ST. PETERSBURG, Fla. – An employee approaching the celebration of her 10-year anniversary with PSCU Financial Services has confessed to helping defraud 66 PSCU member credit unions for $1.6 million over a few months earlier in 2003. The St. Petersburg, Florida, firm has 550 member credit unions that process their card transactions through First Data Corporation. PSCU will reimburse all of the credit unions entirely, even though its insurer has initially denied its first claim. “My board backed me up solidly on this,” said PSCU CEO David Serlo. “It was our mistake; we ought to pay for it.” The cooperative intends to fight its insurer, AIG, on the issue, and Serlo said that PSCU has adequate reserves to cover the loss. He anticipated the credit unions will be completely reimbursed before the end of November. The fraud was of the identity hijacking type. The PSCU employee conveyed the card and identity information for a total of 184 accounts, obtained at work, to the ring. The theft organization then contacted PSCU, claimed to be the cardholder and changed the accounts’ addresses, claiming to have moved. The thieves then tried to get PSCU to issue new plastic for the accounts. This generally failed since PSCU has an overall rule which prevents new credit cards being issued to accounts which have changed their address in the last 45 days. But the thieves also approached the card issuing credit unions and the credit unions themselves were the ones to issue the new cards to the fraudulent addresses. “I think some of the very things that make credit unions as successful as they are also make them vulnerable,” Serlo said. “I think that credit unions can get so caught up in making sure that every member has a quality service experience in every call that some might have neglected their card security procedures,” Serlo said. The fraud was detected by Postal authorities, in whose jurisdiction this sort of fraud falls, when they began to get fraud reports from credit unions. After six credit unions which were PSCU members stepped forward with fraud complaints, authorities came to see him, Serlo explained. “I had to be 300% sure it was one of ours,” Serlo said, explaining that immediately PSCU hired anti-fraud professionals to help detect the problem and software to help keep better track of which employee did what on the PSCU system. Through a combination of the professional’s expertise and the software, Serlo explained, they were able to narrow the field of possible suspects. The employee confessed as soon as authorities confronted her, Serlo said, and has been cooperating with authorities. Altogether 96 credit unions had had accounts compromised by the fraud scheme. Thirty of the credit unions suffered no losses at all, and 30 others had losses of less than $10,000, Serlo explained. “It came like a punch in the gut,” Serlo said of when he was informed of the most likely suspected employee. “I had just signed the certificate congratulating her and celebrating her 10 year anniversary with us.” Serlo said that nothing about the employee’s history with the firm had given any signal that she might be susceptible to this kind of theft. Speaking about the situation to other PSCU staff on November 14, Serlo reiterated that if they were having any sorts of financial or personal trouble in their personal lives, or if something had not been going well at work, they should approach him or someone else in the cooperative to help resolve it. “We have a top-notch HR staff that has been trained to help in many situations,” Serlo said. PSCU has declined to reveal the employee’s name and said only that she had been working in the cooperative’s contact center. Other employees were very surprised and some a little shocked to find about the situation, according to Merry Pateuk, spokeswoman for the cooperative. The organization already screens job applicants’ backgrounds, Pateuk said, but in a situation like this nothing in the employee’s background indicated any vulnerability. Serlo said that PSCU has not been given a copy of the woman’s statement and has no direct knowledge about why she might have sold the information she did. All PSCU had been told, Serlo said, was the ring had not made the woman rich for her cooperation. “As far as I have been told, they just gave her crumbs compared to what the ringleaders were making,” he said. “And now she has gone and ruined her reputation and is facing time in a federal prison, because this is a federal crime,” Serlo added. PSCU said that it is putting into place various procedural, educational and technologic approaches to guard against this from happening again in the future. The approach the cooperative is taking is akin to the one taken by the Tylenol manufacturer after its landmark product tampering challenge, Serlo explained. “We are taking responsibility for what happened and putting into place procedures to try to keep it from happening again,” he said. First, the firm is putting procedures into place which will generate letters sent to both the old and new address whenever new plastic is issued to a new address, whether or not PSCU plays a role in issuing the new card. “We want a cardholder to be able to get a letter than says `if you have not recently moved to Miami, call this hotline immediately’,” Serlo said. Second, PSCU is leaving in place the software it used to track employee activity in its system when investigating the fraud. The cooperative will also point that software at First Data and will make it available to its member credit unions as well. “After all, it was our turn to have a dishonest employee,” Serlo said. “Next time it could be a credit union’s turn to have one.” Third, PSCU is making “summits” on fraud prevention available to its member credit unions as well as other credit unions. “It’s our position that this is not just our problem, but an entire credit union card industry problem,” Serlo said. “We believe education will play a key part in prevention.” -