Citi was recently fined $500,000 by the Financial Industry Regulatory Authority (FINRA) for its failure to pick up on an employee skimming over $750,000 from the accounts of 22 Citi customers over the last eight years.

When I first read the headline, my initial thought was that this was yet another unfortunate example of an organization that had not set up or maintained appropriate access controls (to grant access only to those who really need it) and that lacked visibility into what activities were actually happening.

Turns out, my initial thoughts were wrong. As part of her job, the employee needed access to the information. And it also sounds like the fraudulent activity should have been visible to Citi:

“FINRA said its investigators had determined that Citi failed to detect or investigate a series of so-called red flags that should have alerted the bank to Moon’s fraudulent use of customer funds.

The red flags included exception reports that highlighted conflicting information in new account applications, as well as customer account records that reflected suspicious funds transfers between unrelated accounts.”

It sounds like, with the systems and exception reports Citi already had in place, they should have detected the suspicious transfers and disbursements in those accounts.
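To make the two red flags in the FINRA quote concrete, here is an added illustration (not code from the original post, and not Citi's or FINRA's actual exception-report logic) of what a minimal exception report over those signals could look like. The accounts, transfers and applications are constructed sample data; the check that groups flagged transfers by the employee who entered them is an assumption added here beyond what the article states, included because a pile of exceptions only becomes actionable once someone notices they concentrate on one person.

```python
"""Toy exception-report checks for the two red flags FINRA cited.

All data below is constructed for illustration. The field names
(owners, entered_by, ssn_last4, ...) are assumptions, not a real schema.
"""
from collections import Counter, defaultdict

# Constructed accounts: account id -> set of customer ids who own it.
ACCOUNTS = {
    "A100": {"cust-1"},
    "A200": {"cust-1", "cust-2"},  # joint account sharing an owner with A100
    "A300": {"cust-3"},
    "A400": {"cust-4"},
}

# Constructed transfers; 'entered_by' is the staff member who keyed it in.
TRANSFERS = [
    {"id": "t1", "src": "A100", "dst": "A200", "amount": 500.0, "entered_by": "emp-7"},
    {"id": "t2", "src": "A300", "dst": "A400", "amount": 9500.0, "entered_by": "emp-7"},
    {"id": "t3", "src": "A100", "dst": "A400", "amount": 1200.0, "entered_by": "emp-9"},
    {"id": "t4", "src": "A300", "dst": "A100", "amount": 300.0, "entered_by": "emp-7"},
]

# Constructed new-account applications; ap1 and ap2 claim the same applicant
# (same ssn_last4) but give different dates of birth.
APPLICATIONS = [
    {"app_id": "ap1", "ssn_last4": "1234", "dob": "1970-01-01", "address": "1 Main St"},
    {"app_id": "ap2", "ssn_last4": "1234", "dob": "1971-05-05", "address": "1 Main St"},
    {"app_id": "ap3", "ssn_last4": "5678", "dob": "1980-02-02", "address": "9 Elm Rd"},
]


def accounts_related(src, dst, accounts):
    """Two accounts are 'related' here if they share at least one owner."""
    return bool(accounts[src] & accounts[dst])


def flag_unrelated_transfers(transfers, accounts):
    """Red flag 1: funds moving between accounts with no common owner."""
    return [t["id"] for t in transfers
            if not accounts_related(t["src"], t["dst"], accounts)]


def flag_conflicting_applications(applications, key="ssn_last4",
                                  fields=("dob", "address")):
    """Red flag 2: applications for the same person that disagree on a field.

    Returns (key value, field name) pairs for every conflicting field.
    """
    by_key = defaultdict(list)
    for app in applications:
        by_key[app[key]].append(app)
    conflicts = []
    for k, apps in by_key.items():
        for field in fields:
            if len({a[field] for a in apps}) > 1:
                conflicts.append((k, field))
    return conflicts


def flagged_by_employee(transfers, flagged_ids):
    """Assumed extra check: how many flagged transfers each employee entered."""
    flagged = set(flagged_ids)
    return dict(Counter(t["entered_by"] for t in transfers if t["id"] in flagged))


def build_exception_report(transfers=TRANSFERS, accounts=ACCOUNTS,
                           applications=APPLICATIONS):
    """Assemble the pieces into the kind of report a reviewer would act on."""
    unrelated = flag_unrelated_transfers(transfers, accounts)
    return {
        "unrelated_transfers": unrelated,
        "conflicting_applications": flag_conflicting_applications(applications),
        "flagged_by_employee": flagged_by_employee(transfers, unrelated),
    }


if __name__ == "__main__":
    for section, rows in build_exception_report().items():
        print(f"{section}: {rows}")
```

Run as a script it prints three sections: the transfers that cross unrelated accounts (t2, t3, t4), the single application conflict (two applications sharing `ssn_last4` 1234 but giving different dates of birth), and the per-employee tally showing that two of the three flagged transfers were entered by the same person. Generating that report is the easy part; the article's point is that someone has to be trained and responsible for reading it.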

This is a reminder that simply investing in technology isn't good enough. A successful deployment must include not only training for the IT department on how to properly install and configure the system, but also training for the end users who are responsible for consuming and acting on the information it provides.