By Evan Schuman
The case of two JP Morgan Chase personal bankers allegedly stealing $400,000 from 15 bank patrons—some of whom were dead—illustrates the profound fraud risks posed by a company’s own employees.
When this can happen to Chase, a company that reported $23 billion in revenue last year and employed some 265,000 people, consider how exposed a small community bank or credit union must be.
Brooklyn (N.Y.) District Attorney Ken Thomas last month announced indictments against Jonathan Francis, 27, and Dion Allison, 30, two personal bankers who worked at a Chase branch office in Bedford-Stuyvesant. Two other men who did not work for Chase also were charged; all four with larceny, conspiracy and records fraud.
Free resource: How to build customer loyalty by keeping data secure
The co-conspirators allegedly made ATM cards and letters granting themselves power of attorney, after Francis and Allison falsely claimed the customers had requested the cards or documents. No one at Chase checked the documents nor the letters, which is the biggest hole that inside fraudsters crawl through: inadequate supervision.
Darren Hayes, an assistant professor who directs cybersecurity at Pace University in New York City notes that banks pay $100 billion in fines every year. “A bank’s No. 1 priority is regulation and risk,” Hayes says. “That is their priority. Not security.”
Keeping tight tabs
Yet, preventing insider theft requires close supervision. The challenge faced by financial services companies of all sizes: how to balance efficient use of employees’ time and implementation of security controls.
Assigning a supervisor to double check all aspects of a teller’s work can be cumbersome and costly. And it merely shifts the fraud opportunity from the teller to the supervisor, rather than blocks it.
Many small and mid-size organizations “have not found that correct balance” between ease of business and security controls, says Chris Richter, senior vice president of Global Security Services at Level 3 Communications. “They have not gone through the discipline of risk analysis.”
Psychology plays into it. Many company decision-makers suspect that they need to spend more on security, Richter says, but they also must deal with limited budgets. They are reluctant to do a formal risk study—because they fear the answers.
“Once you do a risk analysis, you identify the risk and the cost can be high. If you don’t take action after you have done the analysis, you can be found negligent” if something later happens and the company is sued, Richter says. “They don’t want to know what they know they don’t want to know.”
Preventing thefts like the Chase inside job requires two people validating the actions of the other—and new ongoing employee education programs to do it correctly, observes Tim Sloane, vice president for payments innovation at the Mercator Advisory Group.
The temptation can be for an organization to make a one-time investment in nifty new data security technology, rather than add to ongoing payroll and training expenses.
But technology has its limits. Technology, in fact, can create more opportunities for insider theft by increasing automation and reducing human controls, Sloan says.
The human touch
Humans working together, on the other hand, can reduce fraud potential, as they mutually monitor and analyze output from the technology—and one another. The problem with humans is that they need to be evaluated periodically.
Some experts argue that employee assessments should extend beyond the hiring process and annual reviews, since changes in an employee’s personal situation can change a low-risk worker into a mid-level-to-high-risk worker.
Hayes, for one, encourages companies to routinely run credit checks on employees to detect whether they’ve stopped paying their bills. “Employees who come under financial duress are much more likely to be an insider threat,” Hayes says.
Mandating vacations also can be tactical. It allows management to examine an employee’s work files and office space for clues suggesting improper conduct. And fraudulent patterns are sometimes unearthed by turning over an employee’s daily work records to another employee.
Although these suggestions apply to all kinds of small businesses, many apply particularly to community banks, which run into similar issues that Chase faced—but with far fewer resources.
Mercator’s Sloane says the biggest takeaway he found in the Chase indictment involved the thieves’ focus on customers who routinely received Social Security payments.
“I remember reading it and my logic got stuck on how screwed up the feds are,” Sloane says. “One, they can’t figure out how to stop criminals from receiving tax refunds that aren’t theirs. And two, they can’t figure out when a person has died, which in part causes No. 1.”
This article originally appeared on ThirdCertainty.com.