On Compliance: Fraud Costs and Controls

Financial loss due to internal fraud continues to be a problem despite increased examiner focus on the issue in 2017. According to the National Credit Union Administration’s NCUA Report, from 2012 to September 2016, fraud-related losses cost the National Credit Union Share Insurance Fund $146.8 million. It is no surprise that internal controls and fraud prevention are among NCUA’s supervisory priorities for 2018. 

NCUA Prohibition Orders were issued in 11 of the 12 months of 2017, prohibiting 46 individuals across 24 states from participating in the affairs of any federally insured financial institution. These individuals pleaded guilty to such crimes as mail fraud, grand theft, misappropriation of funds, bank fraud, money laundering, racketeering and embezzlement.
    
The total restitution amount published in the prohibition orders for 2017 totaled $39,494,437.60. This amount is larger than the asset size of 2,344 of the 5,757 credit unions in the United States as of the third quarter of 2017, which represents just over 40 percent of the total number of credit unions, according to the Credit Union National Association’s “U.S. Credit Union Profile, Third Quarter 2017.”  

Internal fraud loss is not showing any signs of slowing down. In January 2018 alone, four individuals in four states received prohibition orders with a total restitution amount published totaling $1,067,595.82.

Why is internal fraud continuing to occur, despite well-publicized cases of prosecutions and lengthy prison sentences? The short answer? Opportunity due to weak internal controls. 

In its published supervisory priorities for 2018, NCUA states its examiners expect federal and federally insured credit unions to establish “a strong system of internal controls and a comprehensive approach to managing fraud risk. Examiners will continue to evaluate the adequacy of credit union internal controls, as well as overall efforts to prevent and detect fraud.” 
 
In practical terms, what does a strong system of internal controls look like? As the NCUA Report provides, some of the measures that should be taken to deter insider fraud include the following:

• requiring employees to sign a fraud policy annually;
• dual controls;
• computer access controls;
• reviews of file maintenance reports;
• cash counts;
• surprise audits; 
• measures that prevent employees from accessing family member accounts;
• performing background checks before hiring employees;
• conducting basic fraud awareness training;
• requiring mandatory vacations and having another employee perform the vacationing employee’s duties; and
• monitoring employees, including lifestyle and behavioral changes.

Understanding how fraudsters operate provides additional insight into the prevention and detection of internal fraud. For example, employees may engage in fraudulent transactions through dormant accounts changed to an “active” status unbeknownst to the real account holder. Fraudulent memberships are sometimes established in the names of family members, with loan proceeds deposited into the fictitious accounts later taken by the thief when the fraudulent loans for these “members” are approved. An effective internal control structure would also include a review of membership cards, loan files (including interest rates and terms that may be much more favorable than the rest of loans in the portfolio, exceptions, refinancings and extensions), dormant accounts, as well as other areas in which operational weaknesses have been exploited by actual fraudsters. 

It is a very positive sign that the regulator is taking notice and addressing this issue. However, due to the lengthy exam cycle by the time an examiner uncovers the abuse, it is often too late. NCUA advises credit union employees who suspect potential fraud or abuse to notify a supervisor, audit department and/or the examiner. Unfortunately, some credit unions do not have the appropriate staffing that engages in regular auditing, and often the best internal control structure on paper is ineffective when the fraud is being committed by the very leaders who are in charge of ensuring its success. 

Credit union staff are required to file mandatory Suspicious Activity Reports under the Bank Secrecy Act as appropriate. Whenever insider fraud is suspected (regardless of the amount), credit union staff also can report suspected fraud to NCUA’s toll-free fraud hotline at 800.827.9650. This hotline is available to report suspected fraudulent or illegal activity by credit union employees, officials and members in federally insured credit unions. All reports to the line are confidential. 

Many resources for learning more about internal fraud are available, including NCUA’s Office of Small Credit Union Initiatives’ (now the Office of Credit Union Resources and Expansion) eight-part YouTube video series on fraud prevention and “Internal Controls and Accounting Tips for Small Credit Unions” webinars and other training for boards of directors and supervisory committees available at http://go.usa.gov/xjskV.

Veronica Madsen is an associate attorney with Howard & Howard, Royal Oak, Mich., where she specializes in financial institution regulatory compliance. Licensed in the state of Michigan, Madsen received her J.D. from the University of Detroit Mercy School of Law and her B.S. from Central Michigan University. Before joining Howard & Howard, she served as the VP/compliance/chief compliance officer with an emerging fintech platform helping small and medium-sized businesses secure financing and working capital solutions. She also owned a compliance consulting company, ESTEE Compliance, LLC, that assisted credit unions with their regulatory compliance needs.