Internal policies provide guidance, consistency and an important layer of protection.

"It's key that if you were going to terminate somebody for this, you terminate them on a violation of a policy as opposed to, 'You committed theft,'" Veronica Madsen, CEO of the Royal Oak, Mich.-based ESTEE Compliance, noted. That could help avoid opening the credit union up to a potential defamation or wrongful termination claim, she said.

Some of the most important elements of an anti-fraud policy are details about what constitutes fraudulent activity in the first place.

"Me having a person log me in when I was in fact sick – does my policy make it clear that that is the same as pulling $5 out of the till and making a fictitious loan or things like that?" David Reed, an attorney at the Arlington, Va.-based Reed & Jolly PLLC, which specializes in credit union law, asked. "It needs to clearly indicate that that's what it is, and everybody needs to be given a copy of the policy and sign the policy."

It's also important to explain what's expected when employees witness or suspect internal fraud. "Your policy should clearly indicate that it's the obligation of everybody in our credit union that if they know something's going on, they have an obligation to tell," Reed said.

Madsen added that a non-retaliation clause can mitigate employee fears of termination or discipline if they in good faith say they believe somebody committed fraud.

Interview

One of the first things to do when someone reports internal fraud is to meet with the suspected wrongdoer, Reed said.

"You give them an opportunity to come clean," he said. "Now, don't make them any promises. Don't say, 'If you tell us what happened, we're going to ignore this.' You want them as quickly as possible to try to give you as much information as they can quite literally before they lawyer up, and we're not going to lie to them." No yelling or name-calling either, he added.

"Not to get all Joe Friday on it, but there should be a methodology of saying, 'Tell me what happened here. Just tell me what happened,'" he said. "Then also, 'Tell me, have you done it before?'" Also ask who else was involved, aware or helping, he noted.

"Certainly you're going to want to consult with an employment lawyer to make sure that you're not making allegations that are unsubstantiated, first of all," Madsen cautioned. "You have to be sensitive to that. It's always important to confer with counsel just to make sure you're not violating somebody's rights and getting yourself into legal trouble as a result."

Have a witness in the room, Reed said, and record the conversation if possible, but verify that it's legal to do so in your state.

"I would love to have them write down as much as they can and sign it," he added. "I will probably never have another chance to get their full story."

Investigate

Putting an employee suspected of wrongdoing back to work is often out of the question.

"Under most scenarios, the safest thing to do is that you put them on paid administrative leave," Reed said.

The credit union's policy should detail how that works, particularly regarding whether the employee can come on the property, access accounts, use passwords or associate with other employees during the investigation, he noted.

"Now I'm going to start looking," Reed explained. "I'm going to pull up their audits. I'm going to pull up their work papers. I'm going to pull up their file maintenance. I'm going to do anything I can very quickly to find out who else may have been involved."

Bringing in a third-party auditor is an option, Madsen said; following the methodology required for filing a bonding claim or a Suspicious Activity Report are also options.

Reed said the results are often like book reports.

"You just lay it out," he said. "What proves it? Is there film? Are there audit results? Is there a confession or statement? You do a narrative. And here's a big hint: I've done some work with law enforcement. They like a narrative in chronological order."

Report, recover and prosecute

Credit unions have 30 days to file a Suspicious Activity Report with FinCEN once they've completed an investigation, but many hesitate because they don't want to "rat out" people, Madsen said. Avoiding embarrassment is also a motivator, Reed added.

"Some people really have a negative view, and I don't disagree with them; it is somewhat Big Brother-ish, and you are making allegations a lot of times that may not be true," Madsen added. "But it's just based on the facts that you have, so there's just, I think, a reluctance to sometimes file a SAR."

But SARs have to be filed, she said. "If you were to report it to law enforcement or the NCUA, of course, they're going to find out about it. They're going to know you didn't file a SAR, so there really is no way around that."

Filing a bonding claim is often next, but don't wait too long, Madsen noted.

"The earlier you can notify the bond carrier that there may be a potential situation, the better off you're going to be," she said. "They may actually have steps that they want the credit union to follow. They may have third parties that they use. The investigative process may be driven by the bond carrier, but the sooner that you know that there is a potential claim, you need to notify them."

Local prosecutors often handle the cases, Reed noted. Sometimes they don't know what embezzlement is, what constitutes theft from a federally insured institution or how to identify fictitious loans, he noted.

That may be one reason why credit unions make what Reed said is one of the most common mistakes with internal fraud: They just fire the person or give them the opportunity to resign and then take no further action.

"The credit union says, 'All right, we've gotten rid of the problem. We're going to go in and modify policies, procedures, dual controls; we're going to slap the hands of supervisors that didn't catch this, but we've let go of the bad person,'" he said. "Now what's going to happen is they didn't file a bond claim, they didn't prosecute, and everybody is so paranoid, somewhat rightfully so because of litigation risk."

But there are risks to not reporting or prosecuting. Employees might notify regulators, for example.

"That's how a lot of things are discovered – you have somebody inside that ends up blowing the whistle," Reed noted.

It also could invite more fraud.

"I think no one wants to believe that their employees would steal," Madsen explained. "No one wants to admit to maybe having bad judgment of character or making bad hiring decisions. But if you allow that, if you have a culture that doesn't take ethics seriously, if you don't have an anti-fraud policy, if you don't train credit unions, if you don't recognize the motives, if you don't recognize the signs, it's just allowed to happen."

Also, other credit unions might hire the employee, which Reed said is like sending pollution downstream.

"You owe it to your members," he said about the importance of reporting and prosecuting. "You owe it to everybody else in this industry to do it. If they've done it once, they're going to do it again."