
An article relating to this blog post on Finextra:

BofA worker arrested over customer data theft

A former Bank of America worker accused of stealing customer data and selling it on to crooks may have cost the firm at least $10 million.



Employee Fraud: The bad old story

The Financial Services Authority describes employee fraud as “one of the most serious threats”: an employee knows the inside story of process weaknesses and often acts in collusion with an outsider who has infiltrated the firm, as in the case of BofA. Statistics indicate that 60% of frauds are committed by internal staff (full-time employees, contractors or vendors), largely in the retail segment. BofA is not an exception. The worrying part is that banks are doing nothing to combat this, and many cases remain unreported. The one defence I have heard is “We do an extensive background check on all new employees”.

When I investigated an employee fraud, I analysed it on two dimensions:

1. Behavioural pattern with superiors and colleagues

2. Behavioural pattern when it comes to system access

Dimension 1: There was a marked change in behaviour with colleagues. The employee was very nice and uncomplaining, shouldering more responsibilities than necessary, to the extent that the supervisor shared her password for approving overrides and exceptions.

Conclusion: breakdown in internal controls.

Remediation:

Bank’s policy: Enforce existing policies more strongly. This amounts to reinforcing individual compliance with policies, and may lead to a recurrence of the incident.

Restrict users to terminals: A more advanced and more expensive control, not yet in common use, is to continuously monitor and track the user with hardware biometric devices while they sit at a computer. When the authorised user moves away, the system auto-locks.

Dimension 2: Patterns were detected in the access of accounts that had not been operated for an extended time. This was very distinct: the employee explored accounts that were vulnerable and from which a withdrawal of money would remain undetected, at least in the short run. In addition, she sent out chat requests using the supervisor’s user ID to add additional access rights.

Conclusion: Breakdown of internal controls. A detectable pattern of enquiries into customer accounts. Change in access controls.

Bank’s policy: Enforce existing password-control policies more strongly.

Exception reporting: Any user accessing a dormant (not operated) account triggers a report to the audit and control department. If such an account is accessed more than once by the same user, a ‘high alert’ report is generated. The account is locked down, with a separate process required for reactivation, and a mobile/email alert is sent to the customer informing them of the account lock.

All users showing exception activity will be monitored closely. My recommendation also included an annual background check for a sample of employees.
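One way the exception-reporting rule above could be expressed in code, as an added example that is not from the original post (the account IDs, staff user IDs, the 180-day dormancy threshold and the log entries are constructed assumptions):

```python
# Added example, not code from the original post: a minimal exception-reporting
# rule for the dormant-account access pattern described above. Field names,
# the 180-day dormancy threshold and the log entries are constructed assumptions.
from collections import defaultdict
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=180)  # assumption: no customer activity for 6 months

# Constructed: last customer-initiated activity per account.
LAST_ACTIVITY = {
    "ACC-1001": date(2009, 1, 5),    # dormant by August 2010
    "ACC-1002": date(2010, 8, 1),    # active
    "ACC-1003": date(2008, 11, 20),  # dormant
}

# Constructed staff access log: (date, staff user ID, account, action).
ACCESS_LOG = [
    (date(2010, 8, 10), "tellerA", "ACC-1002", "view"),
    (date(2010, 8, 10), "tellerB", "ACC-1001", "view"),
    (date(2010, 8, 12), "tellerB", "ACC-1001", "view"),
    (date(2010, 8, 12), "tellerB", "ACC-1003", "view"),
    (date(2010, 8, 13), "tellerB", "ACC-1003", "view"),
]


def is_dormant(account, when, last_activity=LAST_ACTIVITY):
    """An account is dormant when the customer has not operated it for DORMANT_AFTER."""
    return when - last_activity[account] > DORMANT_AFTER


def evaluate(log, last_activity=LAST_ACTIVITY):
    """Apply the post's two rules; return (findings, accounts_to_lock).
    Rule 1: first access to a dormant account by a user -> 'report' to audit.
    Rule 2: repeat access by the same user -> 'high_alert', lock, notify customer."""
    seen = defaultdict(int)  # (user, account) -> number of dormant-account accesses
    findings, to_lock = [], set()
    for when, user, account, _action in log:
        if not is_dormant(account, when, last_activity):
            continue
        seen[(user, account)] += 1
        level = "report" if seen[(user, account)] == 1 else "high_alert"
        findings.append((when.isoformat(), user, account, level))
        if level == "high_alert":
            to_lock.add(account)  # reactivation needs a separate process
    return findings, to_lock


def users_to_monitor(findings):
    """Users with any exception activity, to be watched closely."""
    return sorted({user for _, user, _, _ in findings})
```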

In summary, security policies and behavioural patterns are the primary factors in employee frauds.

In the case of BofA, this is my analysis from the available information, on the basis of some assumptions:

a. The employee MUST have been an admin user or a ‘power’ user.

b. The data MUST have been copied to an external device. There may have been poor scrutiny of what employees carry in and out of the office (data centre?).

c. The Bank ‘allowed’ the copy function for all data. There was no categorisation of critical and non-critical data.

d. The Bank did not have ‘copy’ alerts to senior management for critical data.

e. The data could have been sent out by email. The possibility is low but cannot be ruled out, as banks do not give access to webmail such as Yahoo, Google etc. and all attachments, zipped or otherwise, are scrutinised.

f. If it was piecemeal stealing, (e) is a possibility.

g. Requests on a customer’s account, online or offline, were not all alerted to the customer(s).

h. Not all transactions on the account were alerted to the customer.

I am a strong proponent of the adoption of technology in banking. The best use of channels such as mobile banking and email is to alert a customer to ALL transactions. An expensive option, yes, but a much needed one to control employee frauds. An employee who is aware that alerts are triggered for all transactions is perhaps deterred from committing a fraud.

Let us not forget that employee fraud cannot be controlled in full measure. Process controls are the only way to reduce such frauds from the organisation’s perspective; on the employee’s flank, it is ethics and integrity. The one is measurable and auditable, the other perceived, non-measurable, binary and highly subjective.

There is a philosophical angle that is often debated. Legalese apart, is it ethical to monitor employees? If an organisation is perceived as the ‘Big Brother is watching you’ type, will it attract ethical and honest employees? This debate will always exist. What is more important is that banks are trustees of people’s money and savings. It follows that employees share the same responsibility. An employee’s failing is a bank’s failing.


This post is from a series of posts in the group:

Internal Auditors in Financial Services

This community aims to provide related links, resources and news references, and to develop a forum for internal auditors to exchange views on various related items.

