A report from the Platte County auditor released early this week detailed the mistakes made in a fraudulent wire transaction that led to the loss of more than $48,000 in funds late last month.
Forensic specialists assisting in the investigation identified the origin of the scam email as coming from an outside source, and they concluded the email system, computers and servers were not compromised. However, the auditor’s report recommends a change in policy to help prevent further mistakes involving taxpayer money after Platte County treasurer Rob Willard initiated a rarely used transfer method to wire the money from the county’s UMB Bank account to a Wells Fargo bank account in Florida on Friday, May 27.
The county has since recovered about $28,000 of the lost funds and remains active in attempting to fully recoup the total sum.
Platte County auditor Kevin Robinson recommended at the end of an eight-page report that the treasurer draft procedures for all forms of electronic fund transfers. He also advised the county to adopt a policy of “no token wire transfers,” the form of transfer used to wire out the $48,220 in question, and advise UMB Bank of the change.
According to the audit report, UMB’s electronic fund transfer process requires two authorized representatives to initiate a transfer.
However, Willard detailed during a public meeting Wednesday, June 1 how a spoof email account sent messages to him purportedly from Platte County presiding commissioner Ron Schieber. The emails asked him to send the $48,220 to pay a “tax consultant” just hours before the start of the Memorial Day weekend.
A later call to Schieber led to the realization the transaction had been a scam, one attempted on multiple counties in Missouri that day.
UMB’s representative assigned to the county’s account took a call from Willard, who was transferred to the wire department per procedures. Necessary information was obtained, and as required, the bank then called back for a second authorization on a token wire transfer.
Willard then realized the second person in the office needed to initiate the transfer was not available that day.
UMB then switched the request from a “token wire transfer” to a “no-token request,” which requires a commercial loan officer to verify the request and to call the organization and obtain a six-digit code given to the requester by the wire department. The UMB commercial loan officer called Willard to obtain the digital code.
At this time, the officer questioned the transfer when it was stated that it was an email request.
Willard advised he verified the transaction with Schieber, having only done so through the series of messages with a spoofed email account. Schieber noted during a special meeting Monday, June 12 to review the auditor’s report that he doesn’t have authority to initiate such a transaction by himself.
Upon the validation of the digital code, the wire received the second authorization from the bank.
“From the process provided by the bank, their internal controls and procedures were followed,” Robinson’s report said. “The bank verified authenticity and credentials of the person making the request for a wire transfer, and confirmed the necessary code information known only by the county.”
However, Robinson did say the bank deviated from its own procedure by initiating a same-day wire after its stated 2 p.m. deadline for origination.
Willard and his chief deputy treasurer, the second authorized representative, routinely make electronic transfers and payments using the “token” process. However, those transactions generally follow the county auditor’s recommended “Accounts Payable Policy & General Process,” updated in 2014.
This policy outlines the work flow and identifies the segregation of duties within an office and provides segregation of duties, which internal and external audits have confirmed as “a process which provides adequate control to mitigate risk and prevent internal modification of a warrant or recipient, thus minimizing risk to the county of fraudulent actions.”
Generally, the process of paying out funds includes a verification of accounts with the auditor’s office followed by receiving authorization from two of three commissioner signatures. The auditor would then receive the request again to perform a double-check before any funds were wired.
Willard admits to bypassing that procedure in this case due to the implied urgency of the transaction denoted in the scam email, and without the second authorization from his deputy treasurer, he initiated the no-token transfer, which has been used only twice in the past 12 months.
On Dec. 1, 2015, a no-token wire was processed as payment for the Shiloh Springs Golf Course management contract with Kemper Sports. According to the auditor’s report, that payment included a supporting contract and certification of available funds.
The May 27 fraudulent wire using the no-token system had no supporting documentation, certification of funds or commission authorization.
According to the auditor’s report, the account payable policy and an accompanying flow chart were included as part of the preparation and training of county employees and office holders on the use of the system. The policy, practice, compliance and segregation of duties in the workflow have been annually reviewed by external auditors.
This includes annual testing with a random selection of warrants, deposits and contracts to ensure the intended recipient of a payment receives the contracted amount due. Testing also confirms that no change is made to the payment amount or vendor.
“Internal and external audits have found no evidence of tampered payments or of a vendor receiving an amount other than the indicated amount due,” the report said. “Further, no electronic payments have been identified or released from a county bank account without proper documentation and approval.”
An additional 24 months of wire payment history has been requested from UMB for review.
In wake of the fraudulent transaction, UMB asked Wells Fargo to reverse the wire transfer, a process which apparently led to the partial return of funds last week. Officials have also made claims with the county’s insurance company and Willard’s private bonder, used to cover errors and omissions, about alleviating the county’s liability.
Elected in 2012, Willard recently filed to seek a second term in office. No other candidates filed for the August primaries.