The NAFCU Journal: Lowering the High Cost of Internal Fraud

How policies, culture and training work together to improve fraud detection and prevention

It’s a continual problem, but one that many of us don’t like to think about: internal fraud. Why do we avoid it? Sometimes we don’t want to admit that we made a hiring mistake or that our policies didn’t protect us. But employee fraud happens, and the results can seriously hurt the credit union.

A 2014 report from the Association of Certifi ed Fraud Examiners (ACFE) showed that fi nancial institutions had the highest rate of internal fraud among the industries they analyzed — 17.8 percent of the total cases reported. According to a review of the data by Ray Birch for CUToday.info, there have been fl uctuations in the annual number of internal fraud cases and the dollar amounts involved, but overall, it has remained relatively steady since this ACFE study.

One particularly concerning piece of information, though, is the number of times internal fraud has caused credit unions to fail. For example, Birch pointed out that in 2015, employee fraud was a key contributor to 69 percent of credit union failures.

So how do we work to prevent internal fraud and mitigate losses to the credit union? A combination of policy strategies, cultural changes and training.

The Costs of Internal Fraud Go Beyond Cash

The ACFE study found the median reported dollar cost of internal fraud in financial institutions to be $200,000, and these losses are likely to be covered by insurance. But hard dollar costs are only part of the picture.

Sabrina Waner, senior vice president and chief financial officer at Allegiance Credit Union in Oklahoma City, points out the burden on staff time that gathering information and evidence of internal fraud can have, especially for small credit unions. There were two cases of internal fraud while she was working at a previous credit union. Because they were small — the staff numbered between seven and 14 when the two fraud cases happened — and she was a vice president who was responsible for the accounting functions, much of the burden of documentation fell on her shoulders. “We weren’t big enough to hire an auditor or an audit firm to come in and pull all that information,” she says. “I spent a year of my life making sure we had documentation of every transaction, every piece of paper and every policy, then going through the trial and testifying in court.”

Ryan Ross, senior vice president and chief risk officer at Pen Air Federal Credit Union in Pensacola, Fla., had a similar experience with one fraud case in which a staff member was skimming off the top of cash shipments. In this case, it took a year and a half of working with the local district attorney and the FBI to get the case to court. “The time I put in just myself, pulling video footage and working with the FBI to see where she was in the branch and see if we could catch her doing it, [was substantial],” he says.

Additionally, credit unions may suffer reputational loss. “When you start reporting things to law enforcement and regulators, that becomes public record,” says Jon Crawford, security manager at Apple Federal Credit Union in Fairfax, Va. And in cases involving large sums of money or senior staff, local media can find a refreshing take to an interesting story whenever there is a new development in that long investigation timeline. This can be an ongoing issue, repelling new members until the story blows over. To combat this potential risk, give your credit union spokesperson information they can discuss with media that underscores how the credit union’s policies, procedures and internal auditing helped them find this internal fraud. It also helps to highlight relationships with law enforcement to protect member assets and prosecute anyone who commits fraud. Prosecution of employees who commit fraud, says Crawford, “sends a message that fraud will not be tolerated and the assets of the members of Apple Federal Credit Union will be protected at all costs.”

Strong Policies Are Critical

Internal auditing and policies and procedures help prevent and uncover internal fraud. Two of the most important, according to Michael J. Carroll, assistant vice president of internal audit at Apple Federal Credit Union, are dual control and segregation of duties. “As long as you’re segregating duties properly, it’s going to make it very difficult for one employee to complete a fraudulent transaction from beginning to end.”

Also important are tiered approval limits on specific types of transactions, says Ross.

Carroll also suggests credit unions of all sizes outsource some of their auditing functions and a review of policies — “having a fresh set of eyes look at your controls is extremely important.”

Waner points to the importance of internal audits, especially in preventing fraud at the teller level. “We count cash at the end of shifts and do surprise cash counts,” she says, “and we really don’t have any employee losses.” She also notes that they often find issues when employees are taking their required 40 hours off or when they’re rotating in new employees. “Someone will say, ‘This just doesn’t look right,’” she says, and that gives the credit union the opportunity to investigate and see whether there is any fraudulent activity.

Technology tools can help prevent fraud. For example, Ross says Pen Air recently launched RSA keys, a secure ID to log in to computers. “It’s a key fob that’s based on you, and the numbers change every 60 seconds. There’s never a password to log on. That keeps others from being able to guess your password and get into your computer.” Of course, this works only when employees log off their workstations when leaving, so it is important to emphasize this procedure. Waner mentions a specific case in which an employee used another employee’s workstation and teller number to cash fraudulent checks, and it took about a month to get the proof they needed of that activity.

Ross also points out that cash isn’t the only area to monitor. Mileage logs and credit charges are given extra scrutiny by supervisors at Pen Air. Additionally, call center calls are recorded, file maintenance records track account changes, and all new memberships and accounts go through quality assurance reviews.

Culture Is Key to Catching and Preventing Fraud

Giving employees the opportunity to speak up when they see something unethical is a key component of a fraud-preventing culture.

Pen Air Federal Credit Union includes a whistleblower procedure in the employee handbook. Says Ross, “We tell our employees, ‘If you see anything that is against Pen Air’s policies and procedures, inform us. We will safeguard your identity.’” They also ask employees to sign a commitment card to show that they are living the credit union’s culture of honesty and integrity.

Employee onboarding is an important moment for setting culture. Waner says all new employees at her credit union meet every member of senior leadership during their orientation. “From the get-go, employees visit with the vice presidents and the president, and they get to know who we all are,” she says. “And I talk about fraud and let them know that our culture is open and we depend on them to alert us — if there is something suspicious, you need to tell someone.” That openness has paid off. Waner says Allegiance employees report suspicious activity directly to human resources, rather than the ethics hotline they’ve set up.

At Apple Federal Credit Union, open access to leadership continues after new employee orientation with branch visits from the CEO and the head of human resources (its “chief people officer”) and town hall meetings at which the credit union comes together to hear from senior management. Additionally, they provide an incentive for following the “if you see something, say something” culture, says Crawford. “I award a semiannual fraud defender award — and it has a monetary benefit to it.”

Ongoing Training Is Essential

Training on what is and isn’t appropriate and ethical can help keep credit union employees diligent in their anti-fraud behavior.

Apple Federal Credit Union begins its fraud training at new employee orientation. Crawford says he is “charged with discussing fraud and fraud issues at the credit union.” He discusses external fraud schemes employees can look out for and then describes his and Carroll’s roles in preventing internal fraud. He also demonstrates the anonymous tip link on Apple’s intranet — which goes only to internal audit to protect anonymity — and their policy that “if you bring something to our attention, we’re going to look into it.”

Annual bank security training presents the perfect opportunity for ongoing reminders about internal fraud, says Waner. “Besides just suspicious activity,” she says, “we talk about internal issues and employee fraud.”

Crawford has developed an in-house e-learning module on internal fraud. It’s updated annually based on real cases in the past year from nonsupervisory employees all the way up the chain. He includes criminal penalties for fraud so they understand what the potential ramifications are from a criminal perspective. Crawford and Carroll also work together to create one-off trainings based on what they’re seeing in the credit union. A recent example is a training on dual controls to help everyone understand and follow the policies as outlined.

Also important is ongoing training for a credit union’s fraud and loss prevention staff, say Crawford and Carroll. The ACFE, the Association of Certified Anti-Money Laundering Specialists, the Association of Credit Union Internal Auditors, and regional and local groups for credit union management and law enforcement and security professionals offer education and training, while NAFCU can connect members with resources at www.nafcu.org.

Preventing internal fraud requires a holistic approach and an open culture. One of the hallmarks of success at Pen Air, Apple and Allegiance is that the culture of fraud prevention is embraced at all levels, from the tellers to the board of directors. Policies and procedures work to support that culture, and training ensures that policies and procedures are followed.


Jennifer Roland Cadiente is a freelance writer based in Oregon. She focuses on technology, financial institutions and education.

From the May-June 2019 edition of The NAFCU Journal magazine.