An appropriate fate — Ocean Bank fined $11 million for poor controls in latest fraud case
As my grade 11 accounting teacher used to say, “It all comes out in the wash!” And he was right. Sooner or later, things have a way of “righting” themselves. When you’re in a tough situation and life doesn’t seem fair, this statement is not always easy to believe. But in my experience, somehow, in due time, fate seems to find a way to resolve matters or shine a light on the truth to bring some form of due justice.
Such is the case of Ocean Bank, a Florida-based financial institution, whose fraud detection measures were so poor in 2009 it cost one of its customers more than $360,000. Well, Ocean Bank is involved in another fraud investigation. The FDIC teamed up with other crime-control agencies to fine Ocean Bank almost $11 million in AML fraud violations. This time, Ocean Bank is accused of failing to detect suspicious transaction activity within their systems, having “insufficient policies, procedures and systems in place to assess and mitigate the risks.” In addition, Ocean Bank failed to train staff appropriately in fraud detection.
If you’ve been following news and happenings in the online fraud and cybercrime space (or reading my blogs), you may recall that a court ruling determined Ocean Bank was “not guilty” in the original, highly publicized ACH fraud case. While the judge concluded Ocean Bank had not deployed appropriate security measures to protect their clients, he indicated that Patco Construction, Ocean Bank’s client, was ultimately responsible for the more than $360,000 fraud loss.
To me, and many others in the industry, this seemed dead wrong. Even though the judge conceded that Ocean Bank had poor security measures — “The Bank would have more effectively harnessed the power of its risk-profiling system if it had conducted manual reviews in response to red flag information instead of merely causing the system to trigger challenge questions.” — he still ruled that Patco had “agreed” to the bank’s poor security measures when it signed the contract. I think it’s quite sad when people expect small businesses to be experts in cybercrime security and a judge rules caveat emptor.
It’s encouraging to see the story didn’t end there. That perhaps fate had been running its course. While it’s unfortunate that financial organizations such as Ocean Bank are reluctant to invest in effective security systems to protect their customers and address compliance laws, it’s comforting to know regulators are doing their best to enforce the law. It will, however, be interesting to see how Ocean Bank’s FFIEC audit goes in January.