Like other financial institutions, credit unions are targets for insider abuse due to the easy access to money. Fraud can happen at any time and to any credit union.
Deterring Insider Fraud
According to the Association for Certified Fraud Examiners’ 2020 Report to the Nations on Occupational Fraud and Abuse (opens new window), internal control weaknesses were responsible for nearly half of fraudulent activity.
Credit unions can deter the potential for fraud by establishing strong, impenetrable internal controls, reviewing those controls periodically, and enforcing those controls consistently. Though the type of internal controls that are needed will vary based on the products and services a credit union offers, the board of directors and senior management of every credit union should design and adopt policies that will deter fraudulent employee activity.
Other actions and internal controls to deter insider fraud include:
- Establish a Fraud Policy. Developing a stand-alone fraud policy, separate from personnel policies, will clarify and communicate expectations related to preventing fraud and the consequences of committing fraud. This policy should address whistle-blowing procedures, mandatory and sequential vacation days, employee conduct, and actions a credit union will take if fraud is discovered. Employees should sign the policy annually. The board of directors should also consider ongoing fraud awareness training for all employees.
- Segregate Duties Properly. Clearly define roles and responsibilities for each credit union employee to manage fraud risk. For smaller credit unions that have insufficient staff to segregate duties completely, the supervisory committee or an outside party must actively provide the necessary checks and balances.
- Bond Employees and Perform Background Checks. Credit unions are required to purchase fraud and dishonesty bonds that cover all employees, directors, officers, supervisory committee members, and credit committee members. Background checks can also mitigate the potential for fraud. A credit union should check the background of all new hires, board members, and supervisory committee members, and update the information periodically.
- Adopt Proper Internal Controls. These include dual controls, computer access controls, member-account verification, surprise cash counts, timely recordkeeping, limiting employee access to their own accounts and family member accounts, annual audits, and audit and account verifications that comply with NCUA’s regulations, 12 C.F.R., Part 715, Supervisory Committee Audits and Verifications.
Detecting Insider Fraud
Credit union employees and officials are often in the best position to identify red flags and irregular behavior that are indicators of possible fraud. Initially, insider tips are the main way fraud is detected, and fraud hotlines usually result in higher detection rates. Internal audits and management reviews are also helpful in detecting fraud.
Other fraud detection methods include:
- Review File Maintenance Reports. Routinely review non-financial transaction reports for irregularities, like changes to loan due dates, interest rates, addresses, and do-not-mail lists.
- Review Employee and Employee-related Accounts for Unusual Activity. Unusual activity can include fictitious loans, large deposits or transfers, potential kiting, and missed loan payments.
- Perform Timely and Effective Audits and Member Account Verifications. Supervisory committees and the board of directors should ensure that internal controls are performed on a timely basis and by appropriate staff (internal or external). Any suspicious items should be brought to the supervisory committee’s attention, with fast and appropriate action taken by the board of directors.
- Follow-up on Employee Red Flags. Notify superiors or the supervisory committee of any lifestyle or behavior changes in employees, including gambling, excessive spending, outside employment, or drug use. Also, take note of any employee that does not take a vacation, sick leave, or fails to take the minimum number of sequential days off, as required by a credit union’s policy.
Responding to Insider Fraud
If fraud occurs, officials should take proactive steps to safeguard the credit union and its members. When fraud is discovered, the following actions may be appropriate:
- Contact your legal counsel. The board of directors usually does this.
- Place the employee(s) on leave pending review and investigation. Terminate the employee(s’) employment as appropriate in consultation with legal counsel.
- Contact your bond company.
- Increase the number of supervisory committee audits and verifications.
- Change or limit access to buildings, data processing systems, and accounts.
- Collect keys to prevent potential suspects from re-accessing credit union space, change vault and teller drawer codes, remove remote access, delete or change data processing system log-in information, and delete or change e-mail passwords.
- Contact law enforcement.
- Notify the NCUA by contacting the appropriate regional office.
Reporting Suspected Fraud to the NCUA
Credit union members, volunteers, and staff can submit anonymous tips about potential fraud situations to the NCUA’s toll-free Fraud Hotline at 800.827.9650.
Fraud tips can submitted electronically through the NCUA’s website. Individuals can remain anonymous or provide contact information for appropriate agency staff to discuss their fraud concerns. The new form also allows for a description of the fraud and other critical information to assist in the evaluation of the reported concerns.
A variety of other fraudulent activity can affect credit unions, including consumer fraud, cyber fraud, and fraud through third-party relationships or vendors. These types of fraud are ever-evolving, and today’s scheme may look very different tomorrow. We encourage you to be aware of fraud trends and assess your fraud risks.
Reducing your credit union’s fraud liability is key to mitigating losses and maintaining strong relations with your members. We encourage mitigation through education, training, sound policies, and procedures.
As a reminder, the Fraud Prevention Center (opens new window) and Consumer Assistance Center (opens new window) provide resources that may be helpful to you and your members. Additional information can be found in the resources listed below.
- Risk Alert: COVID-19 Fraud Schemes
- Risk Alert: Business Email Compromise Fraud
- NCUA National Supervision Policy Manual, “Dishonesty, Fraud, and Insider Dealings,” Fraud Discovery Checklist for Credit Union Board of Directors (opens new window)
- NCUA Examiner’s Guide, Fraud section
- NCUA Regulations
- NCUA Webinar, Internal Controls and Accounting Tips for Small Credit Unions (opens new window)
- NCUA Fraud Video Series, “Deterring, Preventing, & Detecting Employee Dishonesty” (opens new window)
- The NCUA Report Newsletter, Help Deter, Detect and Report Insider Fraud
- Federal Deposit Insurance Corporation, New Director Education Series: Fiduciary Duties (opens new window)
- Federal Deposit Insurance Corporation, Offsite Detection of Insider Abuse and Bank Fraud among U.S. Failed Banks 1989–2015 (opens new window)
- Federal Deposit Insurance Corporation, Manual on Bank Fraud and Insider Abuse (opens new window)
- Board of Governors of the Federal Reserve System, Operational Risk Management Concerns and Tools (opens new window)
- Enforcement Actions Against Individuals:
- Federal Trade Commission, Protecting Against Credit Card Fraud (opens new window)