Data breaches are becoming uncomfortably common news, and while credit unions may not be as heavily impacted as other financial institutions, data breaches are not the only type of risk that needs to be addressed by a CU. Thirty percent of financial-related fraud losses are call-center related, according to a recent study from Pindrop Security. For a credit union, maintaining a positive reputation is critical to serving its member base. Since most CUs are extremely community oriented, a credit union's reputational risk rivals monetary losses and regulatory issues in overall risk exposure. The fact is, all types of fraud are on the rise, and credit unions need an effective fraud mitigation strategy in place to protect them from reputational harm.
Generally, the two broadest categories of internal fraud are embezzlement (some type of misappropriation of funds) and customer identity theft. For credit unions, identity theft likely presents the most concerning exposure because of their heavy reliance on call centers, combined with the rapid emergence of online markets and the resulting shifts in member behavior. To address this onslaught of threats, credit unions should implement a three-pronged strategy:
- Create a culture of compliance across the organization, clearly defining policies for anti-fraud employee conduct.
- Assess system and platform controls and safeguards, monitoring activity and mitigating internal threats.
- Define clear roles and responsibilities at all levels, recognizing that management and systems are the first lines of defense to flag suspicious employee activity.
The creation of a culture of compliance is not only a prudent strategy for credit unions, but it is also one of regulators' heightened expectations for all financial institutions, regardless of segment. Beyond the issuance of a policy, this demands an organization-wide adoption of the principles, concepts and requirements associated with regulations. It includes a top-down employee conduct strategy in which the expectations are clearly defined, communicated and acknowledged at all levels as it relates to their specific function. This also requires a coherent partnership between compliance and the individual lines of business to ensure that the first and second lines of defense operate in tandem. Only through this added attention can a credit union reliably address complex regulations like Bank Secrecy Act (BSA), new regulations actively emerging from the Consumer Financial Protection Bureau, and even employee bonding provisions.
Understandably, this requires a mindset shift for credit unions. Credit unions often seem to have a natural tendency to have trust as the default setting when it comes to employees. However, with the reputational risk associated with fraud, it's important for credit unions to evolve their internal systems and create a culture of compliance.
A credit union's fraud mitigation strategy is only as effective as the controls in place to prevent and/or flag suspicious activity. Effective controls and processes are paramount to expose and address fraud risk. Monitoring is essential because employees know the systems and the easiest ways to circumvent the controls. Creating a profile of what constitutes a "high-risk employee" and "high-risk activity" will drive the detection of suspicious activity and trigger further investigation as necessary. For example, if an employee repeatedly accesses specific accounts for inquiries unrelated to CU business, those actions may be classified as "higher risk."
Example traits of high-risk employees might also include short time on the job, disgruntled employees and employees identified as "financially stressed." If a single employee or contractor accesses a member information system to look up the details of a member account, personally identifiable information, or other identifying member information protected under the BSA and internal security policies, with no business reason to do so, this may indicate potentially suspicious insider behavior. Systems and controls must constantly be monitored for performance through a combination of analytics, operational/process rules and basic business knowledge. The objective is to reduce false positives and evolve with the constantly changing practices used to commit internal fraud.
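The profiling described above can be expressed as a small scoring rule run over access-log records. The following is an added illustration, not code from the article or from North Highland; the audit records, HR profile and the use of a service-ticket id as the proxy for "CU business justification" are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample audit records: (employee_id, member_account, action, ticket).
# A ticket id means the lookup was tied to a logged member service request;
# None means no business justification was recorded (assumption for this example).
AUDIT_LOG = [
    ("e101", "ACCT-4471", "inquiry", "T-1"),
    ("e101", "ACCT-4471", "inquiry", "T-1"),
    ("e102", "ACCT-9920", "inquiry", None),
    ("e102", "ACCT-9920", "inquiry", None),
    ("e102", "ACCT-9920", "inquiry", None),
    ("e102", "ACCT-3310", "inquiry", None),
    ("e103", "ACCT-1234", "inquiry", None),
    ("e103", "ACCT-5678", "inquiry", "T-7"),
]

# Constructed HR profile: tenure in days and whether HR has raised a risk flag
# (e.g. disgruntled or financially stressed, per the traits named in the text).
EMPLOYEES = {
    "e101": {"tenure_days": 1800, "hr_flag": False},
    "e102": {"tenure_days": 45, "hr_flag": False},
    "e103": {"tenure_days": 400, "hr_flag": True},
}

def score_employees(log, employees, short_tenure_days=90):
    """Return {employee_id: (score, reasons)} combining activity and profile."""
    unjustified = defaultdict(Counter)  # employee -> Counter(account -> lookups)
    for emp, acct, action, ticket in log:
        if action == "inquiry" and ticket is None:  # ticketed lookups are filtered out
            unjustified[emp][acct] += 1
    results = {}
    for emp, profile in employees.items():
        counts = unjustified.get(emp, Counter())
        total = sum(counts.values())
        score, reasons = total, []
        if total:
            reasons.append(f"{total} lookup(s) with no service ticket")
        repeats = [a for a, n in counts.items() if n >= 3]  # same account, repeatedly
        if repeats:
            score += 3
            reasons.append("repeated access to " + ", ".join(repeats))
        if profile["tenure_days"] < short_tenure_days:
            score += 2
            reasons.append("short tenure")
        if profile["hr_flag"]:
            score += 2
            reasons.append("HR risk flag")
        results[emp] = (score, reasons)
    return results

def alerts(log, employees, threshold=5):
    """Employees whose combined score crosses the threshold for investigation."""
    return sorted(e for e, (s, _) in score_employees(log, employees).items() if s >= threshold)
```

Filtering out ticketed lookups before counting is the false-positive reduction step; the threshold and weights are the business-knowledge inputs a CU would tune.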
Once system controls and a culture of compliance are in place, clearly defined roles and responsibilities at all levels become the glue that brings an effective fraud strategy together. A system may produce alerts or even prevent suspicious activity, but those alerts must then be addressed and resolved by the individual with the responsibility and accountability to execute the necessary action. Roles must be clearly defined at each level with appropriate performance metrics. The roles can fall into a few categories: monitoring, investigation, enforcement and, most importantly, ownership of the function. The reality is that all employees at all levels have an assigned role in the prevention of fraud. Training, sharing information and developing a cohesive communications plan are key to ensuring that everyone understands their role in protecting the credit union and its members.
Consumers often express concern that companies, regardless of industry, don't do enough to protect against threats from "within." While no system is bullet-proof, following this approach can ensure that credit unions prevent and detect fraud as effectively as possible. By cultivating a culture of compliance across the CU, implementing the appropriate monitoring and controls, and conducting employee training, credit unions will create a well-rounded system for internal fraud protection.
Edmund Tribue is the national lead for credit, risk management, and compliance solutions for North Highland. Scott Mullen, Ph.D., is a principal with North Highland specializing in financial services. North Highland is a global consulting company based in Atlanta.