Leave No Risk Unchecked

Globalization and electronic fraud heighten risks for CUs.

April 21, 2011

Credit unions are in the business of managing risk. Whether dealing with lending, investments, or liquidity, managing risk requires a careful and calculated approach.

Left unchecked, the many risks credit unions face today could have a catastrophic effect on the bottom line. “One of the biggest problems we’re seeing is losses caused by electronic fraud—wire transfers via fax or phone requests,” says Jay Slagel, vice president, risk management and claims, for Allied Solutions.

A large amount of cyber theft and data breaches originate from foreign venues, says Brad Mundine, senior manager of risk management for CUNA Mutual Group. “Much of the fraud involves money transferred overseas, both for purposes of money laundering and avoidance of U.S. jurisdiction.”

Closer to home, experts disagree on whether a down economy increases fraud. “Historically, incidences of fraud increase during down times because people become desperate,” says Patrick Touhey, senior vice president of Allied Solutions’ Bond Division. Fraud occurs across the board—wire fraud, robberies, check fraud, and employee dishonesty.”

But Mundine says risk doesn’t have as much to do with the current economic environment as it does with globalization and the opportunities for fraud it presents. “No location or person is immune to fraud. Some of the most prevalent threats we’re seeing are related to information theft.”

Besides fraudulent assaults on information technology, Mundine cites other substantial risks:

  • Defaults, particularly with residential construction and participation lending;
  • Real estate, due to credit risk and rising unemployment; and
  • Spot market risk. Certain housing markets are higher risk and more volatile than others.

Even as credit unions face rising risks, they have fewer insurance options than before. “Insurance coverage is different than it was five or 10 years ago, with fewer options,” says Slagel. “If there are no insurance options for certain activities, credit unions have to decide how to minimize their risks.”

One example of how insurance can’t cover every form of loss, says Mundine, is check fraud. “Insurance can protect you against dishonest member acts. But it generally doesn’t [help] when a member deposits a Nigerian scam check and is later liable for the money he wired to the fraudsters, assuming the member didn’t intend to defraud the credit union.”

When they can’t get coverage, says Slagel, credit unions must install clear procedures that shield them from the limits of their policies. “We’ll evaluate a credit union’s policies and procedures and recommend changes that reduce the risk of loss.”

“Some policies will offer protection against loan fraud provided the credit union follows the policies’ conditions,” adds Touhey. “Fortunately, the process of meeting those conditions minimizes the risk of fraud.”

One way to minimize risk is by changing wire transfer procedures. The techniques that work best, though, are ones credit unions should carefully explain to members.

“If someone calls in a request to wire transfer funds from a home equity line of credit to a foreign bank, you have an immediate basis for suspicion,” says Mundine. “Some credit unions, however, might not spot this type of activity. They’re under pressure to provide good member service, and see assenting to a large withdrawal or wire transfer as fulfilling that.

“But given changes in fraud patterns,” he continues, “credit unions need to be more diligent, perhaps by setting monetary limits and implementing stronger authentication procedures, or requiring wire transfers over a certain amount to be made in person.”

Balancing fraud prevention and service, says Slagel, goes back to education. “If a credit union has to do something that inconveniences members to lessen its risk, it should tell them clearly why it’s doing that.”

Next: Privacy liability coverage

Privacy liability coverage

One way to guard against security breaches is with information security and privacy liability coverage, which defends credit unions from financial loss, penalties, and defense costs, says Nick Grant, CEO of SWBC’s property and casualty division.

He says common causes of this type of loss include lost or stolen portable computers, computer hacking, employee misuse, improper disposal of paper documents or computer equipment, and vendor negligence. “Not only can these situations wreak havoc on your ability to keep data safe and secure, it can be expensive to restore security and consumer confidence afterwards.”

SWBC’s information security and privacy liability coverage offers:

  • Electronic media liability, which covers the display of content on a credit union’s website;
  • Financial damages arising from unauthorized disclosure or general corruption of personal data;
  • Defense costs and damages for regulatory agency investigations or requests associated with control and use of personally identifiable information; and
  • Coverage for regulatory penalties.

Common mistakes

Mundine says credit unions make four common mistakes when trying to mitigate risks:

1. Assuming an insurance policy covers all losses. Credit unions should know what a policy does and doesn’t cover.

2. Assuming third-party vendors take on all risk. Outsourcing certain functions doesn’t transfer all risk to the third party.

Also, it’s important to conduct proper due diligence on vendors.

3. Being complacent. Don’t adopt the attitude of, “it can’t happen to us.” Globalization and remote threats can circumvent security even at small, tight-knit organizations.

4. Not knowing where fraud is likely to come from and what patterns to look for.

The most common culprits for internal fraud, Slagel says, are collections staff, tellers, and loan officers. Even tellers can abscond with a surprising amount of cash.

“One credit union with a small staff couldn’t segregate functions,” Touhey recalls. “The head teller, who was in charge of verifying money amounts, buying and selling cash, and making ledger entries, had full control over the credit union’s money. As a result, over a three-year period she walked out with $1 million.”

He says the greatest internal control over employee theft is one most credit unions no longer use: the compulsory two-week vacation.

“That two-week period allows the credit union to detect anomalies the vacationing employee would otherwise cover up,” says Touhey. “If a fraudster knows he can be detected during his vacation, the two-week requirement is a huge deterrent.”

Next: CPI rounds out protection

CPI Rounds Out Protection

Another risk mitigation tool is collateral protection insurance (CPI), something credit unions typically take out to cover auto loans.

“CPI is a more proactive way of managing risk,” says John Pearson, executive vice president/national sales manager at State National Companies. The company monitors credit union loan portfolios to make sure each loan has adequate CPI coverage.

“If not, we notify borrowers that they need to take out insurance,” he says. “After three letters and no response, we do a ‘force place policy’ in which they must pay for insurance if they want to continue with the loan.”

About 3% of the population forces this solution. But a bad economy and high unemployment cause some good borrowers to go “bad” overnight.

“In the past, lenders could see a bad loan developing, such as a pattern of late or missed payments,” Pearson says. “Now this can happen suddenly, when people who have been current all along lose their jobs and can no longer make loan or insurance payments.”

Insurers’ expression for credit unions that don’t take out CPI is “running naked,” Pearson explains. “This is when a credit union makes a loan with no requirement for maintaining proper insurance. Often it’s a case of not wanting a member to have to take on an additional burden, or a belief that the credit union can manage its own losses. “In other cases, credit unions realize that even in a soft-volume lending market, they still have to make loans,” he continues. “This often means assuming more credit risk. That practice requires more protection against loss.”