Training Risk Management Heroes, Part 1: Banking on the Frontline
I’m sure you’ve heard a story of a teller saving an unsuspecting customer from cashing a fraudulent check and wiring the money to scammers in a foreign country. The frontline is trained to protect both the institution and its customers by identifying fishy transactions.
But bank and credit union staff are capable of going further when it comes to guarding against risk. Many bankers start out as tellers, learning the importance of accuracy, following processes, collaborating, reading people, upselling, and customer relationships. When risk management is emphasized in their training and workflows, it creates a culture of risk management from the bottom up.
As the talent from the frontline rises through the ranks, they bring their awareness of risk management with them.
That’s not to say that risk management isn’t just as critical at the front line. A savvy employee who isn’t afraid to speak up when something doesn’t seem right is a fantastic risk management control.
Stopping a $500 million fraud
Just ask HSBC. A teller in one of the bank’s London branches was able to do what Angola’s government couldn’t: recognize a $500 million scam.
An accountant came into the branch asking to transfer $2 million to an account in Japan. The teller was surprised to see a $500 million account balance, and asked a few questions of the customer. Unsatisfied with the answers, she declined the transfer and alerted her bosses, according to an investigation in The Wall Street Journal.
It turns out the money came from Angola’s central bank reserves. Scammers with fraudulent documents convinced the government to transfer the funds as part of the fees to form a $35 billion investment fund. The scammers never intended to create the fund and were planning to steal the $500 million by collecting “fees” for their work, the WSJ reports.
Catching this scam never should have been the job of a teller. The Angolan central bank transferred the money to the account of the company allegedly setting up the fund, but the large transaction didn’t trigger any checks, the WSJ reports.
“The central bank’s Swift message code indicated—inaccurately—that the money was for intrabank business with HSBC rather than headed to an HSBC customer,” the paper reported. “HSBC noticed the discrepancy later, when it started probing the transfer.”
A cybersecurity expert interviewed described this as “a hole in the international financial system.”
Fortunately for Angola, a smart teller was there to plug the hole.
Catching a tax cheat
Our second shout-out goes to the director of risk management at NorthCountry Federal Credit Union in Vermont. Police uncovered a $15,000 tax fraud with the help of an observant credit union employee who noticed four state tax refund deposits over four months totaling $15,733 all made into the account of Chelsea Hoadley. She would then write a check to herself and deposit it at another institution, according to the local news.
It would be unusual to get two tax refunds, let alone four. NorthCountry noticed this oddity and reported it to the state tax department, which eventually turned its investigation over to police. It turns out Hoadley, a 26-year-old tax examiner with the Vermont Tax Department, used her access to tax records to allegedly increase the withholding on a friend’s 2012 tax return three times and once on his 2015 tax return and pocketed the gains. The friend was unaware of the scam.
Hoadley, who faces up to 52 years in jail, pled not guilty.
An oldie but a goodie
Employees at a Long Island community bank also had a hand in uncovering the prostitution scandal that brought down former New York Governor Eliot Spitzer. It filed a suspicious activity report after three wire transfers to a single company, that added up to around $10,000, raised concerns that someone might be trying to avoid the $10,000 transaction threshold for reporting, according to The New York Times.
The paper noted that the bank used more stringent rules since the governor was considered a more high-risk customer requiring extra due diligence as a political figure. FinCEN didn’t do anything with the report until HSBC made a report after noticing several similar transactions made to shell companies where due diligence was lacking.
“The bank found that the due diligence was not done — there was no Dun & Bradstreet, no documentation, almost nothing in the file,” a source told the paper. “They probably got scared and said, ‘Uh oh, one of our bankers didn’t follow our protocol.’”
What can a financial institution do to make its frontline and other staff engage in risk management?
If you see something, say something. If something doesn’t feel right, speak up. Don’t be afraid to ask questions or alert someone higher up.
Address risk management in policies and procedures. When risk management is built into polices and procedures, it ensures that employees are helping mitigate risk with their everyday actions. Be thoughtful in determining how risk management can be applied to help the institution stay within its overall risk tolerance.
Adhere to policies and procedures. Mistakes slip through when policies and procedures aren’t rigorously followed. Communicate why policies and procedures exist and train staff to follow them.
Follow up if policies and procedures aren’t followed. Audits are key to uncovering fraud and oversights. Ensure staff has the tools to record and track activity.