Loading...
LTC 009-2017 Report regarding the theft of funds from a City bank accountMIAMI BEACH OFFICE OF THE CITY MANAGER NO. LTC # 009-2017 LETTER TO COMMISSION TO: FROM: DATE: SUBJECT: Mayor Philip Levine and Members of Jimmy L. Morales, City Manager January 9, 2017 Report regarding the theft of funds fr e City Comm sion a City bank account The purpose of this Letter to Commission is to provide a more detailed report to the City Commission regarding (i) how the funds were stolen from the account, (ii) the steps*we are taking to recapture the funds, and (iii) the steps we have taken to ensure that our internal controls and cash management procedures provide the highest level of protection going forward. In preparing this report, I am being careful not to discuss information that could in any way compromise the criminal investigation that the U.S. Attorney's office, the FBI and Miami Beach Police are spearheading. Explanation of the theft The account in question is the core account in the system of the general depositary account that the City maintains with SunTrust Bank (the "Account").1 The. Account dates back to 1995, and was most recently renewed pursuant to a competitive RFP in 2012. The average daily balances in the Account range from $46 million to $144 million. This account is where all funds received by the City are deposited daily either from a direct deposit or from an overnight sweep from five (5) receiving sub-accounts (Parking, Resort Taxes, Liens, Red Light Camera and Parks & Recreation) Although most of the transactions in the Account consist of deposits to the Account, there are some disbursements from the Account to third parties (approximately 300 monthly), mostly consisting of electronic transfers to other governmental entities and fees and charges paid to banks for credit charges and related items. When the City has to pay vendors for good and services, payroll and claims, funds from the Account are transferred to the applicable zero balance account (ZBA) disbursement account for payment therefrom. The web of accounts that collectively comprise the City's general depository account has approximately 1,500 incoming transactions and 1,100 outgoing transactions per month. The theft in-question took place pursuant to the electronic-transfer of funds under the Automated Clearing House (ACH) system. Under that system (regulated by Federal statute), correspondent banks engage in electronic funds transfers on behalf of their customers. All requests have to be processed within 24 hours. If you have ever authorized the electronic transfer of funds from your checking account to pay a utility bill, 1 The City maintains 27 accounts with SunTrust, including the Account. The average daily balance in all accounts with SunTrust is approximately $171 million. for example, you recall that you provided the account number and the A.B.A. routing number for your account (often by a cancelled check that contains said information) and the required authorization form for the electronic debits. What occurred in this instance (and apparently is a fairly common and widespread form of fraud) is that third parties obtained the account number and A.B.A. routing number for the Account. They then provided that information to various vendors, and represented that this was their bank account. The vendors then provided this information to their respective banks, and when the time came to pay invoices, those banks sent electronic requests for funds transfer to SunTrust, believing that the Account was actually the account of the customer of the vendor in question. SunTrust processed the request and electronically transferred the funds to the banks in question. This took place over a six month period with numerous transactions, resulting in the transfer of over $3.6 million in funds from the Account. Finance department staff discovered the transfers in December, and I learned of these transfers on December 19th. As a result of the mechanism utilized, we actually know specifically which banks requested and received the transfers, and which bank customers (vendors) had initiated the request for transfers. We also have alleged names for the individuals or entities that provided the false account information to the vendors. All of this information has been provided to law enforcement and they are investigating. Finance staff also alerted SunTrust, who immediately stopped any further electronic transfers under the ACH system for our accounts. We have since reviewed all activity in the Account, as well as all our other accounts at SunTrust and other financial institutions, and we have not identified any other fraudulent activity. The activity appears to be limited to the Account. One question that comes up is how the Account information became available to the third parties that perpetrated the theft. While the criminal investigation may shed light on that (including whether any City employee was complicit in this fraud), it is also possible that we may never truly know. Bank account numbers and A.B.A. routing numbers are usually in the possession of a wide array of individuals. Any check ever written contains the information. Any wire transfer sent/received contains the information. Any valid electronic transfer sent/received contains the information. Given the level of activityln the Account and the age of the Account, the number of individuals that have, at some point, had access to the information is too large to measure. Another question is whether this has had an adverse impact on the ability of the City to provide services, maintain its operations or meet financial obligations (including bonds and pensions). The answer is no. The City's Pension Funds, for example, are held with the pension trustees in different bank accounts. They were not impacted. It is also important to_ note that bond proceeds for funding capital projects (including the MBCC) are not held at SunTrust but in protected investment accounts at other institutions and considered to be fully secured. The impact of this fraud does not affect the City's ability to pay obligations and fund payroll pursuant to the approved fiscal budget. Until it is returned to the City, the $3.6 million is deemed to have been removed from the City's contingency funds, which currently has a balance of approximately $48 million. 2 Efforts to Recapture the Funds Once I learned of the theft of our funds, we immediately contacted Miami Beach Police to investigate the fraud. Within 24 hours, we met with police and the FBI, and staff has been working with those agencies, providing information as requested. I have also been in communication with the US Attorney's office on several occasions to discuss the case. While the goal of any criminal investigation is to identify and bring the culprits to justice, we also anticipate that information gathered therein will assist us in recapturing funds and/or assets. SunTrust also initiated the claims process under the federal statute governing ACH transactions. Under that statute, if a bank that transfers electronic funds subsequently discovers (within 60 days from the transfer in consumer cases and 2 days in non- consumer cases) that the request was not valid, it is entitled to file a claim with the bank that originated the request. The statute provides that the originating bank shall, within ten (10) business days of the request, either provide documentation evidencing that the transaction in question was properly authorized or, if such documentation is not available, it must return the funds. SunTrust has filed claims with respect to all the electronic transfers out of the Account. Since none of the bank customers in question were vendors of the City or in any other way in any relationship with the City, we believe that there is no way that any documents will be produced that evidence authorization of withdrawal from the Account. To date, pursuant to the process and also pursuant to due diligence by the City, $691,770 has been returned to the Account. We are in constant communication with officials at SunTrust and are cooperating with them in the effort to recapture the funds from the banks that received them. I have met twice with senior officers of SunTrust, including the South Florida President, and they are cooperating with the criminal investigation as well as conducting their own internal analysis of the transactions. The goal, of course, is to recapture as much of the money as humanly possible. Much work remains to be done in this regard, and all the parties in question are working collaboratively to reach that goal. Depending on the results of that effort, we will, of course, examine any other remedies available to us. Ensuring the security of City funds going forward Just as important as recapturing the dollars is making sure this never happens again. The steps we have taken include: • Opened new general depository bank account with SunTrust and in process of closing current one. Given the number of accounts that pay into the Account, we cannot just simply close it without a transition time during which we provide notice to third parties that pay into the account. • Implemented ACH Fraud Control on the new and existing account which allows the City to set parameters for which ACH transactions are allowed.2 This gives 2 Unfortunately, the last time the Account was renewed in 2012, ACH Fraud Control was made available by SunTrust at no cost to the City, but the Finance staff at that time elected not to apply it to the Account. The protection was only applied to our disbursement accounts. 3 the City the tools needed to monitor electronic payments and block unauthorized ACH debits before they post to our account.3 We have similarly made sure that all other accounts that might be a target also have ACH Fraud Control or some similar protection. Set up UPIC, a unique account identifier issued by financial institutions that allows organizations to receive electronic payments without divulging confidential banking information. Unless pre-authorized, discontinued ACH payments for good and services Discontinued ACI with MasterCard payments. Instituted a daily review and reconciliation of all non-check disbursements. Accepted the resignation of the Treasury Manager and the Accounts Payable Director.4 As I have indicated publicly, while the theft may not have been entirely preventable, the amount could have been mitigated by better performance of the treasury management and account reconciliation process.5 I am continuing to examine how we could have minimized the extent of the theft and further personnel decisions may be necessary. Obviously, if the criminal investigation identifies any employee-related issues, those will be addressed as well. As I reported to you last week, I used my emergency procurement authority to retain the accounting firm BDO to conduct a review and risk assessment of our internal controls and procedures in our Treasury management and disbursement function. We will be working with both the New York and Miami offices. They also have a cyber security department that can assist with any issues that may arise with respect thereto. The goal is to ensure that our internal controls represent best practices going forward. We anticipate that the review will be completed in 4-6 weeks. I have personally spoken with our financial advisor to determine if she thought that this event would have any impact on our bond ratings, and she was of the opinion that since the funds in question do not impact our debt coverage ratios or the City's economic forecasts, there should be no impact. Finally, I met with our outside independent auditing firm and have asked them to provide me a time and cost estimate with respect to expanding the scope of future annual audits to include the effectiveness of our internal controls with respect to cash management. This is not something that is required by Florida with respect to the audit of municipal financial statements, but is something that is done with respect to publicly traded companies. If you have any questions, please feel free to contact me. 3 In fact, the ACH Fraud Control program already prevented an unauthorized ACH transfer last Friday. 4 The Treasury Manager had been with the City for 14 years and had served as Treasury Manager for the last 10 years, The Accounts Payable Director similarly served in that capacity for the past 10 years. 5 We are in the process of hiring a new Treasury Manager who comes to us with many years of experience as a Finance Director in two other municipalities in Miami-Dade County. 4