Internal Fraud Prevention Is a Team Effort
A CU’s program for deterrence and detection of fraud should involve all members of the board, executive management and virtually every employee.
With the incidences and dollar amounts of internal fraud at credit unions continuing to increase, efforts to detect and deter fraud should be an enterprise-wide effort at your credit union. Too often this is thought of as a function of risk management and/or security. While that is obviously correct, the credit union’s program for deterrence and detection of fraud should involve all members of the board, executive management and virtually every employee of the credit union.
The development of an anti-fraud culture starts with the board of directors. The board must develop a strict no-tolerance policy for fraud or any type of dishonesty at the credit union. Frequently, these policies are titled “Ethics” or “Anti-Fraud” policies. My preference is to fashion it as an “Ethics Policy” because, in addition to addressing theft or other criminal activity, the policy should engender honesty in every aspect of the credit union’s business and leave each person reviewing it with the clear understanding that deviations from the policy will not be tolerated. The policy needs to be communicated to executive management who must then be charged with communicating the policy to rank and file employees, as well as enforcing the policy according to its terms. Regular reports of those efforts should be communicated to the board of directors and supervisory committee. This policy should be reviewed and acknowledged, in writing, annually by each employee (including executive management), as well as members of the supervisory committee and board of directors.
An integral part of an Ethics Policy is an effectively communicated Whistleblower Policy. I’m still amazed at the number of credit unions that do not have a formal Whistleblower Policy in effect. Without somewhere or someone to report suspected fraud, an Ethics Policy may be worthless. Even with the technology available today, such a policy can be as simple as providing employees and others at the credit union with a toll-free telephone number that is connected to a voicemail box that can only be accessed by the chair of the supervisory committee. With that as a baseline, a credit union can develop and implement a more detailed Whistleblower Policy to suit its particular needs. Like the Ethics Policy, this needs to be communicated clearly and regularly to all employees (including executive management), as well as members of the supervisory committee and board of directors.
With these two policies in place, the practical steps a credit union can take to detect and deter fraud require the establishment of strong internal controls and procedures directed at the areas of the credit union that tend to present risk for internal fraud. These will vary depending on the size and complexity of your credit union but should be based upon a risk assessment for your individual credit union operations, as well as the functions of its employees. These policies and procedures should include:
- Dual controls for important functions such as loan origination and loan disbursement, and purchasing and accounts payable;
- Appropriate system access controls, which should be reviewed for violations regularly;
- Random/surprise verification of cash in teller drawers as well as vaults;
- Random/surprise review of employee and family member accounts for unusual activity or violation of established controls;
- Verification of loans;
- Verification of purchasing and vendor relations;
- Regular training for employees, the board of directors and the supervisory committee;
- Mandatory employee vacation;
- Rotation of branch managers, tellers and loan officers;
- Rotation of external auditors; and
- Review of loan losses for patterns (e.g., loan officers, appraisers, brokers).
Keep in mind that just putting these policies and procedures in place is not enough. Complacency is fraud’s best partner. It provides the opportunity for someone with the motive to take advantage of lax implementation and enforcement of these policies and procedures. They must be reviewed at least annually (that’s an NCUA requirement), but should be regularly reviewed and adjusted as your credit union grows or changes its operations and/or personnel. They should also regularly be reinforced in the minds of all employees. Your employees are the so-called “boots on the ground” who may have the first opportunity to observe bad behavior, report it and hopefully stop it early in the process.
Some of the “red flags” that employees or executive management should be looking for are:
- Changes in individual behavior: The onset of erratic behavior can often be a precursor to bad behavior.
- Changes in lifestyle: Does the person appear to live beyond his/her means?
- Changes in performance or reviews: This can be a sign that the person has taken a different attitude toward the credit union.
- Problems at home or outside of workplace: These can sometimes lead to financial stress, which can lead to an inclination to commit fraud.
- Unusual control needs/refusal to take vacation or let others help: This can be an indication that the person is attempting to conceal something and is the best reason for mandatory vacation.
- Repeated failure to provide requested information.
- Unusual access in terms of frequency or time periods to premises, systems, accounts or equipment.
- Financial problems: Garnishments, excessive number or amounts of loans, etc.
Employees should be aware of these red flags and know the proper person at the credit union to whom they should be reported. It is important to understand that while the presence of any one or more of the above circumstances is not necessarily evidence of fraud, it can be a warning sign that the credit union may want to focus its attention on that particular employee’s functions and activities for two very important reasons. The first obviously is to detect and deter fraud. The second and equally important reason is that this focus can potentially provide the opportunity for assistance to an employee who has no inclination to commit fraud, but may just be on the verge of crisis. It is therefore important to involve HR in this process early on in addition to IT and/or security.
Effective internal fraud prevention is an effort that must involve all aspects and employees of the credit union. A culture of honesty in every aspect of the credit union’s business must start at the top, with the board of directors and supervisory committee. It must be implemented and carried out to some extent by executive management and every employee of the credit union, all of whom, together with the board and supervisory committee, should be regularly trained in their respective duties and responsibilities in protecting the credit union from internal fraud. The efforts of this collective team are the best resource in this important area of risk management.
Christopher J. Pippett is a partner at Fox Rothschild LLP in Exton, Pa.