Lessons Learned from How a Scam Closed Down a Bank – A Discussion with Peter Tapling of PTap Advisory, LLC & NICE Actimize
November 3rd, 2023
Scams are nothing new to fraud strategy and banking fraud risk appetites. What is clearly changing is the amount of consumer loss, and it is staggering. As an example, the FBI’s Internet Crime Complaint Center (IC3) reported investment scam losses of $3.31 billion, and investment scams were the most common type of scam reported to IC3 in 2022.¹ Scam losses are driving changes in regulation, as seen in the extensive market discussion of the UK PSR’s pending APP fraud liability shift for Faster Payments, and in considerations and plans put into effect at the payment-network level (P2P particularly) that afford some additional consumer scam protection, although those protections are not widely adopted.
We sat down with Peter Tapling, the former Chief Revenue Officer (CRO) for Early Warning Services during the launch of Zelle™, Steering Committee member for the Federal Reserve’s Secure Payments Task Force, and current Board member for the US Faster Payments Council, to discuss the extreme case of Heartland Tri-State Bank, a small regional bank in Kansas which was seized in July 2023 when regulators discovered Heartland’s CEO was ensnared in a multi-million dollar international cryptocurrency investment scam.²
While an extraordinary case, the Heartland Tri-State Bank collapse is an important reminder for banks and financial institutions (FIs) to improve their own scams-risk posture, to protect consumers and businesses alike. Cryptocurrency investment scams like Pig Butchering are overwhelmingly targeted at regular consumers, but Peter Tapling also calls our readers’ attention to the additional industry concerns about the success of social engineering, and especially of business email compromise and other business-targeted scam typologies, where the account holder has far fewer regulatory protections to shift fraud liabilities when scammed.
The Heartland Tri-State Bank CEO’s involvement in a cryptocurrency investment scam, using the bank’s own funds, is an extreme example of this scam type, but what are your immediate impressions? What broke down in this case, organizationally speaking, that would be examples of areas of best practice improvement for all businesses?
The lack of internal controls is fundamental to this story, and a major breakdown in these controls led the CEO in this case to believe he could play with the piggy bank. Let’s take the $12 million loan he asked one of the bank’s clients to cover, and that request ultimately led to the CEO being caught, as well as the unfortunate closure of the bank. Without looking at the specific assets of Heartland Tri-State Bank, if it had approximately $500 million in assets, that makes it roughly about a $30 million a year business. $12 million would be close to half of Heartland’s business each year? This is just an illustrative example; we don’t know how much was lost in this instance. Regardless, the CEO should have had to get board approval for the use of the bank’s money.
Shifting to scams prevention from a general perspective, what do you see as the most important ‘line of defense’ for banks to consider in protecting consumers and businesses from scams?
Scams are all about the receive-side of the transaction and so the front line of defense against the scam is the party sending the money. It’s your customer – the bank should be educating both their retail and business customers about the prevalence of scams, and on the business side the education must have nuance in specific education around social engineering and business email compromise. It’s not just education, it’s confirming the education was delivered and the understanding of scam risk is explicit to the account agreements. Specific to the transaction-side, controls should be focused on large and unusual transactions, especially for businesses. Industry news loves to report on headline-grabbing Grandparent scams, but how often do we recognize the businesses that are closing because they were scammed? It is important to emphasize that in the noise of consumer complaints, we may not be fully recognizing the true growth of loss for scams over recent years in commercial channels.
If the Heartland case has taught us anything, it is that if a professional banker with multiple decades of experience can get scammed, we all can be scammed. You spoke about the importance of both the sending and receiving side considerations of the scam transaction, and we spoke to what banks can do to address the scams issue. What can the industry do best to gain better traction against, and transparency into, this problem?
So much of our fraud fighting efforts over the past few decades have been focused on preventing the initiation of unauthorized transactions. We have great tools to do that. The shift to scams requires the industry to add a focus on the “intent” of the person making the payment. One of our challenges, particularly in the press, is that fraud and scams are typically used interchangeably. While a scam is certainly a form of fraud, the ways we will fight scams are different.
First, education will continue to be important. We have done this before for everything from reminding people to wear seat belts, looking for the lock icon displayed on web browsers, and to not click on links in unsolicited emails.
Second, we manage what we measure. And in order to measure scams we must rely on common definitions, like those recently published by The Knoble™. The Federal Reserve has recently announced an industry-recommended definition for scams and is also working to publish a classification tool for scam typologies in 2024.
Third, to emphasize what I spoke about earlier, we need to come together to identify the nefarious actors on the receive side of these transactions. That’s where the bad guys live. This will require structured case management using the definitions agreed upon and, ideally, some form of information sharing to alert other payment system participants of potential risks. The Fed recognizes this and also has an effort open currently on scams information sharing.
Creating an integrated view of customers, at onboarding, transaction initiation and money movement calls for integrating all of the fraud fighters across the organization.
1 Department of Justice: Justice Dept. Seizes Over $112M in Funds Linked to Cryptocurrency Investment Schemes, With Over Half Seized in Los Angeles Case (2023)
2 American Banker: Small Kansas bank failed because its CEO fell for a crypto scam: Report (2023)