Five Tips Can Help Prevent Theft from the Inside
By Hagai Schaffer
Banks are experiencing an epidemic of robberies, according to a recent New York Times article.
However, unlike the old days when gun-slinging bank robbers barged in, the perpetrators of today are low-paid bank tellers who attack their victims while sitting behind their counter. Tellers have ample opportunities to sell customer information for thousands of dollars, drain money from accounts and order debit cards, checks and credit cards in customers’ names.
Bank tellers in New York stole millions of dollars from hundreds of their customers’ accounts, according to the state’s attorney general after an investigation. In Manhattan alone, prosecutors file numerous monthly cases against bank tellers suspected of stealing depositors’ financial data or using it for fraudulent purposes.
Don’t let your financial institution be victimized from the inside. Here are some steps that banks can take to protect their assets and reputation.
- Implement an Anonymous Whistle Blower Program
The latest report from the Association of Certified Fraud Examiners concluded that tipoffs from employees are one of the most effective detection methods for internal fraud. More than 40 percent of all cases were detected by a tip — more than twice the rate of other detection methods. Employees should be encouraged to report information on breach events even if they perceive it to be small or inconsequential. Reassure them that they can do so securely and anonymously. Some people fear repercussions and, despite their best efforts to support company policies, may distrust their employer and prefer to report their findings to an independent entity. Implementing an independent external hotline is a good way to alleviate those fears.
- Employ Controls That Limit Opportunities to Commit Fraud
Employees intent on defrauding will seize any opportunity they can. By anticipating their methods you can add preventive measures. For example, segregating cashiering duties is an important first step. Tellers should not be allowed to initiate and complete processes that can result in money leaving the bank in any shape or form, including cash, credit cards, checks or money transfers. The same person who opens an account or makes changes to a customer’s address, email or phone shouldn’t be authorized to approve an instrument to withdraw funds from that account. Tellers should have standard, detailed procedures regarding deposits, transfers and withdrawal of all types. To safeguard cash funds, tellers should have personal accountability for the processing of each transaction.
In addition, no teller should be allowed to reign over his or her station unmonitored. Banks should enforce a policy requiring tellers and other employees to take 10 consecutive days of vacation so any irregularities on their accounts can be flagged at this time, reducing their isolated and uninterrupted control of accounts.
- Educate (and Re-educate) Tellers About Bank Policies
If tellers are continuously reminded about the security policies that are put in place, they will be significantly less likely to attempt to commit fraud. All tellers should receive full training regarding bank policies and customers’ rights to privacy as part of new-employee orientation with periodic refresher courses. Results of audits measuring compliance should be shared internally. In the event of a breach, any corrective action taken should be presented as proof that bank management is serious about preventing fraud.
- Monitor Teller Activity to Keep Them Accountable
The New York attorney general’s office makes specific recommendations for monitoring tellers’ activities to prevent teller fraud. It stipulates that banks should ensure tellers and other employees only access personal financial data when there is a legitimate business purpose.
A system should be implemented that allows you to monitor which screens and functions tellers access, and for how long, while performing typical job functions. By doing so you’ll build a catalog of profiles that can be used as a baseline to identify suspicious online behavior. Systems should also generate alerts when there is potentially fraudulent behavior, such as when tellers seek information about accounts not directly related to their job function.
- Think One Step Ahead to Proactively Prevent Attacks
In addition to monitoring compliance with policies, it’s important to think like a fraudster and be on the lookout for special measures dishonest tellers might take to stay below the radar. For example, it is important to raise a red flag if a teller consistently performs transactions just below the threshold amount allowed without a second approval. Pay special attention to dormant accounts, as well as accounts of elderly depositors, which are popular targets for fraudsters. It is also important to monitor and correlate activity between employees to flag when there is possible collusion. A teller who is not authorized to make account changes can work with an employee in the back office to make the changes.
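Two of the checks described above, and the segregation-of-duties rule from the second tip, can be expressed as rules over an audit log. The following is an added example, not part of the original article; the approval limit, event fields, employee names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

APPROVAL_LIMIT = 5000  # assumed second-approval threshold (constructed value)
# Constructed audit events: (timestamp, employee, account, action, amount)
EVENTS = [
    ("2024-03-04 09:10", "teller_a", "acct_1", "withdrawal", 4950),
    ("2024-03-04 11:42", "teller_a", "acct_2", "withdrawal", 4900),
    ("2024-03-05 10:05", "teller_a", "acct_3", "withdrawal", 4990),
    ("2024-03-05 14:30", "teller_a", "acct_4", "withdrawal", 300),
    ("2024-03-04 09:30", "teller_b", "acct_5", "withdrawal", 4800),
    ("2024-03-04 13:00", "teller_b", "acct_6", "withdrawal", 120),
    ("2024-03-06 09:00", "backoffice_c", "acct_8", "contact_change", 0),
    ("2024-03-07 15:00", "teller_b", "acct_8", "withdrawal", 1500),
    ("2024-03-06 10:00", "teller_d", "acct_9", "contact_change", 0),
    ("2024-03-06 16:00", "teller_d", "acct_9", "withdrawal", 700),
]

def near_limit_tellers(events, limit=APPROVAL_LIMIT, band=0.05, min_hits=3, min_share=0.5):
    """Employees whose withdrawals repeatedly land just under the approval limit."""
    hits, total = defaultdict(int), defaultdict(int)
    for _, emp, _, action, amount in events:
        if action != "withdrawal":
            continue
        total[emp] += 1
        if limit * (1 - band) <= amount < limit:
            hits[emp] += 1
    # Require both a minimum count and a minimum share, so one-off hits are ignored.
    return sorted(e for e in hits
                  if hits[e] >= min_hits and hits[e] / total[e] >= min_share)

def change_then_withdraw(events, window=timedelta(hours=72)):
    """Contact change followed by a withdrawal on the same account within the window."""
    changes, findings = defaultdict(list), []
    for ts, emp, acct, action, _ in sorted(events):  # timestamps sort chronologically
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if action == "contact_change":
            changes[acct].append((t, emp))
        elif action == "withdrawal":
            for changed_at, changer in changes[acct]:
                if t - changed_at <= window:
                    # Same person: segregation-of-duties breach. Two people: review as a pair.
                    kind = "same_employee" if changer == emp else "employee_pair"
                    findings.append((acct, changer, emp, kind))
    return findings

if __name__ == "__main__":
    print(near_limit_tellers(EVENTS))
    print(change_then_withdraw(EVENTS))
```

An `employee_pair` finding is a prompt for review rather than proof of collusion, since legitimate address changes are often followed by withdrawals.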
Criminals are becoming increasingly sophisticated and will continue to discover new methods for stealing from bank customers. In order to avoid becoming victims, financial institutions need to guard their customers’ funds as well as their reputations by clearly communicating data protection policies and monitoring employee behavior.
Hagai Schaffer is senior vice president of Bottomline Technologies. For more information, visit www.bottomline.com.