Suspicious Activity and Fraud: Warning Signs to Watch Out For


Credit unions are required to comply with a litany of regulations and to have internal controls in place to monitor adherence to the Bank Secrecy Act (BSA) as it relates to the risk of money laundering. Controls should also be in place to minimize operational risks. I often get questions from credit union compliance professionals about what is most important from a monitoring perspective on a day-to-day basis. They often wonder, “Where should I be spending my time?”

Every day the Financial Intelligence Unit (FIU) at AuditLink performs monitoring services on behalf of over a hundred credit unions, focused on specific areas including cash logs, dormant accounts, file maintenance, teller reversals, downloaded data, wire transfer review and others. While monitoring each of these areas is important either as part of an anti-money laundering program or for maintaining well-controlled operations, there are three of particular importance that should be reviewed daily. Let’s break down some of the things you should be looking for when reviewing cash logs, dormant accounts, and file maintenance.

BSA cash log monitoring

The BSA requires financial institutions to file a Currency Transaction Report (CTR) within 15 days of a single transaction or multiple transactions that exceed $10,000 during a business day. A BSA violation occurs when transactions are structured to avoid this reporting requirement, in which case a Suspicious Activity Report (SAR) must be filed within 30 days of discovering the violation. These deadlines support the importance of a daily monitoring process.

The Federal Financial Institutions Examination Council (FFIEC) published money laundering red flags that are useful in determining what to look for. We have already noted structuring of cash transactions to avoid a CTR filing; here are some, but not all, of the other risk indicators:

  • Numerous deposits or withdrawals within a short period of time
  • Loans paid off with cash shortly after opening
  • Frequent cash exchanges from small-dollar denominations into large-dollar denominations
  • The use of a personal account for business purposes
  • Elder exploitation
    • Sudden increase in cash activity
    • Transactions primarily conducted by the joint owner
    • Unusual debit or credit card activity
    • Large unexplained loans
  • Large cash amounts used to purchase multiple monetary instruments or the frequent purchase of monetary instruments

Reviewing dormant accounts

Share accounts that have been inactive over an extended period of time, most commonly 12 months, are one of the areas most susceptible to fraud by insiders. When a member is actively participating, they are more likely to monitor their accounts. In the absence of regular monitoring, unauthorized activity may go unnoticed. You can see why regular monitoring, ideally daily, is important for mitigating this risk. Here are some questions to ask yourself as you review activity occurring on a dormant account:

  • Did the same employee suspend or remove the account from dormancy AND conduct subsequent transactions?
  • Was a new loan opened? Is the member’s address correct?
  • Was the account liquidated and closed?

File maintenance review

Examiners have required credit unions to monitor file maintenance activity. This activity involves changes that affect members’ accounts, such as loan due dates, interest rates, payment amounts, addresses, and maturity dates. Again, it is apparent why regular and consistent monitoring of these changes is necessary. The types of data alterations are wide-ranging, and certain fields should be considered critical because a change to them could be an indicator of malfeasance by an insider. Here is just a sample of the critical fields that should be monitored daily and the things you should look for.

  • Address changes – were there multiple changes to the same street address?
  • Accounts deleted from dormancy – was there actual activity on the account by the member? Did the same employee process a transaction on the account and then subsequently delete the account from dormancy?
  • Interest rate changes – was there a large drop in the interest rate on an LOC, HELOC, or credit card? Was there a rate change on a closed-end loan account?
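The same-employee question raised in both the dormant account review and the file maintenance review can be run as a daily join between the file maintenance log and the transaction log. The sketch below is an added example, not AuditLink's tooling or any core system's export format: the log layouts, the `DORMANT` field name, the employee and account IDs and the 30-day window are all assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # assumed review window, not taken from the article

# Constructed file maintenance log: (time, employee, account, field, old, new)
MAINTENANCE = [
    ("2024-03-04 09:12", "E117", "100234", "DORMANT", "Y", "N"),
    ("2024-03-05 14:40", "E052", "100877", "DORMANT", "Y", "N"),
    ("2024-03-06 10:05", "E117", "100951", "ADDRESS", "12 Oak St", "PO Box 9"),
    ("2024-03-07 11:30", "E203", "101402", "DORMANT", "Y", "N"),
]
# Constructed transaction log: (time, employee, account, type, amount)
TRANSACTIONS = [
    ("2024-03-04 09:20", "E117", "100234", "WITHDRAWAL", 4800.00),
    ("2024-03-05 15:02", "E031", "100877", "DEPOSIT", 250.00),
    ("2024-03-07 11:10", "E203", "101402", "WITHDRAWAL", 900.00),
    ("2024-03-08 16:45", "E117", "100234", "CLOSE", 312.44),
]


def parse(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


def same_employee_dormancy_hits(maintenance, transactions, window=WINDOW):
    """Pair each dormancy removal with transactions the same employee ran on
    the same account within `window`, before or after the removal."""
    hits = []
    for m_time, m_emp, m_acct, field, old, new in maintenance:
        if (field, old, new) != ("DORMANT", "Y", "N"):
            continue  # only dormancy removals are of interest here
        removed_at = parse(m_time)
        for t_time, t_emp, t_acct, t_type, amount in transactions:
            if (t_emp, t_acct) != (m_emp, m_acct):
                continue  # a different employee or account is not this pattern
            delta = parse(t_time) - removed_at
            if abs(delta) <= window:
                hits.append({
                    "account": m_acct, "employee": m_emp, "type": t_type,
                    "amount": amount,
                    "order": "after" if delta >= timedelta(0) else "before",
                })
    return hits


if __name__ == "__main__":
    for hit in same_employee_dormancy_hits(MAINTENANCE, TRANSACTIONS):
        print(hit)
```

Each hit is a lead for a reviewer, who still has to confirm whether the member actually initiated the activity. The `CLOSE` hit on account 100234 corresponds to the "liquidated and closed" question in the dormant account list.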

So much more can be said on this subject, but the main point I want to leave you with is that these are some of the more critical areas to focus resources, especially when capacity is limited or stretched. How consistently is your credit union monitoring these focus points?


  • Marvin Johnson

    AuditLink Manager, NCCO, CAMS, CFE. Marvin started his career in public accounting and over the next eleven years served in various audit and risk management capacities. Most of that time was spent at a large regional bank and a smaller savings and loan, both headquartered in Cleveland, Ohio. Marvin has experience with SOX compliance, vendor management, AML/BSA and OFAC controls testing, credit underwriting reviews and portfolio monitoring, operational risk assessments in support of enterprise risk management, access control and various other processes.
