Form Without Function
Payments Process Less Than a Year Old Fails Costly Stress Test
NOTE: A final update to this piece - including a quote from City Manager Michelle Crandall - follows the original conclusion.
The judgement of an internal investigation within the City of Hilliard’s finance department has resulted in changes to its policies and procedure concerning electronic-fund transfers, also known as ACH, in the aftermath of a phishing attack in December which resulted in the theft of almost $219,000.
But some Hilliard City Council members are not yet satisfied with the administration’s explanation of the incident while former Hilliard Finance Director David Delande, whom Hilliard City Manager Michelle Crandall terminated as a result of the financial misstep, is asking the city for consideration of a severance package with health benefits.
According to a Hilliard Division of Police report, a suspect posing as an executive of Strawser Paving Company, a known city vendor, sent an email to an accounting assistant using an email address “similar to the actual company’s email.”
The suspect asked to have the vendor profile updated and submitted a signed form authorizing the city to initiate ACH payments, according to the police report.
The document provided the same vendor number as the authentic Strawser Paving Company but with a different routing and account number.
On Dec. 20, a payment of $218,992 was issued.
According to the police report, the accounting assistant, after becoming “more suspicious,” called Strawser Paving Company and discovered the city was the victim of a scam.
Finance department employees learned that the money had been routed to a different financial institution and into an account established the day prior to the deposit.
According to the police report, city employees were initially told by an individual on the fraud team at the second financial institution that the money remained at its bank and a hold had been placed.
But another employee later told finance department employees that the money had in fact been routed in separate amounts to yet two other banks - each different that the first two, according to the report.
Delande reported the theft to Hilliard police on Jan. 6, according to the report.
However, Crandall was not aware of the theft until Jan. 31, when informed by Delande, according to David Ball, director of community relations for Hilliard.
In his letter to the City Council, Delande wrote it was a conscious decision to wait to inform Crandall at a scheduled meeting Jan. 31 about the ongoing investigation into the theft.
Delande was terminated Feb. 13 and an accounting assistant in the city’s finance department resigned Feb. 15, Ball said.
Each had been placed on administrative leave Feb. 6 by Crandall.
Karrie Martin, a fiscal officer in the city’s finance department, is the acting finance director, according to Ball.
Hilliard only began using ACH in June 2022.
“At that time, procedures were put in place in the finance department detailing how ACH were to be set up for vendors and how account changes would be handled. These were the procedures that were not followed by a staff member in December. These were also the procedures that staff reviewed and made more stringent in February.”
David Ball - Hilliard Community Relations - March 21st
“Internal procedures like these are an administrative function and as such would not require any council action,” Ball said.
As part of its internal investigation, the city performed a comprehensive review of its internal policies and procedures related to ACH and as a result, “adjustments have been made and staff has received additional training to prevent any similar situation from happening in the future,” Ball said.
But citing security measures, Ball would not comment on the specifics of the previous or revised ACH policies and procedures.
The city’s annual audit, an external audit by Wilson, Shannon and Snow, is to begin in April and is to take another look at the same policies and procedures, Ball said.
Meanwhile,
Delande, in a March 10 letter to Hilliard City Council and copied to Crandall, the former finance director with 29 years of service to the city, appealed to the city for consideration of a severance package while laying out the groundwork of mitigating factors concerning the phishing attack.
The facts outlined by Delande conflict with other accounts of the incident, according to City Council President Omar Tarazi.
There are “factual inconsistencies,” Tarazi said, including specifically whether the deputy finance director, who remains employed at the city, had any knowledge of the ACH request between the times it was received and executed.
Councilman Les Carrier also said he is concerned about conflicting accounts of the incident as well as unanswered questions concerning policy and procedure.
“The community still has no idea how one person apparently caused the loss. How the suspect knew whom to pose as, how one person had the ability to wire $219,000, and what controls were not followed, are several such questions,” Carrier said.
In his letter to the City Council, Delande wrote, “I acknowledge and accept responsibility for not notifying Crandall earlier,” while providing an explanation.
Delande wrote that a financial assistant received a request on Dec. 19 from Strawser Paving to switch to ACH payments but did not obtain proper verification; rather he processed it and forwarded it to the city’s deputy finance director who likewise “failed to follow the written guidelines and did not verify that a voided check or deposit was provided,” Delande wrote.
“Neither employee obtained any approval from me. The entire transaction was completed without my knowledge,” Delande wrote.
Delande wrote the accounting assistant informed him on Dec. 28 of discrepancies in the ACH transfer and that he immediately contacted the city’s financial institution to request they issue a stop payment but learned the funds were at the bank where they had been transferred. That institution told him the ACH had not been completed and that it would take 10 days for the city to receive the funds back.
On Jan. 5, a follow-up call revealed the funds had in fact been transferred out, Delande wrote.
“(The bank) gave us conflicting information.”
On Jan. 6, Delande called Hilliard police and subpoenas were subsequently issued to three different financial institutions that allegedly received the funds from the city’s financial institution, Delande wrote.
His letter subsequently summarizes his accomplishments in 29 years of service and seeks consideration of a severance package with health benefits.
While the city charter vests the city manager with the power to hire and fire department directors, Delande is not seeking to recover his job, but rather post-employment compensation and benefits, something Tarazi said are in council’s domain to consider.
But the City Council has asked for advice from the city’s law director concerning the issue, Tarazi said.
Other council members say any response to the letter should come from Crandall.
“Per the charter, all directors are appointed by the city manager and serve at the pleasure of the city manager. In this case, the decision belongs to (Crandall) and falls outside the domain of City Council. As with any other issue, city council members may share their thoughts, but it is ultimately her call. The majority of City Council is supportive of her decision-making since we hired her with the trust to handle these situations as she sees best based on her experience and knowledge,” Councilmember Pete Marsh
Ball said the city administration has no further comment other than what he and Crandall shared in a Feb. 13 press release in which the city publicly announced the incident and actions.
UPDATE: Just after posting this piece I received a strong disputation of Delande’s account from City Manager Michelle Crandall who offered the following:
“His letter is not at all factual,” Crandall stated.
“Our Deputy Director of Finance had no awareness that an ACH form had been submitted by the individual posing as the President of Strawser Paving. The Finance Assistant informed no one of the receipt of this form or that he changed the bank routing numbers based on the fraudulent request and ACH form submission,” Crandall said