Thursday, November 21, 2024

March 2023 OBA Legal Briefs

  • Reputation risk and theft
  • Deposit mismatches and liability

Reputation risk and theft

By Andy Zavoina

I think I’ve always been fascinated by “the con” and the way some people will steal, and others will be gullible. That fed a degree of interest and intrigue in me for many years and led me to a hobby of magic (where lying and stealing is for entertainment) and my first job in law enforcement. I was then involved in security at my bank, but my full-time duty was compliance. In the bigger picture, however, as an officer of the bank, my first responsibility was to the bank. That means I was always interested in the safety and soundness and reputation of the bank. I believe all our readers share those same interests and all of this was the inspiration for this month’s Legal Briefs. First, we’ll take a deep dive into much of the information available to you in several court cases and enforcement orders and then we’ll use the pertinent facts to provide the information needed to assist in improving policies and procedures in your bank to avoid similar instances, when warranted.

Maguire: On the 24th of February 2023, the United States Attorney’s Office for the Northern District of Florida posted a notice about Nicole Maguire. She was just sentenced to three years in federal prison after she pleaded guilty to conspiracy to commit bank fraud, bank fraud, and aggravated identity theft charges. That issue would involve the safety and soundness of the bank. The fact that I also had it show up in my alerts because there was also a story about her in The News & Observer, and I’m certain many other online and paper-based publications also ran the story, made it a bank reputation-related issue.

Nicole Maguire sold the names of bank customers, their identification card numbers, and bank account numbers to others who then stole more than $125,000 from those customers, and ultimately from the bank, in 2019. Yes, the wheels of justice turn slowly. But I’m sure the case is still of interest to customers of Regions Bank in Florida, Alabama, Iowa, and Missouri where the victims were.

Maguire was obviously not alone in this. Her co-defendants were Desmond Brannon, who was sentenced to four years in prison after pleading guilty to conspiracy to commit bank fraud and bank fraud charges; Steven Mussington, who was sentenced to 1 year and 1 day in prison for conspiracy to commit bank fraud and bank fraud charges; and Chelsie Worthen, who pleaded guilty to conspiracy to commit bank fraud, bank fraud, and aggravated identity theft charges. Then there were co-conspirators Darrell Wells and Georgia Ward who both reside in New York and were or are being prosecuted in the Southern District of New York under a separate but related indictment. Ward pleaded guilty to conspiracy to commit bank fraud and was sentenced to time served and an additional nine months of home confinement. Wells is awaiting trial on charges of conspiracy to commit bank fraud and aggravated identity theft.

The FBI and police departments in Florida, Iowa, and Missouri, along with the bank’s security investigators, were all involved in the case as well. It was far-reaching and I’m certain complex to unravel. At the end of the day, the short story is Maguire was the insider who sold the IDs and information and another woman had fake IDs made with others’ photos and the customers’ information to make withdrawals. They also passed some fake money orders and checks.

When a Regions customer, especially those in the four states specifically mentioned in this case, reads this story they will do one of three things— check their own accounts and worry about the security of their money, know this person was caught and that no customer lost any money, or worry that next time the perpetrator won’t be caught and the customer will be unaware of a loss from their own account. In any scenario, we do not want customers to worry. And while I said “no customer lost money” that is a supposition. There was no statement from the bank for whatever reason.

If your bank were to suffer such a loss, the bank should have a reaction plan in place. You should be able to fill in the blanks and put together an official statement in short order to demonstrate control of the situation and to instill confidence in the public and your customers. The bank should always look to emphasize that the bad actors were caught, and that no customer has lost money, not one dime. There are customers and customers-to-be who may need to be reassured.

This is the most recent case I have read about. But there are many others, and we want to explore some of those this month. When we pay particular attention to what happened, how and sometimes why, we learn valuable lessons about things that can be done in our own banks to avoid such problems. One common fact we see in internal cases is that they can take years to discover. This is especially so when the thief is going to “take a little, leave a little” and has the knowledge and authority, to cover their tracks. This is a key reason areas like security and audit need unfettered access when it comes to internal audits and investigations and staff need to speak up when they see transactions outside the ordinary. It is also a reason your bank should have a vacation or “period of absence” policy that will take a person away from their desk and out of control of internal accounts for a period long enough for discrepancies to show up. Those discrepancies should not be explained away but understood, accepted, or corrected. Questioning transactions and documents should be viewed as a constructive and protective act. If nothing wrong is found, it is a reassurance, and if something is amiss, the review is money saved overall and an opportunity to improve procedures.

Torgerson: In another recent case, Brady Daniel Torgerson from Beulah, North Dakota, was sentenced in February 2023 to two years in federal prison, three years of supervised release and a $200 special assessment. Torgerson pleaded guilty to two separate counts of bank fraud against financial institutions located in Beulah. This case also went back to 2019 and extended to 2021. Torgerson was employed as the president of First Security Bank-West and separately as a loan officer at the Union Bank. He used these positions of authority to conduct transactions that caused harm to both the banks he was working at and their customers.

While employed at First Security Bank-West, Torgerson funded loans which should have raised red flags with the most basic of controls. These questionable loans lacked necessary financial information, security interest documentation and even promissory notes. He created deceptive transactions by falsifying records in the bank’s computer system, increasing loans which then exceeded the original approved loan amounts, and extended maturity dates of loans to keep them off the past due listings and therefore anyone’s radar.

When he was working at the Union Bank, Torgerson created fraudulent loans in the amounts of $225,487.44 and $225,487.45 in the names of three separate individuals who neither knew about these loans nor received the funds. Torgerson had three co-defendants who were sentenced to both short jail terms which included one day of time served and a year of supervised release plus a monetary fine for each and $98,ooo restitution from one. I believe one of these was his father and the other two likely friends. You can almost hear the offer of something for nothing and them making a quick buck to help him out.

Anything that is transacted on the bank’s systems should be traceable to an employee based on logon credentials. An employee doing account maintenance at the direction of a superior should remember what was done and why, and their credentials should never be shared. When someone leaves a terminal, they should sign off. This helps protect everyone and promotes the integrity of the systems in place. Similarly, when loans are funded and booked without the standard security agreements and collateral documentations, and especially without executed note forms, questions must be asked, and the notification chain accelerated upward as that is a serious issue that would be difficult to explain.

On that same note, I remember “back in the day” when I was on the loan desk. This was at a military bank and predated internet banking. A young lieutenant who banked with us called from a large city about three hours away. He had found a car he just had to have. I got the necessary information from him and already knew his father was a retired colonel and his grandfather was a retired general, both West Point graduates. Of key interest was that fact that he would be back in town in two or three days, and he promised to come in and sign his contract. I provided the dealership with draft instructions so I as good as made the loan. I proudly informed my boss because I knew this was excellent customer service and would help build loyalty of this up-and-coming military officer. Unfortunately, after day three I had not heard from him. I waited nervously on day four and called him on day five. Even after all these years, I still remember his answering machine as he introduced himself and he said he was “either out rescuing a damsel in distress or a cat from a tree.” I just knew at that moment I had a nutcase for an almost borrower. But he came in shortly thereafter, the paperwork was done, and the loan paid as agreed. I never did that again. But it would explain what happened and there was no loan being booked without a note and collateral.

Seck: A case as recent as we can get was published February 27, 2023, by the U.S. Attorney’s Office, District of Maryland. In this case Diape Seck, of Rockville, Maryland, was at the time of the bad acts a customer service representative at a bank. He and his eight co-conspirators stole or attempted to steal almost $2 million by fraud, including by stealing checks from the mail of churches and religious institutions. Seck was the ringleader.

Seck fraudulently opened bank accounts using fake identities. He took cash bribes for his efforts. Among other illegal acts, his accomplices then deposited stolen checks from churches and other religious institutions into the fraudulent new bank accounts. The co-conspirators withdrew and spent those funds as compensation for their efforts.

There were more than 400 accounts opened in just over a year beginning in January 2019. Identification relied on was often Romanian passports and driver’s license information. Generally, the deposits were made to ATMs the bank owned. From those deposits cash withdrawals would be made and debit cards associated to the fraudulent accounts would be used for purchases.

Seck’s sentencing is scheduled for June. He faces up to 30 years in prison. The accomplices generally are facing three to five years each. One in Dania Beach, Florida, and another in Baltimore are the only two facing restitution with each exceeding $1 million. Raise your hand if you think the restitution will actually be paid. I’m not raising mine.

What might have helped stop this sooner than a year into the scheme? Sending new account verification letters could have helped alert an auditor that an address was bad if that was the case here. So would address scrubs where the bank compares accounts with the same address and different owners. That could show as an example multiple owners using the same post office box address.

Schroeder: Let’s turn our attention to Ronald Wayne Schroeder and the Bank of San Antonio where he was the bank president. His crime dated back to before 2020, but it was August 2022 when he was sentenced to 97 months in federal prison as his fraudulent activities cost the bank $13 million.

Schroeder himself took nearly $3.2 million. He and his co-defendants conspired to defraud various banks of money through the factoring of false and fraudulent invoices.  They began with Southwest Bank, then included Schroeder’s bank, Bank of San Antonio, and finally included the TransPecos Bank.

Schroeder sent false and fraudulent invoices of companies owned or controlled by the other defendants in the case, to be factored by these financial institutions.  This is a process where a company sells its receivables to a third party, in this case the victim banks. Factoring is intended to provide a quick capital injection into the business selling the receivables as they are sold at a discount which provides an immediate short-term gain and allows for a profit margin to the buyer as the receivables pay back over time. Schroeder and other co-defendants would then use that money for their own personal enrichment or to pay off old invoices owed to the banks much like a Ponzi scheme where money from new investors is used to pay old investors. Schroeder used his $3.2M to buy a beach house, airplane, boat, and vehicles.

Schroeder and the others obviously knew what they were doing. It was a definite abuse of authority by Schroeder and that certainly would have influenced the first bank they factored with. Once they got the first bank in place, they were able to leverage credibility and get a second and then a third victim bank. Like all Ponzi schemes it would reach a point where there was not enough money coming in to support the debt already established. When the receivables stop paying and they are discovered to be fraudulent, the house of cards falls and, in this case, there were $13 million of them.

As you can imagine, based on this case and others, an abuse of position was a contributing factor. Staff must be able and willing to question transactions, loans, and arrangements where the bank is paying some high-ranking officer or board member or someone or a company associated with that person. When it is an unusual arrangement, it deserves to be questioned and that person, if legitimate, really should not mind so everything is transparent and above reproach.

Romero: Orlando Romero worked at Deutsche Bank as a client service specialist. Always wanting to improve his position he was seeking employment opportunities in the banking field. He received a written employment offer from another bank. While that offer was good, he knew he could do better. He decided to look within his current bank, and he doctored that offer by adding to the salary the competitor bank was offering him. He presented this “modified” offer to his supervisor at Deutsche Bank who agreed to meet that offer and Romero received a $28,000 increase to his annual salary. One might believe the bank must have been under-compensating him to provide such a hefty increase all at once. But Romero left Deutsche Bank some thirty months later when his prior deception became known. Romero was deemed By the Federal Reserve to have violated the bank’s internal policies and committed violations of law or regulation, unsafe or unsound practices, or breaches of fiduciary duty. He was ordered to cease and desist and has been banned from banking.

Many are of the opinion that the bank made the decision to pay him presumably what he was worth as an employee. But the way he went about it was deemed unacceptable. Staff needs to be aware that ethics policies do have teeth.

Ratcliff: James Ratcliff worked at the First National Bank and Trust Company of Vinita for 20 years. He was an executive vice president and vice-chairman and chairman of the board at his bank at different times. Abusing his position, he had the bank engage and pay entities owned by him as third-party vendors. This in itself is not the violation, but the manner in which the relationship was handled was. He set up financial arrangements between the bank and the entities he owned. There should have been someone else managing that relationship just as tellers should not complete transactions for relatives. Work was not tracked or verified but was paid for. There was little evidence that what was billed for was actually done, which causes doubts as to the validity of the billing. Because of his insider status and long standing at the bank, he was not sufficiently challenged by others in management. He failed to ensure employee compensation was commensurate with the employees’ responsibilities and actual work performed for the bank.

Ratcliff also directed employees and contractors to perform work for the entities he owned, at the bank’s expense. He made unsafe and unsound loans. The OCC noted in its consent order that delinquent borrowers were instructed to form new entities and Ratcliff had the debt transferred to that new entity without correcting the problems leading to the delinquency, which only hid those past due accounts from accurate recordkeeping., These loans were also made without sufficient documentation such as financial statements.

Ratcliff was handed a $100,000 civil money penalty and was banned from banking. Here again, we see officers in high positions run a bank as though it was their personal piggybank and they had unfettered control. That is not how it should ever appear and internally the bank requires a culture of separation and transparency.

Fritz: Ratcliff was not doing everything alone at First National Bank and Trust Company of Vinita. Tony Fritz was the former chief lending officer and a director at the bank.

Fritz was cited for failing to ensure that credit administration and risk management practices and controls were effective and commensurate with the risk and complexity of the loan portfolio. He failed to develop a system to ensure ongoing monitoring of complex commercial credits and to ensure the bank kept adequate loan documentation. He failed to formalize loan review and approval processes and failed to properly document lending decisions. He failed to provide credible challenge to members of senior management who maintained loan portfolios and failed to maintain adequate oversight over their portfolios. Fritz approved and/or originated multiple unsafe or unsound loans that were liberally underwritten and included inaccurate credit memorandums containing insufficient financial statement and cash flow analysis. He originated loans to cover customers’ overdrafts and overdraft fees. He extended additional loans to borrowers who were not creditworthy, sometimes through creating new entities, in order to make payments on such borrowers’ non-performing loans. In short, Fritz was a key officer whose authority and duties were in part to balance the scale for what others might do and to ensure controls were in place and functioning as they were designed to. That did not happen in this case. Sometimes staff can only do so much, and when bad acts are committed willingly by the most senior of officers, the regulators take action. Fritz was cited with a $20,000 civil money penalty.

While these last two enforcement orders from late 2022, the bad acts were from years before. BancFirst purchased this bank early 2021.

Deposit mismatches and liability

By Andy Zavoina

Continuing with the theme of fraudulent transactions but changing to liability, let’s review a new case that screams “what you do know, can hurt you,” especially if a bank turns a blind eye to the obvious.

This is a legal case, Studco Building System U.S., LLC, plaintiff, V. 1st Advantage Federal Credit Union,  (Studco) Civil Action No: 2:20-cv-417 in Virginia. This case began about August 2018 when 1st Advantage opened an account for an individual. In the court documents he is referenced as “John Doe.” The court does not know who the actual account holder is. With Bank Secrecy Act regulations, 1st Advantage would have had to follow basic requirement to know the customer. But it did not verify John Doe’s identity, physical or mailing address, prior banking history, whether John Doe was eligible to be a member, nor did it verify the source of funds intended for the account.

This is not a case of an account takeover but a BEC or Business Email Compromise. The end result is similar, as the scammer gets the victim’s money. But in a BEC there is hacking or social engineering to get into a corporate email account. Once inside, the scammer looks for some discussion about a project and bill for that project that is due or will be soon. Studco Building Systems sounds like a company that would buy large amounts of materials and then pay the large bills they receive for them. Once he finds one of those the scammer is halfway there.

In this case, about two months after opening his account, Doe impersonated Olympic Steel out of Ohio. He sent Studco instructions to make an ACH payment to the 1st Advantage account he opened. 1st Advantage received those funds and was aware that Olympic Steel was not a depositor of theirs.  Beginning in October 2018, Studco sent one ACH to 1st Advantage to the account number of Doe in the amount of $156,834.55. That transfer identified Studco as the originator and Olympic Steel as the intended receiver. This did not match any account holder with 1st Advantage. The ACH credit identified a personal account number, but the transfer was coded commercially as a “CCD” meaning it was a “Corporate Credit or Debit.”  In this case NACHA rules require CCD payments to be restricted to transactions that involve only businesses. Any CCD payments directed to personal accounts are required to be rejected by the receiving bank. In this case 1st Advantage did not do that. A short time later 1st Advantage accepted three more large commercial ACH credits for Doe’s personal account totaling nearly $559,000.

Doe wasted no time as he began transferring the funds out. Typically, when these funds reach John Doe’s account, the valid originating bank’s customer and the originating bank have to take fast action as Doe will be getting that cash out of the account. Doe’s goal is to beat any reclamation claim by the originating bank or the company paying its bill. Sophisticated scammers may send these funds through several banks and then convert it to crypto or have it sent to a foreign bank. In this case, Doe was taking the funds incrementally — all $559,000 — and he did it in person and with the assistance of 1st Advantage staff. It took him more than a month as 1st Advantage employees issued thirteen cashier’s checks and wire transfers to move the funds out. Nine of the thirteen withdrawals were reportedly to an individual or entity known to the 1st Advantage staff who assisted him. This added validity to his transfers.

When there is a BEC you may find yourself with many of the same questions you would have for a takeover:

  • Who may be responsible for the loss?
  • Did the bank that sent the funds following the company’s orders (Studco) follow the instructions precisely?
  • Was this an unusual transaction for Studco?
  • Is Studco liable for the loss, what were their actions, and how did they protect themselves?
  • Was the hacker using an actual vendor’s system, and if so, does that vendor have liability?

The FBI in Rochester, New York, initiated the investigation. During the investigation, Studco alleged that 1st Advantage intentionally concealed, and continued to conceal, material information from Studco related to John Doe and the account. That both hindered the investigation and aided John Doe in his theft. Studco initiated actions against 1st Advantage in November 2019.

You may be surprised how the Virginia court ruled in this case. 1st Advantage, the credit union that received the funds, would have liability under Article 4A of the UCC. The credit union had AML software and that software provided alerts on mismatch between the account name and the name in the ACH transfers, but no one acted on those alerts. 1st Advantage certainly did not follow BSA requirements to know its customer. There was no indication that 1st Advantage had actual knowledge of John Doe’s illegal activities. But the court found that there was certainly an inference the bank should have made, as its AML software generated several alerts pertaining to account discrepancies, fraudulently diverted payments, and withdrawals by the John Doe himself. There were many indications that the account was being used for fraudulent purposes.

The court’s order effectively said there exists a “should-have-known” standard under the relevant provision of UCC Article 4A, but this is in contrast to many other court decisions that required proof of actual knowledge by the receiving bank of the discrepancy between named payee and actual account holder at the time the payment was credited to the account. Other courts have yielded to part of Article 4A stating, “If the beneficiary’s bank has both the account number and name of the beneficiary supplied by the originator of the funds transfer, it is possible for the beneficiary’s bank to determine whether the name and number refer to the same person, but if a duty to make that determination is imposed on the beneficiary’s bank the benefits of automated payment are lost.”

The court hearing the Studco case reviewed both the UCC and NACHA rules requiring a commercially reasonable manner or exercise of ordinary care when processing ACH payments. The court held 1st Advantage fell short of this standard in the way it opened the account and ignored red flags generated from its own software. The court stated that 1st Advantage “did not maintain reasonable routines for communicating significant information to the person conducting the transaction. If 1st Advantage had exercised due diligence, the misdescription would have been discovered during the first ACH transfer.”

Finally, while it is an unusual finding, it is one that bank customers would likely agree with. The red flag warnings would have been triggered based on criteria 1st Advantage defined, yet it failed to do anything when the alerts were generated.

Let’s look at a basic argument that many banks rely on — if we have a valid account number, deposit the funds. We in the Compliance team hear this question regularly and thoroughly expect to again this year as tax refunds begin to be deposited. What do you do when there is a known mismatch in a tax refund between the name in the direct deposit ACH record and the name of the account holder? This is sometimes complicated because the person named on the deposit may be a convenience signer on the account, but not an owner. They may be a known associate of the owner, but not an owner. Could this person be hiding assets from a creditor and shielding those funds in an account that could not be touched legally because that person is not the account owner? What if the account owner takes the funds? Technically the funds are their property, but does the bank want to be involved in that? What if the account owner is served a garnishment and the other person’s funds are taken as a result? Again, it is their property by virtue of account ownership, but does the bank want to be involved? Would it not be more responsible to require that even with personal accounts, the account number and name in the deposit record must match? Based on this Studco opinion, could your bank find itself with liability? And lastly, how much is the bank willing to spend to find out?