Credit Unions and Internal Fraud: Strengthened Employment Policies And Data Analytics Are Essential in Waging the Battle

Late last year, NCUA Board Vice Chairman Rick Metsger told attendees of the National Directors Roundtable Conference in San Diego that credit union board members are the first line of defense against internal fraud.


"Your job is to know what's going on, to be engaged and to ask questions," Metsger told his audience. "That's how you lead your credit union, that's how you protect it, protect your members, protect the system and protect the Share Insurance Fund."

Mr. Metsger is certainly correct: everyone in credit union management, beginning with board members, has a role to play in identifying and preventing internal fraud. But more must be done on a daily and ongoing basis than just enhancing the vigilance of senior management. And the credit union sector needs to look no further than what happened last year to the $48 million Oahu Transit Services Employees Federal Credit Union to understand the seriousness of internal fraud.

In that case, three former employees of the Hawaii-based credit union were charged with embezzling $500,000 from the organization, without the others knowing that they were stealing. All three were sentenced to jail terms, while CUMIS Insurance Society, which covered the nearly $1 million loss caused by the thefts, filed a civil lawsuit against the three defendants and the credit union's auditor, CU Pacific Audit Solutions.

Internal Fraud a Growing Problem

According to Verizon's 2014 Global Data Breach Investigation Report (see http://tinyurl.com/kg6v2g7), the number and frequency of internal fraud incidents like Oahu's continue to rise — and the top insider threat is staff members taking advantage of their organizations' IT systems to perpetrate their fraud, typically on company premises.

Even with more vigilant senior management, credit unions will find it impossible to successfully counter every insider threat. But they can take proactive steps to identify and address the problem through a combination of strengthened employment policies and data analytics tools, which can quickly process and analyze large volumes of data to connect the dots, identify events and relationships of interest, and disrupt insider crime.

Strengthen Pre-employment Checks

Many employment recruiters rely on an element of trust. They frequently take job applicants at their word when they check a box declaring that they have nothing to disclose. However, they might be lying outright or by omission — by failing to mention a conviction in another jurisdiction, for example.

Ineffective background checks also comprise a large part of the problem. New employees shouldn't begin work until credit unions have followed up on their references. Do not place a candidate who has "references pending" into any position of trust until you've run a check. And be sure to cross-reference applicants against your organization's internal records. I knew of a case in which a financial institution had closed a customer's account because the customer had committed credit card fraud. Unbelievably, within 12 months the ex-customer landed a customer service job with the same company, gained access to its systems, and stole customer information!

Address Insider Threats from the Start

Credit unions should educate all new employees about fraud protection policies and individual responsibility to report suspicious behavior. Senior management should spread the word not just during orientation sessions but through frequent updates reinforced by supportive messages (on screensavers and login pages, for example) about organizations' ethical standards.

Credit unions should also regularly update staff on policies and the law and reiterate to middle managers that they should watch for suspicious activities. And organizations should establish communications channels for those who want to blow the whistle: according to the 2014 ACFE Report to the Nations on Occupational Fraud and Abuse (ACFE.com/RTTN), whistleblowing still accounts for the highest level of early identification of internal fraud.

Know Your Employees

What drives internal fraud? Motivations can include pure intent at the outset (as when a fraudster seeks employment to commit fraud or data theft), general criminal greed, or operational failures that lead to opportunistic criminal acts.

Most insiders perpetrate their crimes for financial or personal gain. However, another fast-growing crime — insider espionage, which targets internal data and trade secrets — might pay more dividends for fraudsters in the long term.

Knowing and understanding your employees is key to management's awareness of risk. Management should particularly be cognizant of employees' behavioral or personality changes, requests for emotional or financial help, or uncharacteristic actions that can lead to desperate acts with serious consequences.

Data Analytics Can Mitigate Risk

If you don't fully understand the threat or motivation behind an inside attack, then you don't know what to look for. And that's where data analytics software can help.

Data analytics software allows management to easily and quickly manage, integrate and analyze complex data and intelligence from disparate sources to pinpoint and highlight suspicious activities, unusual relationships and persons and events of interest. By identifying and characterizing insider threats, and assessing the vulnerability of critical assets and operations, credit unions can use data analytics to better identify ways to reduce those risks and prioritize risk reduction measures. They can clearly plan for the likelihood and consequences of specific types of attacks, and better manage and minimize the risk.

A quick glance at the headlines tells us we live in an age of constantly changing and evolving risks for all types of businesses. Credit unions should adopt a proactive approach to protecting their systems, processes, data and customers. It's not about higher and stronger fences, but building better and smarter tools inside your barriers that can detect, identify, and manage insider risk.

The bottom line for credit unions: insider fraud will always be a challenge. But by ensuring that boards and senior management are vigilant, adopting strict employment policies, and implementing data analytics to keep a watchful eye on insider transactions, credit unions can more ably prevent insider fraud, mitigate potential threats, preserve data, and ultimately protect their reputations.

Jim Oakes is the director of financial crime for Wynyard Group. A former Fraud Squad detective, Jim is a Certified Fraud Examiner and Certified Financial Crimes Investigator, and is President of the Association of Certified Fraud Examiners in the United Kingdom.

