In the wake of the incident at Morgan Stanley, where a former employee allegedly stole client data, experts suggest credit unions must revisit everything from how they screen potential candidates for hire to the policies in place when an employee is terminated.
Numerous acts of fraud, embezzlement and even outright criminal violence have been committed by employees against current and former companies — and such acts of malfeasance can prove costly, even when no lives are threatened and no data is actually released.
For example, financial services giant Morgan Stanley recently faced the potential nightmare of 350,000 of its wealth management clients having their personal financial details out in public after it emerged that a terminated financial adviser named Galen Marsh had stolen some of their account information.
Luckily for Morgan Stanley, they found no evidence that any of their customers lost any money. For his part, Marsh did not intend to sell the information he had illegally obtained, according to his attorney.
In the credit union community, a number of institutions have endured acts of larceny, embezzlement and even robbery committed by their employees.
According to data from the Association of Certified Fraud Examiners 2012 Global Fraud Survey, the banking/financial services sector suffers from the highest number of internal incidents of fraud among the 23 industries it surveyed.
Interestingly, the bulk of these criminal activities are carried out by long-tenured, higher-salaried, senior-level employees rather than by greener, low-wage newer workers.
"They [senior workers] may be leveraging greater knowledge, more access to funds, more authority, and perhaps a higher level of trust throughout the organization," CUNA Mutual Group explained.
Most often, such acts are being committed while the employee is still with the credit union, but there have been instances where it is a former employee seeking revenge after having been terminated.
Case in point: in July 2009, as the San Francisco Chronicle reported, a young woman named Angelica Sagote and two of her relatives were sentenced to federal prison terms after they robbed the Pacific Postal Credit Union, a $204-million institution based in San Jose, of more than $76,000. Sagote took revenge on the credit union after they had terminated her from her clerk position over some missing money which was later found at her desk.
How can such incidents be avoided or at least mitigated?
It starts even before someone is hired, much less fired, according to Joette Colletts, senior manager of risk management at CUNA Mutual, who said that credit unions can take a number of preventative steps to deter criminal or fraudulent activity by fired employees.
"It should begin right at the hiring process," she said. "Credit unions should conduct a thorough background check, including a survey of the prospective employee's previous criminal record (if there is one) and they should also make sure that their resumes are accurate and truthful."
Staging more than one interview and applying some in-house personality tests could also weed out potential bad actors, she said.
A credit check on the applicant can also provide additional helpful information. "If a job applicant has a history of, say, filing for bankruptcy or failure to pay bills on time, that would definitely raise a red flag on someone who could potentially manipulate accounts or embezzle funds to their own benefit," Colletts added.
Another big red flag is if there's evidence of a gambling problem.
Colletts also recommends that for certain "sensitive" jobs within a credit union — such as those involving close monitoring of member accounts, loans and credit card accounts — they may want to consider filling these positions with people from within, rather than outsiders. "I think this would greatly lessen the chance of internal fraud and embezzlement," she said. "Hiring an outsider and giving them access to sensitive information on members' financial accounts could raise the risk of wrongdoing."
Like banks and many other institutions, credit unions are also advised to disable the computer/account passwords and user names of terminated employees in order to block any unauthorized future cyber-access to account information.
However, even after an employee is terminated — a process that is highly stressful and unpleasant for all parties involved — credit unions could still enact steps to prevent future criminal or violent acts by the fired worker. "Employers should remain calm and respectful during the firing process and also provide the person not only with a severance package, but also with off-site help, including resume improvements and counseling," Colletts said. "It would also be beneficial to have more than one employee, perhaps security on stand-by, be present during the termination, to dissuade any potentially violent episodes."
A fired employee may have difficulty taking legal action against the credit union if he or she had been made earlier to sign an anti-fraud policy document (i.e., one that clearly spells out what kinds of activities represent fireable offenses).
Colletts stated that credit unions need to impose a zero tolerance attitude towards any fraudulent activities by its workers, and that should come from the very top.
But there are other ways for disgruntled ex-workers to harm their former companies — some ways that cannot be easily prevented.
Christopher T. Marquet, CEO of Marquet International Ltd., a Boston-based investigative, litigation support and security consulting firm, told Credit Union Journal that he has known of cases where a fired employee will seek to cheat his former company by colluding with someone still working on the inside.
In addition, a fired employee could easily and anonymously post negative comments about his former firm on social media and blogs — such malicious remarks, if seen by enough people on the web, could hurt the reputation of the targeted company or institution.
Of course, even honorable and otherwise law-abiding employees could turn to crime out of desperation — something that a pre-screening test probably could not detect.
Adam Levin, chairman and founder of IDT911, and an expert on identity management, fraud and privacy, told Credit Union Journal that when it comes to employees, "trust must be earned and constantly verified," underlining a "zero tolerance" stance on inappropriate behavior and conduct.
Levin recommends credit unions maintain very strict policies on employee conduct with a special focus on controlling and limiting their access rights to company files and information. "The company's networks should be regularly audited, logins and passwords should be periodically changed, among other measures," he said. "Whenever someone is fired, all logins and account access codes should be immediately changed."
Levin believes credit unions should have employees sign agreements at the beginning of their tenure which makes clear the punishment for fraudulent acts (including termination and lawsuits, etc.) as a deterrent for such behavior.
Also, since it would be impossible to prevent all criminal acts by disgruntled employees, a company should always be in a "damage control mode," Levin added.
In addition, Colletts noted that smaller credit unions — which tend to have few employees — should be particularly vigilant about potential acts of fraud given that the sparse staffing makes separation of duties difficult to implement. "Unlike in larger credit unions, in smaller institutions you might have one person doing multiple jobs, which grants them access to more account information," she said.
On the whole, Marquet said that smaller institutions may be more vulnerable to fraud because of less oversight and a more fragile control structure. "Stakeholders need to engage more in order to deter potentially malicious acts by terminated employees," he said.
Colletts cautioned, however, that "fraud does not discriminate" — it can occur in big or small institutions, and the perpetrators can range from chief executive officers to the clerks, spanning both men and women.
Another aspect to 21st Century corporate fraud has to do with technology — corporations are upgrading their internal security infrastructure, but criminals and hackers are also getting more bold and sophisticated on their own (witness the recent immense hacking of the giant Sony company, for example). Levin commented that the "bad guys" are winning the technology race.
Finally, considering that a huge international corporation like Morgan Stanley (which presumably enjoys an extremely sophisticated internal security system) can witness one of their own fired workers so easily steal information on thousands of clients, it would behoove smaller institutions, like credit unions, to exercise ever-more vigilance about such crimes.