The last five embezzlement reviews I have performed all had similar characteristics. The embezzlement had been going on for years, but was not detected. I was asked to assist in a review for what examiners thought were some minor irregularities. All the credit unions had been examined by federal and/or state examiners at least three times, and contracted individuals performed agreed upon procedure exams at least twice or three times. Some of the credit unions were getting their AUP exam every 18 months. All of the resulting bond claims filed were in the six figures. When we started, we were told there might be a little problem. Two of the claims exceeded the credit union's bond coverage limits. But the similar characteristic they all had, was that there were fraud warning signs in a lot of different areas that were ignored, not followed up on or not discovered.
In all of these cases, if some basic minimum procedures had been performed by the supervisory committee, treasurer of the board, or some responsible individual at each credit union, these activities would have been caught early on. For the credit unions that had to be merged, these procedures may have saved the credit union and its members from their merger fate. In most credit unions, some of the procedures discussed below are being handled by the internal auditor or a contracted individual. The definition of a small credit union has been increased to $100 million in assets, and these comments are geared toward the small credit union audience. However, they should be considered for inclusion in every credit union's control procedures.
Small credit unions for many reasons do not have the benefit of an internal control framework. Because of their lack of controls, or controls that can be easily overridden, the need for an independent set of eyes by default gets delegated to the supervisory committee. This oversight function is extremely important and must be diligently performed.
Some of the warning signs that were ignored, and could have led to the fraud being quickly discovered if it they had been monitored, are discussed below:
Corporate credit cards: All of these credit unions let members of upper management have a corporate credit card. They also permitted personal transactions to occur on the cards. In a couple of the credit unions, they even had a policy covering personal use. But in all cases, the person misusing the card was also the person responsible for handling and recording the repayments made. Receivable accounts were not set up for these “borrowings” and there was no supervisory committee or treasurer review of the statements and original charge slips. If repayments were being made by payroll deduction, the amount being deducted approximated 20% or less of the average monthly charge. In one credit union, the supervisory committee did review the statement and identified the charges to be repaid, but there was no follow-up to see if these payments actually occurred. In all five credit unions, the misuse of the corporate card was the first area in which improper activity occurred. When no action was taken to curb this, each individual then branched out to other areas to obtain funds.
Employee accounts: Almost all credit unions let employees have an account at the credit union. This by itself is not a problem. Almost all data processing systems have flags that can be set to prevent an employee from performing a transaction on their account. However, for smaller credit unions, most of upper management has the override privileges to negate this control. If an override is used, it is always captured on a control report. In these credit unions, no one was reviewing the override report, and/or the override report was not being printed or stored in optical.
However, the override reports were not the only affected area – no one was looking at the actual statement of employee account history or at other related accounts for family members. In most of these credit unions, just looking at the statement should have raised concerns. Accounts were permitted to go negative, no fees were being charged on accounts, loan due dates were being bumped, twice-a-week ATM withdrawals from the ATM at a casino or another inappropriate location had been occurring, loan payments were being reversed, share drafts were being posted without check or reference numbers, and transfers of funds from inactive accounts were completed using overrides, just to name a few of the incidents observed in the employee's account. Most of this activity had been going on for years with no discovery or investigation.
Reconciliations of bank accounts and/or corporate federal credit union accounts: In most cases the person maintaining the accounting records was also doing the reconciliation. There was no independent verification. Unfortunately, this also included the examiners and individuals performing the agreed upon procedures. The outstanding check list did not add up. Items listed as deposits in transit were false, and false miscellaneous adjustments were listed. When the “balancing” errors were becoming too voluminous, they were removed from the reconciliation to a suspense account. No reconciliations were being prepared on the suspense accounts. One AUP report in which the suspense account had a $400,000 balance did indicate an account that was not being reconciled. However, this auditor and the supervisory committee did not conduct further follow-up to this comment.
Aires Download. The NCUA requires all federal credit union data processing systems to have the ability to generate an Aires download of member share and loan data in a format prescribed by the NCUA. Obtaining this download and then sorting the data according to various fraud routines provides very interesting results. For the credit unions discussed in this article, it resulted in easy identification of loans made outside of policy, loan accounts being manipulated, and share accounts with high activity traits outside of what normally would be expected.
Call report information: This procedure is not as good for catching fraud that has just begun, but it can provide additional areas of review for fraud that has been going on for a period of time. It has been my experience that individuals committing fraud or embezzlement realize that they cannot continue to do the same thing without being discovered. For fraud that has been going on for a number of years, the pattern and areas of activity frequently change. Once again, the NCUA has created a tool available to anyone, which can be used for analysis of any credit union. Once the quarterly call report information has been inputted, the financial performance reports become available for review on the NCUA's website. These reports have two components: Financial Summary and Ratio Analysis, which provide informational comparisons of quarterly data. In all five of these recent cases, review of these reports identified a change in ratios and/or balances in the financial summary that did not make sense from a normal credit union operation standpoint. Researching these questions either provided additional supportive information, or led to identification of a new area of fraudulent activity.
Finally, if your credit union is not going to perform an annual fraud assessment, or incorporate some of the procedures recommended above in your control process, then your management should not add to your losses. Management should ensure they understand coverage sub-limits, read the definitions and exclusions, and have the maximum coverage amount of audit claims covered on your bond. Locating and determining the amount, the various schemes used, and then preparing the documentation for the bonding company to pay the claim will cost more when the period of time covered is more extensive. You also want to make sure that the job of prosecution by the FBI or other jurisdictions are made easier. The bonding company will be much more willing to pay your claim if they know the FBI is readily willing to take on your case and pursue prosecution. It has been my experience, that in spite of their already heavy workload, if you provide the FBI a solid, detailed package to work from, they will diligently pursue prosecution and attempt to assist in recovering any available assets.
David Legge is president/CEO at Legge Group. He can be reached at 703-257-1364 or [email protected].
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.