[batmenace]

At the very least they should be aware enough of potential wrongdoing to raise questions, and do so in written form. When you write exceptions that specifically only benefit one party and no others, there is always a reason to at least be suspicious.

[cookingmyserver]

What I’m struggling with is that what was done is not illegal in its self. It’s not necessarily suspicious in itself (from the perspective of a single dev working on tasks), unless you assume fraud. Of course we know fraud occurred so we can look back on it and have our perception of the request tainted.

If my boss came to me and said, “continue showing customer funds sent to our “sister” investment company in the staff dashboards” I wouldn’t find that suspicious. I would probably push back and say that might be confusing unless we separate out that amount and rename the total to something that denotes part of this value is with our sister company. But I would assume design incompetence and not fraud.

But then again if I was just one of a handful of devs that worked with the company I would probably find it suspicious, as I would confidently know that nowhere else in the codebase do we support a close integration with our sister investment company and should therefore know we shouldn’t treat them any differently.

Also the modification to exempt the investment company from risk rules does seem suspicious, unless again you believed there was an integration somewhere and believed investment risk mitigation rules were handled on the other platform or something.