In one of the easiest thefts I’ve read about, a nonprofit administrative officer wired $6.9 million from an Ohio bank account to another account in Austria. The wire transfer originated with the fax of a letter (which took less than an hour to create). Since the officer was authorized to make wire transfers, no one at the bank questioned the transaction–until it was too late. The fraudster landed in Austria, called his wife and said, “I’m not coming home.” Interestingly, the wife called the police and turned her husband in; he later came back to the states of his own volition (after his wife gave him an earful). He went to jail. I guess, after a few boat rides down the Danube, he missed his family.
Wire Transfer Theft is Easy
It’s easy for an accounting clerk (or other authorized company official) to wire funds and to cover their tracks with a journal entry – too easy in many cases. If a company accountant or official has the ability to (1) wire funds by himself and (2) make journal entries without a second-person review, then the organization has left the fraud door wide open. Such a situation is not uncommon in small businesses, nonprofits and governments.
As you think about wire transfers, consider that they can be originated with a fax, a phone call, a personal visit to the bank, or a computer. Determine how your bank handles wire transfers and craft your internal controls based on those dynamics.
Wire Transfer Internal Controls
Organizations should do the following to mitigate wire transfer fraud:
- Require the bank to limit daily wire transfer amounts (e.g., $25,000 per day for each employee)
- Require two persons to consummate all wire transfers to external parties (the most important control in my opinion)
- If the wire transfer request is by phone or by fax, require the bank to call your organization back before the wire transfer is consummated
- The bank should require the use of unique passwords to access wire-transfer software; consider using a bank that provides bank token keys (small hand-held devices that generate unique identification numbers; these numbers are keyed into the bank software as a part of the transfer request)
- Restrict the bank accounts from which a wire transfer can be made (the organization may want to limit external wire transfers to just one bank account)
- Restrict certain bank accounts so that wire transfers can only be made to other bank accounts of the organization (e.g., transfer from operating bank account to payroll bank account)
- Have someone peruse the daily bank account activity (using online access); at a minimum, reconcile bank statements in a timely fashion (large organizations should consider reconciling bank accounts more frequently than once a month; some reconcile daily)
- Require sufficient documentation for all wire transfer journal entries; require a second-person review of these journal entries
- Consider using a dedicated computer for all wire transfers; do not use this computer for any other purpose (malware is often picked up by computers as they visit Internet websites)
- Use all bank-provided wire transfer controls
- Any transactions over a certain high dollar amount (e.g., $50,000) must have the approval of the business owner/CEO
Use Fraud Prevention Controls Offered by Banks
Not using controls offered by banks may make your organization liable should funds be stolen by hackers. One company sued its bank when hackers took $440,000 from its bank account with a wire transfer; the judge ruled against the company because it had opted out of control procedures offered by the bank. Also make sure your company uses appropriate firewall and antivirus protection.
If one person can make external wire transfers and journal entries to record those transactions, you have the makings of wire fraud–soon you may see that employee on Facebook, riding down the old Danube.
Video from Gary Zeune
You can see a news video about the nonprofit fraud mentioned above at Gary Zeune’s website: The Pros and The Cons. (If you have not heard Gary speak about fraud, you should do so. He does a great job.)