Enforcement Actions Against Individuals: Case Studies
An article in the Summer 2005 issue of Supervisory Insights
presented an overview of the enforcement action process as it relates
to individuals and provided the statutory basis for administrative enforcement
actions.1 The article focused on fraud-related
cases and noted that these cases generally fall into one of two categories:
embezzlement or loan fraud. Although personal financial gain often was
the motivating factor, a common aspect of a number of loan fraud cases
was the desire to hide delinquencies or declining credit quality. The
second in this series of articles builds on this information and presents
two case studies that illustrate how embezzlement or loan fraud can occur,
the effect it can have on an insured depository institution, and the importance
of effective controls and oversight in helping prevent internal malfeasance.
Embezzlement Facilitated by Inadequate Internal
A retail institution in a small city held less than $500 million in assets. The bank was consistently profitable. During a two-year period, a senior executive officer ("the officer") exerted significant influence over the loan function as well as the bank's operations. He had an authoritarian management style and was responsible for administration of more than half of the loan portfolio. The bank's board of directors had granted authority to the officer for a very high lending limit. Furthermore, the board usually reviewed and approved loans only after the fact, and delinquent-loan reports provided to the board were manually prepared by bank staff and subject to the officer's manipulation. The effects of the bank's inadequate internal controls and ineffective internal audit program were exacerbated by the officer's intimidation of employees and the bank's level of staffing, which did not keep pace with significant asset growth. Moreover, although senior management officials began to notice irregularities in the officer's activities, they failed to notify the board of directors, regulators, or law enforcement authorities in a timely manner, allowing the misconduct to continue.
The officer engaged in unsafe and unsound practices and breached his fiduciary duty to the bank. He committed a series of improper transactions involving customer loan or deposit accounts to fund his personal assets, improve his cash flow, and conceal his improper activities. The examples below describe a few of the instances of his misconduct.
The officer extended a new loan to an existing bank customer to refinance a legitimate debt the customer owed to the bank. The settlement statement provided at closing was inconsistent with the amounts actually disbursed; that is, the statement reflected a loan payment that exceeded the actual amount paid. The officer used this difference and others to issue a cashier's check deposited in his account. The officer later used the proceeds to pay a personal debt and expenses, fund investments, and provide a loan payment for another borrower. All this was done without the first borrower's knowledge.
The officer established an unauthorized loan in the name of an exist-ing bank customer and apparently forged the customer's signature. The officer used the loan proceeds to make a payment on a personal debt, pay personal expenses, make deposits in his personal accounts, and obtain cash.
The officer made unauthorized advances on customers' legitimate, existing lines of credit. He advanced the unauthorized funds to make a deposit into one of his accounts and pay other personal expenses.
The officer misappropriated funds from customer deposit accounts by transferring funds from a customer's account or depositing customer checks into his own account. The officer later reversed the misappropriations by transferring other, illegitimately obtained funds into the customers' accounts.
Through his misconduct, the officer acquired personal benefit of more than $1,000,000. However, the officer's misconduct combined with his efforts to conceal his activities resulted in losses of nearly $5,000,000 to the insured institution. Moreover, his departure left a significant void in management. Subsequently, the bank merged with another institution and no longer exists as an independent entity. The officer pled guilty to violations of Federal law, including embezzlement and misapplication of bank funds. The FDIC issued an Order of Prohibition against the officer to help ensure he does not participate in the affairs of another insured institution.
Loan Fraud Went Undetected Due to Lax Audit Function
Another consistently profitable retail institution in a small urban area held less than $500 million in assets. For nearly three years, a management official ("the officer") was alleged to have engaged in unsafe and unsound practices and to have breached his fiduciary duty to the bank by committing a series of improper transactions involving customer loan accounts. He initiated these transactions to cover delinquencies and credit problems.
The alleged misconduct involved hundreds of instances where loan accounts received illegitimate payments from improperly obtained funds. The bank's ineffective internal controls were a key contributing factor to these irregular activities. The officer was a trusted, long-time employee of the bank with reasonable lending authority; the seriousness of the situation was compounded by lax bookkeeping and scrutiny by one customer whose accounts he targeted. The officer initiated the advances and posted payments with only his signature and was authorized to correct "accounting errors." The bank's audit function failed to detect the alleged misappropriations in a timely manner.
Although the officer targeted one legitimate borrower for most of the wrongful advances, he used more than a dozen accounts as sources of funds. His scheme worked as follows. The officer made an advance from a current, performing loan (typically for less than $1,000) and applied the proceeds as payments to delinquent credits. The officer made improper advances of more than $150,000. The officer targeted one borrower who he knew had an active line of credit and did not scrutinize his transactions closely. When the targeted borrower questioned an advance, the officer blamed it on an "accounting error." He would then draw from another borrower's line of credit to cover the questioned advance. The delinquent borrowers who had payments applied to their loans apparently had no knowledge of the officer's activities.
Although this officer did not personally benefit from his wrongdoing, other than possibly maintaining his position at the bank, the insured institution incurred credit losses and costs for investigating the misconduct. The problem credits paid off through the misappropriated funds required extensive collection efforts because the bank had previously released any collateral when the loan was fraudulently extinguished. In addition, by making improper payments on the delinquent loans, the officer prevented the bank from recognizing the borrowers' problem status and taking remedial action. These illegitimate payments also resulted in inaccurate financial statements and erroneous regulatory reports. The FDIC issued an Order of Prohibition against the officer, preventing him from moving to another institution.
The Bottom Line
These case studies illustrate what the FDIC may face as it carries out
its supervisory obligations. Although the two officers' motivations differed,
the effect was the same both financial institutions suffered monetary
losses and investigation costs. Long-time bank employees in a position
of trust exploited internal control weaknesses to conduct improper activities.
This situation was exacerbated when one employee was able to intimidate
other employees into cooperating. Proper controls and oversight must be
in place to help prevent internal malfeasance, and timely response by
management is needed to limit the impact. An effective audit program (components
of which appear below) can help identify and deter wrongdoing.
Scott S. Patterson
The internal audit function is a critical element in assessing the effectiveness
of an institution's internal control system. The internal audit consists
of procedures to prevent or identify significant inaccurate, incomplete,
or unauthorized transactions; deficiencies in safeguarding assets; unreliable
financial reporting; and deviations from laws, regulations, and institution
policies. When properly designed and implemented, internal audits provide
directors and senior management with timely information about weaknesses
in the internal control system, facilitating prompt remedial action. Each
institution should have an internal audit function appropriate to its
size and the nature and scope of its activities. The FDIC has adopted
minimum standards for an internal audit program .2
In addition,The Interagency Policy Statement on the Internal
Audit Function and Its Outsourcing3
discusses, among other things, key characteristics of the internal audit
function. Although the board of directors and senior management cannot
delegate responsibility for an effective internal control system and audit
function, they may delegate the design, implementation, and monitoring
of specific internal controls to lower-level management and the testing
and assessment of internal controls to others. An institution's internal
audit function should address the following.
Structure The internal audit function should be positioned
within an institution's organizational structure to allow staff to perform
their duties impartially. The audit committee4
should oversee the internal audit function, evaluate performance, and
assign responsibility for this function to a member of management (the
internal audit manager). The internal audit manager should understand
the internal audit function, but have no responsibility for operating
the internal control system. For example, the internal audit manager should
not approve or implement an institution's operating policies. Ideally,
the internal audit manager should report directly to the audit committee
about audit issues and administrative matters (e.g., compensation or budgeting).
Management, Staffing, and Audit Quality The internal
audit function should be supervised and staffed by employees with sufficient
expertise and resources to identify the risks in an institution's operations
and to assess the adequacy and effectiveness of internal controls. The
internal audit manager should oversee audit staff and establish appropriate
internal audit policies and procedures. The internal audit manager is
responsible for the following:
A control risk assessment documenting the internal auditor's understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure.
An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, timing and frequency of internal audit work, and the resource budget.
An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review.
An audit report presenting the purpose, scope, and results of the audit. Work papers should be maintained to document the work performed and support audit findings.
Scope The frequency and extent of internal audit
review and testing should be consistent with the nature, complexity, and
risk of an institution's on- and off-balance-sheet activities. The audit
committee and management should conduct a cost-benefit analysis to determine
the appropriate extent of the audit function. A small institution without
an internal auditor can maintain an objective internal audit function
by implementing a comprehensive set of independent reviews of significant
internal controls by person(s) not responsible for managing or operating
those controls. At least annually, the audit committee should review and
approve the internal audit's control risk assessment and the scope of
the audit plan (including any reliance on an outsourcing vendor). The
audit committee also should periodically review the internal audit staff's
adherence to the audit plan and consider requests for expansion of audit
work when significant issues arise or when substantive changes occur in
an institution's environment, structure, activities, risk exposures, or
Communication Internal auditors should immediately
report internal control deficiencies to the appropriate level of management,
and should report significant matters directly to the board of directors
or the audit committee and senior management. The audit committee should
give the internal audit manager the opportunity to discuss his or her
findings without management being present, and the audit committee should
establish procedures allowing employees to submit concerns about questionable
accounting, internal accounting control, or auditing matters confidentially
Contingency Planning Insured institutions should
develop and implement a contingency plan to address any significant discontinuity
in audit coverage, particularly for high-risk areas.
3FIL-21-2003 : Financial Institution Letter, "Interagency
Policy Statement on the Internal Audit Function and its Outsourcing" (March
4 Depository institutions subject to Section 36 of the Federal
Deposit Insurance Act and Part 363 of the FDIC's regulations must maintain
independent audit committees composed of directors who are not members
of management. The FDIC encourages the board of directors of each depository
institution not required to do so by Section 36 to establish an audit
committee consisting entirely of outside directors.