SHANGHAI • A UniCredit SpA employee in China allegedly siphoned off about 100 million yuan (RM61 million) of clients’ money over three years by taking advantage of shared passwords and other internal security loopholes, according to people familiar with the matter.
Local police and the China Banking and Insurance Regulatory Commission (CBIRC) were informed late last year, and the regulator will levy a penalty in the coming months, the people said, asking not to be identified because they aren’t authorised to speak publicly.
The CBIRC has shared information on the matter with other banks, one of the people said.
“UniCredit regrets this incident and apologises to those affected.
“The safety and security of our clients’ assets is our primary concern and all efforts have been made to ensure that a similar malicious incident cannot reoccur,” a spokesman for the bank said, though he didn’t provide further details.
“The group strictly complies with all rules and regulations in each market where it operates,” he added.
The CBIRC said in an emailed reply to queries that it has uncovered an incident involving a foreign bank employee misusing their position and powers of employment for embezzlement.
It didn’t identify the bank or the individual, and said it will disclose details and punishment at a later time.
The alleged fraud — one of the biggest among foreign banks in China — could become the latest headache for the Italian lender’s CEO Jean Pierre Mustier, who took over about three years ago and inherited issues including a pile of bad debt and possible sanctions violations.
UniCredit’s employee in China allegedly used a group supervisor’s password to access clients’ accounts without authorisation and fabricated transactions, the people said.
The employee used the money to buy apartments in countries including the US, Greece and Japan, and intended to flip them at higher prices to repay UniCredit without raising any red flags, they said.
The employee allegedly confessed to the police after the bank detected that money was being illegally routed, they said.
The people said that while Chinese banks have installed fingerprint and iris recognition technology, in addition to password authorisations, UniCredit was still using only passwords.
While such a high-profile case is unusual for foreign lenders in China, their local counterparts have also seen recent scandals.
State-owned Postal Savings Bank of China Co was fined more than 90 million yuan last year when a branch manager misused three billion yuan of wealth management funds.
An employee at a rural bank in the northern Jilin province embezzled 2.5 million yuan from seven clients to buy lottery tickets, according to the CBIRC.
The regulator’s chairman, Guo Shuqing, last year intensified his campaign to root out wrongdoing among the nation’s more than 4,000 lenders by imposing record fines and removing senior executives.
The agency had mostly focused on Chinese lenders. — Bloomberg