Although banks have invested in systems designed to detect and prevent threats emanating from external illicit activities, insider threats often are underestimated.
Insider threats — from negligent behavior to malicious intent — demand a coordinated response to detection, escalation and mitigation, according to experts. A session at the upcoming ABA Financial Crimes Enforcement Conference will explore how financial institutions are integrating anti-money laundering, fraud, cyber, and conduct risk insights to detect behavioral red flags, manage insider risk and foster a culture of compliance.
According to Matthew S. Haslinger, EVP and chief BSA/AML and sanctions compliance officer for M&T Bank and session panelist, insider risk has evolved from negligent or rogue employees to complex, organized collusion, and remote work has expanded the threat.
“Larger banks tend to have more robust insider threat programs, but smaller banks can be more agile,” Haslinger said. “Midsize institutions often struggle with resource constraints. That said, the risk is present across all sizes [of institutions], but impact and detection capabilities vary. Smaller banks may face higher risk due to limited monitoring tools. Overall, this is a risk that all banks need to be thinking about and addressing through a risk-based approach.”
Haslinger said one of the biggest misconceptions among banks is that insider risk only involves intentional misconduct — like employees stealing money, selling customer data, or colluding with criminals.
“In reality, insider threat is often just as much about negligence or human error as it is about malicious actors,” he said. “For example, employees mishandling sensitive data, failing to follow AML procedures or clicking on phishing links can create the same level of regulatory, reputational and financial exposure as deliberate misconduct.”
Another popular misconception is that insider threats are rare or limited to a few bad actors.
“In truth, every employee, contractor or third-party partner has the potential to become an insider threat under the right circumstances — whether through financial stress, coercion, lack of training or even burnout,” he explained.
Banks should be engaged in proactive detection and cross-departmental collaboration, Haslinger said, and it’s something they often aren’t doing or don’t realize they should.
“Banks often silo human resources, security, compliance and IT monitoring,” he explained. “Few have a centralized insider threat program that integrates behavioral red flags, access logs, policy violations and financial stress indicators. Many banks focus on fraud or data theft, but they don’t connect insider risk to failures in suspicious activity reporting, know-your-customer remediation, or sanctions screening. Recent enforcement actions are a reminder that insiders can directly undermine AML programs.”
Haslinger said banks need to understand that risk is a people problem and not just a technical one.
“It’s a financial crimes compliance risk that Bank Secrecy Act and fraud officers need to work together to address,” he said. “Prevention requires culture, training and visibility. Don’t wait for a breach — proactive detection and continuous education are key.”
Editor’s note: Haslinger recently co-authored an in-depth article on bank insider risk for the ABA Banking Journal.