Bank fraud: No loopholes in the system, problem lies with people
10 fraudsters were recently nabbed by the police for attempting to steal Tk6.5 crore from a bank account of the Walton Group by manipulating the electronic funds transfer system. The Business Standard (TBS) sat down with Mahbubur Rahman Alam, Associate Professor at Bangladesh Institute of Bank Management and an expert in banking security, to pick his brain on this issue.
In a recent move, the police arrested 10 people for allegedly trying to embezzle a large amount of money from two bank accounts belonging to the Walton Group and United Group. The criminals reportedly forged signatures and information of the account holders by manipulating the electronic funds transfer system, called Real-Time Gross Settlement (RTGS). This type of crime has the potential to become a common threat to banks in the future.
TBS talked to Mahbubur Rahman Alam, Associate Professor at Bangladesh Institute of Bank Management, for insights into how such crimes are committed and how to prevent them.
What are the threats to the electronic funds transfer system?
There are no loopholes in the electronic money transfer system. The problem lies with the people involved in the transaction; they might overlook the necessary security procedures. For example, what happened in the cases of the Walton and United Group accounts?
In reality, it was a fraud attempted by criminals who were in cahoots with a few bank employees. They tried to steal the money through unscrupulous means but their attempt was foiled by other bank officials, who snuffed them out during the verification process. Generally, bank staff monitor the entire money transaction and verification process. But unscrupulous bank officials might attempt fraud by manipulating other staff involved in the process.
When a large amount of money is transferred from one bank to another, the customer [payee] receives a phone call from the bank. This is a part of the verification process and is guided by Bangladesh Bank.
When fraudsters fail to manipulate the key stakeholders in the verification process, the act of fraud gets revealed during the cross-check. For example, a crucial phone call by the bank manager exposed the unauthorised money transfer request made during the aforementioned attempt to steal from the two bank accounts.
Such security threats remain in the money transaction process if the verification chain becomes corrupt. For example, take the manipulation of an automatic cheque clearing. If the presenting bank sends a scanned copy of a false cheque and the document is cleared by a paying bank officer, and both are members of a crime syndicate, the real account holder is being scammed. This is an example of 'syndicated crime'.
How can bank security threats be kept in check?
If the concerned authorities want to address these threats, first of all, they need to ensure tight monitoring. For the clearance of any transaction, authentication by the makers-checkers-authorisers is mandatory.
The officials who fill these roles are crucial to the transaction process. One initiates the transaction, one checks [authenticates] the transaction cheque and finally one authorises the transaction. Illegal money transactions will not be checked if those three people manipulate the entire process. That's why monitoring the activities of each officer involved in the process is important. When one or two officer(s) instead of the recommended three manage the entire process, it generally creates a loophole.
Monitoring can be done through the security operating system. When a transaction of a big amount of money, i.e. more than Tk1,00,000, is initiated, it can be tracked by the security operating system. Designated officers should verify the bank-to-bank transaction step-by-step. Otherwise, any misstep will create many problems.
The Money Laundering Prevention Act and several guidelines of Bangladesh Bank describe how to verify transactions of large amounts of money. If officers do not follow the guidelines and give cheque clearance without confirmation, there is the possibility of fraudulent activities taking place.
What should be done ideally? The transaction initiator should investigate whether the instruction is genuine or not simply by making a phone call to the account holder. Banks must ensure the accuracy of KYC information by means of proper verification. There is a maker-checker-authoriser concept in the verification process. If the verification guidelines are followed thoroughly, the chances of fraud are nil.
Is tight monitoring possible in the Real Time Gross Settlements (RTGS)?
If an account holder applies for RTGS personally, he or she (gets notified about the transaction through SMS) can track the transaction. Bank officials are instructed to verify the documents before initiating the transfer, because faulty verification leaves scope for fraud during the RTGS process.
In that case, if the account holder can detect any suspicious transactions, s/he should inform the originating bank about it. Then the originating bank should communicate with either the receiving bank or the Bangladesh Bank as soon as possible. If they [originating bank] move swiftly, the money transfer can be blocked.
If the communication gets delayed and the money is withdrawn from the receiving bank, what can the central bank do?
If the money has been withdrawn, the central bank has very low chances of doing anything. But the account holder can seek legal support and the originating bank can file a case with the local police station. The receiver can be held responsible. But if the transaction or money withdrawal has been manipulated by any bank official, the receiver can deny responsibility. Then the central bank can take necessary steps to freeze the account and the issue now becomes complicated as well. From here on, only police can investigate and arrest the frauds.
In the last couple of years, crime syndicates have committed financial crimes with the help of foreign nationals. How do you assess this trend?
Without the help of either internal bank staff like IT officials, authorisers or other relevant parties like vendors, getting past the existing bank security system, devised using modern technology, is seemingly impossible. Even the receiver could be involved in such crimes. A criminal working alone cannot do anything.
If the KYC (Know Your Customer) form is filled up incorrectly or contains false information, account holders can make illegal transactions. In most instances of bank fraud, KYC forms containing incorrect information have been a common finding. The unscrupulous account holders did not provide accurate contact info.
The bank authority should verify the KYC before opening an account. Currently, the NID number is a requirement for opening a bank account. But if the designated bank officer does not conduct the NID verification properly, it is tough to identify the fraudsters.
As I said before, rigorous surveillance is a must. For example, the monthly transaction from a particular branch of a scheduled bank is generally not more than one crore. But if that branch suddenly handles five crore in a particular month, the regulatory bodies should cross-check the extraordinary transactions.
Here, a smart bank manager can create awareness among the subordinates through regular consultancy and motivate them to follow good banking practices. Moreover, the central bank can host training sessions for bank officials on the anti-money laundering act(s) on a regular basis.