Enforcement Actions Against Individuals 2005: A Year in Review
This is the third and final article in a series addressing insider fraud and enforcement actions. The first article1 presented an overview of the enforcement action process; the second2 presented two enforcement action case studies. This article will present details on a calendar year of enforcement actions against individuals, focusing on the losses to institutions and the importance of oversight at all levels of a financial institution as a deterrence to insider fraud. Some representative fraud cases are included to illustrate how fraudulent activities have been carried out for a number of reasons, including personal gain, to conceal the deteriorating condition of a bank customer, or to protect an individual's position in the financial institution. Fraud has been a contributing factor in many bank failures, as financial institutions are not always able to recover from fraudulent activities.3 This article will look at the importance of board oversight of senior bank management,4 who were responsible for 80 percent of the fraud losses5 identified in these enforcement actions in 2005.
Overview of Enforcement Actions Issued in 2005
In 2005, the Federal Deposit Insurance Corporation (FDIC) issued 84 enforcement actions against individuals. The enforcement actions included Orders of Removal/Prohibition, Orders to Pay Civil Money Penalty, and Orders to Pay Restitution. Some respondents were issued an Order of Removal/Prohibition with a joint Order to Pay Civil Money Penalty or Order to Pay Restitution. Of the enforcement actions issued in 2005, 63 percent were stand-alone Orders of Removal/ Prohibition and 5 percent were stand-alone Orders to Pay Civil Money Penalty. A total of 32 percent of the Removal/ Prohibition cases involved either a joint Order to Pay Civil Money Penalty or a joint Order to Pay Restitution.
The individuals against whom the FDIC issued enforcement actions in 2005 caused 68 financial institutions to incur a combined total loss of $67 million.6 The following comments present the FDIC's 2005 removal/prohibition action cases with a focus on loss to financial institutions. The cases are divided into three categories to show the loss impact of fraudulent activities perpetrated by individuals subject to the enforcement actions.
2005 Removal/Prohibition Orders Classified by Loss
The enforcement actions issued in 2005 (with the exception of the stand-alone Orders to Pay Civil Money Penalty) are grouped into categories on the basis of the gross amount of loss to the financial institution:
Category 1: losses totaling $1 million or more
Category 2: losses totaling $250,000 to $999,999
Category 3: losses totaling $249,999 or less. This category also includes cases with no loss to the bank, but in which the institution's depositors were or could have been prejudiced7 or the respondent received financial gain or other benefit.
The categories also contrast the various factors related to the enforcement action cases and highlight the impact of fraud perpetrated by senior bank management. Table 1 provides a breakdown of the categories and the resulting losses.
Removal/Prohibition Orders Classified by Loss 2005
a Personal gain refers to the total loss amount of each category that was used for the personal benefit of the respondents. b Discovery refers to the date the misconduct was discovered. Fraudulent activities have been discovered by bank personnel, auditors, and FDIC examiners. c Recovery of loss refers to recovery from restitution or bond claim payment as of the date the enforcement action was issued.
With total losses of approximately $54.5 million, the enforcement action cases in Category 1 represented the greatest loss to financial institutions. It is notable that most cases in Category 1 were perpetrated by senior bank management, including board chairmen, presidents, and internal directors. This category includes fraud schemes that were carried out by more than one insider and for which the FDIC issued Orders of Removal/Prohibition against each respondent. Some fraudulent activities involved both the chairman of the board and the president. The most significant loss in this category was approximately $34 million, which led to the bank's insolvency and eventual merger into another financial institution. Excluding this case, the total loss for Category 1 is approximately $20 million, and the average loss adjusts to $2.3 million. While the Category 1 median misconduct period is 5.3 years, two cases at the upper limit are a misconduct period of 14 years with a bank loss of $1.5 million, and a misconduct period of 20 years with a bank loss of $1.6 million. There are also cases in this category that occurred within a one-year period and still resulted in significant loss to the financial institution. The median age for Category 1 respondents was 56; no respondent in this category was less than 40 years of age. Approximately half the total losses in Category 1 were used by respondents for their personal benefit. The remaining losses were primarily loan losses suffered by the institutions as a result of the fraudulent insider activity.
Category 2 involves 20 cases and a total loss of approximately $8.6 million. While only two cases in this category involved senior bank management, the remaining cases included various other levels of bank management, including assistant vice presidents, vice presidents, assistant cashiers, branch managers, senior loan officers, and loan officers. As with Category 1, the fraudulent activities of individuals in management positions caused the greatest financial loss. The youngest respondent in this category was 30 years of age; the median age of the respondents was 47. The highest loss of the category, $800,000, occurred over a ten-year period, and the insider responsible for the loss was the bank's president. As with Category 1, funds used by respondents for their personal benefit represented approximately half of the total losses in Category 2.
This category includes 39 cases with a total loss of approximately $4.1 million. Category 3 also includes nine enforcement action cases in which there was no monetary loss to the financial institution. However, the no-loss cases resulted in personal gain or benefit to the respondents, and the institutions' depositors were or could have been prejudiced. Most of the no-loss cases involved senior bank management. The respondents in Category 3 ranged from a chairman of the board to a teller/proof operator. The youngest respondent was 23; the median age was 43.
Senior Bank Management The Primary Cause of Fraud-Related Losses
The total loss to financial institutions resulting from the conduct of individuals against whom the FDIC issued enforcement actions in 2005 was approximately $67 million. Senior bank management was responsible for 80 percent of those losses. Clearly, the significance of those losses emphasizes the need for strong board oversight of senior bank management, including fellow directors. Insiders in senior management positions have perpetrated fraudulent schemes for personal gain, to conceal the deteriorating financial condition of loan customers, and to protect their positions. The following examples illustrate some of the fraudulent activities conducted by senior bank management.
A former director, president, and chief executive officer (respondent) presented a $500,000 construction loan to the board, and the loan was approved. The respondent diverted more than $200,000 of the line of credit to himself (personal gain) and to friends for speculative business transactions. The respondent also released the guarantor of the loan. When the respondent presented the loan to the board for renewal, the loan was unsecured; however, the respondent did not disclose the unsecured nature of the loan to the board. The respondent repaid the diverted funds; therefore, the bank did not suffer a loss on the credit. However, the respondent received economic benefit from the balance of the diverted funds. The respondent was able to commit the fraud primarily because of the lack of appropriate disclosure to the board of directors and the lack of verification requirements for loan disbursements.
A former director (respondent) used business checking accounts that he controlled at the bank and at a second financial institution to carry out a check kiting scheme between the two institutions. The respondent's transactions were included in the bank's kite suspect report; however, due to poor internal controls, the situation was never reported to the board. The two banks suffered a combined loss of $1 million on the overdrawn balances (respondent's personal gain). The respondent eventually made full restitution for the loss.
A former director, president, chief executive officer, and chairman of the bank's loan committee (respondent) extended loans totaling more than $5 million to one borrower in violation of the bank's internal lending limit. The respondent exceeded the lending limit by dividing the loans among various relatives of the borrower; however, proceeds of the multiple loans were funneled to one deposit account. The respondent did not disclose to the board that the loans were for the benefit of a single borrower or that the source of repayment for all loans was the same. The respondent substituted loan customer names on bank records so that it appeared the bank was complying with its lending limit. The respondent also falsified loan documents and failed to inform the board of the true purpose of the credits. As a result of poor internal controls, the respondent was able to fund loans in excess of his authorized lending authority without prior board approval. The bank suffered a loss of $1.4 million on the loans; the respondent had no personal gain.
A former director and executive vice president (respondent) embezzled funds by issuing cashier's checks and making offsetting entries to a general ledger receivables account. The respondent then deposited the cashier's checks into his personal accounts at another financial institution. This process was repeated numerous times. The respondent concealed the growing receivables account by manipulating bank records before the end of a calendar quarter, at month-end, and before a regulatory examination. During these periods, the respondent would clear out the receivables account with offsetting false entries to both legitimate and fictitious loan accounts. The respondent was able to conceal the fraud activity due to the bank's internal control deficiencies and his management position. The bank suffered a loss of $1.6 million and personal gain to the respondent was the same.
A former chairman of the board and a former president (respondents) engaged in hazardous lending practices in the bank's automobile financing portfolio. Due to weak internal controls, the respondents circumvented the bank's normal loan procedures and the bank's loan policy. The respondents acted outside of the bank's loan policy, as they were the only approving officials on the subject loans. The respondents funded the loans without the appropriate documentation to support a funding decision, and funding was provided without confirming a borrower's ability to pay. The bank suffered a loss of $1.3 million. One respondent, who had a financial interest in the business that benefited from the loans, obtained personal gain.
A former chairman of the board/ majority shareholder and a former president/chief executive officer (respondents) engaged in a nominee loan scheme that exposed the bank to losses of more than $30 million. The former president/chief executive officer originated the nominee loans knowing their true purpose, and the respondents presented the loans to the board of directors without disclosing their true nature. The proceeds of the nominee loans were used to make a fraudulent capital injection into the bank and to refinance nonperforming loans. Even though limited financial information was presented for these loans, the board approved many of them on the basis of the respondents' recommendations. The respondents were able to conceal the true purpose of the loans because the former chairman of the board dominated the affairs of the bank. Loans referred to the bank by the respondents were almost always approved regardless of their lack of documentation, financial analysis, or appropriate underwriting. The more than $30 million in nominee loan losses caused the bank's insolvency.
Oversight The Deterrence to Insider Fraud
Ultimate responsibility for preventing fraud rests with the board of directors, which must create, implement, and monitor a system of internal controls and reporting. The board also appoints executive officers, who share the responsibility for the financial institution's well-being. As demonstrated above, the most significant losses have been perpetrated by senior bank management; therefore, the board must ensure that appropriate controls are in place throughout the institution and must actively review the activities of senior management. Most of the cases described above reflect the lack of appropriate board disclosure, poor internal controls, or dominance of the board by a single individual. As stated in the first two articles of this series, bank employees in positions of trust can exploit internal control weaknesses to conduct improper activities. Strong management oversight and thorough audit and loan review programs are essential to identifying and deterring wrongdoing.
Although not all fraud can be prevented, procedures should be established whereby suspicious activity of any insider is reported to senior bank management and the board. Refer to the text box for key directorate responsibilities. In addition, the board should develop operational policies and require management to adhere to the policies. For example, deviations from the board's approved loan policy, which generally provides guidelines regarding officer lending authority and loan documentation requirements, should be approved by the board, or an individual or committee designated by the board. Most important, the board should question and investigate the actions of insiders that do not conform to the board's policies, or that are of a suspicious nature.
A board of directors' primary responsibilities are formulating sound policies and objectives for the bank and effectively supervising the bank's affairs and welfare. The circumstances surrounding each of the 2005 enforcement actions issued by the FDIC indicate that an estimated $67 million in losses might have been avoided or reduced by sound board oversight and supervision and strong audit programs.
Key Director Responsibilities in Deterring Fraud
Internal Controls and Audit Program. Establish a strong audit program. Sound internal controls and audit functions are essential to inform the board of the adequacy and effectiveness of accounting, operating, and administrative controls of ongoing operations. The Winter 2005 issue of Supervisory Insights8 discusses the components of a strong internal audit program. In addition, the FDIC's Director's Corner Web site provides access to various guidance and resources on auditing and internal controls.9
Director Supervision. Establish procedures that require operational information to be reported to the board in a consistent format and at regular intervals. Board-requested information should include, but is not limited to, reports of internal and external audit, general portfolio composition, capital growth, loan limits, loan losses and recoveries, and policy exceptions. In addition, the board should establish committees such as a loan or audit committee to supervise key operations more closely and report to the board.
Institution Culture. Establish a culture of open communication between the board, management, and bank employees. In such a culture, a bank employee may inquire about a suspicious activity of senior management and have an avenue to report the situation to the board, whether directly or through a fraud hotline.10
Suspicious Activity Reports. Report to the board any Suspicious Activity Reports (SARs) filed and record the SAR filing in the board minutes. SARs play a crucial part in the removal/prohibition of insiders who have committed frauds against financial institutions. Part 353 of the FDIC's Rules and Regulations requires banks to file a SAR with the Financial Crimes Enforcement Network (FinCEN) when insider abuse is suspected, regardless of the amount involved. The SAR must be filed no later than 30 calendar days from the date the suspicious activity was detected.
Director Training/Education. Directors should participate in appropriate training to expand their knowledge of the various banking areas and stay current with changes in banking laws and regulations. Directors are encouraged to participate in the FDIC's Director's College Program, which provides training in director responsibilities. The Director's College Program is held several times a year, at various locations nationwide. The FDIC Director's Corner Web site provides information on the Director's College Program and other resources for bank directors.11
4 For this article, senior bank management includes the following positions of director, chairman of the board, president, chief executive officer, and chief financial officer.
5 For this article, loss is the gross loss to the bank from fraud and/or misapplication of funds, before any reimbursement such as restitution or a blanket bond payment.
6 The loss amounts discussed in this article represent only losses related to enforcement actions the FDIC issued in the 2005 calendar year, not industry-wide fraud-related losses to financial institutions.