In recent years, fraud committed by insiders has exposed insured financial institutions and the deposit insurance funds to significant potential or actual losses. Fraud proved particularly costly to a few institutions, as evidenced by one failure and one near-failure. The FDIC, through its examination program, promotes sound internal control structures that help banks detect and prevent fraud. However, the FDIC recognizes that insider fraud will always present a risk to financial institutions.
Banks can mitigate exposure to fraud loss by discovering schemes early, taking aggressive corrective actions, and carrying adequate fidelity insurance. In addition, the FDIC, through the efforts of its Division of Supervision and Consumer Protection (DSC), can minimize exposure by pursing appropriate enforcement actions. The importance that the FDIC places on combating fraud is underscored by the fact that of the 65 removal/prohibition actions issued during 2004, 61 (94 percent) involved fraud against a financial institution.
This article is the first in a series relating to fraud and other misconduct by insiders that resulted in FDIC enforcement actions. It reviews the enforcement action process, identifies recent trends in the number and type of actions, describes the most prevalent types of insider fraud, and summarizes insured institution weaknesses that contribute to the perpetration of fraud. The box at the conclusion of the article provides an overview of the statutory authority and policies that form the basis for FDIC enforcement actions.
The Enforcement Action Process
Often the FDIC learns of insider misconduct during an examination. In other instances, the misconduct is brought to the FDIC's attention by bank management or through the filing of a Suspicious Activity Report.1 After learning of misconduct, DSC examiners conduct an extensive review of the alleged activities to determine if grounds exist to pursue an enforcement action and obtain evidence to support the action. The FDIC's Legal Division will become involved during the investigation to help focus the examiners' inquiries and identify necessary documentation.
The FDIC and other Federal banking agencies have broad discretion in determining the appropriate enforcement remedy to address fraud and other misconduct committed by insiders against insured depository institutions. In determining whether and what kind of enforcement action(s) is appropriate, the FDIC has traditionally considered whether the proposed remedy is likely to achieve the particular supervisory objective. Because cases are fact-specific and present unique circumstances, the administrative remedies are determined on a case-by-case basis. The FDIC Board of Directors has delegated authority to the DSC to issue Notices or Orders against institution-affiliated parties (IAPs) for removal/prohibition actions, for assessments of civil money penalties (CMPs), and for restitution. The use of the full range of enforcement tools is particularly appropriate in cases involving insider fraud.
A common remedy is action under Section 8(e) of the Federal Deposit Insurance Act (FDI Act). A prohibition order issued under Section 8(e) has been interpreted to impose an industry-wide ban, preventing the individual from moving on to another institution and repeating the same or other forms of fraud.2 A CMP removes the incentive for financial gain from an individual's misconduct. It punishes the particular offense, deters similar abuses by the individual being penalized, and, by its public nature, deters others in the banking industry. Remedial action by the institution may be warranted to address internal control weaknesses. In addition, reimbursement of losses or disgorgement of unjust gains by the individual may be appropriate.
The Investigation Phase
When examiners believe that matters are being misrepresented or documentation is inadequate, especially where evidence is in the possession of third parties outside the bank, the FDIC may initiate an investigation under the powers conferred by Section 10(c) of the FDI Act. These powers include the ability to subpoena witnesses, administer oaths, take and preserve testimony under oath, and require the production of records.
The investigation may be conducted simultaneously with a criminal investigation by the U.S. Department of Justice (DOJ) or State criminal authorities. In the case of a parallel criminal proceeding, the FDIC will coordinate with the respective criminal authority and seek to obtain a stipulation to a prohibition action (and to a CMP or restitution when appropriate) as part of any criminal plea agreement. Where the criminal prosecutor has made no formal request to defer administrative action, the FDIC will determine which enforcement action(s) to pursue and the timing of the case after evaluating a variety of factors, including what criminal penalties might likely be imposed. It is FDIC policy to cooperate fully with the criminal authorities. The FDIC normally will delay its enforcement action in favor of the criminal action if the DOJ formally requests it.
Supervisory and Legal Division staff in the FDIC's Regional Offices review the findings of the investigation and decide whether to proceed with an action. When a case is to be pursued, Regional Office staff forward a recommendation memorandum to the Washington Office for review and action. Under current delegations of authority, generally only the Washington Office may issue enforcement actions against individuals.3 As shown in the next section, enforcement action activity has been ratcheting upward in recent years.
Enforcement Action Activity Continues to Increase
The number of administrative actions issued by the FDIC has increased since fourth quarter 2002, almost doubling between 2003 and 2004 (see Table 1).
| Table 1. FDIC Enforcement Actions | |||
|---|---|---|---|
| 2004 | 2003 | 2002 | |
| Removal/Prohibition Actions Issued | 65 | 35 | 21 |
| Civil Money Penalty Actions (number/amount) | 40/$457,000 | 42/$1,892,737 | 29/$5,411,500 |
| Restitution Actions (number/amount) | 1/$22,142 | 1/$1,400,000 | 2/$34,000,000 |
Of the 40 CMP actions issued during 2004, 22, involving penalties totaling $290,000, were associated with a companion removal/prohibition action. Of the 18 cases not associated with a companion removal/prohibition action, none principally involved fraud. Half the actions not associated with a companion removal/prohibition action were against members of an institution's board of directors who failed to provide proper oversight of individuals involved in misconduct. The remainder involved regulatory violations where no fraud was involved-typically, violations of regulations governing insider lending or legal lending limits.
A Focus on Fraud-Related Prohibition Actions
Of the 65 removal/prohibition Orders or Notices issued during 2004, 61 (94 percent) principally involved fraud against one or more financial institutions; however, not all of the cases involved a criminal prosecution, primarily due to the lack of substantial loss to the bank. Of the fraud-related actions, the individual committed fraud against the employing bank in 57 cases. Three individuals committed fraud against one or more insured depository institutions, and one individual was a bank employee who committed fraud against two other institutions.
Our review of the fraud-related prohibition cases during 2004 identified common trends and characteristics. The individual's specific motivation (other than apparent greed) could not be identified in every situation; however, our review did reveal situations in which individuals were motivated by the desire to conceal loan problems in a branch or portfolio, or by a financial vulnerability, such as lifestyle expenses, debts from a divorce, or gambling debts. In attempting to hide the misappropriations, the respondents (a respondent is the individual against whom the FDIC issues, or seeks to issue, one or more enforcement actions) would typically manipulate various bank records (usually general ledger accounts). In most cases, manipulation of bank records was discovered within a relatively short time, usually by internal auditors or bookkeepers but often by bank employees, including subordinates, who became suspicious of the respondent's transactions. However, several frauds were conducted over five to ten years. Our review noted some relationship between the amount of funds embezzled and the duration of the fraud; in most cases, gains to the respondent exceeding $100,000 occurred over a period of several years.
Generally, fraud-related cases fall into one of two categories-embezzlement and loan fraud. While the instances of fraud being committed by outsiders (a bank employee against a non-employing bank) were not as prevalent as insider fraud, the losses to institutions in two of the three cases (one case had two respondents) were extremely large, and in one instance contributed to the failure of the bank.
Embezzlement
The embezzlement cases involved respondents misappropriating or misapplying bank funds for personal gain. Respondents often targeted high-volume accounts or transactions, apparently in the hope that the relatively small fraction of fraudulent transfers would go unnoticed. Most respondents targeted deposit accounts from which to transfer funds and then laundered the proceeds through false entries to various accounts. Respondents made false entries to various general ledger accounts, but no particular account appeared to be more at risk than others.
In other instances, respondents attempted to misappropriate, or skim, funds due the bank by diverting fees or other income into a personal account. One respondent stole cash from the bank's vault by falsifying records concerning shipments of mutilated currency to the Federal Reserve Bank.
Loan Fraud
Loan fraud cases involved respondents originating nominee loans (a nominee loan is a loan in which the borrower named in the loan documents is not the party receiving the use or benefit of the loan proceeds), originating loans to fictitious entities or unwitting borrowers, failing to properly record collateral that allowed the transfer of the property to another party and left the bank's loan unsecured, or altering the terms of a loan. While the motives discussed previously would also apply to loan fraud, certain motives were specific to this type of fraud, including gaining access to loan funds, making existing loan terms more favorable to family or associates, or concealing poor performance at a branch or in a loan portfolio. Respondents often failed to disclose receiving an economic benefit from loans they originated to borrowers with troubled financial positions who likely would not have qualified for or been granted credit. Such loans were made outside the bank's policy requirements and were a contravention of safe and sound banking principles.
Respondents usually attempted to conceal illegitimate activity by making fraudulent account entries, including unauthorized or unrecorded advances and fictitious payments. Nominee or fictitious loans were often originated to provide funds to make payments on other illicit loans so that such loans would appear performing and legitimate. Inflated appraisals or other collateral manipulations were sometimes used to allow advances greater than justified.
Insured Institution Weaknesses
Certain financial institution weaknesses were apparent in the fraud cases, with the overarching weakness being lax internal controls. Many banks lacked proper segregation of duties, and individuals were able to process a transaction from start to finish. One individual could initiate, approve, and possibly reconcile a transaction without the involvement of another bank employee. Respondents often functioned without proper supervision, either by their immediate supervisor or by management and the bank's board of directors in general. Several of the respondents were longtime employees who, even if they had not achieved management positions, had established a level of trust that appears to have given them the leeway to commit fraud. Respondents who held senior positions may have been able to avoid oversight or misuse their authority to ensure that their subordinates unknowingly aided the fraud.
Conclusion
Is insider fraud always preventable? Probably not. However, the early detection of fraud is key to limiting risk to an insured institution and the deposit insurance funds. Prevention and detection of insider fraud are possible only through the vigilance of financial institution management and employees, examiners, and external auditors. The FDIC's zero tolerance policy toward insider fraud is evidenced by its continuing efforts to protect the industry through the use of administrative remedies to punish the perpetrators of fraud and to deter other insiders from attempting fraud.
Subsequent articles in this series will feature case studies of enforcement actions issued against individuals for misconduct that involves fraud or other violations of law. These articles will highlight the critical role that enforcement actions play in the FDIC's, and the banking industry's, continuing efforts to combat fraud.
Enforcement Actions Against Individuals: Statutory Authority and Policies
The FDIC uses various enforcement powers to protect the deposit insurance funds, punish perpetrators, and deter others from attempting fraud in insured depository institutions. This discussion outlines the FDIC's enforcement action powers and policies.
Statutory Requirements
The statutory authority and requirements for the FDIC to issue certain administrative enforcement actions against individuals are contained in Section 8 of the FDI Act.4 The FDIC exercises supervisory authority over institution-affiliated parties (IAPs) at insured institutions for which it is the primary Federal regulator. An IAP includes a director, officer, employee, or controlling shareholder of or agent for the institution as well as an independent contractor (such as an attorney, appraiser, or accountant) who knowingly or recklessly engages in a violation of law or regulation, breach of fiduciary duty, or unsafe or unsound practice that caused or is likely to cause more than a minimal financial loss to or a significant adverse effect on the insured depository institution.
Removal/Prohibition Authority
The FDIC's removal and prohibition authority is found in Section 8(e)(1) of the FDI Act. An order issued under this Section removes an individual from office if he or she is currently an IAP at a state nonmember bank, and it prohibits that individual from holding office in or participating in any manner in the affairs of any insured depository institution. This prohibition also applies to any insured credit union, Farm Credit Bank, Federal depository institution regulatory agency, Federal Housing Finance Board, and any Federal Home Loan Bank. This remedy has been interpreted to impose an industry-wide ban designed to protect the banking industry. To issue an Order against an individual, the FDIC must establish three separate grounds: misconduct, effect of the misconduct, and culpability for the misconduct. Each of these grounds has multiple elements; at least one element of each of these three areas must be alleged and proven for a removal/prohibition action to be issued.
Misconduct
- Violated any law or regulation, cease-and-desist order that has become final, written agreement, or condition imposed in writing by a Federal banking agency in connection with the granting of any application or other request by the institution;
- Engaged or participated in an unsafe or unsound banking practice; or
- Committed or engaged in any act, omission, or practice that constitutes a breach of fiduciary duty.
Effect
- Institution has suffered or will probably suffer financial loss or other damage;
- Interests of the institution's depositors have been or could be prejudiced; or
- Individual received financial gain or other benefit.
Culpability
- The individual exhibited personal dishonesty; or
- The individual exhibited a willful or continuing disregard for the safety or soundness of the institution.
Civil Money Penalty Authority
The FDIC's authority to assess CMPs is found in Section 8(i)(2) of the FDI Act. A CMP removes the incentive for financial gain from an individual's misconduct. This punishes the particular offense and deters similar abuses by the individual being penalized and, by the public nature of the action, deters abuses by others in the banking industry. CMPs are divided into three tiers with increasingly higher penalties for more egregious misconduct.
- Tier 1 CMPs may be imposed for violations of law, regulation, final order, condition imposed in writing, or written agreement. A penalty of not more than $6,500 per day may be assessed for each day the violation continues.
- Tier 2 CMPs may be imposed for any Tier 1 violation, engaging in an unsafe or unsound practice, or breach of fiduciary duty, whereby the violation, practice, or breach presents a pattern of misconduct, causes or is likely to cause more than a minimal loss to the institution, or results in personal gain. A penalty of not more than $32,500 per day may be assessed for each day the violation continues.
- Tier 3 CMPs may be imposed for violations, practices, or breaches for which Tier 1 or 2 penalties may be assessed where the respondent knowingly or recklessly causes substantial loss to the institution or realizes substantial personal gain. A penalty of not more than $1,250,000 may be assessed for each day the violation continues.
The FDI Act requires the FDIC to consider four mitigating factors in determining the appropriateness of a penalty-the size of the financial resources and good faith of the person charged; the gravity of the violation; the history of previous violations; and such other matters as justice may require.
Restitution Authority
The FDIC, under Section 8(b)(6)(A) of the FDI Act, may issue a Cease and Desist Order requiring an IAP to make restitution if the IAP was unjustly enriched or the violation or practice involved a reckless disregard for the law, applicable regulations, or prior order of the appropriate Federal banking agency. When the statutory criteria are met, the FDIC will consider pursuing restitution and will regularly encourage the respondent to make voluntary restitution to the bank. If restitution is appropriate but the respondent cannot pay both restitution and CMPs, FDIC policy generally favors having the respondent pay restitution to the institution. In some cases, restitution may not be sought if the respondent has already made restitution or likely will be ordered to do so through criminal proceedings, the institution recovered its loss through a blanket bond claim, the loss to the institution is deemed inconsequential in relation to its financial resources, or the respondent's financial condition precludes the ability to make restitution.
Issuance of Enforcement Actions
Enforcement actions issued by the FDIC may be either consensual or contested by the respondent. The FDIC attempts to obtain consent agreements to the issuance of enforcement orders, as a stipulated action saves the FDIC and the respondent the cost and time of litigating a contested case. In a stipulated case, the respondent agrees to the issuance of an order, and the FDIC issues a final, enforceable Order of Removal and/or Prohibition from Further Participation, Order to Pay, and/or Order for Restitution.
If the respondent chooses to contest an action, the FDIC issues a Notice of Intention to Remove and/or Prohibit from Further Participation (and notices related to CMPs and/or restitution, as appropriate), which details the FDIC's case and provides notice of a hearing to be held before an Administrative Law Judge (ALJ). The respondent's failure to answer the Notice within 20 days or failure to appear (either in person or by duly authorized counsel) at a scheduled hearing constitutes a default, and the FDIC may petition the ALJ to issue a default judgment. After receiving the ALJ's recommended decision, the FDIC Board of Directors may then issue a final order(s) against the respondent. In a CMP proceeding, the failure to timely request a hearing results in the Notice becoming a final and unappealable Order.
Scott S. Patterson
Review Examiner
Zachary S. Nienus
Financial Analyst
1 A Suspicious Activity Report is a standard form used by all Federally insured financial institutions to report suspected criminal violations of Federal law or suspicious transactions potentially related to money laundering activities.
2 An IAP subject to a Section 8(e) Order can petition to lift or modify the Order.
3 Current delegations of authority to issue enforcement actions can be found at https://www.fdic.gov/resources/regulations/.