Helping a credit union uncover a $300,000 fraud
Poor segregation of duties leads to a significant loss
CASE STUDY |
In 2014, a local credit union uncovered fraud while investigating a stale-dated $20,000 reconciling item in a general ledger account. The employee responsible was quickly identified, but that was just the beginning. As the credit union investigated the employee’s activities, the investigation spread from $20,000 and a single fraud to dozens of acts over a period of years. As losses reached the $100,000 mark and continued to grow, the credit union became overwhelmed by the scope of the investigation and turned to RSM for help.
The credit union wanted our help to ensure that all of the culprit’s fraudulent activities were uncovered, to accurately quantify its loss and, most importantly, to ensure it understood exactly how the fraud had been committed so that it could adjust its controls accordingly.
RSM’s experienced fraud investigators went to work and found a familiar story. The perpetrator was a well-liked and trusted administrative assistant with strong relationships with both the credit union’s staff and with its customers. Because of this trust and the credit union’s small size, she was trusted with a wide range of functions, which lead to a breakdown in the appropriate segregation of duties. She had system access to perform all of the following functions:
- Opening member share, checking, savings, individual retirement accounts (IRAs)
- Opening new member loans
- Transferring funds between member accounts
- Cutting cashier’s checks, including access to check stock
- Initiating automatic clearing house (ACH) transactions
- Posting to general ledger accounts
- Making data changes to member accounts, such as changing account names, changing addresses, changing account statement codes and changing Social Security numbers
As is often the case, the employee had committed a small original fraud due to a financial hardship in her personal life, with the intention of returning the money. However, because the first fraudulent act was so easy to commit and went undiscovered, her activities quickly snowballed into years of fraudulent acts. Here is an overview of the scope of the fraud:
- The perpetrator opened a fake account in the name of a credit union member with health issues that the perpetrator knew would prevent that member from identifying unusual activity in the member’s accounts. She then changed the last name on the account by a single letter, changed the Social Security number by two digits and changed the mailing address to a post office box. She would change this data back to the accurate member data at the statement cutoff date to keep the discrepancies from being identified, then immediately change it back to the false data once the date had passed. She used this account for most of her fraudulent activity. For example, as her fraud deepened, she would use this account to make payments on a variety of fictitious loans that she opened. Eventually, she also began to make withdrawals from this member’s IRA account.
- She created a number of fictitious loans using the false member account and deposited advances from those loans into the account, which she then transferred via ACH to her own personal accounts at other financial institutions, usually keeping the transfers at or below the $10,000 ACH limit.
- She also took over other member accounts that were dormant, but still open with minimal balances. She then created fictitious loans to these members. Again, the funds were transferred to her personal accounts via ACH or sometimes with fraudulent checks.
- Using the date change module in the credit union’s system, she would move money back and forth between the various accounts and loans she controlled to kite loan payments and cover her tracks. These date changes and the outgoing ACH transfers were also done through this module. Neither were identified by teller number, making her activities difficult to track back to her.
- She used general ledger entries through suspense accounts to purchase cashier’s checks payable to other banks. She would handwrite her personal account information on the memo line of the checks so that her account information was not recorded in the credit union’s systems. These entries eventually showed up on reconciliation reports as stale-dated items. However, the perpetrator herself was the one charged with researching those items. She cleared them using funds from the various fake accounts she controlled.
- Fortunately, the credit union began to make some changes to its controls, which included limiting the ability to open new loans. This cut off the perpetrator’s main source of fraudulent funds, limiting her to the general ledger activity that eventually led to her discovery.
When the credit union asked for our help, it had uncovered approximately $100,000 in fraudulent activity dating back about one year. By the time we concluded our investigation, we had uncovered a series of frauds totaling more than $300,000, dating from 2009 to 2014, and had exposed the full range of tactics the perpetrator had used to commit them. By helping the credit union fully understand the range of fraudulent activities involved, we positioned them to improve their internal controls to prevent future losses. Our report was also provided to the credit union’s regulatory body to explain the institution’s losses. Additionally, our work supported the credit union’s claim to its insurance carrier. The credit union subsequently submitted our report to authorities to assist in prosecuting the perpetrator.