For credit unions, dealing with fraud is not unlike giving a child the keys to the car for the first time. Both can be dangerous, stressful, and costly. And for both, it’s best to have a plan to minimize and manage risk.
“You have a lecture about driving under the influence, you have a lecture about wearing your seatbelt, you have a lecture about being alert and not using your cell phone,” says Mike Sacher, a CPA with more than 30 years experience working with credit unions. “You do all the things you can to minimize the risk, but you always live with it.”
But not all risks are justifiable; especially those that leave credit unions vulnerable to internal fraud, which can have harmful consequences.
In 2014, $28.6 million of the $30.4 million in losses to the National Credit Union Share Insurance Fund from the 12 credit union failures were related to internal fraud, according to a statistic from Mary Ann Woodson, the chief financial officer of the NCUA. Although this is not a large percentage of the overall NCUSIF portfolio, internal fraud exposes credit unions to several kinds of risk, among them financial and reputational. Fortunately, there are several responsive controls credit unions can use to mitigate the harm.
Financial And Reputational Risk
Internal fraud complicates credit union operations in two ways, Sacher says. The losses can affect the institution’s bottom line and can damage a credit union’s reputation; resulting, in some cases, in members departing the credit union.
In September 2014, a former executive with SchoolsFirst Federal Credit Union admitted to embezzling nearly $2.7 million throughout more than a decade. Although the California credit union says no members lost money and personal information was not compromised, the event was widely reported. Fortunately for the $10 billion institution, it suffered minimal financial risk from the losses and was able to manage the reputational risks.
At smaller institutions, however, the harm caused by an internal fraud of several million dollars could be the end of the game. The importance of fraud controls at these institutions cannot be overstated.
“It’s important that the small and medium-sized credit unions pay attention to fraud because they are more vulnerable,” Sacher says. “They have the fewest number of employees, the least amount of segregation of duties, and the most risk.”
Preventive And Detective Controls
Any size organization — whether credit union, bank, or Fortune 500 company — can use two basic, affordable mechanisms to battle internal fraud: preventive and detective controls.
“It doesn’t take huge resources to implement a reasonable level of control,” Sacher says.
Preventive controls combat fraud before it occurs by attempting to deter those who would commit these acts. Examples of preventive controls include installing video cameras in the teller areas and limiting employee authority or physical access to do harm, although Sacher concedes the latter is not a realistic way to run a business.
“You’ve got to give people authority to run the organization,” Sacher says.
Detective controls, on the other hand, attempt to limit exposure and uncover the perpetrator of a fraud. Well-designed detective controls should recognize bad things happen and timely detection helps a credit union deal with fraud before it gets out of hand, according to Sacher.
Petty cash processes showcase both controls at work. Access to petty cash allows secretaries and tellers at many credit unions to do their jobs effectively. Proper detective controls include keeping a list of employees with access to petty cash, asking employees to document petty cash withdrawals, counting petty cash at regular intervals, conducting surprise cash counts, and capturing behavior on cameras.
Controls that allow the institution to physically limit an employee's access to commit fraud.
Once fraud occurs, detective controls seek to limit losses and to uncover the problem.
Restricting employee computer system access; eliminating teller's access to petty cash.
Suprise cash counts; video camera in high-trafficked area; independently reviewing new loans and other sensitive transactions.
According to Sacher, internal fraud at credit unions is frequently the result of poorly designed preventive controls.
“Internal control systems have not kept pace with the advances in complexity of products and services,” Sacher says. “Now that we have these products and services, what are the internal risks that are present and how have we updated our internal control procedures to implement the right balance of preventive and detective controls?”
Developing Controls And Crafting A Response
Assessing risk is the first step in developing fraud controls. Credit unions of all sizes and risk appetite must identify the amount of potential losses required to pose a significant impact to the bottom line.
“Someone in the organization has to continually ask: What are the risks and how are we managing them? What is our appetite?” Sacher advises.
Sacher also suggests credit unions institute ongoing risk management, whereby an independent third party with governance awareness and technical training reviews decisions and records to assess weaknesses in processes and enterprise risk. Smaller credit unions might consider bringing in an outside processional once a year to jump-start this process, Sacher says.
Although it is impossible to completely prevent fraud, Sacher says credit unions can detect common examples of internal fraud — such as the origination of unauthorized loans or unauthorized share deposits — and mitigate losses if they have an appropriate segregation of duties that allows for the sufficient review of each approved loan prior to funding.
It's important that the small and medium-sized credit unions pay attention to fraud because they are more vulnerable. They have the fewest number of employees, the least amount of segregation of duties, and the most risk.
From there, preventive due diligence controls include reviewing for common fraudulent tactics. For phony loans, typically someone will change the payment due date to a future date so it will not come up in the internal system as delinquent. One way to prevent that from occurring is to have credit union employees look at files to see which loans are being advanced and which have gone delinquent.
“You’ve got to have someone involved in an independent review of sensitive transactions,” Sacher says.
If an employee discovers or suspects fraud, they need to inform the appropriate people in the organization. Depending on who might be involved, that person could be the CEO, the supervisory committee, an outside professional, or the credit union’s auditor.
As it’s often an emotional experience for employees, reporting on fraud can prove difficult. It can be helpful for credit unions to adopt an anonymous reporting mechanism, which has both preventive and detective benefits. If everyone knows the tool is in place, then the person who would otherwise commit a fraud might be less likely to do so. And if they do commit the fraud, chances are the credit union is going to uncover it in a timely manner. As an added benefit, anonymous reporting makes employees who would otherwise not report more comfortable doing so.
“You can’t change human behavior,” Sacher says. But credit unions can change the way they prepare for and respond to it.