Internal Fraud and Dollar LossesResearch Suggests Banks Don't Catch Most Internal Fraud Schemes
Julie McNelley, a senior analyst with Aite Group and author of the report, "Internal Fraud: The Devil Within," says internal fraud damages an institution's reputation, is often difficult to detect and is getting more prevalent, now that organized crime has figured out how easy it is to "plant" employees who are more than willing to steal internal information.
"Banks and credit unions need to invest more in detection technology," McNelley says, adding that internal fraud at most banks and credit unions is under-reported, if detected at all.
McNelley's research found that institutions that rely on detection systems to catch internal fraud report higher losses, averaging about 10 percent, while institutions relying on manual techniques say internal fraud losses account for only about 4 percent of overall losses. "I think the number is probably closer to 10," McNelley says. "Those that use technology are catching more."
During this interview, McNelley discusses:
- Legal responses to internal fraud;
- Communication among financial institutions about problem employees; and
- The benefits of layered security and automated detection systems.
McNelley is a senior analyst at Aite Group LLC who covers banking and payments fraud. She has more than a decade of hands-on product management experience working with financial institutions, payments processors and risk management companies. McNelley most recently served as senior vice president of product management with Golden Gateway Financial, where she developed and managed new financial services lines of business. Before joining Golden Gateway, she was vice president of product solutions with Early Warning Services, where she managed a suite of fraud prevention services. Under McNelley's leadership, Early Warning launched multiple new solutions to successfully detect and prevent fraud; further, she was a key member of the team that facilitated the spin-off of Early Warning Services from First Data Corp. to Bank of America, JPMorgan Chase, Wells Fargo, and BB&T. She also led operational process improvements for NextCard, identifying points of compromise and implementing solutions to reduce fraud and operational expenses. She began her career as a research analyst at E*Offering, where she analyzed online financial services and risk-management firms.
Defining Internal ThreatsTRACY KITTEN: How threatening is internal fraud? A new Aite research report says it is more damaging than many financial services companies realize. I'm here today with Julie McNelley, a senior analyst with Aite Group and author of the new Aite report, "Internal Fraud: The Devil Within."
Julie, Aite, for purposes of this financial-services study, how does Aite define internal fraud? As the research reports notes, internal fraud comprises a wide range of criminal behavior perpetrated by employees and/or contractors.
JULIE MCNELLEY: Tracy, we divide it into three broad categories. Internal fraud includes someone that is stealing from a customer; someone that is abusing their position, which is more minor, like forgiving fees for themselves or family; and then people that are stealing from the financial institution itself.
KITTEN: What are some of the over-arching themes of this survey, where internal fraud trends and internal controls are concerned?
MCNELLEY: There are really three over-arching themes. The first is that internal fraud is today a significant issue and will continue to be so into the foreseeable future. Understanding the scope of internal fraud is a challenge for financial institutions, because the legacy systems that many of them rely upon don't accurately track the fraud. And then the lack of prosecution is a challenge for the industry; obviously, financial institutions don't want to be in the headlines every other week prosecuting their employees for fraud. But that leads to the issue that the perpetrators are free to go and continue perpetrating fraud at other financial institutions.
Internal Fraud: Fraud with Lingering EffectsKITTEN: In the report, "Internal Fraud: The Devil Within," you base the survey on information collected from 35 fraud and product executives at North American financial institutions between November and December of last year. Now, this survey found that institutions rarely seek legal action, which you noted earlier; I guess they are more concerned about reputation damage. But how damaging is internal fraud, when it comes to an institutions reputation, and is the lack of prosecution or legal action actually fueling the fraud?
MCNELLEY: Well, financial institutions build their brands on trust, so the banks and credit unions don't want to appear in the headlines every other week with some report of an employee that has perpetrated fraud against them or against their customers. That said, these people will continue to perpetrate their fraud and they will jump from institution to institution. We discuss some of that within the report. The industry has adopted mechanisms to deal with this. There are databases that track some of the individuals involved, but if a bank or credit union isn't a participant in these databases, then they are susceptible to these folks that are perpetrating fraud along the way.
KITTEN: And would these be databases that are overseen by any type of association, or is it just something that is handled bank to bank or credit union to credit union?
MCNELLEY: Well, there is one in particular that is sponsored by BITS and is run by a private company, Early Warning Services. That seems to be the focal point of the industry's efforts today. There are 30 large financial institutions that participate in it, but there are upwards of 9,000 financial institutions in the country, so that leaves a lot of financial institutions that don't have the benefit of that database.
KITTEN: Sure. And when we talk about internal fraud, how prevalent is this type of fraud, relative to other fraud financial institutions are currently facing?
MCNELLEY: Well, the report found that, on average, internal fraud represents 4 percent of financial institutions' recorded losses. However, a number of institutions reported that internal fraud made up as much as 10 percent of their total losses. Ten percent of total losses is pretty substantial, and the interesting thing was that the folks that were saying that internal fraud was 10 percent of their losses tended to be those that had more sophisticated case management solutions in place that allow them to better track their fraud. They also had more employee-monitoring solutions in place, which allowed them to better catch their fraud.
One of the conclusions I came to in the report is that 4 percent is probably a low number, and those that have the more advanced technology are actually finding the fraud and recording the fraud that probably exists in most of the other institutions.
KITTEN: And those that have the more sophisticated technology, do you think they are catching all the fraud that is going on, or is some still slipping through the cracks?
MCNELLEY: Some is absolutely still slipping through the cracks. It is very difficult to say that you are always catching all of the fraud, because fraudsters are very creative and they figure out ways around defenses as soon as the defenses are raised.
KITTEN: And I can imagine someone who is inside the organization probably has a better idea of how to slip through those cracks than someone on the outside.
MCNELLEY: Depending on their position, potentially, although the technologies are pretty sophisticated themselves. I think that they are catching a significant amount of the fraud, but I just don't think you could say they are catching all of the fraud.
Internal Fraud: A Growing ConcernKITTEN: And why, Julie is internal fraud such a problem? Why do you see it growing? Are institutions just not doing a good enough job of screening employees during the hiring process?
MCNELLEY: Well, internal fraud tends to grow during times of recession, as people get financial pressures put upon them. They tend to do things that they might not do otherwise; really, there are two issues. Organized crime also is increasingly realizing that planting people in institutions or coercing or bribing people that are in positions of trust is a great way to get access to personal information, confidential information. In terms of what the financial institutions are doing during the hiring process, background screening is a great tool; and I think it could be more effectively deployed at a lot of institutions by doing things like repeat credit checks on a yearly basis or on a periodic basis, just to make sure that there are no lifestyle changes that could be indicative of somebody that is coming under financial pressure or is in a different place in their life.
But, as I said earlier, the lack of prosecution is also an issue. If somebody is not prosecuted when they have perpetrated fraud at a financial institution, that internal fraud won't show up on a background check when they go to get a job at a new institution.
KITTEN: Right. As you noted earlier, some steps are being taken by financial institutions to help detect and prevent internal fraud; but, overall, what are you seeing them do? Are they working with groups? Are they trying to train other employees to "blow the whistle," if you will, if they notice fraudulent behavior?
MCNELLEY: You know, there is some of that training; and policies and procedures definitely help, and a lot of folks have those in place. Technology solutions can really help, but technology solutions can be more expensive as you get into the smaller institutions. So, it is really, depending on the size of the institution, applying a layered approach. Every institution, pretty much, does background screening of one form or another, because regulations demand it; but what are you looking at in those background screens? Could it more effective? Things like the 'negative database,' which is accessible to any financial institution, why wouldn't you inquire into something like that? And then in terms of the monitoring solutions, which are so valuable, it is a matter of, if you are a smaller institution, figuring out if you can get access to it through your core banking systems or something like that so that you can do it in an affordable way. But, regardless of size, you still have protect yourself, because fraud will go where the guard dog is the smallest or where there is no guard dog at all.
Understanding and Classifying Internal Fraud: The First StepsKITTEN: And in closing, Julie, what recommendations can you offer financial institutions about curbing internal fraud trends, based on the research you have conducted?
MCNELLEY: Well first institutions need to understand how they are classifying their fraud. It is tough to fight a problem if you don't know how big it is. The research found that a number of institutions really aren't sure how big their issue is because of the classification issue. Then, once you do understand the scope and the size of the problem, there are a lot of solutions out there, both technology-based and policy-and-procedure-based to address the issue; so, it is a matter of taking that layered approach and not relying on just any one mechanism to prevent the fraud.