Articles on fraud prevention have been on my mind for a while. Every time a mention of another credit union fraud is published or a national study on fraud is released, it raises the issue again. Over the past few years, the expansion of the philosophy of the need for risk assessments as an analytical tool continues to increase, especially for financial institutions. Annual risk assessments are now required for Bank Secrecy Act and Automated Clearing House procedures. The NCUA's examination procedures require time for analyzing and assessing transaction risk, credit risk, interest rate risk, compliance risk and reputation risk. Then within smaller breakout areas, such as investments and lending, you have diversification, pricing, default, liquidity and Asset Liability Management matching risks, and risk-based lending and concentration risk to name a few. With all the risk analysis being performed, why not a strong analysis of fraud risk?

In discussions with directors of the Office of Small Credit Union Initiatives at the NCUA, it has been stated that one of the leading causes of liquidation of small credit unions is fraud. Current NCUA Board Member Mark McWatters earlier this year has stated that agency data showed approximately 58% of share insurance fraud losses over the past five years were attributable to fraud. NCUA CFO Mary Ann Woodson indicated that for 2014, this figure was 94%. Michael E. Fryzel, former NCUA chairman, has questioned why more is not being done in this area. The NCUA has added procedures for fraud into the examination scope for small credit unions, which may help if the red flags identified are properly investigated and or addressed.

In the most recent 2014 Association of Certified Fraud Examiners annual “Report to the Nation on Occupational Fraud and Abuse,” losses due to fraud for all businesses were estimated to be 5% of gross revenue. Carried to the bottom line, this would cause most credit unions to operate at a loss. Financial institutions once again lead the way with the highest number of cases. This could be somewhat skewed because of the regulatory requirements to file Suspicious Activity Reports that other industries do not have regulations for. The number of SARs filed on employees of credit unions continues to increase at alarming rates.

Some may argue that these observations appear to be a small credit union problem, because, one, they do not have the human and technical resources or quality of personnel to establish effective internal controls; two, are more susceptible to management override due to a lack of adequate segregation of duties and or controls; three, do not have an internal audit function and use less qualified individuals to perform audits or agreed-upon procedure exams; and four, do not have board of directors and supervisory committee members who recognize the potential higher risk of fraud in their credit union. We can argue what the asset cut-off size a small credit union should be, but for the purpose of this article we will use the new NCUA figure of $100 million.

To provide a frame of reference, an analysis was prepared on all the articles on embezzlement and fraud that have been published in CU Times over the past 15 months. To this figure, bond claims that I have filed for credit unions that never made the press or are currently being handled by the FBI were added. The sorting and analysis of this information has provided some surprising, but not necessarily unexpected results. This selection process provided a total of 63 credit unions; 16 were more than $100 million in assets and 47 were under. The total losses were estimated to be $181.7 million, ranging from a low of $25,000 to $25.3 million, with 22, or more than one-third, exceeding $1 million. The breakout for small credit unions was $143.8 million for an average of $3.1 million, and $37.9 million for large credit unions with the average being $2.4 million. The average length of time that the embezzlement took place before being discovered, was 5.75 years for small credit unions and 4.50 years for large credit unions. You would think that in the small credit unions, that length of time for the fraud to be ongoing would be higher but the loss amount would be lower. These averages were somewhat similar. However, the most telling result was that for the larger credit unions, zero were merged or liquidated. For 21 or 45% of the smaller credit unions, the fraud resulted in the elimination of the credit union through either liquidation or a merger. While the impact for a smaller credit union is more devastating, this is not just a small credit union problem. It also points out that if red flags are identified, they are being ignored.

Even if the NCUA should not require credit unions to perform this assessment, it would be hard for a supervisory committee to justify not including this review as part of their internal audit procedures, or at a minimum as a topic added for discussion at a committee meeting. The committee could have a brainstorming session to identify fraud risks. If an internal audit function is in place, it might pose the following questions:

1. What fraud risks are being monitored by the internal audit team? How were these risks determined? What is the policy for the continuous auditing of these credit/lending and fraud risks?

2. What specific procedures does the internal audit perform to address management override of internal controls? Does this include looking at internal security policies to look at separation of duties, access controls and authorization controls?

3. Has anything occurred that would lead internal audit to change its assessment of the risk of management override of internal controls?

4. Is anything done for additional monitoring when an employee appears to be living beyond their means, exhibits financial difficulties, or does not take appropriate vacations?

5. Is appropriate screening of staff occurring prior to be hired? Are insurance bond ability checks and fingerprinting taking place?

The committee could look into the three elements of the fraud triangle: Incentives/pressure to commit fraud, opportunities and attitudes/rationalizations, and determine where their credit union stands.

Fraud triangle checklists are available, which can be tailored to the credit union industry to consider: Incentives or pressures on management within their job, opportunities that staff and or management can exploit, and attitudes or rationalizations exhibited by management.

For more on the fraud triangle, see this short video. Pages 7-5 of the NCUA Examiners Guide also has a list of fraud red flags as they relate to management, which can be reviewed as another aide. Examiners also have a short red flags checklist.

Checklists are also available from the Federal Financial Institutions Examination Council, Association of Certified Fraud Examiners and American College of Forensic Examiners Institute. While none of these checklists are banking or credit union specific or directly related to a fraud risk assessment, they could be adapted with the assistance of a forensic specialist.

One process or procedure will not fit all credit unions, as the internal control system and overall credit union philosophy will differ. A member of the supervisory committee or an outside professional versed in these procedures would be recommended for the initial assessment. Fraud prevention is an ongoing, dynamic progress that will require continuous evaluation and improvement. If you do not proactively identify and manage your fraud risks, would your credit union be able to absorb the fallout? If management does not agree or does not see the need for a fraud risk assessment, does this not by itself raise a red flag?

David Legge is president/CEO at Legge Group. He can be reached at 703-257-1364 or [email protected]. Check out part two of his series on internal fraud, “Tools for Preventing Internal Fraud,” in the July 29, 2015 issue of CU Times.

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.