VERNON HILLS, Ill. — When it comes to preventing internal fraud at Baxter Credit Union, the most important step takes place before new employees start their first day on the job.
The $1.8 billion institution performs due diligence before each potential employee is offered a position, with all candidates having their backgrounds closely scrutinized, said Warren Iskowitz, senior manager of talent management.
"Certainly for those who handle cash we have a stringent process that includes a criminal background check, drug screening and a credit check," Iskowitz said.
What might preclude someone from getting hired depends on the role for which they are applying, Iskowitz explained. He said if someone is convicted of certain felonies it is an "automatic red flag." If there are issues with someone's credit report, those typically are handled on a case-by-case basis, according to Iskowitz.
Once employees are hired by Baxter CU and begin training, they go through a three-month onboarding procedure. Iskowitz said this starts with new hire training in the first two weeks, usually in groups of one to five people.
On the third day of employment new hires are given a department overview, which includes a presentation by the fraud department. Iskowitz said they hear about fraud prevention, counterfeit check scams, warning codes in the system, social engineering, hacking and phishing.
"For internal fraud, we have employee principles classes," he said. "People are told any time they walk away from their desk their screen is locked so no data can be seen. We talk about where data should be stored."
Joette Colletts, senior manager of risk management at CUNA Mutual Group in Madison, Wis., said that Baxter CU is doing it right.
"When I talk to a credit union, the No. 1 point I get across is fraud prevention begins with the hiring process," Colletts said.
Credit unions should perform extensive background checks when vetting candidates, possibly including criminal checks if allowed in that state.
Also, she advised thoroughly checking references and even running credit checks to see how they handle their personal finances.
"A lot can be determined from the onset," said Colletts. "You want to make sure you are hiring an honest person. CUNA Mutual has a database of any credit union employee doing something dishonest. Many credit unions have done a bondability verification through CUNA Mutual and found something that kept them from hiring someone who had committed fraud or other crimes in the past."
Data Security Team
Jeff Johnson, Baxter CU's chief information officer, is part of a data security team. He said Baxter restricts employees' system access to only what is necessary to perform their jobs on a regular basis. If someone needs more access, it has to be granted by audit.
"There is a big difference between an accidental breach and someone intentionally stealing," Johnson noted. "One goal of training is raising awareness of social engineering to prevent hacks. We hire white hats to call the call center and try to hack the employees."
Baxter also strives to not let anyone into the building who should not be there. People have to swipe a card to enter the facility. Johnson said the CU has people attempt to cajole employees into letting them in given various excuses.
"We record these incidents and use them for training," he said. "We also send specific spear phishing e-mails to employees to see if they will click on the link. All of this is designed to help employees be protective of our environment, and it works very well."
According to Johnson, the first layer of data security is limiting rights of access to job classification. IT employees are not given access to the systems. At the same time, the audit department does frequent surprise audits.
Wire fraud prevention involves separation of duties. If someone calls the call center and wants to do a wire, the information is written down and referred to the back office. Someone else verifies by calling the member back. If the address or password has been changed in the last 30 days, Baxter takes extra steps to verify.
"And on the back end we are always monitoring for suspicious activities," he said. "Fraud prevention is not about doing one thing, but a multitude of activities that when combined together are effective."
No Fraud In Five Years
How effective are Baxter's CU's fraud-prevention efforts?
Johnson said there have not been any instances of direct employee fraud in the past five years he has been with Baxter CU.
Iskowitz said HR's perspective is to have zero tolerance of suspicious behavior.
"Hopefully, we are weeding out 99.9% of the problems up front," he said. "For addressing the problem on a continuing basis, we have an internal communication called The Scoop.' This is a place for us to share best practices, tips and tricks that are bubbling up in the industry. This is where we give a reminder for people to lock their screens."
CUNA Mutual Group's Colletts cautioned there is "no silver bullet" when it comes to internal fraud prevention.
"If there were to be litigation, it is important to be able to verify that HR did the right background checks instead of hiring someone because he was someone's cousin," she said. "It is so vital to have excellent hiring practices and do due diligence. The chances of a bad hire are less likely if the credit union is being thorough."
