Internal Fraud - Elevated Reputational Risk for a Financial Institution


Firms need to apply robust controls to monitor and prevent internal fraud

A branch manager holding the title of Vice President at a leading financial institution, TD Bank, pled guilty on May 16th, 2024, to devising a fraudulent scheme to siphon funds from an elderly customer's account.

The U.S. District Court for the District of New Jersey heard the case, United States v. James Gomes, and based on the guilty plea, TD Bank reimbursed the victim's estate for the loss amount of USD 203,938.68.

The defendant, James, was directly charged with a wire transfer violation and with the scheme to defraud.

The defendant's modus operandi: while maintaining the elderly person's account at his branch, he applied carefully crafted techniques to take over the account. He enabled online banking services, which in turn gave him the freedom to add his own mobile number.

With this basic setup in place, the branch manager conducted nearly 22 ACH transfers between Jan 2020 and April 2020, to the tune of USD 203,938.68. The victim, an elderly person, coincidentally passed away in April 2020, and even after that James was attempting to conduct transactions. James even went to the extent of creating a fake email ID in the victim's name and corresponding directly with his branch staff as if the emails came from the elderly client.

This case in point raises a lot of basic questions about the process and technology gaps that exist among banks in how to efficiently protect customers' accounts and their trust in the bank.

Some thoughtful questions for introspection to understand the gaps in both non-transaction and transaction monitoring:

  • How did the branch manager James use his position to enable an online banking account for the elderly victim's existing checking account?
  • Are there any controls to cross-verify whether the request has come directly from the customer or not?
  • Why on earth does an elderly person suddenly request an online banking service?
  • Is the elderly person accompanied by any of their relatives to the bank for any transactional issues to be addressed at any point in time?
  • How did the addition of the mobile number get approved without drawing the attention of the back-office processing team or the front-office supervisors?
  • Why were no alerts triggered in the fraud platform when 22+ ACH transfers happened in a span of 1 or 2 months to the tune of more than US$200K?
  • How could the fraudster (the branch manager, James) continue to operate the account after the victim passed away? Aren't there checks and balances to mark the account as inoperative or deceased (assuming the bank had come to know of the elderly person's death)?

Top 5 red flags in this case-in-point, which the bank could have identified:

  1. Why does an elderly person urgently or suddenly register for online account services when his profile does not suggest he is tech-savvy?
  2. Why were there sudden account modifications to the phone number and email address when, going by the pattern of his historical transactions, the victim did not use email or phone for banking services?
  3. What was the reason for the sudden 22+ ACH transfers, considering there were no historical ACH transfers on his account, only cheque transactions?
  4. Was the beneficiary of the ACH transfers related to the elderly person, or what was the reason for the transfers?
  5. For what reason were the funds debited from the victim's account and transferred to an external personal brokerage account?

Do we have to blame the banking processes, or find fault with the way the platforms are configured? Assuming the banking process is robust in its controls, the question is why on earth the systems did not trigger alerts for the red flags listed above.

Our point of view is to upgrade the fraud engine and further improve it to address the platform gaps:

  1. Reconfigure the systems to monitor any changes in non-monetary or monetary transactions.
  2. Introduce new or upgraded fraud scenarios covering the elderly segment.
  3. Focus more on elderly behavioral parameters such as age, days between a change in the mobile number and ACH transfer initiation, non-monetary transaction requests, transactions in a dormant account, deviation in the account, etc.
  4. Revisit the data model to validate whether all the data tables of interest are included to monitor the scenarios, with the correct data attributes focused on the elderly community.
  5. Finally, conceptualize a robust data model and a flexible fraud model that address mitigation for the elderly segment.
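
One way to turn the behavioral parameters listed above into a detection rule, shown as an added example that is not from the original article or any bank's platform. The event fields, channel names, thresholds, and sample data (including the date of death) are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Assumed thresholds for illustration; tune against real portfolio data.
ELDER_AGE = 65
CHANGE_TO_ACH_DAYS = 30      # contact change followed quickly by a first ACH
ACH_BURST_COUNT = 5          # ACH debits inside the burst window
ACH_BURST_WINDOW_DAYS = 120
NON_MONETARY = {"ONLINE_ENROLL", "PHONE_CHANGE", "EMAIL_CHANGE"}

def elder_account_flags(profile, events):
    """Return the red flags raised for one account, as a sorted list."""
    if profile["age"] < ELDER_AGE:
        return []
    flags = set()
    events = sorted(events, key=lambda e: e["date"])
    changes = [e for e in events if e["type"] in NON_MONETARY]
    ach = [e for e in events if e["type"] == "ACH_DEBIT"]
    if changes:
        first_change = changes[0]["date"]
        # Non-monetary change keyed in by staff, not a customer channel.
        if any(e["channel"] == "BRANCH_STAFF" for e in changes):
            flags.add("staff_initiated_profile_change")
        after = [e for e in ach if e["date"] >= first_change]
        before = [e for e in ach if e["date"] < first_change]
        if after and (after[0]["date"] - first_change).days <= CHANGE_TO_ACH_DAYS:
            flags.add("ach_soon_after_contact_change")
        if after and not before:
            flags.add("first_ever_ach_after_profile_change")
        window = [e for e in after
                  if (e["date"] - after[0]["date"]).days <= ACH_BURST_WINDOW_DAYS]
        if len(window) >= ACH_BURST_COUNT:
            flags.add("ach_burst")
    # Any debit dated after the recorded date of death.
    dod = profile.get("date_of_death")
    if dod and any(e["date"] > dod for e in ach):
        flags.add("activity_after_death")
    return sorted(flags)

# Constructed sample data (not taken from the case record).
PROFILE = {"age": 82, "date_of_death": date(2020, 4, 10)}
EVENTS = [
    {"date": date(2019, 11, 5), "type": "CHECK", "channel": "BRANCH"},
    {"date": date(2020, 1, 6), "type": "ONLINE_ENROLL", "channel": "BRANCH_STAFF"},
    {"date": date(2020, 1, 6), "type": "PHONE_CHANGE", "channel": "BRANCH_STAFF"},
] + [
    {"date": date(2020, 1, 10) + timedelta(days=14 * i),
     "type": "ACH_DEBIT", "channel": "ONLINE"} for i in range(8)
]
```

Each flag maps to one of the red flags above, so an alert can carry the list of reasons to the reviewer instead of a single opaque score.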

Our domain, consulting, and engineering teams have developed certain AI models focused on addressing elderly financial fraud and exploitation issues.

References:

  • Order of Prohibition against James Gomes, former Branch Manager at a New York, New York, branch of TD Bank, N.A., Wilmington, Delaware (occ.gov)
  • District of New Jersey | Bank Manager Admits Using Position to Steal Hundreds of Thousands of Dollars from Customer | United States Department of Justice
  • TD bank employee accused of helping clients skirt controls in new U.S. money-laundering case - The Globe and Mail
