ALEXANDRIA, Va.–The shocking embezzlement of $40 million from one now failed California credit union was the result of a lack of internal controls, far too much authority in one person, failures by the supervisory committee and extended failures by NCUA examiners, according to a new report.
The report from NCUA’s Office of Inspector General reviews the 2019 failure of C B S Employees FCU in Studio City, Calif. from which its former CEO, Edward Rostohar embezzled $40 million from a credit union with $20 million in assets over two decades.
The report offers two recommendations for improvements by NCUA that it said the agency has since acted upon.
The Office of Inspector General (OIG) contracted with Moss Adams LLP (Moss Adams) to conduct the Material Loss Review.
Not surprisingly, the report found Rostohar’s “fraudulent activities” led to the failure of the credit union. As CUToday.info reported here, Rostohar has been sentenced to 14 years in prison for embezzling $40-millin over two decades. C B S Employees CU was liquidated in March of 2019.
In short, the IG said Rostohar concealed the missing cash by understating member share balances on the financial statements, primarily related to share certificates, as is shown in the table, below.
Beyond “questionable management integrity,” according to the IG report the factors that contributed to “an environment in which such misstatement could go undetected” included:
Lack of Segregation of Duties
The OIG said it found the lack of segregation of duties and dual controls allowed the former CEO to both perpetrate and conceal the fraud. The report noted the former CEO possessed all of the following:
- Access to official credit union checks, which enabled Rostohar to alter the physical records of credit union checks
- “Super-user” access to the credit union accounting system, “which enabled him to alter both the check payee information (electronic records of CU checks) and file maintenance reports, which concealed this action.”
- Sole responsibility for financial reporting, which gave (Rostohar) the ability to prepare fraudulent financial statements.
In addition, until approximately January 2019, when C B S Employees FCU changed its corporate credit union, the OIG said it found Rostohar was the only person at the credit union who was able to access the CU’s accounting system.
The OIG said it also determined had NCUA followed National Supervision policies and identified the Supervisory Committee audits and member account verification procedures as unacceptable, and appropriately addressed identified risks related to the lack of segregation of duties and dual controls at the C B S Employees FCU, it may have identified the fraud sooner and may have mitigated the loss to the Share Insurance Fund.
Mechanism of Fraud
As CUToday.info has reported extensively earlier, the OIG report confirms Rostohar misappropriated funds by making false entries to the CU’s general ledger and effectively created a second set of records to conceal the CU's financial condition. “Importantly, he was able to falsify both the physical records and electronic records to conceal his activity,” the IG report says. “To withdraw funds, the fo1mer CEO would write an official Credit Union check on a share account to the payee of his choice. In addition to checks issued to himself and his companies, he also paid his personal American Express bills, other personal expenses, and vendors used while establishing and remodeling a side business he owned. Checks he issued were in his name or in the name of one of his companies, and he would deposit the altered check in an account that he controlled.
“After the official credit inion check was issued, the former CEO would go back into the data processing system and delete the payee information, which was intended to be an electronic record showing to whom the check was payable,” the report continues. “Deletion of payee information from the data processing system is not possible without special administrative privileges to the credit union's data processing system. The former CEO had granted himself administrator privileges.”
The IG Report includes significantly more detail around other internal control-related failures.
Failures by Examiners
Also not surprisingly, the NCUA IG said it determined examiners failed “to identify that member account verification procedures were unacceptable.”
“There was no evidence to indicate the Supervisory Committee and/or the independent CPA who performed the procedures had performed procedures to reconcile the share subsidiary to the statements printed by the print processor as part of the member verification process,” the IG report states. “Because of this, there was no way to ensure the list of verified accounts represented an accurate and complete list of credit union member accounts. Further, examiners noted the lack of segregation of duties but did not alter planned examination procedures as a result of this assessment. Management was able to manipulate the financial statements. As a result, the fraud went undetected for an extended period of time.”
Two Recommendations
The Office of Inspector General said it made two recommendations to NCUA that the agency has since acted upon in the wake of the failure of C B S Employees FCU.
The first recommendation urged NCUA to revise examination procedures to prioritize assessing and developing a risk response for credit unions that do not segregate certain key duties and that require dual controls.
“These revisions should include a framework that examiners can complete an assessment of those characteristics that indicate lack of segregation of duties at a credit union and additional procedures that examiners should perform when a lack of segregation of duties is apparent,” the IG said.
The second recommendation called on NCUA to amend guidance related to member account verifications.
“Specifically, the amended guidance should require reconciliation from the print processor to the share and loan subsidiaries when a statement verification is performed,” NCUA said.
The full report can be found here.