Banking on Safety at Financial Institutions
Christine, Brian, Risk Management
FINANCIAL INSTITUTIONS can be victimized by a wide variety of criminal acts, including bank robberies, check fraud and money laundering schemes. However, at the 1993 American Bankers Association ABA) National Security and Risk Management Conference held in Orlando, Florida on February 7-10, financial institution security specialists, as well as agents for the Federal Bureau of Investigation (FBI), discussed three other perennial security concerns for risk managers: white collar crime, private branch exchange (PBX) fraud and automatic teller machine (ATM) robberies. In their presentations, the speakers offered various security strategies that can help risk managers of financial institutions decrease the incidence of these crimes - and thereby reduce their companies' losses.
White Collar Crime
BECAUSE FINANCIAL institutions manage and transact enormous sums of money, white collar crime is a prevalent problem in the industry, said Joseph K. Judge, special agent for the FBI. To illustrate how serious these crimes can be for a financial institution, Mr. Judge described how a team of white collar criminals set up a sophisticated dummy loan scheme at a Florida bank that ultimately led to the bank's collapse. "In this scheme, the criminals bribed the bank president to pass about 60 loans, all of which were fraudulent."
The plan was devised so that the loans flowed through about 30 intermediaries, each of whom was working for the criminals. "A simple background check of the borrowers would have revealed that all of these loans were going to only four addresses," said Mr. Judge. "To prevent this from happening, banks should always run UCC checks on borrowers."
Risk managers should also look for other indications of illicit activities, said Mr. Judge. "The sale of a bank to people who are highly leveraged should put up a red flag," he said. "Other activities that should arouse suspicion include loans that have interest reserves set aside for an extended period of time, such as 12 to 18 months." Mr. Judge also recommended that bank officials examine the collateral that is used for loans. "At the Florida bank, the dummy loans were backed by fraudulent collateral, such as apartment buildings that were nonexistent," he said. "Banks should always check the collateral to determine its authenticity, instead of relying on the photographs of it provided by the borrowers."
Whether the suspected crime is a fraudulent loan scheme at a bank or the embezzlement of funds from a corporation, white collar crime represents a big part of the FBI's caseload, said David Gomez, supervisory special agent for the FBI. However, the FBI offers assistance for companies attempting to deal with white collar crime. "For example, we can help a company perform an analysis of a particular crime, develop an investigative strategy and provide them with techniques for interviewing suspects." And, if a case comes to trial, the FBI can help the company develop a prosecution strategy, and sometimes even provide expert witness testimony, he added.
INCREASINGLY, BANKS and other companies are facing enormous losses from the theft of telephone services by hackers, said Herbert W. Whiteman Jr., vice president and security advisor at the Federal Reserve Bank of New York. "Toil fraud is the theft of long distance telephone service codes from companies or individuals by criminals," he said. "These individuals access the codes through the company's PBX, then sell them for profit on the underground market."
The problem has become particularly acute since the breakup of AT&T in 1984, said Mr. Whiteman. "Before 7984, toll fraud was the phone company's problem," he said. "They supplied all the equipment and were responsible for enacting the necessary security measures." However, today companies must purchase their own telephone equipment from a wide variety of vendors, and are therefore responsible for developing their own security procedures. "Also, companies are now liable for their own losses," he said. "As a result, they must solve the problem by themselves."
Criminals can access a company's phone codes in a number of ways, said Mr. Whiteman. "One way is for criminals to 'shoulder-surf'- or look over the shoulder of a salesperson or some other employee using the company calling card," he said. "The number can also be stolen by making a video of the person dialing the number, and then playing it back to reveal the number dialed."
Other ways to illicitly obtain phone numbers include unscrupulous employees selling company codes for profit, a hacker or "phone phreak" using a personal computer to randomly dial access codes into the company's PBX system until valid codes are bund, or thieves searching through a company's trash in order to obtain carelessly discarded access code numbers.
TO PREVENT CODES from being stolen, companies should attempt to safeguard them to the highest degree possible, said Mr. Whiteman. "First, authorization codes should be randomly assigned," he said. "For example, the codes should never be matched to an employee's badge number or to a department's number." For companies that use a call accounting system, Mr. Whiteman suggested not printing authorization codes on the call record. "Also, always delete all codes no longer in use."
As an additional safety measure, risk managers should create a policy for dealing with employees who leave the company. "When employees who have remote access privileges leave the firm, ensure that their authorization codes are deleted, and any relevant barrier codes are changed," he said. "Also, institute a regular schedule for changing barrier codes as frequently as possible."
When authorization codes are created, they should contain the maximum number of digits in order to reduce the likelihood'that hackers will be able to break into the system. "The minimum ratio of valid authorization codes to possible numbers should be equal to or greater'than one in 10,000," he said. "For example, if you need one valid code, the use of four digits will provide you with 9,999 possible codes."
ATMs and Crime
ALTHOUGH ATMS ALLOW banks to provide quick and efficient service for their customers, they also create a crime exposure problem for the banking industry, said Mr. Barry Schreiber, professor of criminal justice at St. Cloud State University in St. Cloud, Minnesota. "A study by the Bankers Administration Institute and the ABA revealed an incident rate of about one crime for every 3.5 million transactions," said Mr. Schreiber. "However, a California Bankers Association study found a one in 1 million rate."
Regardless of the severity of these statistics, banks have an obligation to protect their customers, said William R. Wipprecht, vice president and director of security for the Wells Fargo Bank, N.A. in San Francisco, California. And although banks have tried a number of security measures to ensure the safety of ATM stations, including the use of locks, bulletproof glass, closed circuit videocameras and by maintaining adequate lighting, ATM crime is a difficult problem to contend with, said Mr. Wipprecht. "Since ATM is a street crime, we cannot reduce it until we see a reduction in street crime itself," he said. "And we haven't seen street crime decline at any time over the last 20 years."
As a result, some states have passed legislation designed to increase the safety of ATMs. "In New York City, an ATM security bill passed last year went into effect on the 13th of February," said Mr. Schreiber.
Major components of the bill include the establishment of minimum lighting requirements, the use of closed-circuit TV cameras both inside and outside ATM vestibules, the requirement that all vestibule walls be transparent, and the provision of a written warning that all transactions are videotaped. "New York banks say that it will cost between $50 million to $60 million to comply with the bill," said Mr. Schreiber.
This past year, the state of California also passed ATM legislation, which will go into effect on July 1 of this year, said Mr. Wipprecht. "The law requires banks to adopt the same minimum lighting standards as in New York's bill, and also requires banks to distribute ATM safety bulletins and develop procedures for evaluating the site safety of individual ATMs," he said.
However, instead of relying exclusively on the legislative requirements, risk managers can institute their own safety programs, declared Mr. Wipprecht. "Install ATMs in well-traveled areas that are easily seen by passersby," he said. "The site should not be obstructed by signs, columns, or bushes and, if in a vestibule, should contain a door that locks."
Each ATM should also have adequate lighting. "Both the New York and California bills have strict lighting requirements," he said. "The laws require light of a minimum of 10 footcandles up to five feet from the machine, a minimum of two footcandles from up to 50 feet from the machine, and a minimum of two footcandles within 60 feet of a defined parking area," said Mr. Wipprecht.
It is also important to ensure that the ATM's lighting system is independent of the bank's electrical circuits, added Mr. Wipprecht. "Otherwise, if the bank's lighting system goes out, the ATM will be covered in darkness." Video cameras should also be installed in ATMs. "The cameras should be able to produce a quality image at a depth of three feet," said Mr. Wipprecht."…
Questia, a part of Gale, Cengage Learning. www.questia.com
Publication information: Article title: Banking on Safety at Financial Institutions. Contributors: Christine, Brian - Author. Magazine title: Risk Management. Volume: 40. Issue: 4 Publication date: April 1993. Page number: 92+. © 1999 Risk Management Society Publishing, Inc. COPYRIGHT 1993 Gale Group.
This material is protected by copyright and, with the exception of fair use, may not be further copied, distributed or transmitted in any form or by any means.