Two TD Bank Insiders. Two Fraud Schemes. One Massive Blind Spot
Two former TD Bank employees. Two separate fraud schemes. More than $9 million in combined losses. Both prosecuted by the U.S. Department of Justice. Both carried out by insiders who had every right to be in the systems they abused.
These aren't isolated incidents. They're the same problem showing up twice, and they raise an uncomfortable question for security and fraud teams everywhere: if this happened at a major financial institution with substantial security resources, what's happening inside your organization right now?

When Legitimate Systems Become Fraud Tools
Insider fraud rarely requires hacking. Most of the time, employees misuse systems they're already authorized to access, and the activity never shows up in the places security teams are trained to look.
Think about what that actually looks like in practice. A bank employee uses approved software to search for high-value accounts. A customer service rep pulls records that have nothing to do with their assigned work. A healthcare worker views patient files outside their responsibilities. An insurance employee opens sensitive claims data repeatedly with no business reason behind it.
None of those actions would raise a flag on their own. The user is authenticated. The application is approved. The access is permitted. Everything looks normal from a technical standpoint.
But normal access and legitimate access aren't always the same thing. The employee navigating to specific account types, running searches to surface high-value targets, reviewing data they have no reason to see, doing it session after session — none of that shows up in an access log. None of it triggers a firewall alert. From the outside, it just looks like someone doing their job.
The Proprietary System Problem
Things get harder when fraud happens inside proprietary or internally developed applications, which is often exactly where the most sensitive data lives.
Many organizations run custom-built portals and line-of-business systems that have no connection to third-party security tools. Standard DLP solutions have no visibility into them. Fraud detection platforms have no context for what's happening inside them. A SIEM might record that a user logged in, but it has no idea what that user did next.
When an employee misuses something inside one of these systems, running an unauthorized search, pulling restricted record types, or simply reading information off the screen and passing it along without ever downloading a file, there may be nothing reaching the security stack at all. No alert. No log entry. No indication that anything unusual happened.
That kind of activity doesn't leave a trail. And the absence of a trail is exactly what makes it dangerous.
Why Traditional Fraud Controls Miss This
Most fraud detection platforms are built around completed transactions. Most DLP tools are looking for data moving through email, web uploads, cloud storage, or removable media. Security monitoring focuses on logs, authentication events, and network indicators.
All of those things matter. But insider fraud often starts well before any suspicious transaction happens, and well before any data leaves the organization in a way those tools would detect.
An employee spending weeks gathering account information for future misuse won't trip a transaction monitoring alert. Someone repeatedly reviewing sensitive customer records won't generate a DLP event. A person working entirely within an authorized application, reading data off a screen and passing it along verbally or through a personal device, won't look suspicious to any of the standard controls.
By the time a fraudulent transaction finally occurs, the groundwork may have been laid over months.
What Actually Happened at TD Bank
The two DOJ cases show how different insider fraud can look in practice, and how similar the underlying conditions are.
In the first case, former employee Cheungkin Lam, also known as Kelvin Lam, pleaded guilty on May 28, 2026 to accepting bribes and abusing his bank position to identify customer accounts with large balances. He passed confidential customer information to external fraudsters, enabling schemes that resulted in more than $3.4 million in losses. He also helped bribe an employee at another financial institution to falsify records as part of a separate fraud effort.
In the second case, former retail banker Leonardo Ayala was sentenced on June 10, 2026 to two years in prison for accepting bribes and laundering more than $5.5 million to Colombia. Between June and November 2023, Ayala opened fraudulent accounts, issued over 150 debit cards to shell companies, and unblocked cards that TD Bank had already flagged and restricted due to suspicious activity. Those accounts and cards were used to make more than 12,000 ATM withdrawals in Colombia. He collected more than $6,000 in bribes from his co-conspirators.
One employee quietly gathered data and handed it off. The other manipulated the bank's own systems, including the controls meant to stop him. Different approaches, but both relied on the same thing: authorized access, institutional knowledge, and enough cover of routine activity to avoid detection.
Detecting Fraud Before the Transaction
The early signs of insider fraud usually don't show up in transaction records or network logs. They show up in how people use applications, in the small behavioral patterns that look routine in isolation but tell a different story when you can see the full picture.
InnerActiv provides that visibility. Rather than focusing only on completed transactions or data movement, InnerActiv monitors how users actually interact with applications and on-screen content, including inside proprietary and internally developed systems that other tools can't reach. It can capture on-screen activity, identify misuse of specific application components, and flag behavioral patterns that suggest elevated risk, even when nothing has been downloaded, transferred, or flagged by existing controls.
In practice, that means catching things like:
- Repeated navigation to high-value account types within an authorized portal
- Unusual use of search functions or filters designed to surface sensitive records
- On-screen viewing patterns that fall outside a user's normal responsibilities
- Behavioral anomalies within proprietary systems that have no third-party integration
- Information-gathering activity that precedes fraud but generates no traditional alert
- Account or card activity patterns that diverge from an employee's established baseline
The TD Bank cases are a useful reminder that insider fraud doesn't follow one script. But in both cases, the warning signs were in the behavior, not the transaction record. That's where detection has to start.
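One way to express the baseline-divergence signals listed above as detection logic, as an added example that is not InnerActiv's implementation and not code from the original article. It assumes the internal application emits one audit event per user action; the event fields, action names, and thresholds are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

def make_events():
    """Constructed sample: (user, day, action, record_id, assigned) tuples.
    'assigned' means the action is tied to work assigned to that user."""
    events = []
    for day in range(1, 11):
        # teller_a: steady workload, every view tied to assigned work
        events += [("teller_a", day, "view_account", f"A{day}-{i}", True) for i in range(5)]
        # teller_b: same routine, then unassigned high-balance searches from day 8
        events += [("teller_b", day, "view_account", f"B{day}-{i}", True) for i in range(5)]
        if day >= 8:
            events += [("teller_b", day, "search_high_balance", f"S{day}-{i}", False)
                       for i in range(12)]
    # teller_c: lifts a restriction that fraud controls placed, with no linked case
    events.append(("teller_c", 9, "unblock_restricted_card", "C-1", False))
    return events

def daily_unassigned(events):
    """Count, per user and day, the actions not tied to assigned work."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, _action, _record, assigned in events:
        if not assigned:
            counts[user][day] += 1
    return counts

def flag(events, baseline_days=7, factor=3, floor=3):
    """Return sorted (user, day, reason) findings."""
    findings = set()
    for user, per_day in daily_unassigned(events).items():
        # Baseline: the user's own median over the first baseline_days days
        base = median(per_day.get(d, 0) for d in range(1, baseline_days + 1))
        for day, n in per_day.items():
            if day > baseline_days and n >= max(floor, factor * base):
                findings.add((user, day, "unassigned-access spike"))
    # Overriding a fraud control is reviewed on every occurrence, not by volume
    for user, day, action, _record, assigned in events:
        if action == "unblock_restricted_card" and not assigned:
            findings.add((user, day, "restricted card unblocked without case"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in flag(make_events()):
        print(finding)
```

The volume rule only works if the application records what was searched or viewed, which is the gap the article describes for systems that log nothing beyond the login.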
See What Your Security Stack Can't
InnerActiv gives security and fraud teams visibility into the activity that traditional tools miss entirely. By monitoring user behavior at the endpoint and application level, including inside proprietary systems with no third-party integration, InnerActiv surfaces early warning signs of insider fraud before losses occur.
If the TD Bank cases raise questions about what's happening inside your own systems, we'd like to help you find out. Learn more at inneractiv.com.
