Fraud caused 11 of the 16 small credit union closures last year.What's more, these fraudulent cases cost the NCUSIF more than $12.5million in total losses, according to the NCUA.

But fraud cuts even deeper, given the loss of jobs andreputational damage it causes to the credit union industrynationwide.

Most if not all of these fraud cases could have been detectedearly or perhaps prevented had these credit unions maintainedfundamental internal controls, fraud experts said. In interviewswith CU Times, they shared fraud detection and preventionbest practices that any small credit union can leverage withoutsubstantially increasing operational costs.

David Legge, president/CEO of the Legge Group in Manassas, Va.,was recently hired by three small credit unions to investigatesuspected fraudulent activity. In all three cases, the individualsinvolved were using their own credit union accounts or the accountsof family members to siphon funds from the credit union.

“At one credit union, this individual was transferring moneyfrom dormant accounts to her daughter's account and then taking outthe money,” Legge said. “It had been going on for three years andI’m sitting there asking, God, why didn't anyone check theseaccounts?”

A review of employee accounts and those of their relatives bysupervisory committee members, the board treasurer or an outsideauditor would have raised concerns and questions.

But sometimes these accounts are not reviewed because oflaziness or some managers’ assumption that employees would nevercommit fraud, Legge said.

While credit unions have the ability to prevent employees fromperforming transactions on their own accounts, that doesn't preventemployees from conducting transactions on accounts for which theyare the joint owner.

“There are additional controls that can be put into place toprohibit that, but a lot of credit unions say that's kind oftreating employees like second-class citizens,” Legge said. “To me,that's just doing common sense controls.”

Fraud can also be commonly detected in suspense accounts. Whenan account is not balanced, it is typically labeled as a suspenseaccount and flagged to be reconciled, but in many cases, theyaren't.

“Because they are not reconciled or looked at, that's an areawhere you can dump [fraudulent] transactions and hide them becausenobody is going to reconcile that, and that builds up over time,”Legge explained. “Someone should be going through and identifyingwhat's in there and then deciding if it's something that needs tobe looked into further or reconciled.”

Another problem area is cash missing from a credit union'svault, said Joette Colletts, a senior manager in businessprotection risk management for CUNA Mutual Group in Madison,Wis.

A lot of credit unions have the misconception that they havedual control, where two people have access to cash in the vault atall times.

“So credit unions think they have dual control because they saythat two people have to go together to the vault, but it's not whatwe call forced dual control,” she explained. “If each person knowsthe entire combination to the vault, that's not forced dual controlbecause one person could get in the vault alone. Credit unions needto divide that combination or have a combination key so that nobodyhas both components. Even if they have a camera monitoring thevault, there have been instances where a person covered the cameraif they were in the vault alone so that no one could see whatthey’re doing. If you have forced dual control it is unlikely thatyou would have a loss because two people would have toconspire.”

Unannounced cash counts can also help reduce incidents ofmissing cash. Counts of cash items should be conducted bysupervisors, auditors and/or supervisory committee members at leaston a quarterly basis.

Fictitious loans are another common area where embezzlementoccurs. This typically happens when one employee approves anddisburses the loan. To minimize this exposure, credit unions shouldseparate loan approval from disbursement responsibilities.

“Even in larger credit unions where they may have only a fewpeople working in a branch, a loan officer may have totalauthority, but the credit union really needs to think about havingsomeone else involved in that loan process,” she said.

What's also very important, however, is for an employee who doesnot have transaction authority to regularly review the creditunion's file maintenance transaction report to look for red flagtransactions, Colletts said.

An embezzler can manipulate the data on the file maintenancereport to ensure phony loans never post as delinquent or the nextpayment due dates are advanced to conceal fake loans. Other redflags include changing interest rates on any account, changing thepayment amount, several address changes to the same address,changing the payment frequency and changing the collateralcodes.

Securing the verification of the credit union's assets such asbalances and other financial information with its correspondingbank may seem like a no brainer, but when it's missed, it can be abig miss, NCUA Executive Director Mark A. Treichel said.

NCUA material loss review reports showed there was no actualverification of assets of some credit unions that became insolventand were closed because of fraud.

It's important for auditors and supervisory committees to usethe trust-but-verify principle so as not to overly rely onmanagement assertions, Treichel said. To do this, they canimplement a process to independently verify that assets existwithin the audit steps.

“Those steps to verify those assets are a huge part of the wholepuzzle because if the assets are there, then there's no loss,” hesaid.

Treichel also recommended credit unions use the NCUA'sSupervisory Committee Guide, which is available for free on thefederal agency's website.

“The Supervisory Committee Guide has 22 chapters with tons ofchecklists, including internal control checklists with yes and notype questions,” he said. “If you answer no to any questions, itmeans you have to take additional steps to improve your internalcontrols. So it is a training module, if you will, but it also canhelp develop an audit procedure that walks the supervisorycommittee through it and the steps they need to follow.”

Mike Sacher, a CPA who worked as a credit union consultant andwas recently named CFO for the $947 million Xceed Financial CreditUnion in El Segundo, Calif., said he's investigated many fraudsover three decades and they all had one common thread.

“I saw that if only employees had the ability to, in anon-threatening way, express their concerns, so many of thesefrauds could have been either prevented or detected much earlier,”Sacher explained.

What's more, Sacher said he believes employees can serve as afrontline of defense against fraud because they can see controlweaknesses at the workplace that may be overlooked by managers.

About three years ago, he established a web-based and telephonewhistleblower service, Protect My Credit Union, which allows creditunion employees to anonymously report suspicious activity andcritical internal control weaknesses. Employees can also choose toprovide their contact information.

To provide an incentive for employees to report fraud, Sacherrecommends offering a financial reward that identifies actual fraudor abuse. Credit unions also may consider offering a periodicreward for the best internal control recommendation made by anemployee.

Other ways credit unions enable their employees to anonymouslyreport suspicious activity is with a post office box controlled bythe supervisory committee. The NCUA also has a hotline that allowsemployees to anonymously report fraud at 1-800-827-9650 or703-519-6550 within the Washington area. The federal agency said itreceives about one call per month.

Requiring all employees to take at least one week of vacationevery year can help detect fraud, Colletts said. Typically,embezzlers don't take time off because they have a constant need tomonitor and manipulate internal information to keep concealingtheir fraud. An employee who is excessively controlling also can bea red flag, but not always. During an employee's vacation, his orher records should be reviewed by management.

Thoroughly screening prospective job candidates is anotherimportant step that may weed out potential fraudsters.

In addition to conducting a background check, drug test andpersonal and professional reference check, it is also essential ifallowed by state law to review a person's credit report. A badcredit report is a red flag.

“I think you have to be a little bit concerned when somebodycan't manage their finances and whether they are going to be ableto work at the credit union,” Colletts said.

She also recommended credit unions do an FBI fingerprintcheck.

Finally, every credit union should have a written fraud policydocument, which every employee should be required to read and signevery year. Credit unions also should review their fraud policyduring training or educational sessions.