Financial services institutions are learning the hard way that threats don't just come from the outside. Bad-apple employees can be even more damaging than external threats. A new database designed to track rogue workers gives financial institutions a protective edge. Plan to add this resource to the enterprise's hiring toolkit.
The Threat From Within
The common assumption that most security threats to financial services organizations come from the outside has been shattered:
- Statistics from Deloitte show 35% of companies were attacked by an internal source in 2004, up from only 14% in 2003.
- In April 2005, Bank of America and Wachovia were among the high-profile victims of an identity theft scam that exposed the confidential information of almost 700,000 clients. Of the nine people arrested, eight were bank employees.
Info-Tech concludes that banks must address the internal threat on a priority basis or risk high-profile exposure.
Fraud-Artist Employees Losing Ability to Hide
Up until now, employees dismissed under a cloud of suspicion from one institution could easily apply to work anywhere else. Because of technology limitations and privacy concerns, banks did not share background information on suspicious employees. Tracing the past history of employees suspected of defrauding other institutions ranged from difficult to impossible.
Although employers have traditionally caught potentially troublesome hires through criminal background verification, employee-related fraud that did not result in criminal prosecution stayed below a prospective employer's radar.
Database to the Rescue
The non-profit industry group, BITS, is building a consolidated resource that will allow its member institutions to share information on potential hires. The consortium is made up of 100 of the largest financial institutions in the U.S., including JPMorgan Chase and Wachovia. The self-described goal of BITS is to leverage the expertise of financial services CEOs to address emerging issues where financial services, technology, and commerce intersect.
The new database will contain information on financial institution employees who were fired because they either compromised client data or willingly caused legal exposure and financial losses. The database will go live around mid-2006.
Info-Tech believes the stage has been set for future legal challenges revolving around the criteria for adding employees to the database. False-positive cases could potentially result in legal exposure for the institutions involved. Securing the database, given its availability to the broader financial community, will be another significant concern.
Recommendations
1. Identify sensitive roles and areas. Not all jobs within the organization touch client data. Increased rigor should apply only to those roles that come into contact with personal information. Ensure this is categorized within each job description in the enterprise.
2. Review current hiring verification steps. All financial services institutions should already be conducting at least basic background checks on all employees who will be working with client data. Criminal background checks should include fingerprinting and related screening methods.
3. Look at current staff. If existing staff in sensitive roles have not yet been subject to basic background verification, do so immediately.
4. Challenge contractors. Firms that supply temporary contract labor should subject their employees to the same level of scrutiny that the bank applies to its own. Firms that fail to do so must be dropped from consideration.
5. Assess weaknesses. Determine where potential gaps in oversight and control can be found. Enlist data security experts to re-evaluate efforts from an internal perspective.
6. Identify additional business benefits. Increased verification rigor at hiring time increases the likelihood of successful employee integration into the firm. Reduced churn can significantly reduce staffing costs and minimize productivity hits to the enterprise.
7. Identify the costs of failure. Damage to the institution's reputation in the event of a breach could far exceed the already-high quantifiable costs.
Bottom Line
Enemies don't just exist outside the enterprise firewall - they work in the cubicles down the hall as well. Be prepared to implement the new BITS database as soon as it is available in mid-2006.