Combating the Enemy Within
Internal fraud cases in 2012 lasted a median of 18 months. Eighty-seven percent of those cases were committed by first-time offenders with clean criminal and employment histories.
How much damage could your credit union sustain in 18 months of unchecked fraud? It's a scary question, but one that requires immediate consideration and action. There are a number of steps a credit union can take to minimize the risk of internal fraud and maximize the potential to quickly uncover it.
Start at the top. The first and most important step is for leadership to enforce a zero tolerance policy for internal fraud and create a culture that neither tolerates it nor discourages employees from reporting it. This type of directive and commitment is absolutely essential. Further, it's critical for employees to feel vested in the organization and understand and embrace the vital role they play in its success. This serves as an effective deterrent to engaging in fraudulent activity or looking the other way should they witness it.
Comprehensive fraud management system. The reality is that fraud can occur no matter how motivated and dedicated most of your employees are. It takes only one bad apple. That's where the second step comes in: developing a comprehensive internal fraud prevention system. It begins with clearly defined and documented policies and procedures that govern access to areas where potentially sensitive information, such as Social Security numbers and account details, is stored.
Regulators also want to see step-by-step instructions on how such information is accessed and used. A comprehensive training program should instruct employees how to incorporate policies into day-to-day activities so that there is no gray area about who can look up private customer data and how it has to be done.
Limits on access. Entrusting one employee to handle multiple roles is one of the biggest risks for internal fraud. It's important to segregate tasks among team members and set restrictions on who can perform each activity. Define a formal workflow that lays out each required step in a process. The workflow needs to include required approvals from the appropriate managers to access sensitive information. If it's not part of their regular duties, the team member should not be able to do it.
Enforce policies and procedures. It's not enough to simply define roles and put procedures in writing. Standards must be enforced through properly set and maintained system parameters and security authorizations.
Drew McMullen is a partner and financial services segment lead for Sense Corp. He can be reached at 214-206-8724 or DMcMullen@sensecorp.com.