The news reports of bank losses serve as both cautionary tales and teaching moments: no bank wants to find its name included in headline-grabbing stories of bank employee misconduct. Monitoring employee accounts for fraud and malfeasance is a regulatory expectation and a best practice for fraud prevention. While regulators may not have specified particular types of monitoring requirements regarding employee accounts, it is evident that account monitoring parameters targeting high-risk employee transactions have a greater chance of catching employee fraud than general, non-risk-based monitoring.
To be clear, the Federal Reserve does not suggest or require the review of every employee account. However, it does recommend that banks institute an employee account monitoring policy that is intended to detect risky behavior. Section 3000.1 of the Commercial Bank Exam Manual recommends that as a matter of bank policy, employee accounts should be specially encoded for ease of identification, and that banks should engage in periodic internal review. Bank examiners are instructed to review bank procedures and practices related to management and monitoring of employee accounts, and to “take appropriate measures where warranted.” These instructions leave a great deal of latitude to bank examiners concerning how to evaluate and deal with a bank’s employee account monitoring practices.
Other regulators, such as the FDIC and the OCC, do not expressly require employee account monitoring as part of their exam processes. However, in a 2004 Enforcement Action with Town-Country National Bank in Camden, Alabama, the OCC included a provision under “Internal Controls” requiring the Bank to adopt and implement employee account monitoring processes through reports on employee accounts with a large number of large-dollar transactions. While this precedent has not translated into an OCC-mandated monitoring requirement, a failure to monitor for such activity could be construed as a potential indicator of larger overall internal control issues. Further, the “Fraud” section of the FDIC’s Risk Management materials highlights 50 examples of insider transactions as “warning signs” of insider abuse and fraud. Examiners are instructed to be alert for these activities, such as large transactions or frequently overdrawn accounts. Such “warning signs” can often be detected, and insider abuse avoided, by regular employee account monitoring.
Additionally, financial institutions are required to have a Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program, which includes appropriate policies, procedures, and processes for monitoring, detecting, and reporting suspicious activity. While the BSA itself does not require employee account monitoring, all transaction accounts, including those of employees, should flow through the financial institution’s AML software. Any employee accounts should also be readily identifiable as such through coding within the core transaction system and/or AML software. If the bank detects suspicious activity that involves an “insider” (which includes all directors, officers, employees, agents or other institution-affiliated parties) in ANY amount, the BSA requires the bank to file a SAR.
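As an added illustration (not part of the article, and not any regulator's or vendor's tool), the following Python sketch combines the checks described in the two paragraphs above: an account-code prefix that makes employee accounts identifiable in the core system, the OCC-style report on employee accounts with a large number of large-dollar transactions, the FDIC "frequently overdrawn" warning sign, and the rule that suspicious activity touching an insider account calls for a SAR in any amount. The dollar floor, the counts, the `EMP-` prefix and the sample transactions are all assumed or constructed here.

```python
from collections import defaultdict, namedtuple

# Assumed review parameters (not from the article): the "large-dollar" floor, how many
# large items or overdrafts per review window raise a finding, and the code prefix
# under which the core system identifies employee (insider) accounts.
LARGE_DOLLAR = 10_000.00
LARGE_COUNT = 3
OVERDRAWN_COUNT = 2
EMPLOYEE_CODE = "EMP-"

# amount: signed (credits +, debits -); balance_after: ledger balance after posting
# (negative = overdrawn); aml_alert: the bank's general AML scenarios fired on it.
Txn = namedtuple("Txn", "account amount balance_after aml_alert", defaults=(False,))

def review_employee_accounts(txns):
    large, overdrawn, insider_alerts = defaultdict(int), defaultdict(int), set()
    for t in txns:
        if not t.account.startswith(EMPLOYEE_CODE):
            continue  # non-employee accounts stay with the general AML monitoring
        if abs(t.amount) >= LARGE_DOLLAR:
            large[t.account] += 1
        if t.balance_after < 0:
            overdrawn[t.account] += 1
        if t.aml_alert:
            insider_alerts.add(t.account)  # insider involvement: no dollar floor
    findings = {}  # {account: [reasons]} for employee-coded accounts needing review
    for acct in set(large) | set(overdrawn) | insider_alerts:
        reasons = []
        if large[acct] >= LARGE_COUNT:
            reasons.append(f"{large[acct]} large-dollar transactions")
        if overdrawn[acct] >= OVERDRAWN_COUNT:
            reasons.append(f"overdrawn {overdrawn[acct]} times")
        if acct in insider_alerts:
            reasons.append("AML alert on insider account: SAR required in any amount")
        if reasons:
            findings[acct] = reasons
    return findings

# Constructed sample activity for one review period.
SAMPLE = [
    Txn("EMP-1001", -12_000, 40_000), Txn("EMP-1001", -15_000, 25_000),
    Txn("EMP-1001", -11_000, 14_000),  # three large-dollar debits
    Txn("EMP-1002", -300, -120), Txn("EMP-1002", 200, 80), Txn("EMP-1002", -250, -170),
    Txn("EMP-1003", -250, 900, aml_alert=True),  # small item, but on an insider account
    Txn("CUST-5001", -20_000, 5_000), Txn("CUST-5001", -20_000, -15_000),  # not an employee
]
if __name__ == "__main__":
    for acct, reasons in sorted(review_employee_accounts(SAMPLE).items()):
        print(acct, "; ".join(reasons))
```

The customer account is deliberately left to the bank's general AML scenarios; only the employee-coded accounts are scored against the tighter insider parameters.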
Employee transaction monitoring can take many forms and goes beyond just basic employee account activity monitoring. The amounts, types, and frequencies of transaction activity that might be suspicious for an employee are quite different from general AML scenarios captured in the bank’s AML monitoring system due to the insider access that financial institution employees have to transaction systems, networks, and cash. Clearly, engaging in periodic employee account and transaction monitoring can be useful in detecting and preventing employee theft, and should be part of a financial institution’s fraud prevention toolkit. Additionally, it can be useful as a regulatory shield.
Cathleen D. Wyatt