LAS VEGAS-Credit unions can prevent, or at least limit, losses due to robberies and wire transfer fraud by implementing a few simple procedures.
Jay Slagel, VP-risk management/claims for Allied Solutions, and Don Thompson, an independent consultant who works with the company, said the common thread is credit union people need to know their responsibilities.
A robber ideally wants three things, Thompson said: the element of surprise, cash on hand, and few witnesses. The best way to accomplish the first and third is to accost a lone CU employee who is opening or closing the CU. He offered the example of a $156,000 robbery in October 2011, during which a credit union manager had a gun put in her back when she opened the door. The robber ordered her to turn off the alarm, forced her to open the vault, and then tied her up as he stole the cash.
This robbery was a prime example of what not to do, Thompson observed.
"One person arrived alone, had no ambush code to put in the alarm, and that one person had the door key, the alarm code and the combination to the vault," he said. "There needs to be separation of duties."
Ideally, Thompson continued, two employees would arrive together to open the credit union. While one waits in a vehicle, the other enters and checks out the building. He said no one employee should have the alarm code and the full vault combination.
"In some small branches it is impossible to have a pair of people," he acknowledged. "In these cases there are remote actuators that can summon help."
In another robbery the perpetrator brazenly walked from teller drawer to teller drawer, and then the vault. Several employees watched silently and did not set off the alarm until after the robber had departed with $186,700.
"They were instructed to not set off the alarm until after the robber leaves," Thompson recalled. "It is not a good idea to reach for an alarm button when someone is pointing a gun at you, but the people at the other teller stations should have set off the alarm."
Social Security Number? Useless
When authenticating a telephone request to transfer money out of a credit union account, Thompson told attendees of the recent NAFCU Technology & Security Conference here it is all but useless to ask for someone's Social Security number and date of birth, as those are too easily compromised.
Similarly, he continued, a faxed copy of a driver's license is not proof of identity because "the licenses available online are just as good as the ones states are issuing," he said.
Slagel said the key for any telephonic request for a transfer is to always perform call-backs.
"To qualify for bond coverage in case of a loss, the credit union must have full documentation," he said, noting this includes the name of the employee making the call, the phone number used, the source of the phone number, and all identification questions used. "It is extremely important to have a record."
Thompson said an additional step is to be careful the call is going to the actual member, not a criminal or a conspirator. In some cases thieves will change the contact number is someone's file, and in others they can hijack a person's telephone account by setting up call forwarding.
"Listen for an echo, which is a sign of forwarding to a cell phone when calling a land line," he advised.
Questions To Ask
Once the call is placed, Thompson said strong authentication includes a password or pass phrase set up in advance by the member. Other questions to ask may include the year the member's account was opened, the branch at which the account was opened, the type and year of a vehicle in a car loan, source of direct deposit, and, "Do you use our online bill pay service?"
"These are a starting place," Thompson said. "The important thing is to get several people involved in the process, including having different employees be the ones receiving the transfer request, conducting the call back, and making the transfer."
Added Slagel: "Make sure everyone knows their responsibilities. For coverage to apply, everyone must follow due diligence."
