CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited © 2014 CUNA Mutual Group, All Rights Reserved.

Internal Fraud Affects Everyone Joni Lovingood, CRM, CFE

Corporate Property & Casualty Sales Specialist CUNA Mutual Group joni.lovingood@cunamutual.com

2

Statistics

• The median loss for all cases in our study was $150,000, with 23.2% of cases causing losses of $1 million or more

• Asset misappropriation was by far the most common form of occupational fraud, occurring in more than 83% of cases, but causing the smallest median loss of $125,000. Financial statement fraud was on the other end of the spectrum, occurring in less than 10% of cases but causing a median loss of $975,000.

• The longer a fraud lasted, the greater the financial damage it caused. While the median duration of the frauds in our study was 18 months, the losses rose as the duration increased. At the extreme end, those schemes that lasted more than five years caused a median loss of $850,000.

• In 94.5% of the cases in our study, the perpetrator took some efforts to conceal the fraud. The most common concealment methods were creating and altering physical documents.

ACFE 2016 Global Fraud Study

3

Famous Last Words

• Losses only happen in small/large credit unions • Our employees are like family • We have developed excellent controls • Our employees are active in the community • Dishonesty losses are not common in our area

4

Ingredients to Minimize Employee Dishonesty Losses

• Sound Internal Controls

• Frequent audits

• Frequent cash counts

• Surprise!!!!

5

Goals

With strong leadership and training, credit unions can: • Create an internal culture that: deters dishonest acts

• Detects those that do occur

• Follows a disciplined investigation and correction process

6

Educating Employees

• Discuss the importance of internal controls – New employee training – Regular staff meetings

• Stress that exclusive control or true dual control is crucial • Explain the importance of not sharing passwords • Explain why locking their workspace is critical

Internal controls protect

» Strong employees from fraud opportunities » Weak employees from temptation » Innocent employees from suspicion

7

Red Flags

• Financial – Lifestyle changes – Spending habits – Borrowing habits

• Behavioral – Attitude changes

– Obsessive/territorial – Records in disarray – No vacations

• Environmental – Opportunity = Fraud – Lax internal controls – Inactive Supervisory

Committee/Internal Auditor(s) – Ineffective internal audits

8

Who Typically Uncovers Embezzlements?

• Co-Workers • External Auditors • Credit Union Management • Internal Auditors • Regulators • Risk Management • Supervisory Committee

Co-worker / employee tips are the most common detection method • The overwhelming majority of employees are honest • They are a critically important component of minimizing dishonest acts by others

9

Case Study 1

Accused: Unknown Employee Amount: $12,000 Action: Bundle of $100 bills missing from Vault Cash

Cash shortage discovered when Supervisory Committee conducted a surprise cash count of the vault. All employees had access to the vault cash. $25M in assets 7 full-time employees

10

Case Study 2

Accused: Loan Officer Amount: $15,500 Action: Concealed spouse’s bankruptcy

Joint on loans with spouse. Spouse filed bankruptcy. Employee died, spouse collected credit life insurance and stopped paying loans $25M in assets 4 full-time employees

11

Case Study 3

Accused: Teller Amount: $75,000 Action: Unauthorized transactions—member account

Member complained regarding unauthorized transactions on account over an 11 month period. Credit union internal auditor conducted investigation. Employee withdrew funds in excess of $75,000 $800M in assets 250 full-time employees

12

Case Study 4

Accused: Loan Officer Amount: $50,000 Action: Fictitious/Unauthorized loan

Loan officer set up share secured loan with no shares to pledge. Employee suddenly left credit union $6M in assets 3 full-time employees

13

Case Study 5

Accused: Loan Officer Amount: $135,000 Action: Unauthorized loans

Loan officer granted 4 loans to members who had caused previous losses to credit union Loan officer received kickback from the members $1.5B in assets 400 full-time employees

14

Case Study 6

Accused: VP of Lending Amount: $250,000 Action: Fictitious Loans VP of Lending created 3 fictitious loans Opened the fraudulent accounts on the system Disbursed the loan proceeds. Advanced due dates to prevent the loans from appearing on

the delinquency report $8M in assets 6 full-time employees

15

Case Study 7

Accused: Marketing Employee Amount: $1.5M Action: Contract Negotiation Credit union budget had approved vendors with approved

amounts (ex. janitorial, shredding) Employee negotiated lower rates that approved and

transferred the difference into employees account $2B in assets 305 full-time employees

16

Effective Internal Controls

• You can reduce the length of a fraud scheme with the following: – Rotation of job duties – Mandatory vacation – Rewards for whistleblowers – Surprise internal audits – Having a “code of conduct” or a fraud policy – Rules for cash handling – Procedures for loan processing – Access to member accounts – A hotline to report alleged fraud

17

Fraud Policy Guidelines

• Termination/Suspension—outline the nature of the offense, dollar amount involved, existing policies, effect on bond coverage, and applicable laws and regulations – If the employee is covered by a union contract, be sure that anything you

do adheres to the requirements of the union contract. • Regular employee training--the most comprehensive fraud policy in

the world won’t be effective if staff doesn’t know how it works – Stress a disciplined approach to handling allegations of employee

dishonesty • Notification of dishonest act--appropriate law enforcement agency,

regulatory agency, and the bond provider when employee fraud is alleged – May also have to file a Suspicious Activity Report (SAR).

18

Basic Safeguards

• Rotation of Duties – Internal control and cross-training benefits

• Segregation of Duties – Three steps:

• Origination • Posting • Audit

– One employee should not have complete control over the entire transaction • Compulsory Vacations

– Consecutive one-week vacation • Forces individuals to relinquish their duties to someone else

– Revoke all remote access to email/operations • Cell phones • Tablets

19

Cash Handling Controls

• Currency deliveries—verified under dual control • Vault cash—exclusive control or forced dual control • Teller cash—lockable drawers • Spare key control—employee’s signature • Teller area access—limited access • ATMs, Cash Dispensers—dual control • Surprise cash counts • Over/short records • Controlled cash limits

20

Employee/Family Member Account Controls

• Restrict access • Report family members annually • Include “zero tolerance” in fraud policy

21

Data Processing Controls

• Log on procedures – Access control – Passwords – Security policy

22

Lending Controls

• Segregation of duties in the loan department

• Review file maintenance reports daily – Changing payment due dates

• Periodic confirmation of member loans by telephone

• Protect/monitor dormant accounts - Supervisory override - Review transactions on dormant

accounts report

• “Do not mail” & “bad address” controls – Require a supervisory override to add

these flags – Generate report of accounts flagged as

“do not mail” • Confirm “do not mail” flag

– Bankrupt accounts – Bad addresses

– Audit transactions occurring on these accounts

• Statements mailed to branch offices – Generate report of accounts mailed to

branch offices – Why mail to branch? – Audit Transactions

23

Plastic Card Department Controls

• Deploy lockout feature on credit card terminal to block card department employees from processing transactions on their own credit card account and accounts belonging to their family members

• Review monthly report of employees and their family members with credit union-issued credit cards

• Audit card department employees’ and their family members’ credit card accounts – Credit limit agrees with approved limit – Waiving fees (e.g., late, over-limit and cash advance fees) – Unauthorized account reaging (advancing due dates)

• Monthly credit card report showing the total balance outstanding should be reconciled to the general ledger by someone not involved with card operations and who does not have access to the credit card terminal

24

Self-Assessment Questions

Are you checking / verifying previous employers, references & performing criminal background and Bondability verifications for new hires? Does your Fraud Policy Statement highlight “zero tolerance” for fraud and

dishonest acts? Are you proactively monitoring employee warning signals related to internal

controls and employee dishonesty? Do you have a whistleblower policy? Do you report all cases of employee wrongdoing to CUNA Mutual Group? How are you proactively monitoring employee warning signals?

Have you implemented dual control over vault cash, currency shipments, ATM/teller cash replenishments and cash dispensers

Are vault cash, cash drawers and ATMs subject to frequent surprise audits?

Are you verifying transactions initiated by tellers or vault teller before and after a surprise cash audit?

Are sound controls used to monitor expenses and general ledger accounts?

25

Bondability Verification & Background Checks

Hiring the right employees is no simple task. Utilize Bondability Verification and Background Checks to reduce employee dishonesty losses.

CUNA Mutual Group’s Bondability Verification database is only accessible to Bond Policyholders (must have username and password to access online services)

Contains over 40,000 individuals who lost their bondability under CUNA Mutual’s Bond

Verify bondability of potential employees and volunteers

Conduct background checks in addition to bondability verification

26

Reporting Dishonest Acts

• Credit unions should report dishonesty, fraudulent acts, or conscious disregard of your established and enforced share, deposit or lending policies committed by employees, directors, and volunteers whether the situation has been committed inside or outside the credit union

• Use Notice of Employee Discrepancy at www.cunamutual.com to report situations and help determine if an individual's continued coverage on any concerning situation would be impacted. Report to Bondability underwriting if: – There is no loss – There is a loss, but the individual reimburses your credit union – Your credit union learns of a dishonest or fraudulent act committed by the individual

outside of the credit union (e.g. shoplifting) – Any time you have a bondability concern on an individual

27

Bondability Making the business decision to not report dishonest, fraudulent, or acts in conscious disregard of established and enforced share, deposit or lending policies by their own employees or volunteers because the person’s actions didn’t result in the credit union incurring a loss can still impact your bottom-line results • Problematic when credit union directors, officers and/or supervisory staff are aware

of the situation • Taking matters into your own hands by reprimanding and not reporting employee

wrongdoing to your bond provider, increases your risk of having a future loss caused by the employee denied as a claim

28

Risk Mitigation

Bondability underwriting thoroughly reviews the situation details to mitigate future credit union risk The resulting actions can include:

– Coverage remains terminated for the discovered act and employee is not bondable; – Coverage is reinstated for the employee; or – Coverage is reinstated with restrictions, such as an individual deductible for that

person or other limitations of coverage

29

Discovery of Employee Dishonest Act

• The Fidelity Bond, underwritten by CUMIS Insurance Society, Inc. contains a provision (Condition 9, Subsection 1) that stipulates coverage for an employee terminates automatically when any officer, director, or supervisory staff of the credit union becomes aware of any dishonest or fraudulent acts committed by the employee, or any intentional violations of established and enforced share, deposit, or lending policies by the employee

• Problems arise when a credit union fails to notify CUNA Mutual Group and elects to retain an employee who committed a dishonest or fraudulent act

• If the employee subsequently causes a loss and it is discovered during the investigation that the employee committed a prior act, the claim may be denied

Report employee wrongdoing to CUNA Mutual Group Bondability Underwriting regardless of any loss

30

Questions & Answers

Joni Lovingood CRM, CFE Corporate Property & Casualty Sales Specialist CUNA Mutual Group Email: joni.lovingood@cunamutual.com

31

Disclaimer

This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Credit Union Loss Scenarios – Case Studies The credit union loss scenario claim study examples do not make any representations that coverage does or does not exist for any particular claim or loss, or type of claim or loss, under any policy. Whether or not coverage exists for any particular claim or loss under any policy depends on the facts and circumstances involved in the claim or loss and all applicable policy language. CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers’ needs. For example, the Workers’ Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group. This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions. ©CUNA Mutual Group, 2015 All Rights Reserved

32