Hello CUSO Mag readers! I’m excited to be back with another article. Today’s topic is the monitoring of insider accounts and activity. I get a lot of questions from credit unions asking, “What should I be looking for when it comes to insider accounts?” or “Is simply monitoring transactions enough?”
I always find that having a “Why” drive any control is a great place to start. This helps the credit union identify the level of risk, implement controls, and test those controls periodically to ensure the system is working as it should. Today I’d like to break that down.
The why
When it comes to employee accounts, friends and family, etc., it’s important to understand the risk that is posed. Once we have identified that risk, we will understand what controls we can put in place to mitigate the risk. While some may be obvious, others may be overlooked.
As a person who has helped many credit unions over the years with employee security reviews, I’ve noticed that system access can occasionally be overlooked. The obvious thing to look for may be suspicious transactions; we already do this for our members, so of course, we have to do this for our employees as well. But what about combining factors, such as financial strain, expansive access to systems that are unaudited, and lifestyle changes? Each one of those factors individually could be a red flag, and when combined, they could be a ticking time bomb, as employees struggling with money may be more likely to embezzle.
So why do we monitor these memberships? Simple answer: to protect the integrity of your credit union’s systems and members. That requires understanding the hierarchy of power, and that the person monitoring these accounts believes anyone could be a criminal if enough factors are applying pressure. What are we trying to protect against? A few things come to mind for me.
- Employees performing transactions on their own memberships.
- Employees adjusting their own memberships/not going through proper channels.
- Employees giving favorable treatment to family members.
- Internal theft of members’ funds.
- Internal theft of credit union funds.
- Employees with significant system access not having their permissions audited periodically. (Example: A change in position at the credit union.)
Who is considered an individual at risk of a financial crime?
- Everyone!
Control consideration
Now that we’ve identified some areas of risk, we can consider proper controls to mitigate said risk. A good rule of thumb is to annually audit your security permissions to your core and other vendors’ systems. Employees may wear many hats at your credit union. We all know the employee who is the “catch-all.” If your credit union cannot avoid that and create segregation of duties, you will want to understand that individual’s level of access and where there are clear conflicts of interest.
I would suggest creating a procedure to audit that individual’s work. Review reports, run against the members’ trial balance, and monitor the accounts that the individual conducts transactions on with a more watchful eye. Be sure to document! This will save you time and energy with examiners down the road. This is a great example of “Why” and “What we are doing about it.”
Reviewing employee accounts
As stated before, any employee has the potential for embezzlement, but none is more likely than an employee who is having a hard time financially, whether that be a C-suite executive or a front-line teller. Reading through recent headlines, you can see it all: employees who are funding their gambling addictions, trying to pay bills, or caught in a romance scam themselves.
I mentioned lifestyle changes earlier in the article, and you might be thinking, “What do you mean, AJ?” What I’m talking about is an employee purchasing a brand-new car, showing up in brand-new clothes, or perhaps even flying on private jets! (Yes, I’ve read that in articles as well!) These are things to consider based on the employee’s position and financial income. Where are those funds coming from?
Credit unions should be monitoring employee accounts periodically to look for negative balances and delinquent loans. Going a step further, if their balance is negative, do we see evidence of frequent gambling, purchasing crypto, or wiring out money? Being able to identify employees who have a higher risk of embezzlement helps the credit union to monitor and go on the offensive.
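One way to automate the periodic review described above, as an added example that is not part of the original article: it flags transactions an employee keyed on their own or a family membership, and combines financial strain (negative balance or delinquent loan) with gambling, crypto, or outgoing wire activity. All IDs, field names, and categories are constructed for illustration and would need to be mapped to your core system’s exports.

```python
from collections import defaultdict

# Constructed sample data: every ID, field name and category is hypothetical.
INSIDERS = {  # employee -> own membership and related (family) memberships
    "E100": {"own": "M1001", "related": {"M2001"}},
    "E200": {"own": "M1002", "related": set()},
}
ACCOUNTS = {  # membership -> balance and days delinquent on any loan
    "M1001": {"balance": -212.40, "days_delinquent": 45},
    "M1002": {"balance": 1830.00, "days_delinquent": 0},
    "M2001": {"balance": 95.10, "days_delinquent": 0},
}
TXNS = [  # posted_by is the employee who keyed it; None means member-initiated
    {"id": 1, "membership": "M1001", "posted_by": "E100", "category": "fee_reversal"},
    {"id": 2, "membership": "M2001", "posted_by": "E100", "category": "rate_change"},
    {"id": 3, "membership": "M1001", "posted_by": None, "category": "gambling"},
    {"id": 4, "membership": "M1001", "posted_by": None, "category": "wire_out"},
    {"id": 5, "membership": "M1002", "posted_by": "E100", "category": "deposit"},
    {"id": 6, "membership": "M1002", "posted_by": None, "category": "crypto"},
]
PRESSURE_CATEGORIES = {"gambling", "crypto", "wire_out"}

def review_insiders(insiders, accounts, txns):
    """Return {employee: sorted list of findings} for the review period."""
    findings = defaultdict(set)
    owner = {rec["own"]: emp for emp, rec in insiders.items()}
    for t in txns:
        emp = t["posted_by"]
        if emp in insiders:
            # Conflict of interest: employee keyed activity on own or family membership.
            if t["membership"] == insiders[emp]["own"]:
                findings[emp].add(f"SELF_POSTED txn {t['id']}")
            elif t["membership"] in insiders[emp]["related"]:
                findings[emp].add(f"RELATED_POSTED txn {t['id']}")
        # Financial strain plus pressure spending on the employee's own membership.
        acct_owner = owner.get(t["membership"])
        if acct_owner and t["category"] in PRESSURE_CATEGORIES:
            a = accounts[t["membership"]]
            if a["balance"] < 0 or a["days_delinquent"] > 0:
                findings[acct_owner].add(f"STRAIN+{t['category'].upper()} txn {t['id']}")
    return {emp: sorted(f) for emp, f in findings.items()}

if __name__ == "__main__":
    for emp, items in review_insiders(INSIDERS, ACCOUNTS, TXNS).items():
        print(emp, items)
```

A finding here is a prompt for the documented review, not proof of wrongdoing; the crypto purchase on the healthy M1002 membership is deliberately left unflagged because no strain factor is present.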
Put plans in place
As always, it’s a balancing act between preventing bottlenecks and ensuring that no one individual is a single point of failure. Utilize technology where you can to help automatically create segregation, whether it be system access, access to personal accounts, or the ability to manipulate cash while being responsible for auditing said cash.
Be sure to have a procedure in place for monitoring insider accounts. If it’s been a while since you dusted these procedures off, I hope this article serves as a reminder to pick them back up!