Industry expert discusses how credit unions can support investigations while protecting member information.
CUES member David Stephen Baker, operations & security manager for $700 million Connex Credit Union, North Haven, Connecticut, shares his thoughts on how credit unions can best support fraud investigations while still complying with the rules protecting members’ private information.
Q: What information can CUs share when it comes to fraud prevention?
In an ideal world, CUs could freely communicate with each other to prevent potential losses. However, a list of legal restrictions—such as the Gramm-Leach-Bliley Act and contractual obligations with card industry vendors—protects members’ private information from being shared without their consent or a warrant issued by the government in support of the administration of justice.
Q: What if organizations ask for information that could be considered “private”?
The fraud prevention information that CUs share amongst themselves, either directly or through a common vendor, is typically high level and couldn’t be used to identify a specific member. For example, a CU might share its observation that a known fraud technique is making a comeback—or that it thinks it has spotted a new scheme being perpetrated in the marketplace. In contrast, law enforcement agencies may request specific information about a particular member or members. And that’s where credit unions need to be especially knowledgeable and cautious.
“Sharing comes with certain risks, such as breaking regulations/policy, reputation risk and frivolous litigation risk,” Baker says. “Each institution should determine the level of risk it is willing to accept. Communicating … information (related to fraud investigation) should include a minimal sharing of details.”
Q: How does Connex CU respond to requests from law enforcement?
“We have specific employees who can communicate about fraud,” Baker says. When law enforcement agents call, “these individuals can always safely say, ‘Tell me what you think happened, and I’ll tell you if you should get a warrant and can start getting information compiled and retained for you.’” Connex CU employees will rarely begin the process of releasing member information without first having several people review the details and reach a consensus about what should be done before they relay that information to an executive, he adds.
“If law enforcement requires information to hold a suspect and is willing to send an email that dictates some type of emergency, we will share enough redacted information to hold a suspect and convince a judge to request more information through the proper channels,” he continues. “When another financial institution or the police department calls because one of our members may have done something unscrupulous and there is reasonable doubt, we can either tell them that, based on the information they’ve provided, obtaining a warrant would be the best next step, or let them know that there’s nothing available to help them.
“We typically verify or deny extremely detailed queries or accusations about members’ activities,” Baker says. “But this only occurs after extensive verifications of the inquiry’s source, and we receive detailed information on the incident.”
Q: What are some best practices for deciding whether a request for information is on the up and up?
“At Connex, we’re far more receptive to organizations calling with verifiable International Association of Financial Crimes Investigators credentials,” explains Baker. IAFCI members include retail loss prevention and financial organizations, fraud investigators, and members of federal, state and local law enforcement agencies. They are specifically trained in financial industry fraud and the information-sharing guidelines. They are fully experienced in what can be communicated and the limitations of sharing before a warrant is required.
Baker suggests joining IAFCI. “It is an amazing group of industry leaders who understand your limits (as a credit union) and can assist with identifying flexibility in the law on specific situations.”
Baker also notes that Connex CU prioritizes information-sharing in cases with a high degree of certainty a crime has occurred, causing a loss.
Q: What other tips do you have for doing a good job with all of this?
To effectively fight fraud, Baker suggests partnering with a much larger financial institution. For example, Connex CU has a good fraud-prevention relationship with a large regional institution.
“Things show up on our screens long before they hit the radar at a larger institution,” he says. “Larger institutions, meanwhile, have the resources to lean on officials and the payment card industry.”
Also, consider forming a weekly review committee for fraud and claim responses. “This committee should include ... multiple disciplines within your credit union,” advises Baker. “This review helps to eliminate liability concerns and potential delays from placing weighty decisions on one individual. It also allows for fraud trends, losses, exceptions to policy and responses to be communicated to executives, who can ensure decisions are in line with the credit union’s policies.”
Baker also suggests making sure your CU has a blanket indemnification and liability waiver specific to fraudulent activity communications—as well as knowledgeable legal and compliance advisors on speed-dial. Plus, he says, “Remember, the front line often sees emerging fraud first, so ensure they are properly trained to identify and respond to fraud.”
Stephanie Schwenn Sebring established and managed the marketing departments for three CUs and served in mentorship roles before launching her business. As owner of Fab Prose & Professional Writing, she assists CUs, industry suppliers and any company wanting great content and a clear brand voice. Follow her on Twitter @fabprose.