Coronavirus response could sideline fraud prevention
Regulators are still struggling to detect fraud within the industry.
The failure of CBS Employees Federal Credit Union in March 2019 is a prime example of that. And the coronavirus crisis is likely to make it even more difficult to catch criminal activity since management and regulators’ attention is currently elsewhere.
“Smaller credit unions commonly do not have employees to segregate all of the duties that should be segregated,” said Jack Tracy, shareholder at Doeren Mayhew, an accounting and audit advisory firm. “Paying the bills, putting the financial statements together at small credit unions are oftentimes done by one person.”
The number of credit unions that failed in 2019 plummeted to just two, down 75% from 2018 and a drop of almost 88% from 2015, according to data from the National Credit Union Administration.
Despite this improvement, fraudulent activity is still contributing to the financial demise of some institutions. That was the case with the now-defunct CBS Employees FCU. At the time of its liquidation, the institution had more than 2,700 members and $21 million in assets.
Its former CEO, Edward Rostohar, was accused of embezzling $40 million from the institution over the course of 20 years. He allegedly used the money to pay for expensive cars and watches, to travel by private jet and to gamble.
Rostohar, a former NCUA examiner, made online payments to himself or forged the signature of a coworker on checks payable to himself, according to the U.S. Attorney’s Office. He later pleaded guilty to one count of bank fraud.
The failure of CBS Employees FCU cost the share insurance fund almost $40 million, triggering a material loss review. NCUA’s Office of Inspector General report, issued in February, found that a lack of segregation of duties was one of the reasons that the fraud went undetected. The credit union’s supervisory committee and NCUA examiners who audited the credit union were also found lacking in their duties.
Despite that conclusion, there’s little additional guidance that the credit union regulator can provide to help prevent fraud at other institutions.
“There are already numerous regulations that require separation of duties at federally insured credit unions,” Dennis Dollar, a former NCUA chairman, wrote in an email. “The issue here, as is the case at times, is that the supervisory process did not catch the lack of adequate separation of duties sufficiently in the exams over the years and require corrective actions.”
The difficulties in catching bad actors
Federally chartered credit unions are required to have supervisory committees under NCUA's model bylaws. Members of a supervisory committee tend to be appointed by a credit union's board. NCUA recommends that committee members have accounting knowledge and an understanding of auditing procedures.
That means that a lot of responsibility rests on the shoulders of supervisory committees and on credit union examiners to catch maleficent behavior. But the question remains why credit unions still fail to separate duties to help prevent fraud and why criminal activity continues to happen.
“At a smaller credit union, sometimes it becomes a challenge to have a separation of duties,” said Bill Brooks, president and CEO of the $327 million-asset Mid-Atlantic Federal Credit Union in Germantown, Md. “Theoretically at some credit unions, you have a handful of people — it’s not uncommon for somebody to do the whole thing.”
Indeed, smaller credit unions are more likely to experience the type of fraud that persisted at CBS Employees because of their limited staff. Compared to their larger counterparts, there's less room for redundancy.
Brooks, a former NCUA examiner, said that there are many red flags when examining a credit union that “should trigger an ‘uh-oh.’” For example, extended delays in sending accounting information to an examiner is cause for concern since those numbers should be readily available.
Another red flag is offering members interest rates on products significantly higher than the rest of the market, said Rick Metsger, a former NCUA chairman. Rostohar, the former CEO of CBS Employees FCU, offered rates such as a 3.1% for a one-year share certificate, much higher than the market rate of 1.3% at the time of its liquidation, the OIG report found.
NCUA told Credit Union Journal last week that the agency had undertaken appropriate changes in relation to the recommendations made by the inspector general and that it continues to employ techniques to identify risk of fraud where appropriate.
However, NCUA also did not clarify if it implemented all of the recommendations from the inspector general. In 2019 NCUA completed 83% of OIG and Government Accountability Office recommendations that were due that year, up seven percentage points compared to the year prior, according to the regulator’s 2019 annual report.
“This is almost entirely involving small credit unions where they have little staff, so you don’t see this [type of fraud] at larger credit unions,” Metsger said.
Fraud can still happen at larger institutions. For example, a former mail clerk at VyStar Credit Union, which has more than $9 billion in assets today, embezzled more than $5.4 million over an extended time frame.
However, these bigger institutions are usually able to withstand the financial hit that results from fraud and are therefore less likely to fail because of it.
Fraud detection during a national crisis
For years, CUs have pushed NCUA to better utilize technology to shorten on-site exams. In 2016, Metsger established the Exam Flexibility Initiative working group, which led to the creation of NCUA’s Flexible Examination program. The initiative has allowed the agency to start moving away from only on-site exams to ones that are at least partly completed remotely.
In the fourth quarter of 2019, the agency also started piloting its Modern Examination and Risk Identification Tool, or MERIT, a platform for credit unions to securely transfer files, provide updates and access exam reports. The agency plans to roll it out on a broader basis later this year.
Now the coronavirus pandemic has forced NCUA to work remotely, including completing exams virtually until at least May 1.
“It is a new method that will be monitored and improved over time,” said Mike Fryzel, a former NCUA chairman. “Once the pandemic crisis has passed, I anticipate NCUA to conduct an on-site exam of any credit union they believe raised a red flag during the agency's review of virtually received documents.”
However, there are some concerns that regulators are loosening oversight so they don’t burden financial institutions already stressed by the pandemic. NCUA said on Monday that it would be “mindful of the impact information requests may have on a credit union experiencing operational and staffing challenges associated with responding to the COVID-19 pandemic.” The agency also won’t generally issue examination reports right now.
The Federal Reserve said last week that it would temporarily reduce its bank examination activities, particularly at smaller banks.
And that’s on top of overall concerns that virtual exams may not be as effective as ones that take place on-site at catching fraud.
“When you look at Camel ratings, part of that is management,” said Carrie Hunt, executive vice president for government affairs and general counsel at the National Association of Federally-Insured Credit Unions. “It can be easier to hide things remotely than if you were to go on site. Part of the examiner's job is to interview key individuals at the credit union.”
Because of that concern, many in the industry still see a need for on-site exams.
"Certainly in a best-case scenario on-site is always the best and it'll never be replaced, but you can do a lot of things virtually," Metsger said.