So how could a bank employee steal $29 million over three years without someone noticing?
That's the question bank authorities and security consultants were asking Tuesday after a KeyCorp executive was charged with fraud and embezzlement.
The case is the largest bank embezzlement case in local history, according to the U.S. attorney's office.
The KeyCorp executive, David Verhotz, 56, remained in the custody of federal marshals Tuesday, pending a bond and probable cause hearing on Thursday. He is accused of embezzling in his role as the senior vice president who ran KeyCorp's global trade services unit and provided loans to foreign banks.
Meanwhile, court records from Verhotz's August divorce reveal he earned $110,000 a year and that his wife asserted he regularly visited a girlfriend in New York City while they were still married. According to the FBI, Verhotz used some of the money he allegedly stole to buy a $5.7 million home on Long Island in New York.
A bank employee should never be able to pull off a scam for three years without detection, said security expert John Christman of Security Management Consultants in California.
"All I can say is, the bank must have a lousy accounting system," Christman said.
Banks are supposed to have "a system of checks and balances and periodic audits when you have those sums of money involved," he said.
Further, banks should periodically run background checks on employees who have access to large amounts of money, Christman said. "You can run checks to see whether people are living beyond their means," he said. Certainly, a credit check would have revealed large credit-card bills that were being paid off mysteriously, and property records would have shown the $5.7 million New York home, he said.
Bank security expert Bill Hawthorne of Maine agreed that banks should have mechanisms to find out whether a modestly paid employee "is suddenly living in the style of a person making a million a year."
Even more elementary, Hawthorne said, banks must comply with numerous security procedures mandated by federal regulators. "These are not voluntary," he said.
Some types of bank transactions are supposed to be authorized by more than one person; other types are supposed to be audited or checked by another person.
Even a high-level executive shouldn't have totally free rein over millions of dollars - or even $10, Hawthorne said.
"What you described should not happen," he said. "There should have been a red flag."
A high-ranking executive might be able to pull off a scam for a short time, Hawthorne said, but not for nearly three years. "It wouldn't necessarily be caught within the hour, but there are various measures that should have caught this."
Key spokesman Mike Monroe said that the Cleveland bank doesn't yet know how an executive could pull off a three-year scam and that officials don't yet know whether any procedures will be changed.
"Our current controls and practices are stringent," he said, but "we're determining how he was able to do what he did."
A year ago, Key entered into a memorandum of understanding with the Federal Reserve Bank of Cleveland and a consent order with the Comptroller of the Currency to strengthen its anti-money-laundering controls and other compliance measures. Key wasn't fined.
The National Association of Securities Dealers fined Key last year for "failing to establish and maintain supervisory procedures" at McDonald Investments, its subsidiary.