CUNA Mutual Group Proprietary
Reproduction, Adaptation or Distribution Prohibited
© CUNA Mutual Group
Risk Management
Southwest CUNA Management School
Presented by Michael Petrone
2
Session Outline
• Risk Management Principles
• Wire Transfer Fraud
• Employment Practice
• Robbery
• Burglary
3
Risk Management Principles
4
Types of Risks
• Pure
– Only loss, never gain
• Speculative
– Hope to gain, but can suffer a loss
5
Basic Risk Management Steps
1 Identify
– Recognize Exposure
2 Measure
– Determine Impact, Frequency & Severity
3 Control
– 5 Techniques
6
Measure Risk/Exposure Matrix
(Axes: Frequency, Severity)
• High Frequency, Low Severity
– Plastic card losses
– Deposit losses
• High Frequency, High Severity
– High risk lending
• Low Frequency, Low Severity
– Teller shortages
• Low Frequency, High Severity
– Employee dishonesty
– Wire transfer fraud
7
Tools To Control Risk
• Avoid
• Reduce
• Spread
• Assume
• Transfer
The key is selecting the best control(s) and then having the flexibility to change when and if needed.
8
Risk Control Techniques
• AVOID: Avoid the exposure
– Ex: Don’t open branch in bad neighborhood
• LOSS PREVENTION: Prevent and/or reduce frequency
– Ex: Put in a surveillance system
• LOSS REDUCTION: Reduce severity (dollar loss)
– Ex: Reduce amount of cash in drawers
• SEGREGATION: Segregate or spread exposure
– Ex: Splitting cash between drawers
• TRANSFER: Transfer risk to another entity
– Ex: Buying insurance
– Ex: Armored transfer vehicle
9
Risk Control Techniques
(Axes: Frequency, Severity)
• High Frequency, Low Severity
– LOSS PREVENTION
• High Frequency, High Severity
– AVOID
• Low Frequency, Low Severity
– RETAIN or ASSUME
• Low Frequency, High Severity
– TRANSFER or REDUCTION
10
Notes on Risk Exposure Matrix
• Plastic card and deposit losses can be in the high-severity category
• Credit unions are able to obtain insurance coverage for some of these losses
• The existence of insurance, or deductibles that are too low, can sometimes be a disincentive to reasonable controls
• Insurance cannot be a substitute for internal controls
11
Bond Trends
[Chart: Incurred Losses, 2009-2013]
Consider both frequency and severity
Source: 2009-2013 CUNA Mutual Group internal data
12
Risk Management Consultants
• Central: Eckes (MN), Otsuka (IL), Stolzer (MO), Roossien (MI)
• East: Bouvier (MA), Gill (MD), Molina (NJ), Petrone (ME), Pilch (PA)
• South: McDuffie (FL), McNeary (TX, Houston), Bullard (GA)
• West: Highby (CA, Central), Terauchi (CA, Northern), Bowman (UT)
• Regional Managers: Joette Colletts (PA), Larry Forwood (CA)
13
Risk Management Activities
• Robbery
• Burglary
• Hazard Liability
• ATM security
• Business continuity / disaster recovery
• Forgery / fraudulent deposit
• Data & Network Security
• Due Diligence
• Employment Practice
• Plastic cards
• E-commerce
• Funds transfers
• ACH
• Fiduciary Liability
• Lending (all areas)
• Internal dishonesty
• Internal control procedures
14
Requests for Service
• Regulators – state / federal
• Claims
• Underwriters
• Credit unions
– Management / Supervisory Committee / Board of Directors
• Anonymous tips - CUNA Management School
15
Risk Management Visit
• Engagement Letter
• Entrance / exit interview
• Written report
• Response
• Report / response to underwriting
16
Underwriting
• Review report and credit union’s response
• Insurance limits
– Deductibles
– Coverage limits
– Update security
– Cash limitations
• No coverage
17
Added Value Services
• Bondability Verification Program
• Risk management
• Credit Union Protection Resource Center (www.cunamutual.com)
– Loss Prevention Library
– RISK Alerts
– 2014 Webinar Series and on-demand webinars
– Risk assessments
– Staff training modules
18
Wire Transfer Fraud
19
Wire Transfer Losses
• Historically, there was more family-fraud, lower dollar incidents, with occasional large outside-fraud losses
• Over the past few years, large-dollar losses became more common
20
HELOC/Wire Transfer Fraud
• Fraudster contacts member’s telephone company and impersonates member
– Has member’s home phone forwarded to fraudster’s untraceable cell phone
• Fraudster contacts credit union via phone, fax, or e-mail
• Requests large advance against home equity line-of-credit (HELOC)
– Transfers to deposit account
– In some cases member’s home banking password is compromised due to weak controls or malware (Trojan keyloggers)
– Fraudster initiates transfer from HELOC to member’s deposit account via home banking
21
HELOC/Wire Transfer Fraud
• Fraudster contacts credit union again via phone, fax, or e-mail to request large wire transfer
– Substantial dollar amounts
– Funds transferred to domestic and foreign institutions
– If faxes are sent, the signatures look good
• Credit unions performed callback verifications using the members’ phone numbers on record
– Calls were forwarded to the fraudsters (call forwarding)
– In other cases, fraudster was successful in having member’s home phone number changed on credit union’s system
22
Wire Transfers
No Security Value
• “Identifying” a caller on the phone
– Many credit unions simply ask for basic information
– Identity thieves have too much information
• Relying on Caller Identification (ID) for incoming call
– Too easily spoofed with Internet (voice over Internet protocol)
• Relying on fax header phone number
– A fax machine can be programmed to display any phone number on the header
23
Wire Transfers
Loss Controls
• Require large dollar requests to be made in-person at a branch office
– Obtain signature on wire transfer form after verifying identity
– Preferred method of accepting large dollar wire requests
• Check the account to determine if the wire is being funded by an advance against the member’s HELOC
• Perform callback verification to member’s home phone
– Verify that member’s phone number was not changed in the last 30 days
– Adopt strong out-of-wallet security questions to confirm identity during callback
Security Questions (Best Practice)
• Password or pass phrase;
• Year member’s account was opened;
• Branch at which member’s account was opened;
• Type or year of vehicle securing member’s loan;
• Source of direct deposit;
• Do you use bill pay service;
• Name two non-utility payees;
• Do you get paper or e-statements;
• Payable on death beneficiary;
• List other account on which you are joint owner; and
• Last loan paid off, approximate date, and collateral used.
24
Wire Transfers
Loss Controls
• Adopt a wire transfer agreement signed by member, especially business members, and credit union
• Standard throughout banking industry – especially with business accounts
– Due to the potential for large dollar transfers
• Business members should specify business’ employees who are authorized to submit payment orders
25
Wire Transfers
Common Misconception
“We are safe because we only wire funds to a member’s account at other financials.”
• Under UCC 4A-207 - Misdescription of Beneficiary, the beneficiary’s bank is only obligated to match the account number in the payment order to the beneficiary’s account number
• Beneficiary bank is not required to match the beneficiary’s name in payment order to the name on the account
26
Wire Transfer Case Study
• $183,000 loss
• December 8, 2010: Fraudster contacted credit union by phone to request $183,000 advance against member’s Home Equity Line of Credit (HELOC)
– Fraudster was able to answer basic security questions (member name, address, social security number, birth date, etc.)
– Funds transferred to deposit account
• December 8, 2010: Signed fax request received to wire $183,000 to Sumitomo Bank in Japan
– Verified signature
• Performed callback verification to phone number on member’s account but number was changed shortly before the wire transfer request
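The loss controls from the Wire Transfers slides, applied to the case study above as an added example (not part of the original presentation). The dollar threshold, the HELOC look-back window, the evidence tags and the phone-change date are assumptions; the slides give only the 30-day phone rule.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy values: the slides give the 30-day phone rule but no dollar
# threshold or HELOC look-back window, so those two are placeholders.
LARGE_WIRE_THRESHOLD = 10_000
HELOC_LOOKBACK = timedelta(days=30)
PHONE_CHANGE_WINDOW = timedelta(days=30)
REMOTE_CHANNELS = {"phone", "fax", "email"}
# Evidence the "No Security Value" slide says not to rely on (tag names are ours).
NO_VALUE_EVIDENCE = {"basic_identity_questions", "caller_id", "fax_header"}

@dataclass
class WireRequest:
    amount: float
    channel: str                      # "branch", "phone", "fax" or "email"
    requested_on: date
    phone_last_changed: Optional[date] = None
    heloc_advance_dates: list = field(default_factory=list)
    evidence: set = field(default_factory=set)

def recent(event: Optional[date], today: date, window: timedelta) -> bool:
    """True when the event happened on or before `today`, inside the window."""
    return event is not None and timedelta(0) <= today - event <= window

def screen_wire(req: WireRequest):
    """Return (decision, reasons) for one wire request."""
    reasons = []
    large = req.amount >= LARGE_WIRE_THRESHOLD
    if large and req.channel in REMOTE_CHANNELS:
        reasons.append("large_remote_request")
    if any(recent(d, req.requested_on, HELOC_LOOKBACK) for d in req.heloc_advance_dates):
        reasons.append("funded_by_recent_heloc_advance")
    phone_changed = recent(req.phone_last_changed, req.requested_on, PHONE_CHANGE_WINDOW)
    if phone_changed:
        reasons.append("phone_changed_within_30_days")
    trusted = set(req.evidence) - NO_VALUE_EVIDENCE
    if phone_changed:
        trusted.discard("callback")   # the number on record may be the fraudster's
    if not trusted:
        reasons.append("no_trusted_identity_evidence")
    if not reasons:
        return "proceed", reasons
    return ("hold_require_in_person" if large else "hold_callback_out_of_wallet"), reasons

# Constructed from the case study; the slide says only that the number changed
# "shortly before" the request, so 2010-12-01 is a made-up date.
CASE_STUDY = WireRequest(
    amount=183_000, channel="fax", requested_on=date(2010, 12, 8),
    phone_last_changed=date(2010, 12, 1),
    heloc_advance_dates=[date(2010, 12, 8)],
    evidence={"basic_identity_questions", "callback"},
)
# Constructed contrast: same amount, requested at a branch with ID verified.
IN_PERSON = WireRequest(amount=183_000, channel="branch",
                        requested_on=date(2010, 12, 8), evidence={"in_person_id"})

if __name__ == "__main__":
    for name, req in (("case study", CASE_STUDY), ("in person", IN_PERSON)):
        print(name, *screen_wire(req))
```

The case study request is held on all four checks, while the same amount requested in person passes; the callback does not count as evidence because the number on record changed inside the 30-day window.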
27
Employment Practice Liability
28
Employment Applications
• Require applicants to complete prior to being offered employment
• Request the applicant identify all prior employers
• State the applicant will not automatically be disqualified if they have a criminal record
29
Employment Applications
• Ask the applicant if they ever had bond coverage modified or
• Require the applicant certify that all the information in the application is true
• Require the applicant to sign and date the application or use a verifiable electronic equivalent
30
Background Check
• Consider whether to do criminal background and credit checks prior to employment
• Fair Credit Reporting Act requires
– Employer to provide written disclosures
– Obtain prior written authorization
– Communicate adverse action based on information obtained
31
Employee Evaluations
• Provides valuable feedback
– Improve performance
– Identify development opportunities
• Important documentation in an employee lawsuit
• Review prior to making a decision that will negatively impact an employee to ensure actions and documents are consistent
32
Handbook
• Provide information and background about the credit union
• Outline work rules and standards
• Policies and procedures:
– Anti-discrimination policy
– Prohibition and reporting of sexual and other unlawful harassment
– Accommodations for persons with disabilities
– Leave policies and other employee benefits
33
Handbook
• Policies and procedures:
– Prohibit employees from being under the influence of drugs and alcohol while working
– Address use of technology resources
– Address gambling
– Address fraud
• Should be reviewed annually by an employment attorney or a Human Resources Management professional
34
Additional Policies to Consider
• Anti-nepotism policy
• Policy addressing the rehiring of former employees
• Policy addressing dating relationships
• Conflict of interest policy
• Policy addressing the usage of company vehicles
35
Additional Policies to Consider
• Policy addressing solicitation or the distribution of literature
• Policy addressing collections for office celebrations
• Policy addressing employees’ use of social media
• Policy that requires employees maintain their personal credit union account(s) in a responsible manner
• Policy for lactation breaks
• Policy addressing workplace bullying
36
Investigation of Sexual or Other Unlawful Harassment or Discrimination Complaints
• “Prompt, remedial action”
– A defense to harassment claims
– Helps minimize exposure to discrimination claims
• Includes investigation of complaints and appropriate corrective action
• Establish a consistent process
– Ensure anyone involved in investigating is thoroughly trained
• Eliminate harassment and discrimination
– Positive impact on employees and credit union members
37
Job Descriptions
• Accurately describe the skills and ability needed to perform requirements
• Include physical requirements
• Should be reviewed annually for accuracy
– Do not make assumptions
38
Policy Reviews
• Credit unions should be encouraged to periodically review Employment Practices Liability coverage
– To ensure credit union understands coverages
– To ensure policy limits are adequate
39
Retaliation
• Firing
• Disciplining
• Transferring
• Demoting
• Refusing to give a positive reference
– Person who has made a claim
– Initiated an action
– Testified in another employee’s case against the employer
• Separate claim
– Same possible damage awards as the underlying discrimination claim
40
State Laws
• Important consideration in any employment decision
• May be more restrictive than federal laws
• Branches in multiple states
– Policies and procedures should be reviewed with an attorney
• Ensure familiarity with each state’s laws
41
Training
• Minimize liability for sexual and other harassment and discrimination
– Regularly communicate anti-harassment and anti-discrimination policies
– Ensure all staff understands policies
• Conduct training for new hires and at least annually thereafter
– Employees
– Board of Directors
• Document training
– Employees should sign in
• Proof of completion
42
Violence in the Workplace
• Implement an anti-violence policy
– Identify potential risks early
• Develop an action plan
– Emergency situations involving violence of employees or outsiders
• Create a clear reporting line
– Employees should know who to contact if a situation arises
43
Whistleblowers
• Claims arise when employees who allege or report various regulatory violations are later disciplined or terminated
– Claim they were targeted because of the report
• Claims gaining higher profile in climate of prosecuting “corporate wrongdoers”
• Establish clear lines for reporting issues
– Including a “bypass” route in case the supervisor is the person suspected of wrongdoing
• Prohibit retaliation against employees
– Regulatory issues
– Compliance issues
44
X (Signature)
• Obtain a written or electronic signature
– Application
– Release of records
– Acknowledgement of Receipt and Understanding of Employment Policies or Handbook
– Attendance at mandatory training
– Employee fraud policy
45
EPL Risk Site
46
Robbery: Are You Prepared?
47
Robbery
• Robbery is defined as “taking something of value from a person using violence or the threat of violence”
• Unlike burglary, robberies generally occur during business hours
48
People are Priceless!
• Employees are the most valuable assets
• Do everything possible to enhance people’s safety
• Training is the key to employee safety
49
Types of Robberies
• Morning bloomer
• Single teller
• Takeover, tellers / vault
• Currency transportation
• ATM
50
Morning Bloomer
• Cased the location
– Lone employee at opening
– No all clear sign
– No panic alarm
• Vault cash the target
51
Lone Teller
• Usually a lone robber
• Waits in line, presents note, or shows/claims to have weapon
• Calmly exits
• Low dollar losses
52
Teller Area Takeover
• More than one robber and/or weapon
• May have cased the location
• Surprise attack, orders staff away from alarms
• Jumps counters, instructs tellers to empty their cash drawers
53
Vault Takeover
• Cased prior to incident
• Usually two or more suspects and/or weapons
• Enters quickly, orders everyone to the floor
• May disable cameras or demand videotapes
• Most severe dollar losses
54
Robbery at ATM
• ATM remote locations
– Lighting, landscaping, cameras
– Written safety procedures
• Suspects may stake out ATM location
• User accosted at or around ATM
• Often violent encounters
• Employee safety during servicing
55
Office Layout
• Counter height and depth
• Dual cash drawers
• Height markers
• Armed guard consideration
56
Safe/Vault Locations
• Convenient to staff, not to robber
– Visibility
– Back rooms
• Remote locations
57
Security Devices
• Silent alarm actuators
– Push buttons
– Bait clips
– Foot rails
• Warning lights
• Surveillance systems
– CCTV-digital
– Test
58
Security Devices
• Electronic / man trap doors
– Controls entrance
• Rising security screen
• Bullet-resistant barriers
– Drive-up / walk-up
– Lobby / teller area
59
Security Devices
• Dye packs
– Electronically activated
• Electronic tracking
– Hidden sensor device
– Tracking monitors
60
Robbery - Before
• Written procedures
– Before / during / after
• Opening procedures
– Arrive together
– Remain in vehicle
– All clear sign internal and external
– Call police
61
Robbery - Before
• Training procedures
– Periodic alarm testing
– Assign responsibilities: press, site security, evidence, internal audit, etc.
62
Robbery - Before
• Know your local law enforcement response plan
• Request training for your employees
• Confidentiality
– Never discuss work procedures
– Cash on hand
– Cash deliveries
– Security
• Alarm locations
• Cash limits
63
Robbery - Before
• Armored car service
– Identify courier personnel
– Promptly secure delivered currency
• Transport guidelines
• Confirm and ID vendors
• Limit access to teller area
• “Please remove sunglasses and hood” sign
64
Robbery - Before
• Post robbery trauma counselors
• Staff never should be lured outside
• Do not let people in before or after hours
• Approach people in lobby
• Stay alert for cars in parking lot
• Escort members outside at closing
65
Robbery - Before
• Doors lockable from inside
• Ambush code
• Time locks
• Queue lines
• Alarm warning lights
• Clean teller counter and entrance/exit door
• Robbery kits
• Teller cash dispensing machines (TCD)
66
Robbery - During
• Remain calm / don’t be a hero
• Follow robber’s instructions
• Be observant
• Include bait money
• Activate alarm when safe
• Note direction of escape and vehicle
• Do not look the robber directly in the eyes
• Do not answer phone without asking permission
67
Robbery - After
• Do not attempt to follow robber
• Call police
• Robbery kit
• Lock doors
• Secure cash drawers
68
Robbery - After
• Block crime scene and preserve evidence
• Identify witnesses
• Record observations
• Do not discuss with other victims
69
Robbery - After
• Media communication per training
• Employee assistance
– Reduce fear/guilt
– Assess employee reaction
• Notify insurance company, workers compensation carrier, and state / federal regulators
70
After the Robbery
Provide victim assistance information
• The FBI has victim assistance – http://www.fbi.gov/hq/cid/victimassist/home.htm
• The Office of Victim Assistance (OVA)
– http://www.ojp.gov/ovc/help/links.htm
71
Burglary
72
Burglary
• Physical security first
– Doors, locks, safes, and vaults
• Alarm security
– Object, area, perimeter
• Communication links
– Line security
• Policies and procedures
73
Burglary
• Night Deposit Boxes
– Fish and trap resistant chute
– Dual locking container
• ATMs
– Business hour
– 24 hour level #1
• UL 291
74
Burglary
• Safe Deposit Boxes
– Physical security for level of exposure
– Alarm security for level of exposure
75
Disclaimer
This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond.
Credit Union Loss Scenarios – Case Studies
The credit union loss scenario claim study examples do not make any representations that coverage does or does not exist for any particular claim or loss, or type of claim or loss, under any policy. Whether or not coverage exists for any particular claim or loss under any policy depends on the facts and circumstances involved in the claim or loss and all applicable policy language.
CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers’ needs. For example, the Workers’ Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group.
This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.
CUP-901605.1-0414-0416 ©CUNA Mutual Group, 2014 All Rights Reserved.
76
Michael Petrone CFE, CFSA
Risk Management Consultant
Credit Union Protection Risk Management
CUNA Mutual Group
michael.petrone@cunamutual.com
800.356.2644, ext. 6655187
Questions?