The threat from within: Managing insider...

By Dale Kasprzyk, Matthew Haslinger and Eric Wischman

Banking is a relationship business. Whether it’s working with customers face to face in a branch or supporting their needs via a mobile application, one of the most important factors customers consider is the trust they place in our financial institutions (FIs) to address their needs with professionalism and an inherent sense of responsibility.

This article is the cover story for the July-August 2025 edition of ABA Risk and Compliance Magazine.

Although most employees recognize the important role FIs play in communities and the importance of their trusted relationships with customers, FIs are at risk of insiders [1] taking advantage of the access, data and tools at their disposal and in doing so engaging in illicit activity.

Insider threats may be one of the most insidious risks facing banks today. Although FIs have invested in systems designed to detect and prevent threats emanating from external illicit activities, the threat from within is often underestimated.

Recent enforcement actions related to Bank Secrecy Act/Anti-Money Laundering/Countering the Financing of Terrorism (BSA/AML/CFT) have revealed that insider threats can undermine even the most robust anti-financial crimes programs. Insiders with deep knowledge of banking processes coupled with access to sensitive systems and data can facilitate or conceal illicit activities, highlighting the importance for FIs to develop the capabilities necessary to manage insider threats.

What are insider threats?

Employees serve as the backbone of our FIs. The execution of responsibilities and tasks inevitably exposes the FI to issues and risks. While it’s typical that human resources works closely with FI management regarding employee performance issues, many FIs rely upon conduct/ethics functions, often residing within HR, risk management or a combination thereof, to address conduct and ethical issues that require additional attention.

These violations of the FI’s code of conduct often consist of risks that are more nuanced and require independent evaluation, such as potential conflicts of interest, review of employee political activities, and improper usage of FI-owned electronic devices. Although any employee issue could lead to an insider threat investigation, in most cases employee performance and conduct/ethics issues do not rise to the level of an insider threat.

An insider threat incident is a willful or intentional action by an employee, board member, contractor, or affiliated party that exploits access to FI systems, processes, facilities or data, resulting in financial crime such as committing fraud or facilitating illegal or illicit activity. Insider threat issues that make the leap from unethical to illegal carry operational, reputational and/or regulatory risk and represent the most severe forms of employee misconduct on the spectrum. Examples of insider threat activity include:

  • Fraud and theft;
  • Money laundering and sanctions violations;
  • Bribery and corruption; and
  • Misconduct that enables information security leaks.

The FDIC definition of “insider abuse” in the context of filing a Suspicious Activity Report (SAR) provides the closest regulatory definition:[2] “whenever the bank detects any known or suspected federal criminal violation, or pattern of criminal violations, committed or attempted against the bank or involving a transaction or transactions conducted through the bank, where the bank believes it was either an actual or potential victim of a criminal violation, or series of criminal violations, or that the bank was used to facilitate a criminal transaction, and the bank has a substantial basis for identifying one of the bank’s directors, officers, employees, agents, or other institution-affiliated parties as having committed or aided in the commission of the criminal violation, regardless of the amount involved in the violation.”

Insider threats within FIs can take many forms, presenting significant risks due to the privileged nature of the insider’s system access and knowledge of internal processes. These are categorized as malicious, compromised, or negligent:

Malicious insiders. Intentionally misuse their access to steal data, disrupt operations, or harm the organization (e.g., fraud, espionage). They may be disgruntled employees, corporate spies, or those manipulated by external adversaries. In some instances, this may be the result of an employee being under personal financial strain.

Compromised insiders. Those with legitimate access whose credentials or devices have been taken over by external attackers. These attackers use the compromised insider’s access to infiltrate the organization and execute malicious activities while posing as authorized users.

Negligent insiders. Unintentionally and unwittingly cause security breaches due to recklessness or lack of awareness, such as succumbing to phishing attacks, inadvertently disclosing sensitive information on public platforms, or using weak passwords.

Common typologies

Once predominantly viewed as a cybersecurity or physical security issue, insider threat risks have evolved to include significant financial-crimes-related risks for FIs, due to the increasing complexity and sophistication of internal misconduct driven by advancements in technology and the connectivity of people through the internet and other electronic platforms.

Roles with increased risk include high-turnover positions that involve regular customer interaction, such as branch personnel, who frequently handle sensitive customer data and have access to critical systems. All employees in such roles are more likely targets for external bribery or manipulation by virtue of this access.

Further, the growing prevalence of remote work has increased the risk. With employees working from dispersed locations, banks face challenges in monitoring access to sensitive systems and detecting unusual activities. Physical separation from workplace controls, such as supervised environments and secured networks, increases the risk of unauthorized data access or theft. Remote work also heightens the potential for employees to misuse confidential information, as they may have access to critical systems from less secure settings, personal devices or networks. Additionally, reduced face-to-face interaction can weaken workplace culture and employee accountability, potentially leading to disengagement or resentment that may serve as motivating factors for misconduct. Examples include:

Risk mitigation strategies

Training and tone from the top. Senior executives and directors play a pivotal role in setting expectations for ethical behavior and fostering a culture of transparency and accountability. Leadership and tone from the top ensure an appropriate level of focus and resources are applied to addressing insider threats at an FI. When insider threat prevention is prioritized, it sends a clear message that protecting the bank’s assets, customers, and reputation is a shared responsibility. This commitment must be reflected in consistent policies, adequate resources for detection and prevention programs, and visible support for employees reporting concerns. A strong tone from the top also builds trust, ensuring employees understand the seriousness of insider threats and feel confident that leadership will address issues fairly and decisively. This alignment between leadership and action strengthens the bank’s resilience against internal risks.

By implementing robust training, FIs equip staff with the knowledge to recognize potential insider threat indicators, emphasize the “see something, say something” principle, give clear direction on where to report unusual or suspicious activity, and remind those who may engage in such activities of expectations and consequences.

Ownership. Insider threat risks span various control channels at financial institutions, including cybersecurity, conduct and ethics functions (e.g., employee hotline), human resources, fraud monitoring and prevention, BSA/AML/CFT, physical security, and business operations. Because ownership of these critical functions is siloed across an FI, designating an owner who is responsible for implementing an enterprise-wide approach to managing insider threat risk serves as a critical initial step. The owner should have the authority to assess risks and control coverage across departments and advocate for necessary control enhancements. The owner ensures a unified strategy, fostering collaboration and promoting the implementation of robust, organization-wide control enhancements. Ambiguous ownership increases the risks of insufficient communication, education, governance, transparency and prioritization of enhancements.

Communication protocols. Cross-functional collaboration is essential. A hub and spoke communication model will likely serve as a highly effective design for fostering strong communication between the various stakeholders. (See below: Insider threat hub and spoke communications model.)

This concept centralizes the investigation function (the “hub”) while also leveraging the specialized identification practices, knowledge and data from key stakeholder areas (the “spokes”). By breaking down silos and promoting a unified strategy, the hub and spoke model improves the detection and mitigation of insider threats, ensuring that risks are identified and addressed more comprehensively. [3] This also allows standard risk management practices to take hold and support the structure, such as procedures across all stakeholder functions that provide clarity on roles and responsibilities and the types of behaviors or typologies that require notification to a centralized investigation function.

Identification and monitoring. All stakeholders play an important role in the identification of and monitoring for insider threats by serving as critical referral sources for investigation. It is essential that there is a workflow in place to receive and process referrals quickly and that investigations are completed within an established timeframe.

Examples include:

By closely observing behavioral patterns, both through systemic monitoring and observation of concerning behaviors, organizations can identify potential risks before they escalate. Common red flags for insider threat include:

  • Access and security bypass attempts. Repeatedly accessing sensitive or irrelevant data outside the employee’s job function, disabling security alerts and fraud detection controls to evade monitoring, and ignoring or bypassing IT security protocols and protections.
  • Behavioral changes. Negativity toward the FI, financial stress, and avoidance of management.
  • Collusion and employee manipulation. Coordinated fraudulent activity between employees and attempts to recruit colleagues by requesting login credentials or encouraging security violations.
  • Unauthorized data transfers. Printing, downloading or emailing to external addresses large amounts of sensitive data without justification, or sending customer information to personal email accounts or external storage.
  • External communication. Using personal devices and encrypted messaging apps to communicate with external parties.
  • Collusion and unusual transactions. Frequent small withdrawals, large cash transactions, repeated wire transfers inconsistent with normal behavior, or customer complaints about unauthorized account changes can indicate insider threats.

Irresponsible handling of access and data. This includes sending confidential customer or company information to the wrong recipient, storing sensitive data on unsecured devices, or sharing credentials with unauthorized users. It also includes accidentally posting internal documents, customer information, or trade secrets on social media, personal websites, or public forums. Using weak or reused passwords, failing to update credentials after security incidents, ignoring security training, and neglecting to report lost or stolen devices all weaken an organization’s defenses against cyber threats. These vulnerabilities are compounded by careless actions such as leaving company laptops or documents in public places, allowing unauthorized individuals into restricted areas, or improperly disposing of sensitive paperwork.

Phishing and social engineering attacks. Clicking on suspicious links, downloading attachments from unknown senders, providing credentials to fraudulent emails, ignoring security warnings, or engaging with unsolicited messages can lead to data breaches and compromised accounts.

When issues are identified

Centralized investigation function. Given the complexity of insider threat risks, it is highly recommended that the owner or a team is designated as the central point for all insider threat investigations. The investigations team needs to have full access to information regarding these employees and various stakeholders will need to support their investigation activities. This team would reside in the area where it best fits in an organization. Options include BSA/AML/CFT investigations, fraud investigations, operational resilience or conduct and ethics teams. Although this function may be part of a larger team, the person or team needs to operate separately from the rest of their group (e.g., separate case management access, separate network drives) to maintain discretion given the sensitive nature of insider threat investigations.

Critical to investigation efforts is the availability of comprehensive audit data across core accounting systems. This data provides a detailed and objective record of employee actions, enabling institutions to detect anomalies, trace unauthorized activities, and ensure accountability. Without such visibility, critical warning signs may go unnoticed, leaving institutions vulnerable to internal risks that could undermine their operations and compliance efforts.
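The red flags listed above (access outside a job function, disabling alerts, bulk or external data transfers) are the kind of signals that the core-system audit data described here can surface mechanically. The following is an added example, not code from the article or from any of the authors’ institutions: a small rule-based screen in Python over a constructed, pipe-delimited audit log. The log format, the role-to-record-type scope table, the mail domain `example-bank.test`, and the thresholds (`BULK_EXPORT_THRESHOLD`, `OUT_OF_SCOPE_THRESHOLD`) are all assumptions chosen for illustration; a real deployment would derive them from the FI’s own entitlement model and tune them against its own data.

```python
"""Rule-based screening of constructed core-system audit records for the
insider-threat red flags discussed in the article. Added example; every
format, name and threshold below is an assumption, not a bank's real data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

INTERNAL_DOMAIN = "example-bank.test"  # assumption: the FI's own mail domain
BULK_EXPORT_THRESHOLD = 500            # assumption: records per export that warrants review
OUT_OF_SCOPE_THRESHOLD = 3             # assumption: distinct out-of-scope records per user per day

# Assumed entitlement model: which record types each job function legitimately handles.
ROLE_SCOPE = {
    "teller": {"deposit_account"},
    "loan_officer": {"loan_account", "credit_report"},
    "fraud_analyst": {"deposit_account", "loan_account", "alert_config"},
}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    role: str
    action: str        # view | export | email | config_change
    object_type: str   # e.g. deposit_account, alert_config
    object_id: str
    detail: str        # "to=<recipient>", "count=<n>", "disabled", or empty


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    evidence: str


def parse_line(line: str) -> AuditEvent:
    """Parse one constructed audit line: ts|user|role|action|object_type|object_id|detail."""
    parts = line.strip().split("|")
    if len(parts) != 7:
        raise ValueError(f"malformed audit line: {line!r}")
    ts, user, role, action, obj_type, obj_id, detail = parts
    return AuditEvent(datetime.fromisoformat(ts), user, role, action, obj_type, obj_id, detail)


def screen(lines) -> list[Alert]:
    """Apply four red-flag rules to a sequence of audit lines and return the alerts raised."""
    events = [parse_line(line) for line in lines if line.strip()]
    alerts: list[Alert] = []
    out_of_scope = defaultdict(set)  # (user, date) -> ids of records outside the role's scope

    for ev in events:
        # Rule 1: repeated access to data outside the employee's job function.
        if ev.action == "view" and ev.object_type not in ROLE_SCOPE.get(ev.role, set()):
            out_of_scope[(ev.user, ev.ts.date())].add(ev.object_id)
        # Rule 2: customer data emailed to an address outside the FI's domain.
        if ev.action == "email" and ev.detail.startswith("to="):
            domain = ev.detail[3:].rsplit("@", 1)[-1].lower()
            if domain != INTERNAL_DOMAIN:
                alerts.append(Alert("external_transfer", ev.user, f"{ev.object_id} mailed to {domain}"))
        # Rule 3: bulk export without a volume that the role would normally need.
        if ev.action == "export" and ev.detail.startswith("count="):
            count = int(ev.detail[6:])
            if count >= BULK_EXPORT_THRESHOLD:
                alerts.append(Alert("bulk_export", ev.user, f"{count} {ev.object_type} records in {ev.object_id}"))
        # Rule 4: a fraud or security alert rule switched off; always worth a second look.
        if ev.action == "config_change" and ev.object_type == "alert_config" and ev.detail == "disabled":
            alerts.append(Alert("control_bypass", ev.user, f"{ev.object_id} disabled"))

    # Rule 1 is evaluated per user and day so one stray lookup does not raise an alert.
    for (user, day), ids in out_of_scope.items():
        if len(ids) >= OUT_OF_SCOPE_THRESHOLD:
            alerts.append(Alert("out_of_scope_access", user, f"{len(ids)} out-of-scope records on {day}"))
    return alerts


# Constructed sample log: one teller browsing loan and credit records it has no role for,
# then mailing a customer record home; a loan officer exporting 1,200 records; a fraud
# analyst disabling a monitoring rule; and one benign internal email for contrast.
SAMPLE_LOG = """\
2025-06-03T09:12:44|u1042|teller|view|deposit_account|DA-1001|
2025-06-03T09:13:10|u1042|teller|view|loan_account|LN-2001|
2025-06-03T09:14:02|u1042|teller|view|loan_account|LN-2002|
2025-06-03T09:15:31|u1042|teller|view|credit_report|CR-3001|
2025-06-03T10:02:00|u1042|teller|email|deposit_account|DA-1001|to=u1042.home@mailbox.test
2025-06-03T11:40:12|u2077|loan_officer|export|loan_account|BATCH-1|count=1200
2025-06-03T12:05:55|u3090|fraud_analyst|config_change|alert_config|RULE-CASH-STRUCT|disabled
2025-06-03T13:00:00|u2077|loan_officer|view|loan_account|LN-2003|
2025-06-03T13:30:00|u3090|fraud_analyst|email|loan_account|LN-2003|to=colleague@example-bank.test
""".splitlines()

if __name__ == "__main__":
    for alert in screen(SAMPLE_LOG):
        print(f"{alert.rule:<20} {alert.user:<6} {alert.evidence}")
```

Each alert carries the user and the specific evidence so it can be handed to the centralized investigation function as a referral rather than a bare score. The rules are deliberately simple; the point is that audit data with a stable schema (who, what record, what action, when) is what makes even simple rules possible, and a gap in that data leaves the corresponding red flag invisible.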

External reporting. Financial institutions have an obligation to file Suspicious Activity Reports (SARs) on insiders engaging in unlawful activities or even lawful activities that may unjustly benefit the individual. More specifically, banks are required to file SARs whenever they detect suspicious activity that involves potential “insider abuse,” such as fraud, embezzlement, or misuse of an insider’s access to sensitive financial information or systems for personal gain, regardless of the size of the personal transaction.[4] Filing SARs on insider abuse helps ensure compliance with BSA/AML/CFT regulations and supports law enforcement in investigating and preventing financial crime.

In addition to the federal reporting requirements, FIs should be mindful of state laws, such as the obligations of New York State FIs to file Reports of Apparent Crime and Misconduct with the New York State Department of Financial Services (NYDFS) in response to certain insider threat events.

Law enforcement engagement. The relationship between FIs and law enforcement is crucial. FIs must take all subpoenas and other direct referrals from law enforcement involving employees very seriously as these are instances where law enforcement is already investigating the employee. Law enforcement expects FIs to work with them in support of their investigations. It is recommended that when an FI chooses to file a SAR on an employee, law enforcement is contacted, underscoring the intent of the FI to work closely on these matters. Separate from coordination that occurs during the normal course of investigations, it is recommended that FIs develop relationships with law enforcement, better understanding their needs and opening the door to improved communication.

Internal reporting and transparency. Executive leadership and the board should be apprised of insider threat investigation volumes, employee SAR filings, and the specific details and outcomes of investigations. While this ensures transparency at the appropriate level, the investigations and outcomes should remain highly confidential within the FI and be shared with others only on a “need to know” basis.

Final thoughts

An insider threat event may have far-reaching negative consequences, which include:

  • Direct losses to the customer and FI;
  • Reputational risks, as customers, investors, and the community may lose confidence in the FI’s ability to protect sensitive information and manage internal and customer data, resulting in loss of revenue;
  • Regulatory risk, as failure to detect and prevent insider threats can lead to heightened scrutiny from authorities, potential sanctions, tighter oversight and lead to safety and soundness concerns;
  • Compliance violations, such as breaches of anti-money laundering (AML) or data protection regulations, can lead to penalties, legal settlements and increased operational costs; and
  • Erosion of employee trust and harm to the organization’s culture.

Regulatory enforcement actions, citing weaknesses in internal controls or insider collusion, underscore the critical need to address insider risk explicitly. By integrating insider threat detection and investigation into a coordinated and well-communicated process, FIs reduce the risk stemming from insider threats. Addressing insider threats requires a comprehensive approach that combines strong leadership, robust controls, and an informed, proactive workforce. By implementing these best practices, financial institutions can better safeguard themselves against the risks posed by insider threats, ensuring compliance and protecting both customer trust and institutional integrity.

Dale Kasprzyk is the Head of the BSA Financial Investigations Unit (FIU) at M&T Bank. Dale oversees all FIU operational areas including Transaction Monitoring Investigations, Complex Investigations, FIU Fraud Investigations, Insider Threat, Targeted Analytics and Support teams (Quality Assurance, Training and SAR filing). Before joining M&T Bank, Dale worked as a Special Agent with the Drug Enforcement Administration (DEA). His career with the DEA included assignments as a Special Agent, Group Supervisor and as the Resident Agent in Charge of the DEA Office in Buffalo, NY. While working in Federal Law Enforcement, Dale often partnered with other law enforcement agencies on investigations targeting the distribution of heroin, cocaine, prescription drugs and other controlled substances. Reach him at [email protected].

Matthew Haslinger is Chief BSA/AML and Sanctions Compliance Officer at M&T Bank. He is an experienced attorney with a demonstrated history of working in the financial services industry, particularly as it relates to Bank Secrecy Act and OFAC operations and management, legal compliance, banking, arbitration, law enforcement, and trial practice. He is also Co-Chair of the Greater Buffalo ACAMS Chapter. Matthew holds a Doctor of Law (J.D.) focused in Criminal Law from George Mason University School of Law. Reach him at Linkedin.com/in/matthew-haslinger-esq-cams-06a6796a/.

Eric Wischman is an Executive Vice President at M&T Bank, serving as its Climate Risk Officer and Conduct Risk Senior Director. In his 24 years with M&T Bank, he has served in various risk management roles, including BSA/AML/OFAC Officer and Enterprise Risk Director responsible for developing and implementing the Bank’s risk framework. His experience includes working closely with the Risk Committee of the Board of Directors and members of executive leadership. Eric is a member of the Risk Management Association (RMA) Climate Risk Consortium, Bank Policy Institute Climate Working Group, ABA Climate Task Force, RMA Conduct and Culture Working Group and the Federal Reserve Bank of New York Financial Services Industry Culture and Behavior Risk Forum. He has a Bachelor of Environmental Science and MBA from St. Bonaventure University. Reach him via email at [email protected] or by telephone at (716) 984-2028.

Endnotes

1. A bank’s directors, officers, employees, agents, or other institution-affiliated parties.

2. https://bsaaml.ffiec.gov/docs/manual/regulations/12CFR353.htm

3. Rikkf Snyder, “Starting the Journey into Insider Threat: Essential Resources and Guidance,” LinkedIn, February 2025.

4. See 31 USC 5318(g), 31 CFR 1020.320 and FinCEN’s SAR Filing Instructions.

Resources

Center for Development of Security Excellence – Insider Threat Awareness Toolkit
cdse.edu/Training/Toolkits/Insider-Threat-Toolkit/

Cybersecurity and Infrastructure Security Agency – Insider Threat Mitigation Resources
cdse.edu/Training/Toolkits/Insider-Threat-Toolkit/

Training: Reg O
aba.com/training-events/online-training/loans-insiders-reg-o-for-compliance-professionals