Governance

Segregating employee duties by clearly defining the roles and responsibilities of each credit union employee or director can help manage the risk of fraud. For example, a credit union following best practices will not allow a loan officer who has authority to approve loans to also have access to cash or recordkeeping, including access to systems where they can change loan payments, or be part of the collections team. Similarly, in an ideal situation, a collector does not have access to cash and never physically collects payments without additional controls.

Smaller credit unions may not have adequate staffing resources to completely segregate duties in all areas. A prudent credit union provides adequate oversight through the supervisory committee or an outside audit firm to verify there are sufficient compensating controls and that employees are following board-established policies and procedures.

Additionally, all employees, directors, officers, supervisory committee members, and credit union committee members must have bond coverage that covers fraud and dishonesty.

The following personnel play a vital role in protecting a credit union from fraud:

Board of Directors

The FCUA requires a credit union’s board of directors to establish and maintain a system of internal controls. The system itself is not defined by the Act, but a prudent credit union establishes internal controls that are commensurate with its size and complexity. A prudent board enacts policies that guide internal control functions (for example, hiring policy, internal controls policy, travel and expense policy).

NCUA Letter to Credit Unions 11-FCU-02, Duties of Federal Credit Union Boards of Directors, outlines the duties of FCU boards of directors as required by NCUA regulation § 701.4, General authorities and duties of Federal credit union directors.

Compensation

FCUs are permitted to compensate only one board member, per NCUA Regulation § 701.33, Reimbursement, insurance, and indemnification of officials and employees. All other board members must serve on a volunteer basis. While only one board member can be compensated, board members may be reimbursed for certain travel and training expenses. Laws in some states permit state-chartered credit unions to compensate all board members.

Relationships

A credit union’s board of directors can include relatives of employees. Standard credit union bylaws state that employees’ relatives, or employees and relatives, may not make up more than 50 percent of the board of directors' members.

Supervisory Committee

The supervisory committee is appointed by the board of directors and must consist of three to five people, per the NCUA regulation, part 701, Appendix A, Federal credit union Bylaws, Article IX: Appointment and membership. This committee plays a key role in managing the risk of fraud because it is responsible for assessing the effectiveness of the internal controls through audit and review.

NCUA regulation § 715.3, General responsibilities of the Supervisory Committee, requires the supervisory committee to ensure that:

  • Internal controls are established and maintained to achieve the credit union's financial reporting objectives. Internal controls must be sufficient to satisfy the requirements of the supervisory committee audit, verification of members' accounts, and the committee’s additional responsibilities

  • The credit union's accounting records and financial reports are prepared promptly and reflect operations and results accurately

  • The relevant plans, policies, and control procedures established by the board of directors are properly administered

  • Policies and control procedures are sufficient to safeguard against error, conflict of interest, self-dealing, and fraud

Per NCUA regulation § 715.3(c), Mandates, the supervisory committee’s responsibilities also include performing or obtaining an annual supervisory committee audit and a biennial member account verification.

As part of this responsibility, the supervisory committee may contract with state-licensed professionals (in the state the credit union is operating in) to perform financial statement audits. Non-licensed professionals may perform agreed-upon procedures or quarterly internal control reviews.

The supervisory committee may also provide for external review of larger credit union programs (for example, overall lending program, MBL program, ACH, or wires). This review can provide an independent assessment of the risk exposure for a particular program area.

For more information, see the Supervisory Committee section of the Examiner’s Guide, NCUA Regulatory Alert 20-RA-01, Other Supervisory Committee Audits, and the NSPM’s Audit Workpapers Review section.

Management

A credit union’s board establishes policies and procedures to manage the risk of fraud. Management is responsible for implementing these policies and procedures. Additionally, management considers adequate segregation of duties as they assign staff roles and monitors the function of the internal controls to determine if adjustments are necessary.

NCUA regulation part 701, Appendix A, Federal credit union Bylaws, Article VII, section 1(b), requires credit union management to maintain full, complete, and current records of all assets and liabilities. Management is responsible for ensuring the credit union’s financial statements have not been misstated or manipulated.

Branch and Department Managers

Smaller credit unions with limited employees and segregation of duties are more susceptible to fraud. However, fraud can occur even in large credit unions that have multiple departments and managers. The following positions/departments play a role in deterring fraud in credit unions.

Internal Audit

Larger credit unions may have a designated function or group of employees responsible for the internal audit. Ideally, this group functions independently within the credit union and reports directly to the supervisory committee. In smaller credit unions, the supervisory committee itself may perform internal control testing or hire outside assistance to perform quarterly interim procedures.

The following controls can help manage the risk of fraud in the internal audit area.

  • Maintain complete independence from other functional areas

  • Work solely for and report directly to the supervisory committee (not the CEO or manager of the credit union), except for administrative items, such as leave approval, which could still report to credit union operational leadership

  • Receive annual performance reviews from the supervisory committee

  • Maintain an audit plan that covers all areas of the credit union’s operations

Accounting

The accounting department is responsible for the fair and accurate presentation of the credit union’s financial statements. Depending on the size of the credit union, this department may make daily postings, reconcile GL accounts, transfer funds (via wire transfer, ACH, FedLine), and post share drafts.

The following controls can help manage the risk of fraud in the accounting area.

  • Require a mandatory vacation consisting of at least five consecutive days for front line, accounting, and internal audit staff, if other forms of electronic monitoring and data analysis do not exist

  • Assign a back-up person for each staff member

  • Restrict accounting staff member access to cash

  • Establish system access privileges (for example, a best practice is that accounting staff do not have the ability to make or approve loans, fund loan proceeds, grant lines of credit, or issue credit cards/debit cards)

  • Implement dual controls and authentication procedures for wire transfers and ACH systems

  • Conduct managerial reviews of GL reconciliations

  • Review non-financial transaction reports (for example, file maintenance or audit log)

  • Reconcile all cash, bank, and corporate accounts to the GL at least monthly

  • Reconcile suspense, receivable, and payable accounts at least monthly

Lending

A credit union’s lending department is responsible for administering the institution’s lending policies, including processing and underwriting loans, granting loans, servicing loans, and collections.

  • Vice President, Loan Manager, or Chief Lending Officer—This person is responsible for overseeing the lending department and may be the highest level of loan approval. Typically, this person reports to the CEO of the credit union and the board of directors.

  • Loan Officer—A loan officer’s primary responsibility is to approve or deny loans, lines of credit, or advances from lines of credit. Loan officers enforce the lending policy by adhering to underwriting standards established by the board of directors (for example, credit or risk rating limits, DTI limits, LTV limits, aggregate limits of exposure to one member, and collateral requirements).

  • Collector—A collector’s primary responsibility is to collect on delinquent and charged-off loans. Collectors enforce the credit union’s collections policy either by performing the collections function internally or working with a third-party collector (for example, a law firm or collections agency).

The following controls can help manage the risk of fraud in the lending area.

  • Establish board-approved lending authorities and limits

  • Separate loan approval and disbursement functions

  • Restrict lending staff’s access to cash

  • Prohibit staff from granting loans to themselves, family members, friends, or business associates

  • Establish a quality control process

  • Review non-financial transaction reports (for example, file maintenance reports or audit logs)

  • Prohibit collectors from granting loans, making loan extensions, and changing loan terms

  • Verify all loan modifications are properly approved and reported to the board

  • Establish internal audit or other independent reviews to ensure these controls are in place, and to mitigate fraud risks

IT Department

A credit union’s IT department is responsible for security and information technology infrastructure, disaster recovery, and ensuring proper internal controls over the credit union’s systems are established, maintained, and updated regularly.

Additional information can be found in the Information Technology section of the Examiner’s Guide and on the NCUA’s Cybersecurity Resources page.

Human Resources

A credit union’s human resources department is often responsible for the hiring and training of credit union staff, as well as payroll. The following controls can help reduce the risk of fraud in the human resources and payroll areas.

  • Implement a sound hiring process that includes criminal history background checks, bondability determinations, prohibition list checks from all Federal Banking Agencies, open-source records, and credit checks—over the course of an individual’s employment, prudent credit unions will repeat these checks periodically

  • Perform annual performance reviews for all staff members without preferential treatment or inappropriate incentives

  • Enforce a policy requiring annual vacations of five consecutive days for relevant staff, if other forms of electronic monitoring and data analysis do not exist

  • Provide access to relevant fraud-related training

  • Implement checks and balances to validate that payroll is approved, accurate, and properly disbursed. Separation of duties can also play a critical role in this area to mitigate fraud

  • Review the credit union’s benefits program to determine if it is used appropriately

  • Require credit union employees and officials to read and sign a written anti-fraud policy

  • Cross-train staff and document the training

  • Ensure internal audit or other reviews are conducted to verify controls are in place and mitigate fraud risks

Branch Services

Tellers and member service representatives are typically responsible for:

  • Opening and closing accounts

  • Processing cash and check transactions

  • Balancing the vault

  • Handling cash and cash items (for example, stamps and other items for sale, such as traveler’s checks, gift cards, or movie or amusement park tickets)

The following controls can help manage the risk of fraud in the branch services area.

  • Provide locking devices or other access limitations on cash drawers and keep spare keys under dual control

  • Establish maximum amounts allowed in a cash drawer at any time

  • Perform cash counts at the end of every day (to include ATMs and teller cash machines) and report discrepancies (for example, cash over and short reports) to the head teller, manager, and board of directors

  • Perform surprise cash counts on all teller drawers, vault, and ATMs (these counts may be performed by the supervisory committee or branch manager)

  • Verify tellers keep a log of all sale items and have limited access to those items, to the extent possible

  • Perform surprise counts of sale items on all teller drawers

  • Require supervisory overrides for certain transactions (for example, reactivating dormant accounts, large transactions)

  • Perform mail, night deposit, cash shipments, and ATM refills under dual control

  • Confirm tellers’ system access privileges are appropriate to their duties

  • Prohibit teller access to their own accounts or accounts of relatives and friends

  • Obtain up-to-date listings of employees’ relatives’ accounts

Contracted Third Parties

Credit unions may work with third parties to provide member services, including loans, insurance, and investment services. Examples of third parties can include:

  • CUSOs

  • Indirect lending program partners (for example, auto dealers)

  • Collection agencies

  • Contracted parties (for example, repo companies and builders)

  • Insurance companies

  • Investment brokers

  • Outside auditors or professionals consulting for a supervisory/audit committee audit

  • Data systems providers

  • Records repositories

  • Member insurance providers

  • Card benefit companies

Ideally, credit unions will perform adequate due diligence with any contracted third party to manage the risk of fraud. For further guidance, see Supervisory Letter 07-01, Evaluating Third-Party Relationships.

Last updated on May 01, 2023