Wednesday, May 16, 2012

SRC Insights: Second Quarter 2003

Not Just Your Customer: Know Your Employee

Bank Fraud…The phrase conjures up visions of shady characters and desperate situations that are dramatically depicted on the movie screen. If life were as predictable as it is in the movies, we would be able to recognize criminal activity as soon as it starts and bring it to a screeching halt. But we all know that's not the case.

The sad truth is that a large percentage of fraud is committed by individuals that we would not suspect—the long-term, experienced company officer that everyone gets along with, the bookkeeper who has spent his or her entire professional life with the organization, or the new hot-shot programmer who has an answer for everything. Almost anyone, depending on the circumstances, is capable of committing fraud.

Bank fraud is not something that happens only in foreign countries or large domestic banks. All institutions, regardless of location and asset size, could become victims of bank fraud if their internal controls are not strong. In addition, since internal controls can be overridden by management and, even in some cases, employees, the internal controls are only as strong as the underlying ethical culture.

A Case Study
In the early 1990s, a de novo Third District community bank was the target of a fraud that was so extensive and pervasive that it eventually resulted in the closing of the bank. In this situation, one of the main participants was a seasoned, well-respected bank officer—the bank's President—who no one would have expected to be involved.

This small community organization was, for the most part, "invaded" by a shady borrower from out of the bank's normal market area. This borrower was able to present a steady and copious stream of fraudulent documents to support an extensive volume of borrowings that were never to be repaid. The fraud was aided, perhaps unintentionally at first, by the well-respected President who did not verify the legitimacy of the documents presented and who, at the end of the scheme, hid information from the bank's directors.

The fraud began slowly with two or three sizeable loans to the out-of-market borrower and two of his companies. The borrower's financial information appeared to show a stable, well-to-do individual who owned various real estate properties and a few profitable businesses. In the economy of the late 1980s and early 1990s, these "high quality" loans were a windfall for the President of this de novo bank, who jumped at the opportunity to make the loans. The President did check the legitimacy of the companies at first, but not the validity of the financial information. He also relied on associates of the borrower to verify real estate lien positions instead of contacting an independent organization.

As time went on, additional companies affiliated with the borrower began to emerge, other family members were introduced, and there were more and more borrowings. Before the President knew it, the bank's exposure to the borrower, his companies, and his family exceeded the bank's capital. Not knowing how to extricate the bank from the relationship and perhaps to save face with his Board of Directors, the President began hiding additional borrowings from the Board of Directors and started soliciting Loan Committee approvals over the telephone.

The situation came to a head when the borrower incurred a large overdraft in one of his checking accounts. When he was unable to cover the overdraft, the pyramid of loans collapsed and the small bank was left holding the bag.

Lessons Learned
The President was the senior and only lending officer of the bank. In this capacity, he was responsible for verifying all of the documentation received in support of loan applications. Since the borrower lived and worked far away from the bank, it may have been inconvenient for the President to find or contact independent organizations in the borrower's area. It is still not known why the President relied on the borrower's recommendations regarding people and businesses from his area that could verify the information provided in support of the loan requests. As it turned out, these people and businesses were established by the borrower for this specific purpose. Because the President was trusted completely by the Chairman and the Board members, he was able to get loan approvals over the telephone with very few questions asked.

Not only did the President underwrite the loans, he also was responsible for overseeing backroom activity and funds disbursement. As such, he booked the loan, ordered the funds, and signed the check, all without meaningful third party operational oversight.

One of the primary breaches of security within the bank was to invest the President with full and complete access to all of the computer systems and programs. The rationalization was based on the size of the institution (less than $50 million), the limited number of employees, and the trust placed in the individual, since he was one of the founders of the bank. However, the Chairman of the Board, the other founder of the bank, was salaried, active in bank management, and presumably worked closely with the President. Shared access, or joint access, with the Chairman might have prevented some of the President's covert actions.

Where Were the Internal Controls?
Several internal control deficiencies contributed to the fraud and the ultimate failure of the bank. As stated in the recently released Interagency Policy Statement on the Internal Audit Function and its Outsourcing, effective internal control is a foundation for the safe and sound operation of a banking organization.1 The board of directors and senior managers of an institution are responsible for ensuring that the system of internal controls is effective and this responsibility cannot be delegated.

Segregation of Duties. Segregation of duties is one of the basic and most successful methods of achieving internal control. Because the bank was small (under $50 million in assets), it reasoned that it did not have the depth of employees to effectively segregate duties. However, it appears that there were no effective processes or procedures implemented to segregate any duties or authorities related to loan underwriting, documentation, and disbursement, allowing the fraud to continue and grow.

Internal Audit. The Interagency Guidelines Establishing Standards for Safety and Soundness, issued pursuant to section 39 of the Federal Deposit Insurance Act (FDIA) (Appendix D-1 to Regulation H, Membership of State Banking Institutions in the Federal Reserve System), require each state member bank to have an internal audit function that is appropriate to its size and to the nature and scope of its activities.2 In those situations where the institution is small, is not a public company, and staff resources are limited, as was noted in this case, management is encouraged to follow the same requirements applicable to larger public institutions, balancing cost and risk. When properly structured and conducted, internal audit will provide directors and senior management with vital information so that management can take appropriate and timely remedial action when needed. Further guidance for administering both internal and external audit programs can be found in The Sarbanes-Oxley Act of 2002.

Guidance on Internal Controls. While by no means all-inclusive, §1010.1 of the Federal Reserve's Commercial Bank Examination Manual discusses the objectives of internal control, director and senior management responsibilities related to internal control, and means to ensure the adequate functioning of internal controls.3 Even a cursory review of the guidance in the Commercial Bank Examination Manual would uncover many more breakdowns in the internal control environment in the case study. The Commercial Bank Examination Manual will soon be updated to reflect the recently released Interagency Policy Statement on the Internal Audit Function and its Outsourcing, discussed above, which supersedes some previously issued guidance.

Why Fraud Occurs When Internal Controls Are Strong
Even companies that have strong, effective systems of internal controls are sometimes targets of fraud, whether by insiders or customers. Three factors contribute to the commission of a fraudulent act—situational pressure, opportunity, and personal integrity. Situational pressure could be internal to the perpetrator, such as financial pressures, or could be from an external source, such as pressure to achieve unrealistic financial results. Likewise, opportunities can be self-created, such as when the perpetrator actively seeks ways to defraud the company, or can be created by an environment of weak internal controls. Finally, people with low personal integrity, put in a pressure situation and given the opportunity, will more likely commit fraud than people with high personal integrity.

In the case study, the confluence of the situational pressure to rapidly increase the asset size and earnings of a de novo bank, the opportunity for the President to control the entire underwriting and loan disbursement process, and a crack in the President's personal integrity led to the President's participation in a fraud that resulted in the failure of the bank. It is presumed that, in the borrower's mind, the high-growth situational pressure on a de novo bank presented the perfect opportunity to relieve the borrower's own situational pressure: weak finances.

While strong internal controls can aid in the deterrence of fraud, detecting fraud is particularly difficult when an insider in a position to conceal his or her actions is one of the participants. Therefore, every financial institution should institute specific controls designed to deter internal fraud, which could include the following.

  • Requiring employees to avoid and disclose conflicts of interest
  • Requiring employees to follow a code of ethics
  • Requiring employees to maintain good credit ratings
  • Requiring adherence to policies for rotation of duties and mandatory vacations
  • Requiring use of employee identification cards for access to secure areas
  • Restricting access to controlled areas
  • Developing and implementing computer security techniques

Reporting and Investigating Fraud
Once fraud has been committed, it is critical that it be quickly detected and promptly investigated to minimize loss. This is no easy task, particularly when the perpetrator is an insider. One tool to aid in the investigation of suspected frauds and the prevention of future frauds is the Suspicious Activity Report (SAR). Section 208.62 of Regulation H discusses the requirements for completing and filing SARs with the Financial Crimes Enforcement Network (FinCEN). Ensuring that bank management and staff are aware of the requirements of §208.62 allows for the prompt and correct reporting of known or suspected violations of Federal law and/or suspicious transactions. It also puts management and staff on notice that by filing a SAR they are complying with a Federal law, and not merely telling tales on a co-worker, supervisor, or customer.

In the case study above, as the prospect of fraudulent activity became apparent during the examination, bank management was directed to prepare a Suspicious Activity Report to document the suspicious activity of the borrower. This was but the first step in the investigation and prosecution of those involved.

The Final Lesson
The overriding lesson from the failure of this de novo institution is that a strong system of internal controls is a critical element in ensuring the health, if not the very existence, of a company. Internal controls coupled with a strong ethical environment not only protect the company, they also serve to protect staff. Internal controls provide a blueprint for acceptable and unacceptable behavior and are a tool for employees to refer to when considering the appropriateness of their actions. Neither the size of the company nor the trustworthiness of staff should be used to rationalize weak controls.

In addition, no matter how much management trusts and believes in staff, experience shows that people do not always follow established procedures, whether intentionally or inadvertently. Therefore, compliance with internal controls cannot be taken for granted, and bank management must ensure that management, internal audit, and external audit all review compliance with and the effectiveness of the system of internal controls. Only then can fraud be detected, if not completely deterred.

If you have questions about the application of internal controls in a financial institution, please contact your primary banking regulator. If you are supervised by the Federal Reserve Bank of Philadelphia, please contact your institution's central point of contact or assigned manager at the Reserve Bank. Alternatively, you can contact Frank Germano, Supervising Examiner at (215) 574-4154, Jennifer M. McCune, Examiner at (215) 574-7214, or Jacqueline P. Fenton, Assistant Examiner (jacqueline.p.fenton@phil.frb.org) at (215) 574-6234.

The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.
