Policies & Processes

Credit unions can manage the risk of fraud by adopting and enforcing board-approved policies. A credit union following best practices will have policies and processes to deter fraud, which include:

• Anti-Fraud & Conflict of Interest Policy

• Internal Control Structure

• Internal Control Policy

• Travel and Expense Policy

• Hiring Policy

• Code of Ethics

• Whistleblower Policy

Anti-Fraud and Conflict of Interest Policy

Ideally, a credit union’s anti-fraud and conflict of interest policy will:

• Define what constitutes fraudulent conduct, including conflicts of interest between related parties, nepotism, and vendors

• Establish the action the credit union will take in the event fraud or conflicts of interest are discovered (for example, termination, suspension, prosecution, notification to the bond carrier, and filing a bond claim if losses are determined)

• Require all employees and volunteers to review and sign the policy annually to maintain enforceability and demonstrate a culture of compliance

• Provide instructions for how to anonymously report fraudulent conduct internally and to the NCUA

• Discuss anti-fraud education and training for employees and volunteers

• Require relevant employees to take at least five consecutive days of leave per year if other forms of monitoring are not existent

• Identify a senior management official who is responsible for ensuring compliance with the policy

Internal Control Policy

Internal controls refer to the processes established by a credit union's board of directors and implemented by its officers and employees to provide reasonable assurance that financial reporting is reliable, and assets are protected from unauthorized acquisition, use, or disposition.

Smaller credit unions may have an internal control policy in place that addresses all areas of operations, whereas larger institutions are more likely to incorporate internal controls into each individual policy (for example, lending policy, investments policy, cash policy, IT policy).

Internal Control Structure

Credit unions can deter the potential for insider fraud by establishing strong internal controls and ensuring these controls cannot be overridden. Internal controls will vary based on the products and services offered and the credit union’s ability to segregate duties.

Maintaining a strong internal control structure is a key element to deterring fraud.

Some examples of strong internal controls include:

• Current, board-approved policies

• Segregation of duties

• An active supervisory committee

• Sound recordkeeping

• Complete audit trail

All credit unions, regardless of size, can deter fraud by establishing and regularly testing proper controls. See the Internal Controls and Supervisory Committee sections of the Examiner’s Guide and NCUA’s Fraud Prevention Resources for additional information.

Travel and Expense Policy

A credit union’s travel and expense policy governs employees’ and officials’ activities while they are on credit union business-related travel. This policy governs the use of corporate credit cards, documentation requirements, permissible and prohibited charges, reimbursement of expenses, and review and approval by a manager (in the case of smaller credit unions, the board of directors).

Ideally, the policy will also address standard expenses, such as the purchase of fixed assets, supplies, and third-party contracts. A strong policy imposes limits on these expenses and requires approval by a manager or the board of directors for certain purchases.

Hiring Policy

A prudent credit union establishes a hiring policy that outlines standard hiring practices and has an attorney review its hiring policies and processes to verify they comply with all federal and state laws. Strong hiring policies include a review of a prospective employee’s criminal record, credit report, prohibition lists from all Federal Banking Agencies, open-source records, and drug testing reviews. Additional areas for thorough hiring procedures include confirmation in writing that a prospective employee is bondable. Strong hiring procedures also include avoiding the practice of hiring relatives, friends, or business associates of current employees, and include a probationary period for all employees.

In addition, prudent credit unions will have a process for monitoring all key employees with civil judgments or bankruptcies.

After hiring an employee, a prudent credit union would also conduct periodic checks against the same sources for any new derogatory information that could impact their employment and bondability. This can include periodic drug testing, refreshing credit checks, reviewing bondability, revisiting prohibition checks from all Federal Banking Agencies, and confirming that the employee’s criminal record hasn’t changed. Ideally, management establishes a plan to address the situation before adverse information is discovered about an employee.

Code of Ethics

A code of ethics or code of conduct contains written standards designed to deter conflicts of interest, wrongdoing, promote honest and ethical conduct, and protect the integrity, reputation, and image of the credit union. Ideally, the credit union will document its code of ethics, which may include:

• A statement outlining the expectations of officials and employees

• A definition of unethical conduct

• A discussion of the repercussions associated with unethical acts

• Instructions on how to report unethical conduct (for example, a whistleblower policy)

• A requirement for all employees and volunteers to review and sign the policy annually

• A requirement to identify any conflicts of interest, including any conflicts that may preclude the individual from performing their assigned duties without the appearance of or actually personally benefiting

• A requirement to disclose gifts, discounts, and services offered by a vendor or member

• A statement that establishes the expectation that employees will attend periodic training on the credit union’s values and code of ethics

Whistleblower Policy

Some credit unions have a board-approved whistleblower policy that provides employees with a confidential, non-retaliatory means of reporting suspected wrongdoing within the credit union. A strong policy:

• Defines the objective of reporting suspected wrongdoing

• Defines who is covered by the policy (for example, any person associated with the credit union, including employees, volunteers, members, contractors, vendors, and other persons with direct knowledge about the credit union)

• Addresses non-retaliation (for example, the credit union will not discriminate against any party who reports suspected wrongdoing)

• Addresses confidentiality (for example, it allows for anonymous reporting and protects the confidentiality of the reporting person to encourage reporting)

• Outlines the process for reporting to designated persons

• Informs employees about reporting fraud concerns to the NCUA’s Fraud Hotline, which can be electronic or via phone at 800-827-9650

Last updated on May 01, 2023