
FORENSIC EXAMINATION REPORT INTO AN

ALLEGED STAFF FRAUD AND MISAPPROPRIATION.

BACKGROUND

Mr. Jay Mathews has been working with ABCX Bank since 2000. He has been working in the Operations
Department of the Bank and has been responsible for reconciliation of ATM records with the journal. In May
2011, a brokerage firm which is a subsidiary of ABCX Bank reported large value transactions in an account
owned by Mr. Mathews. An initial review by Internal Audit indicated that Mr. Mathews had managed to
open 3 customer accounts at ABCX and successfully misappropriate a total sum of KD 1.2 million from ABCX
Bank. While the Audit report confirmed the fraud and the misappropriation of funds, it did not endeavor to
carry out a forensic review of the processes to identify the weaknesses / control failures in the various processes
and departments.

As Head of Compliance, I was tasked to carry out a detailed forensic review of the case and to assess the
efficiency and effectiveness in the related processes, including KYC procedures, transaction reviews, AML
system effectiveness, internal reports handling and other control weaknesses leading towards the failure in
identification / detection of such frauds.

SCOPE

The scope of my review included the following areas:

1. A process journey review, commencing from KYC procedures through to the final reporting / detection
mechanism [restricted to the procedures involved with the 3 accounts opened by Mr. Mathews], to identify
failures of compliance with related bank procedures and controls.
2. Review of the AML system rules and its effectiveness.
3. Review of the ABCX’s AML & Compliance unit’s processes and identify gaps against management
expectations.
4. Review of the Brokerage Company’s Compliance department’s processes relating to AML and verify if their
processes had identified the transactions in the customer’s account.

It is to be noted that the above scope was limited only with regard to the procedures relating to this particular case
and is based on our discussions with Internal Audit and AML & Compliance units in Kuwait. Based on the above
scope, the results of our review are as under:

1. Process Journey

We carried out detailed process review with the relevant departments to understand the complete journey
starting from account opening until transaction processing and its eventual monitoring controls within the
Bank. Based on our review, we noted the following Key processes that are relevant to our review.

a. Account Opening – KYC Customer Due Diligence procedures.


b. ATM Card and PIN Issuance
c. Transaction Processing
d. Reconciliation
e. Transaction Review and Monitoring
f. Reporting / Whistle blowing misses
g. Record Keeping
The various control procedures in each of the above key processes were further analyzed for their
effectiveness, and the overall results were as follows:

a. Account opening review: We identified five key control procedures involved in this process,
viz. customer identification procedure, verification of original IDs, signature verification, name
verification in the AML system, and Branch Manager review. Of these 5 control procedures, we noticed
that the control tests on the first 3 failed, as the subject accounts were opened without the
customer's presence, without verification of the original IDs, and without verification of the customer's signature.

b. ATM Card and PIN Issuance: This process involves two key control procedures, i.e. ATM card delivery
and PIN number delivery. We noticed that both these controls were compromised in the case of the 3
accounts opened by Mr. Mathews. He used his personal influence with the relevant staff to obtain the
ATM card and PIN directly from them.

c. Transaction Processing: There were two key control procedures to review in this process, viz.
authorization for dual access control at the BTM, and segregation of duties (maker & checker control).
We noticed that both these controls were again compromised, as Mr. Mathews had obtained authorization
from the Business Unit Head.

d. Reconciliation: This process involves 2 key controls: reconciliation between the cash replenishment
and the ATM journal rolls, and reconciliation between the ATM (Bancs) and the ATM rolls. While the
reconciliation between cash replenishment and the ATM journal rolls had worked effectively, we noticed that
the second reconciliation, between ATM (Bancs) and ATM rolls, was being carried out by Mr. Mathews
himself. Hence, he successfully managed to hide the reconciliation differences.

e. Transaction Review and Monitoring: The following four key detective control procedures were
reviewed:

i. All transactions above KD 3000 are to be reviewed by the Branch Manager on a daily basis from the
'Cold' System. - We noticed that the Branch manager delegated this responsibility to a personal
banker. The review process failed, as the personal banker did not raise any suspicion to the branch
manager.
ii. Alerts are appropriately reviewed and cleared in the AML system in a timely manner by the
Relationship Officer. – 14 alerts were generated for review through the AML system
between 27 December and 20 January 2011. We noticed that these were neither reviewed nor cleared
by the Relationship Officer until May 2011. The Compliance Department cleared them in May
2011, which is not an acceptable practice.
iii. Compliance oversight and follow up for review and clearance of alerts – We again noticed a
compromise of control here since the Compliance department staff had reviewed and cleared the
alerts, instead of following it up with the Business Unit Head.
iv. Appropriate Rules are built in the AML system to identify and alert High value transactions. - The
system failed to generate any alerts for non-cash deposits in "Individual" Accounts, and the same was
not detected by the Compliance Unit.

f. Reporting / Whistle-blowing misses: The Head of the AML Unit received a call from another bank
enquiring about Mr. Mathews' account conduct and his transactions. This should have raised a red flag
for the MLRO to investigate his account further, or to report the matter to Human Resources for their
investigation. Unfortunately, this process was not followed by the MLRO and, consequently, he failed to
blow the whistle in this case.

g. Record Keeping: Three control procedures relating to the case were reviewed, viz. the authorization form
for ATM card and PIN collection, the transaction vouchers processed by Operations staff, and the AML
system's log of the actual date of alert clearance. We noticed that the authorization letter for PIN and
ATM card collection was missing for 1 account, that internal vouchers were missing for a total transaction value of KD
9,500/-, and that the AML system does not maintain an adequate log to identify the actual date of clearance of
an alert.

The detail of the various processes, highlighting control effectiveness / failures in each area, is shown in
Appendix 1. In summary, the table in Appendix 1 covers 9 preventive controls, 7 detective controls and 3
items classified as audit trail issues. While the control lapses / compromises above represent a
significant number of control test failures throughout the processes, we believe that the majority of these
failures are primarily due to internal staff involvement with a deliberate intent to defraud the Bank. The
control failures may therefore not be an accurate reflection of control weaknesses under normal circumstances.

We noticed that KYC procedures were severely compromised in this particular case, where all 3
accounts were opened without meeting the customer face to face. Mr. Mathews also successfully
managed to obtain the ATM card and PIN directly from the relevant staff the same day, without the
customer's physical presence. This key control failure opened the gateway for Mr. Mathews to
subsequently abuse the weaknesses in the controls in his own and other related areas of operation, owing to his
familiarity with the control weaknesses in these areas.

In addition, the detective control mechanisms, the reviews through Cold system reports and the
AML system alerts, also failed, owing to inadequate review of the Cold system by the Branch Manager, the
lack of timely review of alerts, and the non-generation of specific alerts. Finally, the Head of the AML & Compliance
unit failed to blow the whistle or initiate any investigation following an enquiry from Burgan Bank
received about a month earlier.

2. Review of AML system Rules and their effectiveness

Currently, the ABCX AML system has 9 active rules as listed in appendix 2. Of these, the key rules are:

Rule no. 328 - Alerts for cash transactions exceeding KD 3,000/- on a cumulative basis for ‘Individuals’
Rule no. 327 - Alerts for all transactions exceeding KD 30,000/- in value for ‘Individuals’.
Rule no. 276 - Alerts for cash transactions exceeding KD. 3,000/- for ‘Corporate’ customers; and
Rule no. 315 - Alerts for non-cash credits exceeding KD 50,000/- for ‘Corporate’ customers.

Prior to the introduction of rule no. 328, there was rule no. 324 introduced on 27 October 2010 and active
until 12 February 2011. This rule identified all deposits (cash and non-cash) above KD 3,000/- in ‘Individual’
accounts. However, this rule alone generated large number of alerts within a short period of time (approx
16,800 alerts over 76 working days), and resulted in high accumulation of pending alerts.

On 25 January 2011, the Group Head of Compliance received a request from the ABCX Head of Internal Audit
to review Rule no. 324, following an internal discussion between the Head of Internal Audit, the Head of AML &
Compliance and the DCEO – Risk, Compliance and Operations. The request was then discussed over the phone
with the Head of Internal Audit and the Head of AML & Compliance. The Head of AML & Compliance advised that
the Relationship Officers already review the ‘Cold’ system on a daily basis for all transactions above KD 3,000/-,
so the rule duplicated that effort, pushed the number of alerts to an unmanageable level, and went beyond the
audit recommendation, which had called for consolidation of cash transactions in particular. He therefore
suggested that the rule be restricted to cash transactions only, on a cumulative basis.
Accordingly, the proposed modification to Rule no. 324 was discussed with the Head of Internal Audit and
then confirmed by email, copied to the DCEO – Risk, Compliance and Operations, the Group Head of Audit
and the Head of AML & Compliance in ABCX, prior to modification. The modified rule [Rule no. 328]
therefore identifies only cash deposits above KD 3,000/- in value, on a cumulative basis.
We have now noticed, however, that after this rule change both controls failed: the daily transaction review
on the Cold system raised no suspicion, and the AML system no longer generated the relevant alerts.
This warrants revisiting the modification and reverting Rule 328 to its earlier status.

In addition, a further rule [Rule no. 327] to identify all transactions exceeding KD 30,000
was created in consultation with the Head of AML & Compliance. This rule failed to generate the
intended alerts, and the failure was neither identified nor flagged by Kuwait Compliance. The rule needs
immediate rectification to ensure that alerts are duly generated.
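As an added illustration (not code from the bank or its AML vendor), the rules named above can be written as plain functions and run over a constructed day of transactions to see exactly what the change from Rule 324 to Rule 328 dropped. The aggregation window for the cumulative rule is not stated in the report and is assumed here to be per account per day; the account numbers, dates and amounts are made up to sit on either side of the thresholds.

```python
"""Toy re-implementation of the ABCX AML rules in Appendix 2, to show what the
change from Rule 324 to Rule 328 did to coverage of "Individual" accounts.
Added example for this report, not the bank's AML system. The aggregation
window for the cumulative rule is assumed (per account per day); the sample
transactions are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Txn:
    account: str
    customer_type: str  # "Individual" or "Corporate"
    day: str            # ISO date, e.g. "2011-03-01"
    amount: float       # KD; positive = credit (deposit), negative = debit
    cash: bool          # True for cash, False for transfer, cheque or other non-cash


@dataclass(frozen=True)
class Alert:
    rule: int
    account: str
    day: str
    amount: float


Rule = Callable[[List[Txn]], List[Alert]]


def rule_324(txns: List[Txn]) -> List[Alert]:
    """Old rule (active 27 Oct 2010 to 12 Feb 2011): every deposit, cash or
    non-cash, above KD 3,000 into an Individual account, per transaction."""
    return [Alert(324, t.account, t.day, t.amount) for t in txns
            if t.customer_type == "Individual" and t.amount > 3000]


def rule_328(txns: List[Txn]) -> List[Alert]:
    """Replacement: cash deposits into Individual accounts above KD 3,000 on a
    cumulative basis. Assumed window: per account per day."""
    totals: dict = defaultdict(float)
    for t in txns:
        if t.customer_type == "Individual" and t.cash and t.amount > 0:
            totals[(t.account, t.day)] += t.amount
    return [Alert(328, acct, day, total)
            for (acct, day), total in totals.items() if total > 3000]


def rule_327(txns: List[Txn]) -> List[Alert]:
    """All transactions above KD 30,000 for Individuals, credit or debit."""
    return [Alert(327, t.account, t.day, t.amount) for t in txns
            if t.customer_type == "Individual" and abs(t.amount) > 30000]


def rule_276(txns: List[Txn]) -> List[Alert]:
    """Cash deposits of KD 3,000 and above for Corporate customers."""
    return [Alert(276, t.account, t.day, t.amount) for t in txns
            if t.customer_type == "Corporate" and t.cash and t.amount >= 3000]


def rule_315(txns: List[Txn]) -> List[Alert]:
    """Non-cash transactions of KD 50,000 and above for Corporate customers."""
    return [Alert(315, t.account, t.day, t.amount) for t in txns
            if t.customer_type == "Corporate" and not t.cash and abs(t.amount) >= 50000]


OLD_RULESET: Tuple[Rule, ...] = (rule_324, rule_276, rule_315)
NEW_RULESET: Tuple[Rule, ...] = (rule_328, rule_327, rule_276, rule_315)


def run(rules: Iterable[Rule], txns: List[Txn]) -> List[Alert]:
    """Evaluate each rule over the day's transactions and collect the alerts."""
    alerts: List[Alert] = []
    for rule in rules:
        alerts.extend(rule(txns))
    return alerts


def alerted_keys(alerts: Iterable[Alert]) -> Set[Tuple[str, str]]:
    """The (account, day) pairs that drew at least one alert."""
    return {(a.account, a.day) for a in alerts}


def coverage_gap(txns: List[Txn]) -> Set[Tuple[str, str]]:
    """(account, day) pairs the old rule set alerted on but the new one is silent on."""
    return alerted_keys(run(OLD_RULESET, txns)) - alerted_keys(run(NEW_RULESET, txns))


# Constructed sample; amounts chosen to sit on either side of the thresholds.
SAMPLE: List[Txn] = [
    Txn("ACC-1", "Individual", "2011-03-01", 9500.0, cash=False),   # non-cash credit, under 30,000
    Txn("ACC-2", "Individual", "2011-03-01", 1500.0, cash=True),    # three cash deposits, each
    Txn("ACC-2", "Individual", "2011-03-01", 1500.0, cash=True),    # under KD 3,000, KD 4,500
    Txn("ACC-2", "Individual", "2011-03-01", 1500.0, cash=True),    # in total
    Txn("ACC-3", "Individual", "2011-03-02", 45000.0, cash=True),   # single large cash deposit
    Txn("CORP-1", "Corporate", "2011-03-01", 3000.0, cash=True),    # corporate cash, at threshold
    Txn("CORP-1", "Corporate", "2011-03-01", 20000.0, cash=False),  # corporate non-cash, under 50,000
]

if __name__ == "__main__":
    for name, rules in (("old rule set (324)", OLD_RULESET), ("new rule set (328 + 327)", NEW_RULESET)):
        print(name)
        for a in run(rules, SAMPLE):
            print(f"  rule {a.rule}: {a.account} {a.day} KD {a.amount:,.0f}")
    print("alerted by the old rule set only:", sorted(coverage_gap(SAMPLE)))
```

Running it shows the two-way effect of the change: the KD 9,500 non-cash credit to ACC-1 alerts under Rule 324 but under neither 328 nor 327, which is the gap described above, while three cash deposits of KD 1,500 to ACC-2 pass Rule 324 unnoticed but trip Rule 328 on the cumulative total. Rule functions this small can be covered by unit tests before a rule goes live, which is the rule testing step that section 3 below notes was never carried out.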

Alerts Generation and its Clearance

The AML system generated a total of 14 alerts on the subject 3 customer accounts against Rule no. 324, for
values totaling KD 15,660/-, between 28 December 2010 and 21 January 2011. However, these alerts were
never reviewed by the Relationship Officer and remained outstanding until early May 2011, when they
were cleared by the Compliance Department following review by the Head of Compliance, without any
consultation with the Relationship Officer. This has impaired Compliance independence and created a conflict-of-interest
scenario for the Compliance department.

Compliance Department has been strictly advised not to clear the alerts on their own and instead follow up
more vigorously with the business units and use other escalation tools to enforce a timely clearance of alerts.

One key system limitation noticed is that the AML system does not maintain an audit trail of the actual date of
alert clearance. This is a key concern and the same has been raised with the IT project manager and the
vendor for an immediate review and to provide an appropriate solution.
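The two findings above (Compliance clearing alerts itself, and no record of the actual clearance date) are both properties an alert store can enforce rather than leave to practice. The following is an added example written for this report, not the bank's AML system or its vendor's code; role names, alert numbers and dates are constructed. Clearance is reserved to the Relationship Officer, Compliance can only escalate, and every action, including a refused clearance, is written to an append-only log stamped with the system date, which is where the clearance date is read from.

```python
"""Alert lifecycle with role-restricted clearance and an append-only clearance log.
Added example for this report, not the ABCX AML system or its vendor's code;
role names, alert numbers and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

RELATIONSHIP_OFFICER = "relationship_officer"   # may clear alerts
COMPLIANCE = "compliance"                       # may escalate, never clear


@dataclass
class AlertRecord:
    alert_id: int
    account: str
    rule: int
    generated_on: date
    status: str = "open"      # "open" or "cleared"
    review_note: str = ""     # editable by the reviewer; not the audit trail


@dataclass(frozen=True)
class LogEntry:
    alert_id: int
    action: str        # "clear_denied", "escalated" or "cleared"
    actor: str
    role: str
    recorded_on: date  # system date from the caller's clock, not typed in by the user
    note: str


class AlertStore:
    def __init__(self) -> None:
        self.alerts: Dict[int, AlertRecord] = {}
        self.log: List[LogEntry] = []   # append-only: entries are never edited or removed

    def clear(self, alert_id: int, actor: str, role: str, today: date, note: str) -> None:
        """Only the Relationship Officer may clear; a refused attempt is logged as well."""
        if role != RELATIONSHIP_OFFICER:
            self.log.append(LogEntry(alert_id, "clear_denied", actor, role, today, note))
            raise PermissionError(f"{role} may escalate alert {alert_id}, not clear it")
        alert = self.alerts[alert_id]
        if alert.status != "open":
            raise ValueError(f"alert {alert_id} is already {alert.status}")
        alert.status, alert.review_note = "cleared", note
        self.log.append(LogEntry(alert_id, "cleared", actor, role, today, note))

    def escalate(self, alert_id: int, actor: str, role: str, today: date, note: str) -> None:
        """Compliance's follow-up with the business unit: recorded, but not a clearance."""
        self.log.append(LogEntry(alert_id, "escalated", actor, role, today, note))

    def actual_clearance_date(self, alert_id: int) -> Optional[date]:
        """Read from the log, not the alert record, so later edits cannot move it."""
        for entry in self.log:
            if entry.alert_id == alert_id and entry.action == "cleared":
                return entry.recorded_on
        return None

    def overdue(self, today: date, sla_days: int = 5) -> List[Tuple[int, int]]:
        """(alert_id, days open) for open alerts past the SLA, oldest first."""
        aged = [(a.alert_id, (today - a.generated_on).days)
                for a in self.alerts.values() if a.status == "open"]
        return sorted((x for x in aged if x[1] > sla_days), key=lambda x: -x[1])


# Constructed: 14 alerts on three accounts against rule 324, spread over the
# late-December 2010 to late-January 2011 window the report gives.
SAMPLE_ALERTS = [
    (1, "ACC-1", "2010-12-28"), (2, "ACC-1", "2010-12-30"), (3, "ACC-2", "2011-01-02"),
    (4, "ACC-2", "2011-01-04"), (5, "ACC-3", "2011-01-05"), (6, "ACC-1", "2011-01-08"),
    (7, "ACC-3", "2011-01-10"), (8, "ACC-2", "2011-01-12"), (9, "ACC-1", "2011-01-13"),
    (10, "ACC-3", "2011-01-16"), (11, "ACC-2", "2011-01-18"), (12, "ACC-1", "2011-01-19"),
    (13, "ACC-3", "2011-01-20"), (14, "ACC-2", "2011-01-21"),
]


def build_sample_store() -> AlertStore:
    store = AlertStore()
    for alert_id, account, day in SAMPLE_ALERTS:
        store.alerts[alert_id] = AlertRecord(alert_id, account, 324, date.fromisoformat(day))
    return store


def demo(today: date = date(2011, 5, 5)) -> dict:
    """Replay the scenario: Compliance tries to clear and is refused, escalates
    instead, and the Relationship Officer then clears one alert."""
    store = build_sample_store()
    try:
        store.clear(14, "compliance.officer", COMPLIANCE, today, "cleared after review")
        compliance_blocked = False
    except PermissionError:
        compliance_blocked = True
    store.escalate(14, "compliance.officer", COMPLIANCE, today, "reminder to Business Unit Head")
    store.clear(14, "r.officer", RELATIONSHIP_OFFICER, today, "reviewed: salary credits")
    store.alerts[14].review_note = "reviewed on 2011-01-22"   # editing the record moves nothing below
    still_open = store.overdue(today)
    return {
        "compliance_blocked": compliance_blocked,
        "cleared_on": store.actual_clearance_date(14).isoformat(),
        "log_actions": [e.action for e in store.log],
        "still_open": len(still_open),
        "oldest_days_open": still_open[0][1],
    }


if __name__ == "__main__":
    print(demo())
```

Reading the clearance date from the log rather than from the alert record means a later edit of the review note (as demo() does) cannot move it, and the refused attempt by Compliance is itself evidence of the conflict-of-interest scenario described above. The overdue() report is the escalation tool Compliance is being asked to use instead of clearing alerts: with the constructed dates, 13 alerts remain open, the oldest for 128 days, at 5 May 2011.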

3. Review of ABCX AML & Compliance Unit

ABCX AML & Compliance unit has 3 staff as detailed below:

o Mr. Zaki Mohammed– Head of AML & Compliance Unit


o Ms. Mona Ramzi – Assistant manager, Compliance, and
o Heba Ashoor – Administrative Secretary.

Whilst Mr. Mohammed has vast experience from his earlier role in the CBK inspection department,
complemented by his awareness of the CBK regulations, neither he nor his staff possess any professional
qualification such as CAMS (Certified Anti Money Laundering Specialist) or a similar course in AML /
Compliance. Further, over the past few years the AML and Compliance function has been fast evolving
into a highly demanding role that requires active participation and a more proactive and swift
approach. The key gaps noticed in the current unit vis-à-vis our requirements are:

1. Group Compliance had prepared a Compliance Monitoring program, which was approved by the Audit &
Compliance Committee for implementation. Yet the Compliance unit continues to adopt the earlier
checklist approach and failed to implement the Compliance monitoring program.

2. Even the checklist approach is not effectively and efficiently managed: the overall turnaround time
for obtaining the completed checklists extends to around 5-6 months.

3. Reliance on support from Group Compliance is too high, including assistance with reports on the
pending AML alerts and their follow-up, documenting procedures, and coordination with Kuwait IT on data
related issues.

4. The Head of AML & Compliance had failed to carry out testing of the Rules created in the AML system
and this has resulted in failure to detect any errors on the same.
5. The overall follow up with the business units for the timely clearance of the AML alerts is not effective
and forceful, which results in huge accumulation of alerts, and delayed clearance from the Relationship
Officers.

6. Follow-ups on large value transaction enquiries are carried out through memos, with significant
timelines and repeated reminders, resulting in undue delays in either closing a case or
determining whether it is suspicious.

7. There has been no coordination between ABCX and its Brokerage Company’s compliance department,
despite the company being its subsidiary.

8. Two cases which were reported to Head of Legal in December 2010 and January 2011 as suspicious were
not reported to the public prosecution by the Legal Department, as per the procedure. Head of AML &
Compliance did not escalate the same to the DCEO, or the CMD, or the Group Head of Compliance.

9. Head of AML & Compliance received an enquiry from another bank with regard to the subject staff. This
should have raised an alert for further investigation, or reporting to the Human Resources for their in-
house investigation.

10. Besides the above, the general approach has been very passive and lacks efforts to try and understand the
functionality and technicalities of the AML system, despite Group compliance having organized a two
day workshop in 2009.

Due to the increased sensitivity of the above issues, the need for a professionally qualified and adequately
experienced AML and Compliance officer was advised to Kuwait HR in October 2010, and efforts to identify
suitable bilingual staff have been in progress. A total of 6 candidates were interviewed over the period
and 3 were shortlisted. Of the 3, two did not accept our offer; the final candidate was interviewed on 18 May
2011 and the outcome was immediately advised to the Head of HR for follow-up action on recruitment. This issue is
being followed up with HR.

4. Review of Brokerage Company’s AML & Compliance Unit

ABCX’s Brokerage Company’s Compliance team comprises 5 staff in total. The Head of
Compliance is Mr. Nawaf Sahar, who took charge of Compliance through an internal transfer with effect
from 15 May 2011 and is assisted by 2 staff handling AML and 2 other staff monitoring limits from a
compliance perspective.

A visit to the KMEFIC office was carried out on 02 May 2011 along with the ABCX Head of AML & Compliance, for
introduction and necessary coordination in future. From our discussions with Mr. Nawaf Sahar, we noted that
the Compliance Unit had identified the transfers in Jay Mathews’s OLT account during the month of May and,
after closely reviewing them, Mr. Sahar had reported the case internally at KMEFIC to the Chairman and
Internal Audit on 16 May 2011; it was later reported to ABCX management.

The AML monitoring in the Brokerage Company is currently a manual process, except for
name screening, for which World Check has been subscribed. Automation of the AML review and
monitoring has been on hold for the following reasons:

1. Low transaction volume


2. High cost of implementation.
3. Core system implementation yet to be completed.
Mr. Sahar advised that the manual process currently meets our requirements with regards to AML monitoring
and any new system automation can be considered only after the completion of the implementation of the
core IT system.

The monitoring proved effective with regard to the subject case, as Compliance identified it and duly
notified its senior management.

5. Conclusion

In conclusion, we noticed that Jay Mathews managed to exploit certain weaknesses in his area of
operations and misused the trust of his colleagues, thereby causing a series of control failures
across the various units within the bank.

The key recommendations arising from our review for ABCX are as follows:

1. Retail Banking Division should reiterate to all its staff on the need to strictly comply with the Account
Opening procedures, in particular no Retail banking account should be opened without face to face
contact with the customer. Any exception should be formally reviewed and authorized by the DCEO of
the relevant Business unit through a formal waiver request form, as attached in Appendix 3.
2. All Branch Managers should be advised to review the ‘Cold’ system and the AML system on a daily
basis and action them as appropriate and in a timely manner.
3. Head of Operations should review the authority levels granted to ensure appropriate segregation of logical
access to the BTM system, and the reconciliation process should be independent of the staff responsible
for transaction processing.
4. ABCX management should advise and authorize for necessary rule modification in the AML system to
include non cash transactions for “Individuals”.
5. All staff should be reminded of the Bank’s Whistle Blower policy and Code of Business Conduct and
ethics.
6. The recruitment process for the AML & Compliance Manager should be expedited by Kuwait HR.
7. Follow up with IT for the necessary system enhancements to ensure that the actual date of alert clearance
is appropriately stored in the AML system.
8. A review of existing rules across the Group entities to be carried out to ensure uniformly acceptable rules,
as a minimum standard across the Group.
9. The procedure for rule management should be strictly enforced across the Group, with due authorization
from the respective unit DCEO for any rule change, and each change should be reported to Management
and the Audit and Compliance Committee.
Appendix 1
ANALYSIS OF CONTROL PROCEDURES

Columns: Control procedure | Control type | Control test | Responsibility | Comments

a. Account Opening - KYC Customer Due Diligence
Customer identification process - face-to-face account opening | Preventive | Fail | Personal Banker | Accounts opened without meeting the customer face to face.
Verification of original IDs | Preventive | Fail | Personal Banker | Accounts opened on the basis of photocopies provided by the staff member, without verifying the original IDs.
Signature verification | Preventive | Fail | Personal Banker | Presumably the staff member had forged the signature, as he appeared to have brought the signed application form and authorization letter.
Name verification in AML system | Preventive | Pass | Personal Banker | Copies of the print-out are available with the account opening documentation, as per the procedure.
Branch Manager review | Preventive | Pass | Branch Manager | To a limited extent only, as the BM signed off the account opening documents.

b. ATM Card & PIN Issuance
ATM card delivery | Preventive | Fail | Branch Supervisor | ATM cards delivered to staff on the basis of an authorization letter, which is against the bank's procedures. Further, the authorization letter for one customer is missing.
PIN number delivery | Preventive | Fail | Personal Banker | PIN delivered to staff on the basis of an authorization letter, which is against the bank's procedures. Further, the authorization letter for one customer is missing.

c. Transaction Processing
Authorization for dual access control at the BTM | Preventive | Fail | Head of Operations | Inappropriate authorization granted by the Business Unit Head.
Segregation of duties - maker & checker control | Preventive | Fail | Head of Operations | There was no segregation, as Mr. Mathews could act as both maker and checker for the transaction.

d. Reconciliation
Al Mulla ATM reports and ATM journal rolls | Detective | Pass | Head of Operations | The cash replenishment reconciliation process is in place.
ATM (Bancs) and ATM rolls | Detective | Fail | Head of Operations | This reconciliation process failed; presumably it was handled by Mr. Mathews without any managerial oversight.

e. Transaction Review & Monitoring
All transactions above KD 3,000 to be reviewed by the Branch Manager on a daily basis from the 'Cold' system | Detective | Fail | Branch Manager | The Branch Manager delegated this responsibility to a personal banker. The review failed, as the personal banker did not raise any suspicion with the Branch Manager.
Alerts appropriately reviewed and cleared in the AML system in a timely manner by the Relationship Officer | Detective | Fail | Relationship Officer | The 14 alerts generated in the AML system between 27 December and 20 January 2011 were neither reviewed nor cleared by the Relationship Officer until May 2011. The Compliance Department cleared them in May 2011, which is not an acceptable practice.
Compliance oversight and follow-up for review and clearance of alerts | Detective | Fail | Head of AML & Compliance | Compliance reviewed and cleared the alerts itself, instead of following them up with the Business Unit.
Appropriate rules built in the AML system to identify and alert high value transactions | Detective | Fail | Head of AML & Compliance | The system failed to generate any alerts for non-cash deposits in "Individual" accounts, and this was not detected by the Compliance Unit.

f. Reporting / Whistle-blowing misses
Head of AML & Compliance received a call from Burgan Bank enquiring about the staff member and his transactions | Detective | Fail | Head of AML & Compliance | Should have alerted HR for further investigation.

g. Record Keeping
Authorization form for ATM card and PIN collection | Audit Trail | Fail | Branch Manager | Authorization letter for PIN and ATM card collection missing for 1 account.
Transaction vouchers processed by Andrew Raj | Audit Trail | Fail | Operations | Internal vouchers missing for a total transaction value of KD 9,500/-.
AML system maintains a log of the actual date of alert clearance | Audit Trail | Fail | IT Security / Compliance | Currently the system does not maintain an adequate log to identify the actual date of clearance of an alert.

Totals: 9 preventive controls (2 passed, 7 failed), 7 detective controls (1 passed, 6 failed) and 3 audit trail items (all failed).
Appendix 2

AML system Rules

Rule No | Rule description | Frequency
204 | Credit transactions in Charitable Organizations accounts, KD 50 and above. | Daily
278 | Debit transactions in Charitable Organizations accounts, KD 10 and above. | Daily
128 | Transactions belonging to customers who are flagged as watch list customers. | Daily
130 | Transactions of customers whose risk rating falls between given parameters (transactions of High Risk customers). | Daily
129 | Transactions belonging to customers who are flagged as PEP customers. | Daily
328 | "Individual": cash deposits exceeding KD 3,000/- on a cumulative basis. | Daily
327 | All transactions exceeding KD 30,000 for customer type "Individual". | Daily
276 | Cash deposits of KD 3,000 and above for customer type "CORPORATE". | Daily
315 | Transactions (except cash) of KD 50,000 and above for customer type "CORPORATE". | Daily
Appendix 3

Account Opening Waiver Request

To: Retail Operations / CPU

From:

Date:
Account Name:
Account Number:

Account Opening procedures are in course of completion for the above named account. A waiver is requested
for the following account opening requirements.

Procedure to be Waived Reason for Waiver


(e.g. details of association)

I confirm that I am aware of the Bank’s requirements for account opening procedures and have considered the
implications of this request in accordance with the AML procedures.

Account Officer Name Signature Date

Head of Business Unit Signature Date


Approved by:

DGCEO Signature Date

File this form with Account Opening Documentation and forward copy to Compliance

Initial of staff filing document
