NASHVILLE—When internal fraud is detected at the credit union, the first thing the board SHOULD NOT do is contact the regulator.
That is advice from Christopher Pippett, an attorney with Fox Rothschild, LLP in Philadelphia. Pippett, who has assisted many credit unions with fraud cases, said contacting the regulator is important, but should be done at the right time.
“Your first call should not be to the examiner,” said Pippett to directors at NAFCU’s annual meeting here. “It should not be your last call, as well. But again, not the first, and here is why.”
Pippett said if the board calls as soon as fraud is discovered, the NCUA examiner then comes in “with his hair on fire” because he just examined the credit union and missed the fraud.
“The first thing the examiner will likely say is to conduct a forensic investigation of the entire CU, which is very expensive, and you may not need that,” said Pippett. “You might just need an agreed upon procedures audit and look into an area of the credit union—as opposed to a full-blown forensic investigation of the entire credit union.”
Pippett explained the first call to NCUA also goes much better and can lead to a calmer examiner demeanor if the board does not simply say it has detected fraud.
“You want to call and say you have identified an instance of fraud at the credit union, you have dealt with it, and here is what you found,” said Pippett. “You don’t want to play hide the ball, but approach working with NCUA in this way.”
Pippett suggested several additional steps boards should take once they learn an employee has stolen from the credit union.
“Of course, the first thing to do is investigate the claims, and you must move fast, because the person who committed the fraud now likely knows you are looking into the matter and will have stopped what he or she was doing,” said Pippett.
Naturally, the board first turns to supervisors, managers and the CEO—as long as none of those people are considered to be involved in the fraud.
“Turn to your security officer as well,” said Pippett.
When the board turns to outside investigators, they must be someone who is experienced in conducting a fraud investigation, emphasized Pippett. The experts must have experience in communicating with the authorities and regulators and with handling HR issues. That ensures investigators know who to contact and the right questions to ask.
“And involve your IT people,” said Pippett. “As soon as you find out something bad is going on, your IT team can shut down someone’s access to systems and to the credit union. That can happen very quickly.”
Pippett added that the board should review the CU’s bond coverage and not use the existing auditor in the investigation.
“You don’t want the current auditor because those are the guys who probably missed the fraud,” said Pippett. “If you use the same auditor, they may come in with the approach of covering their tail, which is not good for you. It is also not a time to go cheap with investigation support.”
Pippett said that susceptibility to fraud is not related to asset size, and that whether the credit union is $1.3 million or $13 billion, “Someone can find a way to rip you off. Of the 192 credit unions that failed in the last ten years, 78 have been caused by fraud,” he said.