So how could a bank employee steal $29 million over three years without someone noticing?
That's the question bank authorities and security consultants were asking Tuesday after a KeyCorp executive was charged with fraud and embezzlement.
The case is the largest bank embezzlement case in local history, according to the U.S. attorney's office.
The KeyCorp executive, David Verhotz, 56, remained in the custody of federal marshals Tuesday, pending a bond and probable cause hearing on Thursday. He is accused of embezzling in his role as the senior vice president who ran KeyCorp's global trade services unit and provided loans to foreign banks.
Meanwhile, court records from Verhotz's August divorce reveal he earned $110,000 a year and that his wife asserted he regularly visited a girlfriend in New York City while they were still married. According to the FBI, Verhotz used some of the money he allegedly stole to buy a $5.7 million home on Long Island in New York.
A bank employee should never be able to pull off a scam for three years without detection, said security expert John Christman of Security Management Consultants in California.
"All I can say is, the bank must have a lousy accounting system," Christman said.
Banks are supposed to have "a system of checks and balances and periodic audits when you have those sums of money involved," he said.
Further, banks should periodically run background checks on employees who have access to large amounts of money, Christman said. "You can run checks to see whether people are living beyond their means," he said. Certainly, a credit check would have revealed large credit-card bills that were being paid off mysteriously, and property records would have shown the $5.7 million New York home, he said.
Bank security expert Bill Hawthorne of Maine agreed that banks should have mechanisms to find out whether a modestly paid employee "is suddenly living in the style of a person making a million a year."
Even more elementary, Hawthorne said, banks must comply with numerous security procedures mandated by federal regulators. "These are not voluntary," he said.
Some types of bank transactions are supposed to be authorized by more than one person; other types are supposed to be audited or checked by another person.
Even a high-level executive shouldn't have totally free rein over millions of dollars - or even $10, Hawthorne said.
"What you described should not happen," he said. "There should have been a red flag."
A high-ranking executive might be able to pull off a scam for a short time, Hawthorne said, but not for nearly three years. "It wouldn't necessarily be caught within the hour, but there are various measures that should have caught this."
Key spokesman Mike Monroe said that the Cleveland bank doesn't yet know how an executive could pull off a three-year scam and that officials don't yet know whether any procedures will be changed.
"Our current controls and practices are stringent," he said, but "we're determining how he was able to do what he did."
A year ago, Key entered into a memorandum of understanding with the Federal Reserve Bank of Cleveland and a consent order with the Comptroller of the Currency to strengthen its anti-money-laundering controls and other compliance measures. Key wasn't fined.
The National Association of Securities Dealers fined Key last year for "failing to establish and maintain supervisory procedures" at McDonald Investments, its subsidiary.
Other local banks, meanwhile, said Tuesday that they have various security procedures that should deter fraud or embezzlement - even by the chief executive.
"You have checks at every level," said Monica Martines, spokeswoman at Third Federal Savings in Cleveland. "It should be very hard for someone to do something by himself without other people involved. Somebody is always checking."
One small policy practiced by Third Federal and some other banks: Employees who handle money or accounts must take their vacation in a block that's at least one week long. The reasoning: If they're running a scam, it might be detected if they are away from the office for a week.
National City Bank has numerous stringent security procedures that serve as checks and balances on employees, said spokeswoman Kelly Wagner Amen. She declined to provide details, citing security. "Many of our practices are unique to National City," she said.
Key said Tuesday it has made certain changes to Verhotz's accounts and passwords to prevent anyone - whether Verhotz or any cohort - from accessing anything. "All of that has been blocked," Monroe said.
The FBI said it's up to Key whether to change future procedures. For now, said Jack Sammon of the U.S. attorney's office, "Key is working around the clock to make sure their assets are protected."
Authorities are also freezing Verhotz's assets in hopes of recovering the money they say he stole. All but $4 million to $8 million has been accounted for.
According to divorce court records, he earned $110,280 last year with a $25,000 bonus. He contributed $6,500 a year to his 401(k), and his retirement accounts are worth $318,444.
Verhotz and his ex-wife, Sharon, married in 1981 and had four children, two now grown. She works as a public health nurse.
Verhotz was ordered to pay her $1,040 a month in child support and $1,025 in alimony.
In a transcript from a May 27, 2005, hearing regarding support, her lawyer said David Verhotz "spends a considerable amount of time with a female companion in New York City on weekends." He moved out of the family home in Hudson in December 2004.
Plain Dealer news researcher JoEllen Corrigan contributed to this story.
