In our firm’s recent assignments, we’ve faced several fraud schemes at our client companies because of poor bank account management. We’ve been amazed at the lack of internal controls. We observed these frauds on several continents, regardless of the maturity of company internal controls. In some cases, companies have lost a great deal — in finances and reputation. Executives in these companies, including the boards, have, of course, reacted strongly.
Here I’ll share the “best of breed” cases, the schemes to credit the accounts and best practices to mitigate the risk of fraud occurrence.
Cases involving unofficial bank accounts, hidden accounts and guarantees
Unofficial bank accounts
During a fraud examination, we found several “unofficial bank accounts” at a client’s firm. The firm’s corporate treasury team members and the new local management said they knew nothing about the accounts.
The former managing director of our client, whom the company terminated before our field work, had created the accounts with customer payments that he skimmed or to which he’d added VAT (value-added tax) reimbursements. The former managing director used the funds mainly for private expenses. We observed strong collusion between the managing director and the bank sales representative.
Indeed, the former managing director secretly owned other companies; the bank also managed those accounts. The financial turnover of those companies was significant; therefore, the bank considered the managing director an important customer.
The client’s bank refused to give us information about the accounts despite appropriate proxies signed by the group CEO. Also, we were puzzled that the bank ignored our requests to change the list of bank signatories for the official bank accounts.
The challenge for the client’s new management has been to take control of the bank accounts (official and unofficial) because the bank hadn’t considered and activated the signatories’ updates for the previous year.
Hidden accounts
In another case, during a cross-inventory of bank accounts in which we compared lists provided by banks and group branches, we detected that many banks’ corporate treasury departments weren’t aware of several hidden accounts created by branch CEOs that only they could control. Some of these CEOs also acquired shares in real estate (e.g. parking space) and credited the rent (a few thousand euros annually) in the bank accounts. Some of the CEOs had resigned, but the accounts were still active, and the signatories were also obsolete. Management had to take control over all the bank accounts to ensure such risk wouldn’t occur again.
Bank guarantees
Finally, in several cases, we detected high financial risks due to bank guarantees — assurances that banks would meet debtors’ liabilities.
We observed that the local management of our clients had requested bank guarantees without authorization. In some cases, personnel who lacked proper bank authority requested the guarantees. An employee can commit fraud if they request a guarantee, ask the bank to credit any bank account (ideally, an individual one) and then withdraw money.
A fraudster will use unofficial bank accounts to:
- Build a cash reserve that the company doesn’t control. The perpetrators use the reserve for inappropriate or personal expenses (gifts, travels, entertainment), including kickbacks in kind (hotels, airline tickets) or in cash.
- Increase the profit-and-loss margin by paying professional expenses that aren’t accounted for in the company statements. We observed significant amounts allocated to purchasing stationery or to throwing parties for employees and customers. Some employees were paid additional “salaries” in cash, or in vouchers, by using cash from those unofficial petty cash accounts.
Common schemes using unofficial accounts
VAT reimbursement: Say the VAT administration requests the company to pay 100 euros in VAT. The fraudster pays 120 euros and claims a month later that the company mistakenly overpaid and demands 20 euros back, which he deposits into an unofficial bank account.
Forged letter: A fraudster will forge a letter to the bank purportedly from the tax administration office that requests an additional payment to the fraudster’s unofficial bank account.
Customer payments: We faced this more complex scheme in companies that had decentralized governance. Here, the managing directors would take the direct responsibility of contract writing and negotiation. The company bank account must be written in the contract and can’t be changed for its duration. However, the managing director would provide his own unofficial bank account in the contract. Some customer payments are then deposited into that personal account.
Common schemes for retrieving cash from official bank accounts
During these company reviews, we also identified various schemes to retrieve cash from official bank accounts, which the fraudsters sometimes credited afterwards in the unofficial bank accounts. Though most of the clients’ countries enforce cash regulation laws, we noticed significant recurrent credits and debits in cash in bank statements unbeknownst to bank representatives.
Ghost employees scheme: Fraudsters use names of fictitious employees to credit unofficial petty cash but also some unofficial bank accounts.
Currency exchange scheme: While traveling, a managing director would withdraw a small currency amount from an official bank account. When they were back home they’d submit only the bank withdrawal receipt because they’d know that upper-level management wouldn’t review their expense reports. We discovered that they’d only use a part of the currencies for travel expenses.
Hotel invoice scheme No. 1: Customers in some hotels might request cash from the reception desks in countries where ATMs aren’t numerous. Withdrawals would then appear in hotel invoices. However, a fraudster submits only the first page of the invoice in their expense report, which wouldn’t include the cash withdrawal.
We’d require the full hotel invoices and compare them to those that the employees had attached in their expense reports. What a difference!
(Some of the fraudsters had changed customer names on the forged hotel invoices, but that’s another story.)
Hotel invoice scheme No. 2: A fraudster would make an early payment to a hotel abroad but would purposely give an amount much higher than the final hotel invoice. At the end of the stay, the fraudster would ask the hotel for reimbursement of the difference by cash or wire transfer to an unofficial bank account. The fraudster would attach the original wire transfer receipt instead of the final invoice to the expense report.
We discovered this scheme when we requested detailed hotel invoices from a client company. The fraudster gave the excuse that he’d used the extra money for taxis or other business expenses.
Detection methods
We detected unofficial bank accounts and related schemes by using variations of methods found in the ACFE Fraud Examiners Manual.
We conducted several interviews in relaxed, comfortable environments during lunch. For example, the accounting clerks at the client firm in the opening fraud examination in this column eventually felt relaxed enough to report their fraud “wonders.”
In one case, bank representatives had mentioned in telephone conversations the existence of other bank accounts. However, the bank wasn’t aware that those accounts were unofficial because they’d been opened under the legal entity name. They shared with us that they sometimes mistakenly received statements from the unofficial accounts.
We began this fraud examination after we observed some of the fraudster’s mistakes during bank reconciliations. For example, to hide an overdraft in an official bank account, the fraudster had to perform a wire transfer from the unofficial bank account, but both bank accounts had the same legal entity name.
During other fraud examinations, we often find unofficial paper folders when we inspect file cabinets. In another case, the fraudster had kept all his documents in just one paper folder. However, a staff member in charge of processing the payments, but not complicit in the fraud, decided to copy potential evidence, which included unofficial bank receipts.
Recommendations and best practices
After the close of our fraud examinations, we offer management best practices and suggestions for strengthening internal controls.
Corporate relationships: Companies should define their corporate relationships to their banks to prevent collusion and ensure adequate management. They should devise and implement controls to prevent and detect conflicts of interest and communicate to employees adequately and regularly. Also, a company’s corporate treasury should ensure that representatives to local banks are regularly rotated.
Bank signatories: Companies’ bank signatories should be a mix of local employees and corporate representatives, especially when bank accounts are abroad, to prevent collusion and unexpected delays when banks request updates about signatory lists and powers.
Knowledge of all bank accounts: A company should ensure that each framework agreement signed with its banks includes an annual report of all bank account details. When possible, it should also ensure that the banks inform it each time a bank account is created with the name of one of its legal entities.
Bank powers’ restriction: Companies should define signatories’ restrictions such as when, how and how much cash they can withdraw; plus when and how they can request payment cards, check books, guarantees on debts, e-banking access, etc. A double-signature process should govern all withdrawals and payments.
Sales-skimming prevention: A bank should have people outside the local branch regularly and randomly review customers’ contracts, including the account details in the customers’ contracts and invoices.
Cash credit and debit restriction: Companies and their banks should detect and justify cash movements. We encourage the restriction of cash transactions as much as possible.
Closing of bank accounts: Companies must close inactive accounts. Moreover, when a company renames a bank account because of brand changes, it must change all related bank accounts. We often find many active accounts with the former name of the legal entity that should be inactive.
Centralization of bank-guarantee management: Only two bank employees, under the CFO’s direct management, should manage bank guarantees. If possible, those people shouldn’t have any other powers, such as wire-transfer or cash-withdrawal capabilities.
Strong bank account management and supervision
We’ve been surprised that these problems in banks and their corporate customers have led to fraud. Strong and efficient internal controls and bank account management, as always, can help prevent the types of frauds we describe here. However, corporate customers’ strong relationships with their banks are as important as strong internal controls, if not more. It might be difficult for a bank to detect an unofficial account created by an official bank signatory who’s also the managing director of the branch. Therefore, top executive bank management, including boards of directors, must be confident that they are doing all they can to keep tabs on all their accounts.
Damien Chaminade, CFE, is senior manager at Mazars Consulting in France. He can be reached at: https://fr.linkedin.com/in/damienchaminade.