An article in the Summer 2005 issue of Supervisory Insights presented an overview of the enforcement action process as it relates to individuals and provided the statutory basis for administrative enforcement actions.1 The article focused on fraud-related cases and noted that these cases generally fall into one of two categories: embezzlement or loan fraud. Although personal financial gain often was the motivating factor, a common aspect of a number of loan fraud cases was the desire to hide delinquencies or declining credit quality. The second in this series of articles builds on this information and presents two case studies that illustrate how embezzlement or loan fraud can occur, the effect it can have on an insured depository institution, and the importance of effective controls and oversight in helping prevent internal malfeasance.
Embezzlement Facilitated by Inadequate Internal Controls
A retail institution in a small city held less than $500 million in assets. The bank was consistently profitable. During a two-year period, a senior executive officer ("the officer") exerted significant influence over the loan function as well as the bank's operations. He had an authoritarian management style and was responsible for administration of more than half of the loan portfolio. The bank's board of directors had granted authority to the officer for a very high lending limit. Furthermore, the board usually reviewed and approved loans only after the fact, and delinquent-loan reports provided to the board were manually prepared by bank staff and subject to the officer's manipulation. The effects of the bank's inadequate internal controls and ineffective internal audit program were exacerbated by the officer's intimidation of employees and the bank's level of staffing, which did not keep pace with significant asset growth. Moreover, although senior management officials began to notice irregularities in the officer's activities, they failed to notify the board of directors, regulators, or law enforcement authorities in a timely manner, allowing the misconduct to continue.
The officer engaged in unsafe and unsound practices and breached his fiduciary duty to the bank. He committed a series of improper transactions involving customer loan or deposit accounts to fund his personal assets, improve his cash flow, and conceal his improper activities. The examples below describe a few of the instances of his misconduct.
- The officer extended a new loan to an existing bank customer to refinance a legitimate debt the customer owed to the bank. The settlement statement provided at closing was inconsistent with the amounts actually disbursed; that is, the statement reflected a loan payment that exceeded the actual amount paid. The officer used this difference and others to issue a cashier's check deposited in his account. The officer later used the proceeds to pay a personal debt and expenses, fund investments, and provide a loan payment for another borrower. All this was done without the first borrower's knowledge.
- The officer established an unauthorized loan in the name of an exist-ing bank customer and apparently forged the customer's signature. The officer used the loan proceeds to make a payment on a personal debt, pay personal expenses, make deposits in his personal accounts, and obtain cash.
- The officer made unauthorized advances on customers' legitimate, existing lines of credit. He advanced the unauthorized funds to make a deposit into one of his accounts and pay other personal expenses.
- The officer misappropriated funds from customer deposit accounts by transferring funds from a customer's account or depositing customer checks into his own account. The officer later reversed the misappropriations by transferring other, illegitimately obtained funds into the customers' accounts.
Through his misconduct, the officer acquired personal benefit of more than $1,000,000. However, the officer's misconduct combined with his efforts to conceal his activities resulted in losses of nearly $5,000,000 to the insured institution. Moreover, his departure left a significant void in management. Subsequently, the bank merged with another institution and no longer exists as an independent entity. The officer pled guilty to violations of Federal law, including embezzlement and misapplication of bank funds. The FDIC issued an Order of Prohibition against the officer to help ensure he does not participate in the affairs of another insured institution.
Loan Fraud Went Undetected Due to Lax Audit Function
Another consistently profitable retail institution in a small urban area held less than $500 million in assets. For nearly three years, a management official ("the officer") was alleged to have engaged in unsafe and unsound practices and to have breached his fiduciary duty to the bank by committing a series of improper transactions involving customer loan accounts. He initiated these transactions to cover delinquencies and credit problems.
The alleged misconduct involved hundreds of instances where loan accounts received illegitimate payments from improperly obtained funds. The bank's ineffective internal controls were a key contributing factor to these irregular activities. The officer was a trusted, long-time employee of the bank with reasonable lending authority; the seriousness of the situation was compounded by lax bookkeeping and scrutiny by one customer whose accounts he targeted. The officer initiated the advances and posted payments with only his signature and was authorized to correct "accounting errors." The bank's audit function failed to detect the alleged misappropriations in a timely manner.
Although the officer targeted one legitimate borrower for most of the wrongful advances, he used more than a dozen accounts as sources of funds. His scheme worked as follows. The officer made an advance from a current, performing loan (typically for less than $1,000) and applied the proceeds as payments to delinquent credits. The officer made improper advances of more than $150,000. The officer targeted one borrower who he knew had an active line of credit and did not scrutinize his transactions closely. When the targeted borrower questioned an advance, the officer blamed it on an "accounting error." He would then draw from another borrower's line of credit to cover the questioned advance. The delinquent borrowers who had payments applied to their loans apparently had no knowledge of the officer's activities.
Although this officer did not personally benefit from his wrongdoing, other than possibly maintaining his position at the bank, the insured institution incurred credit losses and costs for investigating the misconduct. The problem credits paid off through the misappropriated funds required extensive collection efforts because the bank had previously released any collateral when the loan was fraudulently extinguished. In addition, by making improper payments on the delinquent loans, the officer prevented the bank from recognizing the borrowers' problem status and taking remedial action. These illegitimate payments also resulted in inaccurate financial statements and erroneous regulatory reports. The FDIC issued an Order of Prohibition against the officer, preventing him from moving to another institution.
The Bottom Line
These case studies illustrate what the FDIC may face as it carries out its supervisory obligations. Although the two officers' motivations differed, the effect was the same — both financial institutions suffered monetary losses and investigation costs. Long-time bank employees in a position of trust exploited internal control weaknesses to conduct improper activities. This situation was exacerbated when one employee was able to intimidate other employees into cooperating. Proper controls and oversight must be in place to help prevent internal malfeasance, and timely response by management is needed to limit the impact. An effective audit program (components of which appear below) can help identify and deter wrongdoing.
Scott S. Patterson
Review Examiner
Internal Audit
The internal audit function is a critical element in assessing the effectiveness of an institution's internal control system. The internal audit consists of procedures to prevent or identify significant inaccurate, incomplete, or unauthorized transactions; deficiencies in safeguarding assets; unreliable financial reporting; and deviations from laws, regulations, and institution policies. When properly designed and implemented, internal audits provide directors and senior management with timely information about weaknesses in the internal control system, facilitating prompt remedial action. Each institution should have an internal audit function appropriate to its size and the nature and scope of its activities. The FDIC has adopted minimum standards for an internal audit program.2
In addition, The Interagency Policy Statement on the Internal Audit Function and Its Outsourcing3 discusses, among other things, key characteristics of the internal audit function. Although the board of directors and senior management cannot delegate responsibility for an effective internal control system and audit function, they may delegate the design, implementation, and monitoring of specific internal controls to lower-level management and the testing and assessment of internal controls to others. An institution's internal audit function should address the following.
Structure — The internal audit function should be positioned within an institution's organizational structure to allow staff to perform their duties impartially. The audit committee4 should oversee the internal audit function, evaluate performance, and assign responsibility for this function to a member of management (the internal audit manager). The internal audit manager should understand the internal audit function, but have no responsibility for operating the internal control system. For example, the internal audit manager should not approve or implement an institution's operating policies. Ideally, the internal audit manager should report directly to the audit committee about audit issues and administrative matters (e.g., compensation or budgeting).
Management, Staffing, and Audit Quality — The internal audit function should be supervised and staffed by employees with sufficient expertise and resources to identify the risks in an institution's operations and to assess the adequacy and effectiveness of internal controls. The internal audit manager should oversee audit staff and establish appropriate internal audit policies and procedures. The internal audit manager is responsible for the following:
- A control risk assessment documenting the internal auditor's understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure.
- An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, timing and frequency of internal audit work, and the resource budget.
- An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review.
- An audit report presenting the purpose, scope, and results of the audit. Work papers should be maintained to document the work performed and support audit findings.
Scope — The frequency and extent of internal audit review and testing should be consistent with the nature, complexity, and risk of an institution's on- and off-balance-sheet activities. The audit committee and management should conduct a cost-benefit analysis to determine the appropriate extent of the audit function. A small institution without an internal auditor can maintain an objective internal audit function by implementing a comprehensive set of independent reviews of significant internal controls by person(s) not responsible for managing or operating those controls. At least annually, the audit committee should review and approve the internal audit's control risk assessment and the scope of the audit plan (including any reliance on an outsourcing vendor). The audit committee also should periodically review the internal audit staff's adherence to the audit plan and consider requests for expansion of audit work when significant issues arise or when substantive changes occur in an institution's environment, structure, activities, risk exposures, or systems.
Communication — Internal auditors should immediately report internal control deficiencies to the appropriate level of management, and should report significant matters directly to the board of directors or the audit committee and senior management. The audit committee should give the internal audit manager the opportunity to discuss his or her findings without management being present, and the audit committee should establish procedures allowing employees to submit concerns about questionable accounting, internal accounting control, or auditing matters confidentially and anonymously.
Contingency Planning — Insured institutions should develop and implement a contingency plan to address any significant discontinuity in audit coverage, particularly for high-risk areas.
1 Scott S. Patterson and Zachary S. Nienus, "Enforcement Actions Against Individuals in Fraud-Related Cases: An Overview," Supervisory Insights, Volume 2, No. 1 (Summer 2005).
2 12 CFR Part 364, Appendix A, FDIC Rules and Regulations, Interagency Guidelines Establishing Standards for Safety and Soundness.
3 FIL-21-2003: Financial Institution Letter, "Interagency Policy Statement on the Internal Audit Function and its Outsourcing" (March 17, 2003).
4 Depository institutions subject to Section 36 of the Federal Deposit Insurance Act and Part 363 of the FDIC's regulations must maintain independent audit committees composed of directors who are not members of management. The FDIC encourages the board of directors of each depository institution not required to do so by Section 36 to establish an audit committee consisting entirely of outside directors.