August 12, 2011, 1:16 PM — Citigroup has made the news twice in recent weeks for allowing perfect strangers to walk unaccosted through banks of its data – visitations that caused a total of more than 450,000 customer account numbers to be taken or compromised.
Yesterday, news broke that Citigroup had been fined $500,000 for negligent and lax security in allowing two insiders to walk off with a total of almost $20 million – in one case over the course of eight years.
The fine comes not from the feds, but from the Financial Industry Regulatory Authority (FINRA) – an industry-funded organization responsible for making sure U.S.-based securities companies stick to both federal regulations and specific guidelines on security and consumer protection.
The fine has nothing to do with the two recent data breaches, however, even though both were accomplished through heist schemes simplistic enough to have been pulled off by most household pets and which shouldn't even have been possible, let alone possible with so little difficulty.
The fines come in response to a pair of insider scams – one lasting eight years, the other involving almost $19 million – that FINRA said Citi never noticed or investigated, despite red flags that should have alerted it early on to each of them.
In one, a Palo Alto, Calif., sales assistant working for Citi subsidiary Smith Barney allegedly skimmed $750,000 from the accounts of 22 customers by falsifying deposit and withdrawal records or making unauthorized trades. FINRA said the employee, Tamara Moon, targeted the elderly or other vulnerable customers for more than eight years, completely undetected by Citi, despite conflicting information in account applications and suspicious fund transfers between accounts whose owners had no connection to one another.
Sounds like the kind of thing that might have been tricky to detect, but for how blatantly obvious some of it should have been:
"...In another instance, Moon created an account in the name of a deceased customer even after Citigroup had been notified that the customer was deceased," FINRA investigators reported. "Moon then created a fraudulent account in the name of the deceased customer's widow. Moon transferred $10,440 from the deceased customer's fraudulent account to the widow's fraudulent account. A few weeks later, Moon had checks issued for $5,000 and $2,500 from the fraudulent account set up in the widow's name to Moon's personal bank account."