Credit unions facing costly fraud threats from multiple sources

CUNA Mutual Group CEO Jeff Post Tells NASCUS Summit Audience to Remain Vigilant

COEUR D’ALENE, ID (September 18, 2013) — Difficult economic times create opportunities for good organizations, but they also create opportunities for criminals, which is why credit unions need to adopt loss controls to mitigate the most serious risks, CUNA Mutual Group President and CEO Jeff Post said Wednesday.

Speaking to attendees at the 2013 National Association of State Credit Union Supervisors’ State System Summit, Post discussed the five most serious fraud risks CUNA Mutual Group has identified facing credit unions and offered loss prevention recommendations. The five risks relate to employee dishonesty, funds transfer, plastic cards, data breaches and electronic crime.

“Perhaps the biggest takeaway from this session is there is no single fraud loss area,” Post said. “Criminals seem to continually devise new ways to steal or defraud.”

Employee dishonesty ranks low in terms of number of insurance claims but is by far the leader in claim dollars paid. Most losses are caused by cash theft, fraudulent loans and ledger manipulation. Citing the Association of Certified Fraud Examiners’ 2012 Report to the Nations on Occupational Fraud and Abuse, Post said employee dishonesty fraud lasts a median of 18 months before being detected, with a median loss of $140,000. However, the study showed more than one-fifth of these cases caused losses of at least $1 million. The longer a perpetrator works for an organization, the higher fraud losses tend to be.

“For credit unions, there is no immunity to this exposure based on geography, asset size, or employee tenure. The one common denominator has been that the credit union either lacked the controls to catch fraud from the beginning or got more relaxed about the controls over time, which provides the ideal environment for a dishonest employee,” Post said.

He recommended three “Ds” to reduce employee dishonesty:

  • Deter – Vet job applicants and establish a written fraud policy.
  • Detect – Segregate duties, require mandatory vacation and reward whistleblowers. In addition, conduct surprise internal audits and have specific controls on cash handling, loan processing and access to member accounts.
  • Discipline – Develop a fraud policy that includes detailed procedures for handling these situations and guidelines for terminating or suspending dishonest employees. Train employees regularly on the fraud policy.

Another large loss area for credit unions involves fraudulent transfers from home equity lines of credit. Post said credit unions reported more than $25 million in losses from 2007-2012, with the average loss being $175,000. Some approached $1 million.

“Telephone callbacks are too easily defeated by criminals, who hijack the member’s home phone number through call-forwarding. So don’t rely only on callbacks.” He said credit unions should be wary of large-dollar HELOC transfers, limit the dollar size of transactions not requested in person and implement layered security, such as requiring passwords in addition to callbacks.

“I know convenience is important in attracting and retaining members, but in these large-dollar transactions, credit unions need to be prudent as well as convenient,” Post said.

Regarding plastic card fraud, which was rampant when he became CEO in 2005, Post said credit unions have made good progress in managing fraud, but sophisticated crooks are still identifying weaknesses. Targeted payment fraud exposures, card data breaches, phishing scams and system intrusions continue to be legitimate threats.

Migration to EMV (Europay, MasterCard and Visa) chip technology provides added security by making the skimming of magnetic stripe data more difficult, but credit unions should plan their migration to EMV carefully. “The new cards will contain a chip, but it will still have a magnetic stripe for a while. Educate your members about using chip technology at merchants and ATMs that offer that capability.”

In discussing data breaches at a credit union itself, Post said the biggest concern is exposing members’ personally identifiable information. “Breaches are often caused by lost or stolen devices, as well as by hackers. They’re expensive and can put your credit union’s reputation at risk.”

Electronic crime is also increasing and CUNA Mutual Group is seeing more examples of outgoing funds and account takeovers. “I would characterize data breaches and electronic crime as not necessarily being high-loss areas yet, but they are definitely high-risk and have the potential to produce significant losses.”

In closing, Post urged credit unions to not get complacent. “Just because you may not have had a loss doesn’t mean you should curtail your fraud prevention efforts. Know that CUNA Mutual Group will be here so we can work together to help prevent fraud.”

To learn more, follow @CUNAMutualGroup on Twitter, circle +CUNA Mutual Group on Google+, or visit

CUNA Mutual Group insurance, retirement and investment products provide financial security and protection to credit unions and their members worldwide. With more than 75 years of true market commitment, CUNA Mutual Group’s vision is unwavering: To be a trusted business partner who delivers service excellence through customer-focused products and market-driven insight. More information on the company is available on the company’s website at

CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Life, accident, health and annuity insurance products are issued by CMFG Life Insurance Company. Property and casualty insurance products are issued by CUMIS Insurance Society, Inc. Each insurer is solely responsible for the financial obligations under the policies and contracts it issues. Corporate headquarters are located in Madison, Wisconsin.
