Segregation of Lending Duties Is Key
The timing of a collaboration between two of the industry’s well-known entities to fight employee dishonesty could not have come soon enough.
The NCUA and CUNA Mutual Group recently announced that they will include fraud mitigation sessions for a series of workshops and round tables the regulator will host this year. Among the hot button topics credit unions, particularly the smaller ones, will learn more about are fraudulent deposits and wire transfers and employee dishonesty.
The announcement also comes a month after William Liddle, a former lending officer at the $231 million AEA Federal Credit Union, was found guilty of nearly 60 counts of fraud for his role in a $1 million business loan kickback scheme. Liddle worked at the Yuma, Ariz.-based credit union for five years, but it was only after he left the financial institution in 2009 that his transgressions were discovered.
Liddle’s fraudulent activity, along with other loan portfolio troubles, led to AEA being placed in conservatorship by the NCUA.
It’s difficult to track a hard figure, but the millions of dollars credit unions lose each year to employee dishonesty and fraud and the subsequent hits to the NCUA’s NCUSIF remain a growing concern. Experts continue to push for stronger internal controls and a clearer segregation of duties.
Brad Mundine, senior manager of risk management services at CUNA Mutual Group, is among those who urge credit unions to continue to be vigilant and proactive.
“First and foremost, it really comes down to internal controls at the operational level,” Mundine said. “All of these cases have one thing in common–opportunity. Any time you have only one person in control over everything it provides an opportunity.”
Mundine applauds those credit unions that have effective procedures and policies in place. However, the oversight gaps tend to occur at different levels of operation, and this is where some are not receiving the assistance they should.
The red flags that fly over internal controls run the gamut, but there are a few that are common and may be easier to spot. With loan approvals, an increase in fictitious or unauthorized loans results when loan approval and disbursement are handled by the same employee. To minimize exposure, credit unions should separate loan approval and disbursement duties.
Mundine is a proponent of segregation of duties. Most transactions can be broken down into the origination, posting and audit, according to a CUNA Mutual white paper on risk management. One employee should not have complete control over the entire transaction.
A regular review of data processing and nonfinancial reports can help discover any discrepancies. Mundine recommends these checks be done on a monthly basis. Changes in an interest rate or a payment due date most likely will need some scrutiny, he added. A due date advancement, in most cases, such as when credit unions implement a skip a payment campaign around the holidays, is legitimate. If there isn’t adequate documentation to support why the advancement is in place, Mundine said a review is certainly in order.
“From an internal controls standpoint, a credit union should ask ‘can my internal controls be circumvented?’” Mundine said. “If so, you need to ask why.”
In the AEA case, it appears that Liddle had most of the oversight of the business lending division. To prevent that exclusive power, a rotation of duties has both internal control and cross-training benefits, according to CUNA Mutual.
A compulsory one-week vacation forces individuals to relinquish their duties to someone else at which time irregularities or unauthorized manipulations may surface, CUNA Mutual said. Along with detection, the compulsory vacation acts as a deterrent.
At the $5 billion Suncoast Schools Federal Credit Union in Tampa, Fla., there are several layers of authority that exist in divisions such as business lending, said Jim Simon, senior vice president, loss and risk mitigation and vice president of member business lending.
Any loan above $250,000 goes before a business loan committee that includes Simon, the chief financial officer, a senior vice president and several others, Simon explained. “If loans go bad, it’s going to be a challenge to get the collateral,” Simon said. “An outside loan review group can go over the documentation, including how the loan is underwritten.”
That outside pair of eyes can go far especially for smaller credit unions that may not have the resources to be as diligent as they would like. In the end, regardless of size, credit unions may have a shared instinct when it comes to fraud detection.
“Even in smaller organizations, there is a commonality in lending–there’s a gut thing,” Simon said. “The nice thing about loan committees is there are several channels that are reviewing loans.”
At the very least, an annual audit with a verification of facts can help ensure that a loan portfolio is receiving an unbiased review, said Guy Messick, an attorney with Messick & Lauer P.C., who has worked extensively with credit unions and CUSOs on matters involving loan participation agreements, business lending, governance issues and privacy law compliance.
“This way, you don’t have anyone [in the organization] looking over your shoulder,” Messick said of an outside review. “You run the risk of employees hiding things, and by then it’s too late.”
When credit unions enter into business lending, Messick said some set up their divisions as one-person shops, which puts much faith in one person. There must be different roles assigned to different people to oversee areas such as credit analysis, underwriting and approval recommendations.
Messick acknowledged that some business development officers who are wearing several hats may cut corners but not out of ill will. In those cases, it’s more proof that an outside audit is the way to go. As general counsel to NACUSO, he, of course, is an advocate of collaborating with CUSOs to fill any voids credit unions may have to ensure due diligence within their lending operations.
“You want that relationship with the borrower but you don’t want that relationship to cause you to make a poor lending decision,” Messick said.
With all of its benefits of speed and accessibility, technology can still be another outlet to commit fraud. According to CUNA Mutual, data processing facilities easily accessible to unauthorized persons create more internal control problems. To thwart those potential invasions, buffer zones, which are those areas around data processing facilities restricted to authorized employees, provide an effective enhancement to a credit union’s access control efforts.
The beauty with technology is there is an inherent deterrent to dishonesty when a reliable and visible audit trail can be traced back to individual operators, CUNA Mutual said. Still, credit unions should know that the dangers can also come from another direction.
“In this day and age of high technology, some credit unions are not grasping the severity of the bad things that can be done by smart crooks,” said Bob Schumacher, senior consultant with The Paragon Consulting Group, a Portland, Ore.-based strategic planning firm. “Taking enterprise risk management to heart and implementing these policies and procedures will [keep] bad things from happening in a big way.”
Credit unions are going to need more dual control systems in all areas of operations, especially lending, to be as diligent as possible, Schumacher said. What was once an onerous task for lending and other areas is now necessary to prevent bad guys from succeeding, he added.
Schumacher said another red flag is a lack of security systems in all the right places. Being able to see what is happening within the walls of each office is paramount, he offered. As other experts have said, he also encourages credit unions to engage in more third-party auditing activities than those that are currently required.
“It may sound old school, but we need to stay in tune with all employees to see if behaviors, personal situations or other red flags are being waved. Tough economic times can create all kinds of incentives for unwanted behavior,” Schumacher said.