Credit unions face a two-pronged loss threat: fraudulent acts committed directly against the institution, which result in immediate losses; and third-party claims, litigation, and subsequent losses, according to Roger Nettie, senior risk management consultant.
Direct losses can stem from many causes, including employee dishonesty, illegal funds transfers, and electronic crime, Nettie told Discovery breakout session attendees.
Employee dishonesty is universal, but banking and financial services are the most commonly victimized industries, according to the 2012 Global Fraud Study conducted by the Association of Certified Fraud Examiners.
Instances of employee fraud last a median of 18 months before detection, with a median loss of $140,000, the study indicates. More than one-fifth of these incidents caused losses of at least $1 million.
“The longer a perpetrator works for an organization, the higher fraud losses tend to be,” Nettie said. “CUNA Mutual Group claims records show that over a five-year period, employee dishonesty represented just 13% of fraud claims, but 45% of fraud losses.”
Many credit unions believe all their employees are trustworthy and that their internal controls are strong enough to prevent internal theft. Yet, it still occurs.
“Fraud does not discriminate,” Nettie said. “There is no immunity to this exposure based on geography, asset size, employee tenure, or past experience.”
Another growing area of direct losses is wire fraud, especially from HELOC accounts, with credit unions reporting more than $25 million in losses from 2007 to 2012. The average reported loss in 2012 was $175,000, with some events approaching $1 million.
“Credit unions experiencing losses generally had inadequate security for large dollar transfers, enabling crooks to easily defeat callback security measures,” Nettie said.
Consequently, CUNA Mutual Group implemented new terms with its funds transfer coverage to encourage additional controls for remote requests, and discourage the practice of accepting large-dollar remote requests. Nettie offered a number of recommendations to limit wire fraud, such as spotting red flags and using layered levels of security.
Other forms of electronic crime that cause direct losses include computer malware and money mules who illegally transfer money on behalf of scam operators, typically in another country.
Prevention measures such as cookies, device recognition, Internet protocol and challenge/response questions have limited effect on this fraud. As alternatives, Nettie suggested out-of-band authentication, hardware tokens, digital certificates, and biometrics.
Employment practices liability claims and subsequent litigation continue to be credit unions' top liability loss categories.
“EPL losses make up nearly two-thirds of all of CUNA Mutual Group Management and Professional Liability losses, with the most common allegations being wrongful termination, retaliation, and race and gender discrimination,” said Nettie, who suggests credit unions ask legal counsel to review policies and procedures, then train staff on those guidelines.
Another costly and growing threat is lender liability claims, which generally allege the credit union failed to follow state law requirements in its Notices of Intent to sell repossessed property and Notices of Deficiency letters.
“Usually, this is a case of you getting sued by your worst borrower and then having it mushroom into a class action lawsuit,” Nettie said. “It’s vitally important to have your forms reviewed and approved by legal counsel for each applicable state, and train employees on how to properly complete the forms.”