After several years of investigating fraud, I have come to the realization that in many cases, internal staff are involved in one way or the other. It is so difficult to pull off a fraud without involving an insider.

When it comes fraud examination, everyone is a suspect until proven otherwise. I have found it important to take everyone’s statement to account for their time, roles and activities immediately before, during and after the fraud or theft incident.

Looking carefully through those statements, you get to realize how some of their information is inconsistent either in an attempt to protect their colleagues or outright lies. And it is these small inconsistencies that solve the case.

When it comes to fraud, finding the ‘smoking gun’ is never easy. That is why digital forensics, on its own, is useless. You have to put it into context, within the entire fraud examination process.

When doing an assignment, we looked everywhere and could not find the missing link. The dots just could not connect.

This changed once we decided to interview the office cleaners. They told us everything we needed to know. The cleaner was able to tell us how the credit officer comes very early in the morning, and ensures the cleaner opens the door for him instead of using his own access pin code! This information helped punch holes in the statement of the manager that he had come to office at 9:00 am; and had given us a printout of the access log to prove the point. The cleaner also revealed that the loan officer accesses the archives room in the evenings.

Case study

If you’ve worked in a bank, you know that most people there have some bank loans as they come at preferential interest rates. These staff loans are of course ‘insider lending’ and must be kept at a minimum.

Some people are so shrewd that they have multiple loans.

Others understand the system so much they see no reason in obtaining an official loan. That is how one of the staff in the operations department decided to ‘give themselves’ free money. Welcome to the staff loan fraud.

Here is how it was done:

  1. This fraud involved several loan officers.
  2. They obtained loans through fictitious clients’ accounts.
  3. The loan officers would make a fictitious client, complete the loan application documents, and submit to the bank for approval.
  4. Since the fraudulent staff is also the reviewer of the loan application, the loan would be approved. Thereafter, funds would then be advanced or disbursed to the fictitious bank clients. You guessed, small loan amounts were involved; they had no genuine collateral security. The fraudsters were so smart that they would make these applications at up-country branches where majority of the people lack land tittles. So what they would do, is to forge an LC 1 letter, and move around the village take photographs of the farm and house and attach to the loan application! The fraudulent loan officer would sign on the application and approve, certifying to have visited the land, and that it has no title.
  5. The loan staff would then access the funds by using the fictitious bank client’s signed cash withdrawal slip.

Just to recap the above, loan officers in a bank created fictitious loan applications, got the loans and withdrew the money. This kind of scheme involving “stealing in small amounts, over a long period of time” is usually difficult to discover. Before we get to how we uncovered it, here is more background

This fictitious loan fraud was so good that it would have continued, had it not been for a disgruntled whistleblower, who had been part of the scheme but later left the company. Of the 12 people in the credit department, four knew about the scheme, including the assistant overall manager.

When you apply for a loan in a bank, a credit officer will evaluate your credit worthiness.

Many, if not all, banks have a template against which your business/ profile is scored to assess your overall risk so as to determine the size of the loan and the applicable interest rate based on the assessed risk of your capacity to repay.

The double jeopardy

In this bank, a bonus was being paid out to those loan officers/ marketing people who brought in more business (based on the amount of loans disbursed). This encouraged the loan officers to create more fictitious claims.

After months of analyzing records covering five years, we noticed an interesting pattern. For every 6 or 12 new ‘genuine’ loans any of these four officers brought it, the 7th or 13th would be fictitious. At least a fictitious scheme would be after six or eight successfully disbursed loans.

This worked like magic. It also happened to have been within the bank’s accepted default target – a default of 5% of the value of the loans written.

So, your typical auditing methodology of sampling and materiality could not pick up such a fraud, despite the frequency Internal Audit reviewed the loan files.

The bank lost twice – paid out bonuses to the loan officers for bringing more business, yet some of it was fictitious. it is for this reason that as a manager, you need to get concerned of people who keep in groups, work late in the night without clear targets or making on-going accountabilities and are living beyond their means or trying to appear to be living too much below their means! These are red flags and you need to follow up on them. Also, be keen on some exceptions, if in the bank everyone seems to take a staff loan, be concerned when others ignore it completely.

How it got exposed

After three years of working, the architect of the scheme, loan officer 1, resigned his position and moved on. I am sure, he had made good money, as some staff were questioning why of all people, that loan officer never had a staff loan. Shortly after his exit, another of his colleague inducted a new officer into the scheme. After the induction, loan officer 2, also left. However, he had an agreement with three of the remaining colleagues to keep giving him his cut.

They gave him the cut for about three months, and became greedy. They suddenly stopped paying his cut of 20%, on the basis that they had stopped the scheme. They warned him to stop bothering them else they will report it.

He decided to blow the whistle to the internal audit team.

Officer 2, called the manager internal audit and told him about the scheme, saying that “he noticed some unusual behavior among his colleagues, and that is why he resigned. He told them to look carefully at the signatories of certain bank accounts.”

Of course the fraudsters were smart. In the past, they enlisted the help of their friends and family. However, once the main architect of the scheme left, the guys took it a notch higher by using down town street vendors. Once the loan is disbursed, they would wait for them outside the branch, share the money and close the deal.  For the next loan, they would use new people.

Also read: Everyone is a potential fraudster. Here is why

The investigation

Working with the bank’s internal audit team and the bank’s security staff, I was retained to provide high-level investigations strategy to help the team solve the case. The following were the investigation objectives:

Undertake predication of the whistleblower’s information

Identify the possible suspects and their accomplices

Gather evidence for recovery of the lost amounts and or possible prosecution of the culprits

Predication is the process of determining whether any information provided by whistleblowers hold water or not. This is usually a desktop review of analyzing the facts at hand and making an informed judgment of their accuracy considering the circumstances. In this particular case, it was clear that something was not right. The overall control environment within the credit department left a lot to be desired. Following a one-on-one chat with the head of credit department, it was clear that she had limited faculties to run the office. I noticed, during the discussion, one of his staff brought loan approval papers and she just signed as our discussion went on!

She had no time for the details yet the credit department is one that require folks that are attentive to detail, including requiring physical visitation to client sites and making other independent unannounced visits just to be sure whether the property or home indicated is theirs or not.

The fact finding strategy

Fraud examination is a business of no sampling, no materiality. Everything matters. With this in mind, we decided to review all loans in the department since the suspicious characters joined. That meant a review of loans over a five year period.

We extracted all loan applications that were non-performing i.e. defaulting.

After a careful analysis, we had a print out of all loans that were questionable. The total amount of the loss went up to Ugx. 840,302,100 (US $311,223) over a period of five years, loan amount and interest. This was an equivalent of an average loss of Ugx. 14m per month! Which we thought was on a higher side. The first step was to contact each and every loan account holder to confirm the genuine ones.

We needed evidence that the loan applicants were non-existence.  We got printouts of each loan from the information that had been captured in the system. Before heading into the archives to review the loan application files, we reported a police file.

This was to ensure the evidence we collect on the case is not challenged as ‘illegally obtained evidence.’ With a case file open and a police officer assigned to the case, we were ready to go.

Based on the system records, we discovered many loans for which not even a single repayment had been made. Once the loan was disbursed, and the money obtained, the account became idol. Loan collectors had reported that some of the phones indicated were not going through.

We tried calling the indicated lines, without success.

After this tedious sorting exercise, we had about Ugx. 531,004,300 principal and interest unaccounted for.

The first step was to make an appointment to take an account of what happened (witness/ suspect statement) from the loan officers who had disbursed this money.  Three of them were still with the bank. It was easy to take their statements with the help of the police officer. Two of the officers involved in the generation of the client had left, and it was difficult to trace them.

At least we had 3 suspects with us.

We asked for an account of how the loans were disbursed then, and why the indicated physical addresses were not accurate. And why the mobile phones were off. One by one, we took their statements. Each denied knowledge.

“I don’t know what happened. I worked with ‘xx’ and he was the final person with the file. He was my supervisor. I don’t know whether he changed the information we had indicated.’ They took advantage of the fact that two of the suspects had left the bank and were unavailable.

With the statements in hand, we traced the staff that had left. We obtained their personnel files, and took note of the contacts indicated as their next of kin. We also obtained a court order and took it to the National Social Security Fund (NSSF) to obtain the suspect’s indicated contact details, and whether they are working elsewhere.

With this, we most of the information we needed about the suspects. We made the call to the suspect, but refused to turn up. He said he was busy and that he had handed over officially. He added that had forgotten anything to do with what we were talking about. We decided to call his wife, whom he had indicated as his next of kin. This call changed everything. A short while later, the suspect called, giving us an appointment and also advising us “to leave my wife out of this.”

This was a good progress on our part. We knew the man’s soft spot was his wife. And so, we had him in our palm. The case was on track.

We promised not to bother his wife, if he cooperated. The second deserter was not cooperative either. However, we noted down our phone discussions and filed.

All we needed was evidence that the suspects occasioned loss to the bank.

The physical loan files and client visitations

The next stop was in the bank’s archives. We had a list of the loan files we were looking for, having got a print out from the system. One by one, we searched for the loan file documents in vain.

Any scheme involving missing records or documents is very complicated to uncover.

For this reason, once a loan is approved, the supporting documents must be submitted to the archives and kept lock. No unauthorized person should be allowed to access the archives. Any access to the records/ archives must be duly documented and a chain of custody or document movement clearly kept. This helps prevent unauthorized discovery (by copying) or destruction of records.

We reviewed the filling procedures of the bank, and noted several weaknesses.

There was no security camera at the entrance to the archives room. Even then, we noted that the CCTV camera footage at the ATMs and banking hall are archived for just four months and then overwritten, as the bank could not invest in a data center and bulk storage system.

Without the loan files, we could not determine the particular staff who visited the clients, did loan vetting and signed on the loan. It was so annoying that all the suspected fictitious loan files were missing in the archives. It appears this was a highly sophisticated scheme involving several people.

We suspected that the fraud could have been much bigger. However, in absence of the original records, we could not go far.

Without critical evidence, we re-interviewed the suspects. They insisted that they were not aware of the scheme. Even the person that had raised the red flag, later changed his statement.

Enroll for: Certified Fraud Forensics Professional



Share this



Related Articles

Managing risk amid COVID-19: Part 3

Managing risk means more than protecting value. It is about creating value through viewing risk management as an aid to building credibility and achieving

Banking sector report 2019

UGANDA’S economic weather tends towards extremes. During the Financial Year 2018, five (5) banks were loss making. Bank profits were slumped due to the

Effective strategy formation and development at Uganda Protestant Medical Bureau (UPMB) by Summit Consulting Ltd

This is to certify that Summit Consulting Ltd was engaged by Uganda Protestants Medical Bureau (UPMB) to facilitate the formulation of six years UPMB

ITU Telecom World 2014 highlights innovations, technologies, and ideas shaping future of ICTs

DOHA, Qatar, 10 December 2014 / PRN Africa / — ITU Telecom World 2014 closed its doors today following four busy days of high-level

About Author