A former bookkeeper and operations manager of the Bank of Colorado was sentenced in June to 40 months in federal prison for bank fraud. Prosecutors said Patricia Cabano, 56, of West Sacramento, Calif., abused her position to make numerous unauthorized electronic transfers from customer accounts to her own accounts and accounts of her favorite customers and family over a four-year period. Also last month, a former Bank of America teller, Jeffrey C. Gautreaux, 26, of Peabody, Mass., was sentenced to 41 months in prison for
The cases are among several recent incidents that illustrate the ongoing problem of insider fraud in the financial industry. Insider fraud is a ubiquitous problem affecting all industries, but the risk is heightened in financial services, said Jodi Pratt, principal consultant at Jodi Pratt and Associates, an Aptos, Calif.-based consulting firm that specializes in fraud and operating risk management for the financial services industry.
At a bank, internal fraud can take place in so many places -- accounting, the general ledger and customer-facing areas. "Call centers, for example, are a key place where fraud rings like to embed people because they have access to the bank's entire database of customers," she said.
Financial institutions have a lot of policies and procedures to thwart insider fraud, but several vendors offer technology designed to help combat the problem. Seattle-based Attachmate Corp. recently announced Luminet, an enterprise fraud management tool that tracks and captures user activity across mainframe applications as well as Web-based and client-server applications.
Luminet uses passive network capture technology like a network sniffer to capture all the activity between the user and applications in real time, said Michael Miller, director of business development and strategy at Attachmate. The tool gives fraud analysts the ability to search, retrieve and replay each screen and keystroke to see what an end user was doing, he said. Analysts can customize the rules that Luminet ships with in order to create alerts for particular activity, such as a user logging in after normal business hours or simultaneous logins.
Other vendors offering insider fraud detection tools include companies that supply enterprise fraud management technology such as NICE Actimize Inc. (a NICE Systems company), Memento Inc. and Norkom Technologies.
The market for internal fraud detection isn't all that hot, but it should be, said Avivah Litan, vice president and distinguished analyst at Gartner Inc.
"Any way you look at it, insider fraud is a problem, whether it's employees or contractors," she said. "We do get calls about it, but not as often as we get about [calls about] external hackers. [Enterprises] don't want to admit the problem."
There are different kinds of insider fraud, and technology offered by enterprise fraud management vendors are good at finding employees using existing applications to move money or steal information, Litan said. However, they won't catch internal fraud perpetrated by privileged users, such as database administrators, and enterprises that need data loss prevention systems to catch data uploaded to a USB drive or misappropriated through email or file transfers.
For Luminet, Attachmate OEMs technology from Intellinx Ltd., which Litan said provides the only internal fraud detection product that conducts surveillance on IBM mainframe traffic. Intellinx has the potential to catch fraud by privileged users, she said.
For financial institutions, regulatory compliance -- in addition to preventing financial and reputational damage -- is a driver for implementing mechanisms to detect insider fraud, said Paul Henninger, head of product management at New York-based NICE Actimize. A section of SOX requires that banks are responsible for making sure employees aren't committing crimes that impact shareholders and customers, but some banks have interpreted this to mean more than cooking the books, he said. And the Office of the Comptroller of the Currency (OCC) has become more aggressive in examining banks' methods for detecting employee fraud, he added.
The Actimize Employee Fraud solution is both an analytics and rule-based transaction monitoring system that looks for suspicious patterns of activity. It examines employee behavior in the context of employees with similar job functions and identifies suspicious behavior, such as a call center worker who changes three times more passwords than anyone else in the center, Henninger said.
The Actimize system also correlates employee fraud activity with external fraud activity to identify workers with an unusual rate of interaction with accounts that experienced fraud.
Henninger said a big focus for Actimize is providing business users with the ability to add their own logic to the system in order to address a changing fraud and regulatory environment without having to go through an elaborate IT migration process.
Pratt said employee fraud detection tools can operate as a safety net because it's impossible for banks to visually monitor for fraud today, unlike the past when banking payments were structured, limited and involved in face-to-face activity. "The more you have to depend on technology and networks to get information back and forth, there's more opportunity for folks to insert themselves into the process," she said.
But J.J. Thompson, a partner at Rook Consulting, a San Jose-based IT risk management advisory services firm, said the insider threat -- which the firm considers the "biggest single point of failure in an organization's internal controls" --is a human challenge, not a technology problem. "Any technology should be evaluated as one component to an overall solution," he said.
When enterprises replace security staff, especially executives, they should look for "renaissance security professionals -- those with experience and knowledge in security, IT, finance, marketing and psychology," Thompson said. "This gives them more perspective on the human challenges and how to bring forth positive changes in their firm."