Corporate credit cards: All of these credit unions let members of upper management have a corporate credit card. They also permitted personal transactions to occur on the cards. In a couple of the credit unions, they even had a policy covering personal use. But in all cases, the person misusing the card was also the person responsible for handling and recording the repayments made. Receivable accounts were not set up for these “borrowings” and there was no supervisory committee or treasurer review of the statements and original charge slips. If repayments were being made by payroll deduction, the amount being deducted approximated 20% or less of the average monthly charge. In one credit union, the supervisory committee did review the statement and identified the charges to be repaid, but there was no follow-up to see if these payments actually occurred. In all five credit unions, the misuse of the corporate card was the first area in which improper activity occurred. When no action was taken to curb this, each individual then branched out to other areas to obtain funds.

Employee accounts: Almost all credit unions let employees have an account at the credit union. This by itself is not a problem. Almost all data processing systems have flags that can be set to prevent an employee from performing a transaction on their account. However, for smaller credit unions, most of upper management has the override privileges to negate this control. If an override is used, it is always captured on a control report. In these credit unions, no one was reviewing the override report, and/or the override report was not being printed or stored in optical.

However, the override reports were not the only affected area – no one was looking at the actual statement of employee account history or at other related accounts for family members. In most of these credit unions, just looking at the statement should have raised concerns. Accounts were permitted to go negative, no fees were being charged on accounts, loan due dates were being bumped, twice-a-week ATM withdrawals from the ATM at a casino or another inappropriate location had been occurring, loan payments were being reversed, share drafts were being posted without check or reference numbers, and transfers of funds from inactive accounts were completed using overrides, just to name a few of the incidents observed in the employee's account. Most of this activity had been going on for years with no discovery or investigation.

Reconciliations of bank accounts and/or corporate federal credit union accounts: In most cases the person maintaining the accounting records was also doing the reconciliation. There was no independent verification. Unfortunately, this also included the examiners and individuals performing the agreed upon procedures. The outstanding check list did not add up. Items listed as deposits in transit were false, and false miscellaneous adjustments were listed. When the “balancing” errors were becoming too voluminous, they were removed from the reconciliation to a suspense account. No reconciliations were being prepared on the suspense accounts. One AUP report in which the suspense account had a $400,000 balance did indicate an account that was not being reconciled. However, this auditor and the supervisory committee did not conduct further follow-up to this comment.

Aires Download. The NCUA requires all federal credit union data processing systems to have the ability to generate an Aires download of member share and loan data in a format prescribed by the NCUA. Obtaining this download and then sorting the data according to various fraud routines provides very interesting results. For the credit unions discussed in this article, it resulted in easy identification of loans made outside of policy, loan accounts being manipulated, and share accounts with high activity traits outside of what normally would be expected.

Call report information: This procedure is not as good for catching fraud that has just begun, but it can provide additional areas of review for fraud that has been going on for a period of time. It has been my experience that individuals committing fraud or embezzlement realize that they cannot continue to do the same thing without being discovered. For fraud that has been going on for a number of years, the pattern and areas of activity frequently change. Once again, the NCUA has created a tool available to anyone, which can be used for analysis of any credit union. Once the quarterly call report information has been inputted, the financial performance reports become available for review on the NCUA's website. These reports have two components: Financial Summary and Ratio Analysis, which provide informational comparisons of quarterly data. In all five of these recent cases, review of these reports identified a change in ratios and/or balances in the financial summary that did not make sense from a normal credit union operation standpoint. Researching these questions either provided additional supportive information, or led to identification of a new area of fraudulent activity.

Finally, if your credit union is not going to perform an annual fraud assessment, or incorporate some of the procedures recommended above in your control process, then your management should not add to your losses. Management should ensure they understand coverage sub-limits, read the definitions and exclusions, and have the maximum coverage amount of audit claims covered on your bond. Locating and determining the amount, the various schemes used, and then preparing the documentation for the bonding company to pay the claim will cost more when the period of time covered is more extensive. You also want to make sure that the job of prosecution by the FBI or other jurisdictions are made easier. The bonding company will be much more willing to pay your claim if they know the FBI is readily willing to take on your case and pursue prosecution. It has been my experience, that in spite of their already heavy workload, if you provide the FBI a solid, detailed package to work from, they will diligently pursue prosecution and attempt to assist in recovering any available assets.

David Legge is president/CEO at Legge Group. He can be reached at 703-257-1364 or [email protected].