Privileged Access Anomaly: Service Account Credential Sharing
Shared service account SVCACCT-CORE detected logging in from 3 different geographic locations within 15 minutes. Credential compromise suspected.
Summary
Member Service Representative MSR-4821 processed 7 wire transfer overrides totaling $340,000 during their direct supervisor's PTO window. Combined with after-hours CRM access and 2 newly created beneficiary accounts, this pattern matches FinCEN Advisory 2025-A003 insider threat indicators.
Evidence Chain (5 items)
Processed 4 wire transfers >$25K each with manager override bypass
Source: Symitar Core Banking | Ref: WR-78291,78292,78295,78296
Direct supervisor (Branch Manager K. Johnson) on approved PTO Mar 27-31
Source: UKG HRIS | Ref: PTO-2847
Accessed 12 member profiles in CRM at 10:14 PM — none tied to open service requests
Source: Salesforce CRM Audit | Ref: AUD-E9921..E9932
Two beneficiary accounts created same day as $85K and $92K transfers
Source: Symitar Core Banking | Ref: BEN-A1104,A1105
Employee overdue on annual BSA/AML compliance training (due Mar 15)
Source: UKG Learning Management | Ref: TRN-4421