Throughout 2016, internal fraud cases have shocked and baffled many in the credit union industry, in part because the schemes went undetected for many years.

CU Times asked three fraud experts to review five of the most confounding cases and provide insights into what can be learned from them in an effort to help credit union executives spot red flags – and stop fraud before it's too late.

Can your cybersecurity strategy handle an attack? Do you have the latest tools and techniques to prevent fraud and data breaches? Get them and more at our FREE Second Annual Data Breach Defense Virtual Conference on September 7. Plus, you'll also learn the latest trends in cybersecurity including incident responses and be able to immediately download white papers, and so much more. Register for FREE Now!

Control Freaks

Donna Jennings, former president/CEO of the merged $12.2 million Winchester Community Federal Credit Union in Winchester, Va., is serving four and half years in federal prison for embezzling more than $1 million to buy real estate and pay $600,000 in credit card bills that resulted from a shopping obsession.

Over eight years, she bought designer shoes, purses, jewelry and beauty products from QVC TV. Thousands of boxes containing this merchandise filled a floor at her home. She also had products shipped to her office to hide her shopping addiction from her fiancé. UPS workers called her the QVC queen.

She raided teller cash drawers, created fake loans, made unauthorized financial transactions, posted false entries in WCFCU's accounting records and lied to NCUA examiners. Jennings also admitted in court documents that she used shares in her 81-year-old mother's account to secure 15 loan advances that totaled $248,000.

David Legge, president of the Manassa, Va.-based Legge Group, which investigates internal fraud cases for credit unions and other businesses, said if the credit union's supervisory committee had reviewed Jennings' transactions and the accounts of her relatives, this fraud would have been detected.

“She created fictitious transactions that were on the general ledger, and she corrected them by making miscellaneous journal entries where the entry ended up in her own account,” Legge said.

“Credit unions have gotten a lot more sophisticated over the last 20 or 25 years, and a lot of older board members have not kept pace with those changes. As a result, they are not fulfilling their fiduciary duties and they should resign. But I also understand that places some credit unions in a hard place because I know it's very difficult to recruit new board members.”

As a general rule, the supervisory committee should regularly review accounts of employees and their relatives, he said.

Even though Jennings acknowledged her shopping sprees were out of control, she also emphasized during her court-ordered psychological therapy sessions that she was a very controlling person.

Very controlling executives or employees, Legge said, could be a warning sign for board members and supervisory board members, especially if they never take time off.

“Every credit union should have a mandatory vacation policy for all employees,” he noted. “And you also should make sure someone is doing that person's job and not letting the work pile up.”

Someone else has to be doing their duties because it can uncover problems, he said.

Making Executive Excuses

Kathryn Sue Simmerman, the former manager of the $17.2 million Shoreline Federal Credit Union, was sentenced to six and a half years in federal prison in January for stealing nearly $2 million from the North Shore, Mich.-based cooperative over 17 years.

What stood out for internal fraud expert Christopher J. Pippett, a partner at law firm Fox Rothschild LLP in Exton, Pa., about this case was Simmerman made all kinds of excuses to the board about getting the credit union's community charter. Five years before the embezzlement was uncovered, the board voted to convert to a community charter to attract new members for growth.

“She would apply and then tell us either the NCUA lost the paperwork or we didn't have the correct form or some other reason,” Shoreline Board Member Eileen Porter wrote in her impact statement to the federal judge before Simmerman was sentenced.

When the board asks repeatedly for any type of information and an executive can't produce it, it's a serious warning sign that must be investigated, Pippett explained.

Simmerman also asked other employees to make large cash deposits for her, which was another red flag.

Because credit union employees were not allowed to deposit funds into their own accounts, Simmerman asked other employees to make the deposits for her. She explained the extra cash came from her husband working a lot of overtime.

When investigators asked employees, who were not involved in Simmerman's embezzlement, whether they thought it was strange or suspicious that their manager had been giving them so much cash to deposit, they said no. Employees said they had been making deposits for Simmerman for years, and that they trusted her and assumed there was nothing wrong with it.

“Typically, when I'm working with credit union clients or doing a seminar, every credit union has got to have some sort of whistleblower policy and procedure,” Pippett said. “If an employee sees something or is asked to do something that doesn't seem right, they may think about reporting it, but they also may think they can lose their job if they do, which is a natural reaction. If there is no place to report it, they may just turn a blind eye to it and start looking for a new job, or stay where they are and say nothing.”

The whistleblower procedure does not have to be a sophisticated system, Pippett noted. It could be something as simple as an email or phone number that can only be accessed by the supervisory committee chair.

Manipulating Internal Controls

Cheryl Vickers had been vice president of accounting and IT for years, and she used her inside knowledge of those systems to manipulate her credit union's internal controls and siphon more than $1.2 million from Houston Police Federal Credit Union more than 18 years.

Vickers stole funds from unclaimed checks and reissued them to pay her personal bills. She was sentenced to three years and four months in the federal pen in May.

Henry Wirz, retired president/CEO of the $2.4 billion SAFE Credit Union, who also worked as a CPA for six years before joining the Folsom, Calif.-based credit union, said almost every credit union has uncashed checks and a process to escheat them, according to laws in the state where the checks were issued.

“This kind of fraud is possible when segregation of duties is not strictly followed and when one person has control of the entire process,” Wirz said. “The key steps in the process include tracking checks, which have been uncashed, monitoring the list of those checks against the state's escheat timelines, canceling the checks and putting them into a payable account, drawing a check made payable to the state controller for escheated funds, having someone sign the checks and attest the checks and order to pay as agreed are valid, and finally, reconciling the account.”

He noted segregation of duties means various steps in this process are completed by different people.

The problem, however, is that credit unions with less than $100 million in assets have a very small staff and can't segregate duties. That's why small credit unions need an active supervisory committee and board to oversee the credit union's operations and offset the segregation of duties.

Unfortunately, Wirz noted, that is not happening at many small credit unions.

“The other control that is missing is the regulatory oversight,” Wirz said. “The NCUA doesn't have an exam that spends much time looking at internal controls, and they have a much less rigorous exam for those with less than $100 million in assets.”

Verifying Financial Reports

Theodore J. Longust, a former business relationship manager for the $1 billion Scott Credit Union in St. Edwardsville, Ill., pleaded guilty in May to a six-year multimillion dollar fraudulent loan scheme.

According to court documents, he was required to meet quarterly with Scott Credit Union President/CEO Frank A. Padak and Chief Lending Officer Craig Burkhard to review members who had loans of more than $500,000.

During the third quarter of 2014, for example, Longust submitted a false report to the top executives that misstated loan balances, omitted loan amounts and underreported loans of more than $12 million.

“He was obviously providing management with reports that weren't being generated from the credit union's computer system,” Legge said. “In one case I'm working on right now we found employees were manipulating reports to hide what was actually happening, and the board and upper management thought everything was fine.”

Executives should be wary of reports generated in Excel files that are not attached to the financial data from the credit union's IT system. They should always ask for the backup data that was used to generate the report.

“If they say well, I don't have it or something like that, you should investigate it immediately,” Legge said.

As a general good business practice, the executive team should consider regularly verifying the financials of internal reports against the financials that are posted within the credit union's IT system.

Trust, but Verify

Former CFO Michael A. LaJoice siphoned $18.6 million in a 13-year fraud scheme at the $68 million Clarkston Brandon Community Credit Union, which threw the Clarkston, Mich., cooperative into conservatorship and forced it to merge into the $3.2 billion Michigan State University Federal Credit Union of East Lansing in March.

Federal prosecutors said LaJoice stole more than $2.5 million by issuing cashier's checks from various credit union accounts without authorization. These checks were deposited in LaJoice's bank accounts at other financial institutions.

He also stole more than $16.1 million from Clarkston Brandon Community by conducting ACH withdrawals from the credit union to his personal accounts held at PayPal, Capital One Bank, TD Ameritrade and American Express. He set up ACH withdrawals to debit funds from the credit union's investment general ledger, which he was responsible for balancing.

LaJoice concealed his fraud by creating fictitious investments in certificates of deposits and bonds at the $2.7 billion Total Bank in Miami.

These fictitious investments were provided to auditors and state examiners to show that the credit union's books were balanced and avoid detection of the missing funds. The court documents, however, did not say if auditors and state examiners verified the existence of those CDs.

“Credit unions should have a policy by which they periodically and randomly verify the existence of CDs, whether it's through an auditor or someone in the credit union if it has that capability,” Pippett said. “Someone should be calling the banks to confirm they are holding the CDs in the name of the credit union and in what amounts. If you don't do that, this is the type of thing that can happen.”

Although credit unions may view the vast majority of their staff as honest people, it is important to always perform verifications even for the most trusted employees. In other words, trust but verify.

“When you become complacent and you stop paying attention is when you become a victim,” Pippett said. “That doesn't mean you have to have your people under 24-hour surveillance, but you need to regularly check and verify all of these things.”

Can your cybersecurity strategy handle an attack? Do you have the latest tools and techniques to prevent fraud and data breaches? Get them and more at our FREE Second Annual Data Breach Defense Virtual Conference on September 7. Plus, you'll also learn the latest trends in cybersecurity including incident responses and be able to immediately download white papers, and so much more. Register for FREE Now!