I work for a firm that has performed forensic investigations into some of our industry’s most notorious fraud cases. When I first started investigating fraud cases and unwinding transactions that concealed the theft, I often shook my head and wondered “how did this happen? How could this not have been detected?”
Having previously worked for a credit union with strong internal controls, I couldn’t fathom how a fraudster was able to get away with their criminal activities…and for so long! As I’m not a thief, I was puzzled how a person could even conceive of some of the methods they used to steal money and then conceal their crimes. And as difficult as it is for an auditor such as myself to question this, I asked “how did the auditors or examiners NOT find this?”
Flashforward several years and many cases later and I’ve come to realize that all fraud has several things in common: 1) an absence of strong internal controls, 2) minimal oversight by a supervisory committee or internal audit function, and 3) the opportunity of the fraudster to perpetuate their crime.
It is important to remember that your auditor is not an internal control; their essential role is to express an opinion as to whether the financials are fairly represented. Equally, your regulator is not an internal control. Their responsibility is to protect the assets of your members and make sure you are operating within safety and soundness guidelines and regulations. In fact, accountability for internal controls is conferred directly to the credit union. Section 715.3 of NCUA’s rules and regulations sets forth expectations of the Supervisory Committee relative to internal controls.
In our experience, the most vulnerable areas for fraud are lending, the change fund, Corporate and investment accounts, and systems access privileges. For example, when one employee has the ability to create, disburse, and perform maintenance on loans, he or she can falsify documents and create fictitious loans. The proceeds of these loans can then be used for myriad deceitful purposes.
We often see fictitious loans as a concealment method. One credit union employee we investigated created $4 million in unauthorized loans to conceal vault cash theft that had occurred over a period of 7 ½ years. Her basic scheme was:
- Steal cash from the vault
- Record an unauthorized loan on an unsuspecting member’s account
- Deposit proceeds of the loan into the unsuspecting member’s account
- Record a vault transfer to an unsuspecting teller drawer using the teller’s credentials
- Record a cash withdrawal entry from the unsuspecting member’s account that had received the loan proceeds (again, using the teller’s credentials)
The end result: the employee got cash, the vault and teller drawers were balanced, and the member’s account balance remained the same as before the transaction. She kept the loan paid and current by creating new fictitious loans to make the payments.
Brilliant, right? Not so much. She was caught and is serving eleven years in prison and the credit union was eventually liquidated.
But she was able to get away with it for so long because she had opportunity. She had complete access and control over the vault; was in a position of authority; was in possession of a log of all teller IDs and passwords; and had the ability to create and disburse loans. She also had wire transfer authority, general ledger access, and prepared the Corporate bank reconciliation. Most heartbreakingly, she was completely trusted by members and many employees.
Despite the lack of operational controls, there were behavioral clues that the employees and board should have paid attention to: working long hours with no vacation, working on weekends or late in the night, “assisting” tellers with their out of balance situations, restricting vault access to only herself, a disorganized office, explaining missing documentation as an “oversight” to the auditors, examiners, or board of directors, and much more. Several employees later claimed that they suspected something but were afraid to speak up. The board of directors simply thought she was “overworked.”
Our experience has taught us one thing: all credit unions, regardless of size, must assess their operations and ensure there are controls in place to deter fraud. These controls should be commensurate with their size and resources, but even small credit unions can institute safeguards.
Credit union personnel must be vigilant and aware. Behavioral red flags should be identified, and a safe climate should exist in which employees can come forward with concerns. Finally, since internal controls can break down for a variety of reasons: employee turnover, apathy, resources, or external influences (like a pandemic…), it is also important to test your controls on a regular basis.
In my line of work I get the privilege of assisting credit union staff with a variety of projects and standard audits. Most of them are hardworking, honest folks who can be trusted to do the right thing. However, as one of my bosses once told me, if you have a trusted system, you’ll never mistrust your employees because the system will spit out the bad ones.