COEUR D'ALENE, Idaho (9/19/13)--Difficult economic times create opportunities for good organizations, but also for criminals, which is why credit unions must adopt loss controls to mitigate the most serious risks, CUNA Mutual Group President/CEO Jeff Post said Wednesday.
Credit unions cannot become complacent in fighting fraud, because criminals continually devise new ways to steal, Jeff Post told attendees at the 2013 National Association of State Credit Union Supervisors' State System Summit Wednesday. (Photo provided by CUNA Mutual Group)
Speaking at the 2013 National Association of State Credit Union Supervisors' State System Summit, Post discussed the five most serious fraud risks CUNA Mutual has identified facing credit unions and offered loss prevention recommendations. They relate to employee dishonesty, funds transfer, plastic cards, data breaches and electronic crime.
"Perhaps the biggest takeaway from this session is there is no single fraud loss area," Post said. "Criminals seem to continually devise new ways to steal or defraud."
Employee dishonesty ranks low in number of insurance claims, but is by far the leader in claim dollars paid. Most losses are caused by cash theft, loan fraud and ledger manipulation. Employee dishonesty fraud lasts a median of 18 months before being detected, with a median loss of $140,000, Post said, citing the Association of Certified Fraud Examiners' 2012 Report to the Nations on Occupational Fraud and Abuse. However, the study showed more than one-fifth of these cases caused losses of at least $1 million. The longer a perpetrator works for an organization, the higher the fraud losses.
"For credit unions, there is no immunity to this exposure based on geography, asset size, or employee tenure. The one common denominator has been that the credit union either lacked the controls to catch fraud from the beginning or got more relaxed about the controls over time, which provides the ideal environment for a dishonest employee," Post said.
He recommended three "Ds" to reduce employee dishonesty:
Deter--Vet job applicants and establish a written fraud policy.
Detect--Segregate duties, require mandatory vacation and reward whistleblowers. Conduct surprise internal audits and institute specific controls on cash handling, loan processing and access to member accounts.
Discipline--Develop a fraud policy that includes detailed procedures for handling these situations and guidelines for terminating or suspending dishonest employees. Train employees regularly on the fraud policy.
Another large loss area for credit unions involves fraudulent transfers from home equity lines of credit. Credit unions reported more than $25 million in losses from 2007 to 2012, with an average loss of $175,000. Some approached $1 million.
"Telephone callbacks are too easily defeated by criminals, who hijack the member's home phone number through call-forwarding. So don't rely only on callbacks," Post said. Credit unions should be wary of large-dollar home equity line of credit transfers, limit the dollar size of transactions not requested in person and implement layered security, such as requiring passwords in addition to callbacks.
Regarding plastic card fraud, which was rampant when he became CEO in 2005, Post said credit unions have made good progress in managing fraud, but sophisticated crooks are still identifying weaknesses. Targeted payment fraud exposures, card data breaches, phishing scams and system intrusions continue to be legitimate threats.
Migration to Europay, MasterCard and Visa (EMV) chip technology provides added security by making the skimming of magnetic stripe data more difficult, but credit unions should plan their migration to EMV carefully. "The new cards will contain a chip, but it will still have a magnetic stripe for a while," Post said. "Educate your members about using chip technology at merchants and ATMs that offer that capability."
As for data breaches in the credit union, the biggest concern is exposing members' personal identifiable information, Post said.
Electronic crime also is increasing. CUNA Mutual is seeing more outgoing funds and account takeovers. "I would characterize data breaches and electronic crime as not necessarily being high-loss areas yet, but they are definitely high-risk and have the potential to produce significant losses," Post said.
He urged credit unions to not get complacent. "Just because you may not have had a loss doesn't mean you should curtail your fraud prevention efforts. Know that CUNA Mutual Group will be here so we can work together to help prevent fraud."