Private-Bank Internal Controls

The fraud: A private-banking assistant steals more than US$600,000 from an inactive account.

The method: The assistant had virtually unlimited access to active, inactive, and dormant accounts so it was easy for her to transfer funds to relatives' personal accounts in other banks.

The fraud examination: The bank detected the fraud after another bank at which she had worked had opened a criminal case against her. An audit showed that she had made 12 illegal cash transfers on one inactive account.

Lessons learned: The bank is establishing new internal controls: "four-eyes" review, limited account access for assistants, control listings now sent in protected PDFs, embedded IT controls, and more.

Stella, an assistant at an exclusive Switzerland private bank, had unlimited access to accounts - active, inactive, and dormant. Unfortunately, that little privilege cost the bank more than US$600,000. Learn how it established strict internal controls that could deter other fraudsters like Stella.

Stella Inmany's position as a private-banking assistant in Switzerland was based on trust. Her wealthy clients depended on her to discreetly manage their accounts. But auditors later found that nobody should have ever trusted Inmany.

During the 13 months she worked at Zellon Bank in Geneva - from September 2006 through October 2007 - she had transferred more than US$600,000 from a large inactive account directly into her relatives' personal accounts in other banks. Zellon only detected the fraud because another bank, Stella's former employer, had opened a criminal case against her. (All names and dates in this article have been changed.)

Private banks, unlike retail banks, offer top-quality services for very wealthy clients. They target clients with large accounts who want their money invested and managed for the long term. Private banks don't specialize in mortgage business and merger and acquisition activity and don't offer checking accounts.

A private-banking assistant is responsible for administering the relationship between the bank and particular clients. He or she handles money transfers, buying and selling of financial products, foreign exchange transactions, fiduciaries, credit card management, and opening and closing of accounts, among other tasks. A private-banking assistant usually reports to a relationship manager who's mostly focused on client acquisition, development, and money management.

Relationship managers and their assistants perpetrate most of the internal private-bank frauds because they personally know their clients and have gained their trust. Moreover, these employees often have full powers to invest and transfer money on behalf of their clients from their accounts.

Private-bank executive managers often feel that they can't touch relationship managers, especially if they hold senior positions, because they reap large profits. So, banks often quietly resolve internal fraud cases without telling even their employees.

FRAUD RISKS IN PRIVATE BANKING 

Private-banking activities are susceptible to fraud because:

  • Clients of a private bank are always wealthy clients. Most private banks in Switzerland refuse to open accounts for less than US$500,000.
  • Some clients are very old and might have hidden their accounts from their family members. Sometimes they even forget they have these accounts.
  • Numerous accounts are inactive or dormant. A dormant account shows no activity and the bank can't find the client. An inactive account shows some transactions and the bank can still reach the client.
  • The client can ask the bank to hold all mail for him or her such as portfolio valuations, account statements, and payment notices.
  • Most clients seldom visit the bank because they're often from another country, and most accounts are for long-term savings.

The famous 1934 Swiss Banking Secrecy Act makes private banks very attractive to foreign customers because it requires that banks protect their clients' personal information. The relationship between a client and his or her Swiss private bank is similar to the one between a patient and a doctor. In most Swiss private banks, records of numbered accounts and their owners' names are kept in a highly secure area accessible to only a few employees. Clients' names are important assets; their security and confidentiality are the guarantee of a good reputation.

Obviously, such banking privacy can create conditions for fraud. Here are the most frequent internal fraud schemes found in Swiss private banks:

  • Asset embezzlement: Fraudsters can make unauthorized transfers of clients' cash and/or securities to personal accounts inside the bank or to external accounts in other banks and illegally withdraw cash. 
  • "Cavalry" or fraudulent transfers of money between accounts: An inside fraudster does this to conceal the theft of money from a client account - the private-banking version of "robbing Peter to pay Paul." 
  • Check and credit card fraud: A fraudulent bank employee might use a new bank credit card before giving it to the rightful owner. 
  • Fraudulent securities loans: An employee working in the securities lending department could easily lend clients' securities without the clients' authorization. Of course, the fraudster transfers the commission received for the loan to her or his account. 
  • Front-running: This is the illegal practice of a trader, who works for the private bank, placing his financial interest above the client's. For example, a stockbroker could insert a personal "buy" or "sell" transaction before executing an important client's order that could influence the stock market price. Front-running also refers to a trade based on non-public, confidential information. 
  • Unfair management: A private-bank employee doesn't comply with the bank's agreements with clients. For example, a disloyal relationship manager could buy and sell large amounts of risky or exotic financial products to try to cover losses or the bad performance of a client's portfolio.

Thefts of clients' money through embezzlement, wire transfer fraud, and check and credit card fraud occur relatively frequently, but banks, at least in Switzerland, rarely make them public or release the news to the media because they're afraid of bad publicity and its impact on their reputations.

INTERNAL-CONTROL WEAKNESSES 

Stella Inmany, the private-banking assistant, started embezzling money as soon as she began to work at Zellon Bank and continued during her entire stay. After 13 months, she told her superior that she wanted to have new experiences abroad and left the bank. None of the bank's internal controls managed to discover the fraud. (The bank eventually filed a criminal complaint against Inmany for "breach of confidence" and "unfair management." The court convicted her, she spent a few months in jail, and she has to reimburse the money she stole.)

Let's take a closer look at the control weaknesses that gave Inmany the opportunity to embezzle money unnoticed by the bank's control entities.

  • One of the assistant's main tasks was to transfer money after a client's spoken or written order. When she would take an order from a client over the telephone, she used the bank's dedicated IT application to enter the details of the transaction and validate it to make the cash transfer. This system gave Inmany the freedom to invent nonexistent orders. 
  • Inmany had the authorization to make cash transfers for more than US$200,000. She would select an inactive account codified as "hold mail," enter the client's number, the amounts to transfer, and the destination such as her personal account in another bank. She would validate the transaction and the money would vanish. Simple segregation of duties could have prevented the fraud. 
  • The assistant had full access, and was able to make cash transfers, to all accounts managed by her relationship manager even if they weren't under her direct administrative responsibility. 
  • The daily control cash transfer list was sent directly to Inmany, who had the responsibility to present it to her relationship manager for verification. Obviously, she would remove the pages that showed fraudulent transactions she had made on the inactive account before transmitting the list to her boss. 
  • The bank had no particular warning control on dormant and inactive accounts. An account could have been dormant for 50 years and suddenly "wake up" with numerous cash transactions, and nobody in the bank would receive a warning signal that a fraud could be in progress.

LESSONS LEARNED 

After this fraud case, the bank made these improvements in the internal control system:

  • A "four-eyes" control was added; a second person now has to validate any transaction for US$40,000 and over entered by an assistant or a relationship manager. 
  • Assistants were reclassified with the information system security principles of "need to know" and "need to do." Full access to clients' accounts was only granted to employees who have direct responsibilities and who really need these accesses to perform their jobs. 
  • The control listings are no longer sent on paper to the business units but are e-mailed in a protected PDF format directly to each relationship manager. This guarantees that an employee can't modify the listings to hide fraudulent transactions. Also, duplicate encrypted PDFs of the control listing files are stored on a Windows server. 
  • The IT application, which the bank used to make cash transfers, was modified to integrate an embedded control. All cash transactions made from a client's account to an employee's account are automatically blocked and can't be completed without an internal account code. 
  • The Risk Management Department improved its information system tools. It developed a program to detect potential fraudulent transactions and unfair management in wealth-management activities. The bank analyzed the contents of its "data warehouse" and built indicators and reports for every kind of unusual banking transaction in clients' portfolios: trading transactions, internal and external cash transfers, cash withdrawals at the cashier, and high or low performance, among others. Moreover, it developed dedicated indicators to monitor dormant and inactive accounts, especially accounts that a debit transaction "woke up." The Risk Management Department is now responsible for monitoring these indicators.
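
The controls listed above can be expressed as pre-validation checks on each transfer. The sketch below is an added example, not the bank's own code: the US$40,000 threshold comes from the article, while the record fields, account numbers, user names, and the rule that the second validator must differ from the initiator are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

FOUR_EYES_THRESHOLD_USD = 40_000  # article: second validation at US$40,000 and over

@dataclass(frozen=True)
class Transfer:  # hypothetical record layout
    initiator: str
    approver: Optional[str]
    account: str
    amount_usd: float
    beneficiary: str
    internal_code: Optional[str] = None

# Constructed reference data (all values are illustrative placeholders)
ACCOUNT_STATUS = {"A-100": "active", "A-200": "inactive", "A-300": "dormant"}
ASSIGNED = {"assistant1": {"A-100"}, "assistant2": {"A-100", "A-200"}}
EMPLOYEE_BENEFICIARIES = {"CH-EMP-0001"}

def check_transfer(t: Transfer) -> tuple[list[str], list[str]]:
    """Return (blocks, alerts); the transfer may proceed only if blocks is empty."""
    blocks: list[str] = []
    alerts: list[str] = []
    # "Need to know / need to do": only accounts under the initiator's
    # direct responsibility may be debited.
    if t.account not in ASSIGNED.get(t.initiator, set()):
        blocks.append("access: account not assigned to initiator")
    # Four-eyes: a different person must validate at or above the threshold.
    if t.amount_usd >= FOUR_EYES_THRESHOLD_USD and (
        t.approver is None or t.approver == t.initiator
    ):
        blocks.append("four-eyes: independent second validation required")
    # Embedded control: client-to-employee transfers need an internal code.
    if t.beneficiary in EMPLOYEE_BENEFICIARIES and not t.internal_code:
        blocks.append("employee-beneficiary: internal account code required")
    # Wake-up indicator: any debit on an inactive or dormant account is
    # reported to Risk Management, whatever the amount.
    status = ACCOUNT_STATUS.get(t.account, "unknown")
    if status in ("inactive", "dormant"):
        alerts.append(f"wake-up: debit on {status} account")
    return blocks, alerts
```

Because the wake-up alert fires regardless of amount, it still surfaces debits that fall below the four-eyes threshold or go to beneficiaries outside the bank.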

GRATITUDE TO MS. INMANY? 

In some ways, the bank should be grateful to Inmany because her fraudulent activities revealed a lack of internal controls. Unfortunately, we often have to pay a heavy price for our mistakes, but we also can use others' painful experiences to improve ourselves. The bank is slowly implementing the changes within a secret and restricted system, but it will take time as it works to guarantee clients total security.

Laurent Moreschi, M. Sc., CFE, CISA, CSSI, is a Swiss banking auditor and expert specializing in fraud detection and investigation. 


Bank Environments Present Unique Risks 

According to the ACFE's 2008 Fraud Examiners Manual (1.901), a bank is defined as an organization engaged in any or all of many financial functions, such as receiving, collecting, transferring, paying, lending, investing, dealing, exchanging and servicing (safe deposit, custodianship, agency, trusteeship) money and claims to money, both domestically and internationally.

International bank activities are complex, highly diversified, and often involve huge amounts of money. As defined by the Basel Committee on Banking Supervision (also known as Basel 2) in 2004, the banking economy faces five types of risks:

  • Market risk: the risk that the value of an investment will decrease due to moves in the financial market 
  • Credit risk: the risk of loss due to a debtor's nonpayment of a loan or other line of credit 
  • Liquidity risk: the risk that an institution will be unable to meet its obligations as they come due because of an inability to liquidate assets or obtain adequate funding 
  • Reputation risk: the risk of damage to an organization through loss of its reputation 
  • Operational risk: the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. These include but aren't limited to risks in: human resource management, accounting and financial disclosure risk, technology, physical security, natural hazard, environmental, internal and external fraud, legal, and political.

Basel 2 committees recommend the amount of capital that banks need to put aside to guard against financial and operational risks.


United States Urges Switzerland to Exchange Tax Information 

On Jan. 23, 2003, the United States and Switzerland entered into a mutual agreement "to facilitate more effective tax information exchange between the two countries," according to the U.S. Department of the Treasury.

The agreement emphasized the need to apply Article 26 on Exchange of Information of the Income Tax Convention between the Swiss Confederation and the United States signed on Oct. 2, 1996. Article 26 states that the two countries will exchange information that's necessary "for the prevention of tax fraud or the like in relation to the taxes which are subject of" the Convention.

"This arrangement," said Kenneth W. Dam, then acting secretary and deputy secretary of the U.S. Department of the Treasury, "is important to the administration and enforcement of the tax laws of each of our countries and complements the substantial cooperation between our two countries to combat criminal activities in other fields such as money laundering and terrorism financing."

Dam said the mutual agreement "is a significant step in our efforts to ensure that no safe haven exists anywhere in the world for the funds associated with illicit activities including tax evasion."

A Nov. 12, 2008, article in the online edition of The New York Times by Lynnley Browning reported that a senior Swiss executive at the banking giant UBS had been indicted for allowing American clients to evade taxes by hiding assets overseas in accounts that went undeclared to the U.S. Internal Revenue Service.

The U.S. Justice Department contends that UBS, based in Zurich, illegally helped up to 20,000 American clients hide $20 billion in offshore accounts, thereby evading $300 million a year in taxes from 2000 to 2007.

An attorney for the accused, according to the article, said the indictment was "totally unjustified and without factual basis." The attorney said the indicted executive denied "any suggestion that he was aware of, engaged in, or tolerated any illegal conduct in the operation of UBS's U.S. cross-border business."

Sources: [Some links are no longer available. Ed.]

www.treas.gov/press/releases/kd3795.htm
www.treas.gov/press/releases/dam.htm
www.treas.gov/press/releases/mutual.htm
www.nytimes.com/2008/11/13/business/worldbusiness/13ubs.html  

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
