MADISON, Wis.-Just about every small credit union believes it is invulnerable to employee fraud simply because it is a small CU.
But Joette Colletts, regional manager, risk management for CUNA Mutual Group, reported she frequently hears "we never thought it could happen to us" after fraudulent activity is discovered.
"Problems happen when internal controls do not exist, or when controls become lax over time," she explained during CUNA Mutual Group's Online Discovery conference. "That is why continued vigilance is so important."
To combat employee fraud, Colletts suggested:
• Efforts focused on vulnerable spots such as currency shipments and cash replenishments of ATMs and/or teller drawers. In these cases, Colletts recommends dual controls.
• "Conduct surprise audits on teller drawers, and make sure they truly are a surprise to employees," she said.
• Maintain an active supervisory committee.
• Audit expenses with special attention to double payments.
• With loans, red flags include payment amount changes, payment date changes and address changes.
• Any one of these changes might be explainable, but make sure all the proper documentation is in the loan file to ensure it is legitimate.
• Have a written fraud policy to "set the tone" for the organization and ensure employees cannot later state they did not realize what they were doing constituted fraud. Each employee and volunteer should sign a statement noting they understand and agree with the policy, and an easy-to-follow whistleblower policy should be in place.
"Vigilant employees may be a credit union's best defense," she said.
• Enforce mandatory vacation time of at least a week.
Vendor Fraud
As many small CUs turn to third-party providers, they become exposed to vendor fraud. Colletts said the most common areas for trouble are lending and electronic services.
"Evaluate risk in all third-party relationships, even the vendors the credit union has worked with for years," she advised. "Due-diligence is ongoing. Credit unions should continue to have oversight and monitoring."
Vendor oversight starts with legal review of any and all contracts and a clear understanding of the obligations of each party. If a vendor fails to respond to phone calls or e-mails, or if it makes frequent errors and does not fix them despite promises, look out.
"Enterprise risk management, or ERM, helps boards and management make better decisions," she said. "It improves decision making by integrating risk management with the strategic planning process, and even the smallest, two-employee credit unions can have ERM."
