Fraud Prevention Has Limitations: Companies Should Take Measured Approach to Employee Surveillance
March 3, 2008
Financial companies should take precautions to protect themselves from fraud from within and without, but companies should be careful not to cross the line and start spying on employees.
Cybercriminals can strike in a wide range of ever-evolving methods, but fraud and corruption can, inevitably, occur from within a company's walls.
A few weeks ago, Societe Generale's rogue trader Jerome Kerviel rang up more than $7 billion in losses by placing unauthorized bets on European stock indexes. More recently, a trader at New York-based MF Global Ltd., Evan Dooley, whose name emerged at deadline, perpetrated $141.5 million in losses by bypassing an entry-order system designed to block the trader's efforts.
"All of us have been surprised when something happens that's totally unexpected," said Joan Down, chief compliance officer for Boston Financial Data Services Inc., at the National Investment Company Service Association's 26th annual conference in Miami in February.
"We need to identify and deter fraud so we can avoid being the next headline," Down said.
Companies should get to know their employees and contractors by doing credit checks and background checks on applicants, said April Lemay, a principal at Deloitte & Touche LLP.
Many corporations - particularly those in the financial service industry - do credit checks on job applicants and won't hire an applicant if they have bad credit. "You should do background checks to find out if an individual has not been completely forthcoming on their resume," Lemay said.
Lemay said many companies hire outside security firms to do threshold tests and periodic audits on their operations and staff. These audits can detect and identify any fraud motivators, such as someone with a criminal background or a history of suspicious behavior.
"Employers have no place probing the private lives of employees," said Jay Stanley, a privacy expert and spokesman for the American Civil Liberties Union. "Background checks and credit checks can be legitimate in some cases, but it can be over-used."
Stanley said the routine monitoring of corporate e-mail accounts is acceptable so long as employees are aware of the monitoring, but there are limits to what can be done in the name of security. Excessive surveillance includes monitoring private, non-corporate e-mails of employees and searching an employees' MySpace, Facebook or personal webpages to see if they're speaking ill of the company or the boss.
Firing or reprimanding an employee because of a personal blog is a violation of their First Amendment rights, Stanley said. Employees should have freedom of speech unless it directly interferes with their job performance or other the job performance of other employees.
"The First Amendment applies to government, not to private companies, but it can become an abuse of corporate power," Stanley said. "Electronic surveillance needs to be narrowly tailored, or else it becomes a tool for spying on employees."
Congress is currently considering new surveillance legislation that would require private companies to turn over information to the government.
President Bush said the threat from cyberterrorism is real, and every day Congress delays in passing this legislation could put the country in danger.
Global criminal activity is highly organized and automated, according to a Federal Bureau of Investigation agent who identified himself as Mike McKeown.
"Cybercrime has no geographical boundaries," McKeown said. "In some cases, we have brought our FBI laws to other countries that didn't have cyber crime regulations, like Estonia. A lot of Internet fraud and social engineering is coming from Romania."
McKeown said an example of sophisticated fraud technology is a PDF attachment in an e-mail message that when opened, downloads a keystroke logger and records everything you type. Other cybercrooks will sit in a business center and steal credit card numbers over the wireless network. They will then trade that credit card information with other crooks, McKeown said.
Companies should be careful not to get complacent with fraud protection technology and should consider making an ongoing investment to protecting against fraud, said Charles Hawkins, vice president and senior director of the regulatory management department of the transfer agency division for PFPC Inc.
"As soon as you think you have it down, you are falling behind," Hawkins said. "If you think you have it nailed, you don't."
(c) 2008 Money Management Executive and SourceMedia, Inc. All Rights Reserved.