"The very nature of employee fraud makes it very difficult for banks to detect," says Shirley Inscoe, director of financial services solutions at Memento, and a former risk management executive at Wachovia. "Employees use the same skills, knowledge and system access they need in order to perform their jobs to commit fraudulent acts."
Institutions don't focus on ledger activity, she says. Instead, they often trust the employee who initiated the transactions, without spending significant time examining the transaction's legitimacy. Also, monitoring employee access to customer data is often overlooked.
"We work in environments where we are trusted and respected by our peers, and people are hesitant to think the worst of others," Inscoe says. "Therefore, banks don't prioritize putting in systems to detect such activity. They just don't believe it could happen in their bank."
Inscoe is the author of the book "Insidious: How Trusted Employees Steal Millions and Why It's So Hard for Banks to Stop Them." In an interview with BankInfoSecurity's Tracy Kitten [transcript below], she points out several hurdles institutions face when it comes to internal fraud. One of the biggest: Employees are often so well-versed in the systems and processes that it's hard to detect fraudulent activity.
"Because employees know the systems and processes so well, they are hard to spot," Inscoe says. "It's critical to have deep subject matter expertise, the ability to model different employee behavior and forensic research tools that allow investigators to really research and view all of the activity of a suspect employee."
During this interview, Inscoe discusses:
- Why fraud monitoring plays a critical role in detecting suspicious employee behavior;
- Three rules every banking institution should adopt in order to curb internal fraud;
- How fraud and security departments can use recent events, such as the Citi embezzlement scheme, as ways to leverage more funding for internal-fraud detection systems within their own organizations.
"There's a long history of banks being very protective of lost data and fraud incidents, which is really understandable," Inscoe says. "Unfortunately, these large losses caused by employees keep hitting the headlines and seem to be more and more commonplace in recent years. The first step is for banks to admit there is a problem before they can address it, and many bankers are still in denial."
Inscoe, a 29-year banking veteran, is a recognized expert in helping financial institutions apply innovative technology and forward-thinking strategies to address dynamic and costly fraud challenges. As director of financial services solutions at Memento, Inscoe guides the company's strategy and ensures that institutions derive maximum value from their loss-prevention efforts. The former senior vice president of enterprise payments strategy at Wachovia, Inscoe is an industry leader who has served on many influential boards and associations, including the BITS Fraud Reduction Steering Committee and the American Bankers Association's Deposit Account Fraud and Payment Systems committees. She also served as a founding member of the Identity Theft Assistance Center.
Challenges of Internal Fraud
TRACY KITTEN: As a former banker yourself, you've seen firsthand how damaging internal fraud can be. In fact, seeing those threats spurred you to write a book about the problem. Why is finding internal fraud so challenging for financial institutions?
SHIRLEY INSCOE: The very nature of employee fraud makes it very difficult for banks to detect. Employees use the same skills, knowledge and system access they need in order to perform their jobs to commit fraudulent acts. Transaction volumes in banks are typically high, so the employees are able to hide the unauthorized activity in the normal workflow. We work in environments where we are trusted and respected by our peers, and people are hesitant to think the worst of others. Bankers are the same. Lastly, when bankers hear of these cases where employees stole millions, the common reaction is, "That could never happen in my bank. Our employees would never do such a thing." Therefore, banks don't prioritize putting in systems to detect such activity. They just don't believe it could happen in their bank.
KITTEN: How can the industry do a better job of convincing banks that they should not be reluctant to report fraud, especially insider fraud? I know a lot of institutions say that they want to keep that under wraps. They think that would mar their image in some way.
INSCOE: Absolutely. Banks never want the public to know they experience fraudulent incidents, whether they involve an employee or not, because they don't want the public to lose confidence in their institution. There's a long history of banks being very protective of lost data and fraud incidents, which is really understandable. Unfortunately, these large losses caused by employees keep hitting the headlines and seem to be more and more commonplace in recent years. The first step is for banks to admit there is a problem before they can address it, and many bankers are still in denial.
Top Three Overlooked Issues
KITTEN: What do you see as being the top three to five issues banks and credit unions overlook or choose not to focus on when it comes to insider threats?
INSCOE: Many banks don't consider the theft of confidential customer data to be as serious as it is because they cannot point to specific dollars lost at the time of the incident. Some bankers claim there's no value in detecting such activity, but the customers who later become identity theft victims would sure disagree. And if the resulting external fraud losses were booked as internal, the total employee fraud losses would be much higher. Accessing customer data with no business purpose would definitely be in my top-three list.
Also, I would say there needs to be much more focus on general ledger activity. With today's downsized workforce, it's often the case that people who are proofing general ledger entries trust the person who initiated them, with very little time to really examine the legitimacy of any particular transaction. In banks using automated general ledger systems to initiate entries, human approvals aren't even required under certain dollar thresholds, and employees usually know what the threshold is.
The third item on my list is really enforcing employee time off and ensuring that the employees totally disengage during that time away. Many banks don't delete employee system access when they're on vacation, and with the ability to access banks remotely, employees don't even have to drop by the bank anymore to continue their fraud schemes while they're on vacation.
KITTEN: That's an interesting point that you note there. So you're saying that if institutions are very strict about enforcing their employees to take vacation, this would actually give them time to check and balance the activity of an employee.
INSCOE: Absolutely. Employees generally who are running long-term schemes have to keep those schemes going, and if they're away for an entire week or even two weeks, certainly then most schemes are going to come to light.
KITTEN: If you had to rate insider threats and internal fraud with other fraud challenges financial institutions face, where would you place internal fraud?
INSCOE: That's really a complicated question. The annual losses suffered by banks due to employee fraud aren't nearly as high as the losses experienced from debit card, credit card or check fraud losses, partly because many financial institutions fail to classify internal losses correctly. But the reputational damage from an incident like this, when it hits the press, is just enormous. According to the FBI, employee fraud is one of the fastest growing types of fraud in the country, so that moves it up the list in terms of the need to address it.
Lastly, I point out that these kinds of payments fraud that I mentioned are all revenue generators for the bank. In other words, you make profits on debit cards, so there's profit to offset those losses. Unfortunately, when losses are created by corrupt employees, the loss hits the bottom line directly. Many executives really aren't going to take action until losses are much higher. I remember a March 9 article in the Star Tribune. The article talked about federal prosecutors charging a dozen people in Minnesota, California and New York in connection with a highly organized fraud ring that relied primarily on bank employees, runners and many others to steal over $10 million from several of the country's largest banks. As more cases such as that are detected and prosecuted, I hope it will help bankers recognize the internal and external fraud connection, as well as the growing need to monitor employee behavior.
Challenge of Internal Fraud Prevention Investments
KITTEN: That's a good point. Now in your book, you note several hurdles institutions face when it comes to internal fraud. We've talked about several of those already. One of the most striking is the inability of fraud and security teams to convince upper management that investments in detection solutions that pick up on internal fraud are necessary. You've touched on this a little bit, but why is this so challenging?
INSCOE: It's very challenging because, like all businesses, banks must invest where there's the greatest need. And as I mentioned previously, many also believe employee fraud just won't happen in their institution. One gap that investigators may understand better than executive management is that there is often that link between a bad employee and external crime, but the losses are all booked as external. As an example, without a system to help find the bad apple in the employee ranks, the bank doesn't realize or can't prove that an employee fed all the confidential data needed to the external crime ring that took over dozens of accounts. The links between external crime and employee facilitators are very difficult to detect without automation.
Finally, because employees know the systems and processes so well, they are hard to spot. It's critical to have deep subject matter expertise, the ability to model different employee behavior and forensic research tools that allow investigators to really research and view all of the activity of a suspect employee.
KITTEN: What recent events might CISOs at financial institutions use as leverage when it comes to convincing management or boards of directors that investments in stronger systematic monitoring would pay off in the long run?
INSCOE: As long as executives are naive enough to believe that these incidents could never happen in their bank, I'm not confident things will change. Many bankers know that such monitoring is needed, but they just can't cost-justify addressing it with so many other needs taking priority. The truth of the matter is that when a top-five bank takes a multimillion dollar loss, it's just a rounding error. The customers and stockholders are the ones most negatively impacted. But the good news is that there are rating institutions that have taken a stand against employee fraud, and they're seeing the benefit of improved protection for their institution and their customers.
Lessons Learned from Recent Breaches
KITTEN: Looking at some of the recent incidents that we've seen, such as the Citi embezzlement scheme that exploited wire transfers, what lessons should banks be learning or heeding?
INSCOE: One thing I saw over and over throughout my banking career was that the higher the level of the employee committing the fraud, the larger the losses that resulted. There are many reasons for that, and yet even banks that are monitoring employees tend to focus most of their efforts on lower-level employees, such as tellers or call center representatives. As seen in this case, a person such as this finance executive was able to steal millions of dollars over several years without being detected. Monitoring ACH and wire payments is becoming much more critical in recent years to protect against both internal and external threats.
KITTEN: How could transaction anomaly systems or behavioral monitoring of employees benefit institutions when it comes to finding this type of fraud before it gets out of hand?
INSCOE: As I mentioned earlier, much of the external crime had an internal link, such as an employee feeding account numbers and balances to a check counterfeiting ring, or ordering unauthorized debit cards for a fraud ring to use. Monitoring employee actions can help reduce internal losses, protect the bank's reputation and help reduce external fraud losses in many instances. In the case of transaction monitoring, any anomalous activity, whether originated by a fraudster that has taken over an account or by a rogue employee at the financial institution, should be alerted. Proper follow-up with the account holder can ensure that the money doesn't leave the bank. And that is, after all, the goal in payments fraud: to prevent the money from leaving the bank.
Top Three Mistakes
KITTEN: I'm going to go back and ask you to give us a top-three again. This time, though, I'm going to ask you to provide the top three mistakes banks and credit unions often make when it comes to detecting or predicting internal fraud.
INSCOE: In my opinion, the top three mistakes would include misclassification of some external fraud due to failing to detect the internal connection, underestimating the mistrust of the industry these large internal cases are causing among the general public and allowing crooked employees to continue their schemes for years, thereby stealing millions of dollars.
KITTEN: In closing, what advice could you offer to security and fraud departments that are interested in gaining more insight into steps that they could take to curtail internal fraud and the losses that accompany it?
INSCOE: The reality is that banks have had to cut back on some internal controls due to the economy. I would highly recommend, in that kind of environment, that they consider monitoring employee behavior and actions in order to protect the institution against the actions of bad employees, protect against reputational risk and perhaps reduce external losses as well. Just like one bad apple can ruin the entire barrel, one undetected bad employee can also influence others. We've literally seen several instances where the staff of an entire branch had to be released when misbehavior was detected. My recommendation is to catch fraud early and shut it down.