MADISON, Wis. — In addition to carefully vetting all new hires, Joette Colletts, senior manager of risk management at CUNA Mutual Group in Madison, Wis., said establishing a written fraud policy is also extremely important.
The policy should address several common dishonesty elements, including forgery and manipulation of accounts.
"Member information on the street can be worth more than walking out of the credit union with cash in the pocket," she noted. "The policy should be read by every employee, signed every year by the employee and witnessed by the credit union. This sets the tone from the top that fraud is taken seriously and will not be tolerated."
Having a "Whistleblower" policy in place, which guarantees the ability to report suspicious behavior without fear of retribution, likewise is "really important," she added.
The third prevention element Colletts recommends is having effective internal controls to detect fraud. For example, tellers must be trained to ensure if they leave their stations — even for a brief moment — they lock their drawer and take their key with them.
"Credit union management will have to audit procedures to make sure all controls are followed," she said. "Most credit unions have dual controls — requiring two people to access the vault together — but if both people have the combination then it can be circumvented."
Colletts recommends CUs install forced dual controls when it comes to their vaults. They can give some people a key, and some people the combination, but both have to be present. Another example is to give multiple people half of the combination.
Manipulation of loan accounts is another common instance of fraud. Usually, this involves non-financial transactions such as advancing the next due date. Colletts said loan officers who have too much access can approve loans and disburse funds to fictitious persons, and then simply manipulate the due date so the unpaid loan does not show on a delinquency report.
"A review of non-financial transaction reports catches these things," she said. "Some credit unions do not perform these tests because they do not need them for balancing purposes."
Other tips from Colletts include:
- Employees should not have access to their own or family accounts. Beyond a written policy, CUs should set up the system to bar such access, as this is where a significant percentage of losses occur.
- Employees must disclose if any family members have accounts at the credit union upon hiring, and CUs should review such lists every year.
- Do not advertise the CU is looking for someone to work in the credit card department, as that might attract someone who has the sole purpose of stealing information.
- Enforce separation of duties on cash handling, and especially with wire transfers. Make sure one person does not handle a wire transfer from start to finish. Have another person verify.
- Limit amounts on wire transfers. She said many credit unions do not realize they can limit the amounts, which limits losses. If there is a member or two who needs a larger transfer, it can be done by hand.
- Remote deposit capture will be used only by a small percentage of members. Make sure they "qualify" for RDC by being a member of the credit union for a certain amount of time.
- Think through all electronic services and limit risk. Limit employee access to only what they need, and review that regularly.
