
Insiders Threaten to Subvert Your Financial Crimes Controls

External threats dominate our concerns as financial crime control professionals. Incoming money launderers are hopefully identified through thorough and timely KYC. If that KYC fails, transaction monitoring provides additional safeguards. Likewise, fraudsters are hopefully trapped before they can steal clients' or someone else's money through KYC, account access controls, or fraud monitoring as a backstop. As those controls harden, thieves seek other routes. These routes include collaboration with bank employees to defeat our controls.
In this blog post, I explore the urgency of addressing insider threats as part of an effective financial crime control program.
The Enemy Within
Each year, employees are trained on anti-money laundering risks and controls. For most employees, this training provides helpful reminders of the controls they should follow and the risks they mitigate. For miscreants, it is another opportunity to explore control weaknesses for personal gain.
Your employees know your financial crime program's strengths and weaknesses. Weaknesses are opportunities. KYC and Enhanced Due Diligence (EDD) delays can allow bad actors to transact before they are thoroughly vetted. Flawed cash or monetary instrument log reporting invites money mules. Even static transaction monitoring scenarios can serve as a manual for those same criminals, guiding them on how much to deposit and when to do it to avoid detection through transaction monitoring alerts.
The Past is Prolog
Insider-facilitated financial crimes are nothing new, and historically, in-person banking facilitated money laundering as the only way to get specific jobs done. When I began my banking career in 1987, the 1985 Bank of Boston case was still fresh news. In that case, employees helped a notorious organized crime figure, Gennaro Angiulo, launder up to $2 million through his local branch in Boston's North End. Reportedly, willing and apparently naïve tellers and managers handled and received cash in paper bags, even going so far as to assist in carrying the bags into the branch. After congressional hearings and a $500,000 fine paid by the bank, the industry slowly began restricting criminal access to the banking system.
However, as controls strengthened over the next thirty years, thieves evolved their techniques. Their schemes often still involve collaboration with complicit or willfully blind bank employees.
Most recently, TD Bank’s historic $3 billion fine was rooted in the undetected, insider-facilitated laundering of more than $500 billion, executed by two unrelated financial criminals and enabled by either willing participants or poorly trained staff.
Among the issues noted by the US Department of Justice (DOJ) was a Chinese drug trafficking group that bribed bank employees and was ultimately able to launder more than $470 million in cash linked to the sale of fentanyl and other illegal drugs. In another incident cited by the DOJ, five TD Bank employees conspired with criminal organizations to open and maintain accounts at the bank to launder $39 million, ultimately to send it to Colombia.
Unfortunately, TD is not an outlier. In the following noteworthy cases, insiders played critical roles through complicity or inattention:
Danske Bank's Estonian branch processed approximately €200 billion in suspicious transactions linked to Russian clients from 2011 to 2015, resulting in significant regulatory scrutiny and ongoing investigations. Insiders allegedly colluded with clients to obscure the purpose of transactions, ignored red flags, and failed to report suspicious activities.
HSBC was found to have allowed $881 million in drug trafficking proceeds to be laundered through its U.S. operations, leading to a $1.9 billion settlement with U.S. authorities, with insiders neglecting warnings about suspicious transactions and inadequate anti-money laundering controls.
Wachovia (now part of Wells Fargo) processed $378 billion in wire transfers from Mexico without proper oversight between 2004 and 2007. This resulted in a $160 million fine for failing to maintain an effective anti-money laundering program. Insiders facilitated these transactions despite knowing their potential links to illegal activities.
Goldman Sachs was implicated in misappropriating billions from the Malaysian sovereign wealth fund 1MDB, leading to over $5 billion in global fines due to its involvement in laundering activities. Bank insiders reportedly colluded with officials to bypass regulatory safeguards and misappropriate funds.
Addressing the Threat
The first step is determining whether your institution has an insider threats program. Over the past few years, such programs have become commonplace in cybersecurity programs.
If you don’t have an existing insider threats program, create one. The basic structure of such a program includes:
Formalized Program Structure: Establish a defined Insider Threat Program with governance, policies, and organization-wide participation from departments like IT, HR, and legal.
Risk Assessment: Conduct regular risk assessments to identify vulnerabilities and potential insider threats.
Training and Awareness: Provide comprehensive training for all employees on recognizing and reporting insider threats and specialized training for key stakeholders.
Technical Controls: Use strict access controls, multifactor authentication, and data loss prevention solutions.
Positive Reporting Culture and Incident Response: Create a culture that encourages reporting suspicious behavior without fear of retaliation and a clear incident response plan for addressing detected threats.
Behavior and Sentiment Analytics: As a best practice, more sophisticated programs should incorporate behavior analytics tools for anomaly detection and sentiment analysis to monitor employee morale.
An Integrated Program
If your institution has created an insider threat program, it's time to integrate it into your anti-financial crime program. This should begin with an integrated risk assessment that identifies products vulnerable to insider-assisted financial crimes, particularly those related to cash and cash-equivalent deposits. Such assessment should focus on mitigating preventative and detective controls, whether automated or manual. The evaluation should focus on control effectiveness as judged by management self-assessment and second and third-line testing and regulatory examinations. Additionally, the assessment should identify insider-linked suspicious activity report (SAR) indicator vulnerabilities in SAR filings.
Financial Crimes Insider Threat Surveillance
Advanced technologies, including artificial intelligence and other advanced analytics, can potentially enhance the detection of financial crimes related to insider threats. A non-exhaustive list of detective controls might include:
Graph analytics to identify transaction patterns, specifically those indicating connections among individual employees within a small network.
Behavioral analytics to identify employees who may be more vulnerable to specific threats, including issues related to personal credit, violations of conduct codes, feelings of workplace isolation, and indicators of antisocial behavior.
Advanced analytics techniques, including clustering algorithms, to identify hidden transaction patterns, including patterns within transactions and transaction monitoring alerts that may indicate facilitation by individuals or networks of employees.
Communication surveillance is also a potential support when legally permitted. Commonly used to identify securities-related trading violations, these tools and models can be trained to detect insider complicity in the furtherance of non-securities-related crimes.
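The graph-analytics control listed above can be sketched as follows. This is an added example, not code from the original post: the record layout (employee ID, account ID, alert flag), the sample data, and the `min_shared` threshold are all constructed assumptions. It links employees who handled deposits for the same alerted accounts and returns the small networks that result.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data (hypothetical layout): (employee_id, account_id, alerted).
# alerted=True means the account later drew a transaction monitoring alert.
DEPOSITS = [
    ("E1", "A1", True), ("E1", "A2", True), ("E1", "A3", True),
    ("E2", "A1", True), ("E2", "A2", True), ("E2", "A3", True),
    ("E3", "A2", True), ("E3", "A3", True), ("E3", "A9", False),
    ("E4", "A4", True), ("E4", "A5", False), ("E4", "A6", False),
    ("E5", "A4", True), ("E5", "A7", False),
    ("E6", "A8", False), ("E6", "A9", False),
]

def employee_clusters(deposits, min_shared=2):
    """Return groups of employees linked by >= min_shared alerted accounts."""
    # Bipartite step: which employees handled each alerted account.
    handlers = defaultdict(set)
    for emp, acct, alerted in deposits:
        if alerted:
            handlers[acct].add(emp)
    # Projection: weight each employee pair by the alerted accounts they share.
    weight = defaultdict(int)
    for emps in handlers.values():
        for a, b in combinations(sorted(emps), 2):
            weight[(a, b)] += 1
    # Keep only strong edges and merge them into components (union-find).
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for (a, b), w in weight.items():
        if w >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for emp in list(parent):
        groups[find(emp)].add(emp)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print(employee_clusters(DEPOSITS))
```

Employees on the same branch and shift will share customers for ordinary reasons, so a cluster is a lead for review against staffing data, not a finding on its own.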
Training
Research suggests that training can be the first defense against insider threat risks. For example, cases indicate that successful financial criminals often manipulate employees to participate in unethical behaviors, convincing them to ignore or rationalize their actions. This scenario is similar to behavioral patterns seen in bullying and other abuses, where individuals might start by engaging in minor infractions that gradually escalate over time.
To mitigate such behavior, effective training programs can remind employees of the red flags that indicate potential misconduct. Such programs help to identify when employees engage in unethical actions before they escalate. Behavioral science teaches that the most effective deterrent is to foster a supportive environment to prevent these issues from developing in the first place.
For more research on using behavioral science to address insider threats, see:
1. Why do employees commit fraud? Exploring the psychological and behavioral factors driving employees to commit fraud, developing a scale of employee fraud motives.
2. Impact of Applying Fraud Detection and Prevention Instruments in Organizations: This study discusses fraud detection tools, emphasizing the importance of internal controls and monitoring to mitigate risks.
3. Preventing Fraud with Internal Controls: An overview of internal control measures organizations can implement to prevent fraud, the significance of disciplinary actions, and continuous process improvements.
Conclusion
Integrating robust insider threat programs with financial crime prevention measures is an essential safeguard. It starts with a holistic risk assessment that identifies the insider threats impacting financial crime. Mitigating controls should include fostering a positive reporting culture, providing comprehensive training, and progressively developing and deploying models leveraging sophisticated behavior analytics and communications surveillance. Creating a supportive, vigilant, and secure environment will deter unethical behavior and enhance the institution's integrity.