Protecting Your Credit Union From Every Angle
Although no one tactic, procedure or product can protect a credit union entirely from internal fraud, experts in the field reported credit unions can deploy a set of policies and procedures that can make internal fraud riskier and more difficult for the culprit to carry out.
“Internal fraud often reflects what we have come to call a fraud triangle,” ACL Services Ltd. Vice President of Product Dan Zitting explained.
Based in Vancouver, Canada, ACL Services has written software that monitors financial institutions and other corporate computer and financial systems for signs of fraud.
Pressure comprises the base of the triangle that Zitting described. This might refer to some sort of financial trouble or an addiction issue that would cause an otherwise trusted employee to need money, he explained.
The triangle's left side represents the opportunity to commit fraud, he said. Fraud opportunities might arise from a set of too-lax internal controls or a failure to implement procedures that exist on paper but not in day-to-day practice.
The triangle's right side, Zitting described, stands for rationalization or motivation. The rationalization part of fraud is where the employee – who might be a long-term, highly trusted staff member – explains his actions to himself.
“Rationalization could be anything from, ‘I am not stealing the money because I am going to put it back when I can,’ to, ‘They shouldn't have passed over me for that promotion or treated me so unfairly,’” Zitting said.
Countering internal fraud often comes down to the measures a credit union has in place to break up that triangle, if it already exists, or keep it from forming in the first place, he said, adding that opportunity is usually the easiest side of the triangle to attack first.
For example, Zitting endorsed the policy of ensuring the employees at the credit union who approve loans or handle cash take two weeks’ vacation each year in one single stretch as an anti-fraud measure.
“This is one of the single, best and simplest things credit unions can do to counter some types of internal fraud,” Zitting said, explaining that taking the person away from their station means they will not be able to hide ongoing fraud.
Another policy he suggests for attacking the opportunity side of the triangle is making sure tellers and branch managers rotate from branch to branch at least once every five years, and in some places as frequently as every 18 months.
Zitting also suggested rotating tellers, branch managers and loan officers who know each other so they consistently do new types of work together, and making sure more than one person is involved with approving loans or handling cash.
Many credit unions understand the wisdom behind having one person take a loan application and another approve it, Zitting pointed out, but not as many recognize this principle can apply to other processes as well, such as adding new vendors.
“The person who requests to hire a vendor should not be the same person who approves that hire or the same person who brings them on board with a credit union's system,” Zitting said.
He related the following story that took place when he consulted with a bank on internal fraud prevention: While assisting the bank with launching a program that compared the addresses of the bank's vendors with the addresses of its employees, he flagged instances where the addresses were almost the same. Just doing that, he said, had revealed a couple of situations that raised fraud concerns, and a couple of others where the bank had hired an employee or family member as a consultant, which led to conflict of interest risk.
“Every case wasn't fraud,” he said. “But just looking and checking up about it let everyone know the bank was looking out for fraud.”
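The vendor-to-employee address comparison Zitting describes can be sketched in a few lines. This is an added example, not ACL's software or code from the article; the record IDs, addresses, abbreviation list and 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Abbreviations collapsed to one form before comparing (assumed, not exhaustive).
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "suite": "ste", "apartment": "apt", "unit": "apt", "north": "n",
          "south": "s", "east": "e", "west": "w"}

def normalize(addr):
    """Lowercase, drop punctuation, and collapse common abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def flag_matches(vendors, employees, threshold=0.85):
    """Return (vendor_id, employee_id, score) for near-identical addresses."""
    hits = []
    for vid, vaddr in vendors.items():
        v = normalize(vaddr)
        for eid, eaddr in employees.items():
            score = SequenceMatcher(None, v, normalize(eaddr)).ratio()
            if score >= threshold:
                hits.append((vid, eid, round(score, 2)))
    # Highest similarity first, so reviewers see exact matches at the top.
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample records (not real vendors or employees).
VENDORS = {
    "V-1001": "412 Maple Street, Suite 2, Springfield",
    "V-1002": "9000 Industrial Road, Riverton",
    "V-1003": "77 N. Harbor Ave Apt 5B, Lakeside",
}
EMPLOYEES = {
    "E-17": "412 Maple St. Ste 2, Springfield",
    "E-22": "15 Oak Drive, Riverton",
    "E-31": "77 North Harbor Avenue, Unit 5-B, Lakeside",
}

if __name__ == "__main__":
    for vid, eid, score in flag_matches(VENDORS, EMPLOYEES):
        print(f"review: vendor {vid} ~ employee {eid} (similarity {score})")
```

A hit is a lead for human review, not a finding: as the story notes, some matches turn out to be conflicts of interest rather than fraud.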
When it came to the pressure side of the triangle, Zitting said it would be a good idea for a credit union to routinely redo background or credit checks on high-ranking employees with sensitive jobs every three to five years to confirm that their circumstances have not significantly changed.
“Particularly in the cases of high level people such as chief information officer or CFO,” he said. “It makes sense to update their checks from time to time to make sure nothing has happened that could make them a bigger fraud risk.”
Finally, Zitting said it's completely acceptable for a credit union to be up front with employees about having these policies in place and to let them know the credit union has, as part of its standard operations, procedures in place for detecting fraud.
“Just the knowledge that someone cared and was looking out for fraud provided a key deterrent,” he added.
Alma Angotti, managing director for global investigations for the Chicago-based Navigant Consulting, advised that credit unions often didn't need to set up entirely new sets of procedures for monitoring internal fraud, and that many of the rules set up for detecting money laundering and other types of external fraud can be adapted for internal fraud protection.
“It's important to be sure to have someone at the credit union who is responsible for looking, and that they know what they are looking for,” she said.
She suggested credit unions routinely look for “outliers” or accounts that have stopped acting in predictable ways. Likewise, she said to keep an eye out for patterns and ask whether there have been a significant number of loan losses stemming from a certain branch or loans that are tied to a specific appraiser. It might not be significant, but such a pattern could be a sign of kickbacks or other irregularities, she warned.
She agreed with Zitting that credit unions should be open about putting a fraud detection office or officer in place, and that these individuals should regularly check data and information.
In addition to having policies and procedures in place to make themselves less of a fraud target, credit unions should be aware of the rationalization side of the fraud triangle, Greg Mancusi-Ungaro, Chief Marketing Officer for the Toronto, Canada-based firm BrandProtect, argued.
“Typically, when employees decide to ‘go rogue’ and use their insider status to take illegal actions to defraud their employer, the situation is triggered by some event: A transfer, a change in responsibilities, being passed over for a promotion, or losing out on an expected raise or bonus,” Mancusi-Ungaro wrote in an email.
“Whatever the cause of the situation, the employees find themselves under emotional or financial pressure,” he continued. “But, long before such an event occurs – particularly in a financial institution – HR, IT and security teams should consider their options for monitoring internal and external online actions, including printer use, network access, building access and external activities (public postings on social media sites) to create a behavioral baseline for their employees. Following a triggering event, the credit union or bank should watch those same forums for the telltale changes in behavior, as changes in online behavior are often indicators of an imminent insider threat.”