So you think all is well with your compliance/AML system…Your deflector shields are up and on maximum. OFAC – check; Patriot Act – check; BSA – check; Green lights across the board…check – check – check. You are sure all is well, perhaps you can now even relax, put your feet up, take off early, hit the shore, have a Mai Tai. Unfortunately, you should have left the blackberry home as it is now begins to scream and work harder than an immigration lawyer in a Home Depot parking lot! The world as you know it is about to change. An employee has been implicated in a major identity theft and money laundering operation. Uh Oh…
It appears that a person who works at a call center soliciting and developing credit card accounts has compromised your institution to the tune of a several million dollars. That, of course, is just what the authorities are aware of. (There is usually more money involved that goes undetected) The news has hit the media and it’s time to circle the wagons and do a whole lotta damage control. Your first thought is, “how could this be?” Well, actually, your first thoughts are, “why me?…What the heck did I do to deserve this?” “I’m a good guy…I gave to the ASPCA.” “I wonder if that job at X bank is still available?..and finally, “How can I blame this on that intern?”
As you move into disaster mode you find out some of the facts of the current crisis. A person working at a call center in India has sold customer information to an identity theft ring. But that is only phase one. The ID theft operation also dabbles in credit card bust outs and, most certainly, it just would not be complete without being able to launder some of that new found cash via your credit card processor. Oh lordy lordy, this is going to be a bad day!
How could this have happened? All the boxes on your best practices checklist have been ticked off. What gives? Well…you have been victimized by what I refer to as “Voo-due Diligence.” Voo-due Diligence is the magic welding, spell casting, potion drinking, and doll pricking method of conducting a background investigation. Unfortunately, more realistically, it is lame, pathetic and an unprofessional attempt at a background check. If any checks took place at all during this non-investigation, or voo-due diligence, they may have been conducted by persons of unknown integrity, honor and/or ability. They may have been conducted by persons of unknown origin, education and experience.
When you subcontract out to someone who subcontracts out to someone who subcontracts out, don’t be surprised when you get burned. In this case, your institution hired an outside agency to provide customer services and/or call center operations. They in turn hired a company from a foreign country, who hired a local firm to provide manpower. Background checks on the employees? Oh did you really expect that to happen? What rules do they have to follow in country X. If someone did conduct some type of background check, would it be completed proficiently and be trustworthy enough? Did you just assume that every employee along the way in this quasi six degrees of separation model would be screened like a visitor to the oval office? In the days of know your customer rules and know your customers customers rules, you further need to know your employee and also, know your employees employees.
Let’s see now, it was cheaper to set up operations in a foreign country and use their local workers. How ya feeling about that now? Don’t get me wrong, I’m not saying that there is any problem with foreign workers. Heck, the jails here in the US are full of local knuckleheads who tried to get over on the system. What I am saying is this; the further away an employee is from the actual mother institution, the greater the chance of things going bad. Your institution loses more control of the situation with each succession of levels away from home base.
Here’s a case that I handled when I was working in the squad just before my money laundering days. (No names revealed to protect the honor of the victim)
Homicide – The perpetrator’s car breaks down (which by the way was stolen) and he goes looking for a replacement. He finds an elderly female working in her garden and he pushes her into her house where he stabs her repeatedly with a large carving knife. She died at the scene. The perpetrator is caught several days later. Our investigation revealed that the perpetrator was currently on probation and living in a halfway house. He had a job working at a call center. In fact just about everyone working at this call center was on the rebound from some intimate tours of the correctional system. The call center had many different clients, some banks, some department stores and a slew of others which quite frankly, I don’t recall. Did any of these companies inquire as to background of the call center employees? Did these companies know exactly who they were contracting with? Consequently, all of these call center employees were asking callers or receiving from callers some form of personal data and information. By the way, one of the crimes that sent my perpetrator to prison before they allowed him out on parole was drugs and credit card fraud.
Now there are two types of people who are reading this article. One is the person who believes that someone who is out of jail has paid his dues to society and deserves a second chance. The second person is the person who believes that a leopard doesn’t change its spots. Which one are you? Which one should you be if you are in the AML/compliance/due diligence field? Which one should you be if you have your financial institutions reputation at stake?
The moral of this story is that there was a complete and total breakdown of any sense of due diligence with reference to hiring employees. This is an example of Voo-due Diligence.
So how can you avoid the voo-due hex?
Your situation is much stronger the closer you are to the undertaking. If you have your own due diligence unit and they are under direct control of the financial institution, then you are much better off. You will have direct control over manpower, accountability and policy and procedures.
If you contract your due diligence then you must know who you are contracting with. Who are they? What is their reputation? What are their hiring practices? Are they going to do the task or will they sub contract?
What is through due diligence when it comes to hiring? Let me provide you with a checklist of a through due diligence on a prospective employee:
• Written application form containing pedigree information, jobs in the last 10 years, address in the last 10 years, and all schools from high school on.
• Release of information forms –
• Drug usage
• Credit Report
• Criminal History
• References – more than likely the references that he supplies will be softballs, so make sure you contact people that he did not expect.
Verify everything that he supplies. For example, college degrees and transcripts are not that difficult to counterfeit. If he says that he’s a Harvard grad, make sure you check it out by contacting Harvard yourself.