Giving'em "the right stuff' to fight fraud: an interview with Michael Collins

Like many cities, Philadelphia is a blend of the historic and the modern--in architecture, in values and principles, and in thought. Just a few blocks from Independence Hall and the Liberty Bell sits the streamlined headquarters of the Third District of the Federal Reserve Bank. The Fed remains true to its 1913 mandate to provide the nation with a safer, more flexible, and more stable monetary and financial system. But in 2003 the Fed is investing heavily in technology and training to further strengthen its people and to broaden its understanding of products in a rapidly changing industry. Charles Taylor and Beverly Foster spoke with Michael Collins, SVP and lending officer at the Bank, about examiner training and the Fed's role in helping banks to outsmart the bad guys.

RMA Associate Michael Collins is SVP and lending officer at the Federal Reserve Bank of Philadelphia. He provides administration and oversight of the discount window and oversees the supervision of financial holding companies, bank holding companies, and state member banks in the third district. He also chairs the Staff Development, Utilization, and System Performance Subcommittee for the Federal Reserve System's supervision function. He ensures that the Fed's training remains current and relevant and that examiners have the technical and behavioral skills to do their jobs. It takes three to five years of a core curriculum plus on-the-job training to be commissioned by the Board of Governors as an examiner.

Getting the Right Stuff

The core curriculum's 10 courses include training in internal controls and fraud, both by type of activity and by exposure. "Our trainees gain an understanding of these activities early on, and then we expect them to continue to progress in their comprehension and application of analysis, synthesis, and evaluation," says Collins. "That's where critical thinking and judgment skills come into play, and we expect our people to be able to apply them at that level."

Training does not end there. After commissioning, continuing professional development supports examiners as they take a more self-directed approach to their learning. "Of course, supply and demand play a part, and career consultations do point out opportunities--those areas where skill gaps exist in the Fed System," says Collins. Still, examiners can chose a wide variety of specializations and, for example, can pursue deeper knowledge of credit or market risk management, work toward becoming capital market experts, or seek to become certified fraud examiners.

Tools of the Trade

Alongside more traditional teaching methods, online learning has taken hold in the Fed System through a tool developed by the Federal Reserve Bank of St. Louis. "It's a modular approach in which examiners learn initially to identify red flags for poor governance and internal controls," says Collins. "It helps them identify possible weaknesses and to test whether the weaknesses are more apparent than real in the context of a particular organization. If there is a real problem, later training modules help them understand their options--how to expand the scope of their examinations to include additional testing and, if need be, how to build a case for a criminal investigation."

Beyond training, examiners are supported by system-wide Video conferencing, first used at the Philadelphia Federal Reserve Bank, spreads news and the expertise of specialists to others throughout the U.S. in real time. 'We don't have to wait for a trend that began, say, in San Francisco to reach Philadelphia before we prepare our local examiners to deal with it," says Michael Collins. knowledge sharing. Video conferencing, first used at the Philadelphia Federal Reserve Bank, spreads news of any new developments and brings the expertise of specialists to others throughout the U.S. in real time. "In this way, we don't have to wait for a trend that began, say, in San Francisco to reach Philadelphia before we prepare our local examiners to deal with it," says Collins.

Then there is the Fraud Information Network--coordinated out of Washington--of subject matter experts, investigators, attorneys, and policy analysts across the System. The Network has its own Web site through which they share information about trends and practices with field examiners nationwide. And this staff can be mobilized at a moment's notice to supplement specific examination teams when complex, novel, or large-scale fraud is suspected.

Finally, the Fed's examiners benefit from expertise elsewhere in the Federal government, including:

* The other banking agencies, such as the FDIC, OTS, and 0CC.

* Law enforcement agencies as members of the the Bank Fraud Working Group.

* On occasion, the Justice Department and other law enforcement agencies.

Dangerous Times

"Our infrastructure for developing and supporting examiners is especially important at this stage in the economic cycle," says Collins. "In many banks, the recent decade of economic growth masked control weaknesses exacerbated by cost-cutting and now frauds are surfacing and spreading rapidly."

The Association of Certified Fraud Examiners completed a study in 2002 estimated that 6% of revenue of all types of businesses in the U.S. would be lost to occupational fraud and abuse--$600 billion when considered as a percentage of GDP. Over half of the frauds identified caused losses of at least $100,000, and one in six frauds caused losses of in excess of $1 million.

"During past cycles, overheated real estate markets and banks flush with liquidity led to widespread appraisal and other real estate frauds," says Collins. "This time, the dot-coin expansion ended in corporate losses and accounting irregularities. New, more complex products once again got ahead of controls: thorough underwriting is hard to square with the three-minute mortgage. It has been difficult to turn away attractive but poorly understood opportunities in these hard times. But the fact is that with weak internal controls or inadequate governance, you are asking for problems."

Over the past seven years, suspicious activity reports (SARs) for check fraud, kiting, and counterfeiting on average exceed 20% a year. Credit card fraud is up 25% a year (See Figure 1). For the first five months of 2002, 108,153 SARs of all kinds were submitted to the U.S. Treasury. The top five categories for SARs in 2002 were:

1. 56%--Bank Secrecy Act, structuring, and money laundering.

2. 11%--check fraud.

3. 11%--other.

4. 5%--credit card fraud.

5. 5%--counterfeit checks.

Of course, some of this increase may reflect more complete reporting, especially since SARs have been used in the war on terrorism. But the growth rate is high enough to underline the fact that times are indeed challenging for banks.

Detecting Fraud

Of the 11 bank failures nationwide in 2002, five were attributable to fraud: Hamilton Bank, where there were fictitious loans and money laundering; Bank of Sierra Blanca and Oakwood Deposit Bank, both of which were crippled by large embezzlements; and Connecticut Bank of Commerce and Farmers Bank and Trust, which were brought down by loan fraud. The typical perpetrator was a first-time offender, according to the ACFE 2002 study, and the average scheme lasted 18 months.

Fraud detection by the regulators begins with a bank license application, although it is unusual to detect fraud at that stage. Evidence of misleading information does occasionally prevent an application from moving forward but most people who might think of opening a bank know that they will undergo an exhaustive background check first, and crooks usually think twice about subjecting themselves to detailed federal investigation.

Fraud, misrepresentation, or irregularities are more commonly unearthed during surveillance or on-site examinations. Examiners look for the weaknesses in the internal control environment that create the opportunity for problems. "There have been some public enforcement actions recently that show the effectiveness of examinations assessments related to strong risk management practices, corporate governance, and internal controls," says Collins. "In the PNC action, the bank got the sign-off from its accounting firm to take things off-balance-sheet but were obliged by Fed action to put them back on to more accurately reflect risk. The risk management infrastructure was a key issue in the Fifth Third action. And, in the AllFirst case, there was fraud and a more egregious shortfall of governance and control. We didn't have a bank fail in any of these instances, but we did see a lack of management thoughtfulness and critical thinking that we think our examiners helped unearth.

"Still, you can't legislate integrity," he continues. "Senior management has to set the tone. They must understand their fiduciary responsibility to shareholders, employees, their communities, and the broader financial markets. They must establish a culture of openness that welcomes penetrating questions and challenges--from the board and from their employees, too. They need to recognize and reward those whose vigilance protects the interests of all the bank's stakeholders."

The ACFE 2002 study showed that the most common sources of information about fraud in progress were employee tips, anonymous sources, whistle blowers, and hotlines. Openness pays.

Mitigating Fraud

If you look at the statistics, it's the fat-tail events--low frequency but huge impact--that can cost the franchise and create systemic risk. A single trader brought down a 200-year-old bank. (1)

"It's the small-volume but more frequent gray areas, however, that can have long-term debilitating effects on a company's performance and reputation," says Collins. "You certainly don't want a culture where people think it's okay to hedge a little here and take a little there. There must be checks and balances, good processes, and assurance that the people you hire understand the mission you've envisioned. There is a cost attached to something as small as employees taking six tablets for their kids to use at school or pens for themselves. Such feelings of entitlement are a cultural issue that must be addressed."

Mitigating fraud within an institution, then, begins with the right environment. A strong board of directors will understand the risk and the fiduciary responsibility around operations and ensure that the bank sets appropriate policies, has the right structure, and creates a culture in which all activity--internal or outsourced--can be conducted with confidence.

Internal controls should ensure regular reviews, independent reporting lines, and accurate, timely, and relevant information reporting up to senior management and the board. Employees should take a full two weeks of vacation to lessen the opportunity for fraud. Internal audit must review and test many aspects of the bank's affairs including out-sourced and other third-party arrangements. "So while there is a technical component involved in these controls," says Collins, "there also must be a cultural component that creates the conditions for integrity in operations. When examiners go into banks, we of course look to see that the internal control environment is sound and effective."

The USA PATRIOT Act also helps banks fight fraud. The banking industry had a leg up over mutual funds, brokerage firms, and insurance companies in implementing this Act because of its precursor, the Bank Secrecy Act. Now banks are investing to stay ahead. For example, the Office of Foreign Assets Control (OFAC), a division of the U.S. Treasury Department, administers and enforces sanction programs primarily against countries and groups of individuals, such as terrorists and narcotic traffickers. OFAC periodically distributes lists of such countries and individuals, and many banks are now incorporating this information into their own internal databases to more effectively monitor their customer base. "I am aware of only one recent enforcement action where the PATRIOT Act was cited," says Collins. "However, failures of bank secrecy have led to enforcement actions repeatedly. Banks would be well served to pay attention to this area."

The new requirements in the Sarbanes-Oxley Act of 2002--curtailing loans to insiders and requiring attestation to the quality of controls in the audited accounts of publicly traded companies--are not that new for banks. Collins feels that Sarbanes-Oxley recodifies Section 36 of FDICIA (2), which governs such activities as independent audits and certifying statements. "Banks already had many of those practices in place," Collins says, referring also to Regulation 0, which governs loans to insiders, implements section 22 of the Federal Reserve Act, and has been enhanced many times over the years. "The real impact of Sarbanes-Oxley is likely to be more in rethinking the quality aspect," says Collins. "My advice to banks, then, is that in complying with the technical aspects of the law, focus on the quality of each aspect. How does the board actually operate? Is the corporate governance really sound?"

Community Banks

"Smaller banks are getting better at fraud mitigation," says Collins. "Although larger banks still have the advantage, tools for combating fraud are becoming more affordable and effective to small banks too. And, the things that make community banks successful--knowing your customers, personal service, understanding and even having face-to-face contact with people--can help in uncovering such things as check kiting."

On the Radar Screen

"As we look ahead, accounting transparency and irregularities will continue to be points of focus until confidence is restored in the marketplace," says Collins. "Special purpose entities and securitizations--off-balance-sheet activities--and their structures will continue to be closely monitored. And corporate governance will continue as a strong issue because of Sarbanes-Oxley. We really want people to stay on top of that. Longer term, even as we develop better ways of preventing and mitigating old frauds, we can be sure that new frauds will arise. Banks are too tempting a target, and there is no doubt that fraud will provide banks and their examiners with continuing challenges."

Figure 1

Frequency Distribution of SAR Filings by Characterization of Suspicious
Activity

for the period April 1, 1996 through October 31, 2002--

Violation                            1996    1997    1998    1999

BSA/Structuring/Money Laundering    21,655  35,625  47,223  60,983
Bribery/Gratuity                        94     109      92     101
Check Fraud                          9,078  13,245  13,767  16,232
Check Kiting                         2,902   4,294   4,032   4,058
Commercial Loan Fraud                  583     960     905   1,080
Computer Intrusion                       0       0       0       0
Comsumer Loan Fraud                  1,190   2,048   2,183   2,548
Counterfeit Check                    2,405   4,226   5,897   7,392
Counterfeit Credit/Debit Card          391     387     182     351
Counterfeit Instrument (Other)         219     294     273     320
Credit Card Fraud                    3,340   5,075   4,377   4,936
Debit Card Fraud                       261     612     565     721
Defalcation/Embezzlement             3,286   5,284   5,252   5,178
False Statement                      1,880   2,200   1,970   2,376
Misuse of Position or Self Dealing     952   1,532   1,640   2,064
Mortgage Loan Fraud                  1,318   1,720   2,269   2,934
Mysterious Disappearance             1,216   1,765   1,855   1,854
Wire Transfer Fraud                    302     509     593     771
Other                                4,836   6,675   8,583   8,739
Unknown/Blanck                       1,539   2,317   2,691   6,961

Violation                            2000    2001     2002

BSA/Structuring/Money Laundering    90,606  108,925  126,971
Bribery/Gratuity                       150      201      331
Check Fraud                         19,637   26,012   26,170
Check Kiting                         6,163    7,350    7,686
Commercial Loan Fraud                1,320    1,348    1,571
Computer Intrusion                      65      419    1,293
Comsumer Loan Fraud                  3,432    4,143    3,644
Counterfeit Check                    9,033   10,139   10,198
Counterfeit Credit/Debit Card          664    1,100    1,050
Counterfeit Instrument (Other)         474      769      659
Credit Card Fraud                    6,275    8,393   12,347
Debit Card Fraud                     1,210    1,437      975
Defalcation/Embezzlement             6,117    6,182    5,101
False Statement                      3,051    3,232    2,995
Misuse of Position or Self Dealing   2,186    2,325    2,217
Mortgage Loan Fraud                  3,515    4,696    4,617
Mysterious Disappearance             2,225    2,179    1,869
Wire Transfer Fraud                    972    1,527    3,293
Other                               11,148   18,318   25,346
Unknown/Blanck                       6,971   11,908    6,753

Source: The SAR Activity Review: Trends, Tips & Issues, Issue 5,
February 2003; page 11; published under the auspices of the Bank Secrecy
Act Advisory Group; available online at
http://www.fincen.gov/sarreviewissue5.pdf.

Notes

(1.) A trader was supposed to be exploiting low-risk arbitrage opportunities that would leverage price differences in similar equity derivatives on the Singapore Money Exchange (Simex) and the Osaka exchange. "In fact, he was taking much riskier positions by buying and selling different amounts of the contracts on the two exchanges or buying and selling contracts of different types. Thanks to the lax attitude of senior management, Leeson was given control over both the trading and back office functions. As Leeson's losses mounted, he increased his bets. However, after an earthquake in Japan caused the Nikkei Index to drop sharply, the losses increased rapidly, with Leeson's positions going more than $1 billion into the red. This was too much for the bank to sustain; in March of 1995, it was purchased by the Dutch bank ING for just one pound sterling." www.erisk.com/portallreference/case/ref_case_barings.asp.

(2.) In 2001, the FDIC Board of Directors formalized its long-standing interpretation of the Federal Deposit Insurance Act (FDICIA) regarding what it means to be "engaged in the business of receiving deposits other than trust funds."

[c] 2003 by RMA. Charles Taylor is director of Operational Risk at RMA--The Risk Management Association; Beverly Foster is editor of The RMA Journal.

Contact Taylor at

ctaylor@rmahq.org.

COPYRIGHT 2003 The Risk Management Association
COPYRIGHT 2005 Gale Group