Avoid Large Losses With Proper Preparation

Jay Isaacson, Vice President CUNA Mutual Group

May 16, 2016

© 2016 CUNA Mutual Group, All Rights Reserved.

What’s In Store For Today…

• Credit Union Risk & Loss Trends

– Fidelity Bond and Plastic Card

– Management & Professional Liability

– Cybersecurity

• Questions / Discussion

Bond Claim Count (frequency – incurred losses)

Bond Claim Dollars (severity – incurred losses)

Point of Emphasis: Always consider both frequency and severity

Source: 2011-2015 CUNA Mutual Group internal claims data

Employee & Director Dishonesty

• C-Note sandwich

• Dishonest purchase orders

• Fraudulent loans

Employee Dishonesty Risk

Managing Risks

• Strong hiring practices - is a prospective employee bondable?

• Segregation of duties

• Regular review of authority levels

• Dual controls

• Supervisory / Internal audit program (trust but verify)

Check Transactions & Processing

0

2

4

6

8

10

12

14

16

18

0

10

20

30

40

50

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

Bill

ion

s o

f C

he

cks

Pro

cess

ed

Pro

cess

ing

Site

s

Processing Sites Checks Processed

Source: Federal Reserve

-7.8% CAGR

ACH & Wire Volumes

-

2

4

6

8

10

12

14

16

18

20

Bill

ion

s

ACH

8.9% CAGR

0

50

100

150

200

250

300

Mill

ion

s

Wire

2.5% CAGR

Source: NACHA, Federal Reserve and CHIPS

Wire Transfer Fraud Losses

• Fraudsters getting devious with appearance of wire destinations

• Tricking members into providing false instructions for legit transactions

• Remote request

• Request to transfer funds internationally

• Primary risk mitigation tool fails: Call backs defeated

Loss

sce

nar

ios

Take These Action Steps:

• Monetary cap on wire requests not in person

• Understand coverage risk sharing

• Exceptions must be approved by officer

• Written agreements with members in advance

• Passwords on file

• Avoid too much reliance on signature verification or any documentation sent electronically

• Train staff to be looking for red flags

Wire Transfer

ACH Transactions Losses

• Funds pushed in from other institutions, direct deposit, tax refunds, etc.

• Not insurable if they get returned

• Not a big problem area

CU: RDFI of Credits

CU: RDFI of Debits

• Funds are pulled out by other institutions, such as recurring bill payments

• Coverage available under Funds Transfer part 3, but not problematic due to generous return rights

CU: ODFI of Credits

• Funds are pushed out to other institutions, online banking payments, business member payrolls

• Coverage typically under Electronic Crime (or Funds Transfer if by phone) if fraud

CU: ODFI of Debits

• Funds are pulled in from other institutions

• Currently one of the biggest Bond claim problem areas

• No coverage available

ACH Case Study • Large credit union allowed account

to account transfers

• Member pulled in $322,000 over one month from a bank

• Member immediately transferred funds to another institution

• Member contacted bank and claimed the debits were unauthorized

• Bank returned the transaction

CU has a $322,000 negative balance

Not insurable (Collection issue)

credit union impact

OD

FI D

eb

it

• Assessing & controlling ACH risks requires a strong understanding of transaction process

• Taking the time to implement and set controls could significantly reduce the risks

• Functioning as an ODFI typically has more risk than an RDFI

• Insurance usually applies to funds removed, not funds first coming in

Managing ACH Risks

Plastic Card Fraud

• U.S. EMV implementation 10/2015

– Delayed implementation for ATMs and fuel pumps (2017)

• Fraudsters still view U.S. payment cards as path of least resistance

• Techniques continue to rapidly evolve and improve

PIN-less

Debit

Local Fraud

ATMs

Common Fraud Trends

UK EMV Transition Observations

Source: Financial Fraud Action UK, Fraud the Facts 2015

UK EMV Transition Observations

Source: Financial Fraud Action UK, Fraud the Facts 2015

Plastic Card Fraud Key Recommendations

• Review non-financial transaction report to legitimize changes – cards; PIN; credit limits; or address changes

• Segregate duties involving payment card changes, file maintenance, and report review

• Eliminate immediate credit for card payments

• Restrict high risk merchant category codes such as wire transfers and cash disbursements

• Avoid using VRU for member PIN changes

• Review security controls annually to confirm adequacy and effectiveness

Management & Professional Liability Trends

CUP

Incurred Losses, 2009-2013

EEOC Charges - Employment Practices Liability

0.0

10.0

20.0

30.0

40.0

50.0

2013 EEOC Charges 2014 EEOC Charges 2015 EEOC Charges

Source: www.EEOC.gov, EEOC Enforcement and Litigation Statistics (2013-15)

Changing Risk Landscape

Growing severity

3.2 million records exposed

nearly double from 2011

Cybersecurity

Source: NetDiligence 2015 Cyber Claims Study

Growing severity

$964.31 per record average cost to repair

Cybersecurity

Source: NetDiligence 2015 Cyber Claims Study

How Data Breaches Are Happening

Employee Negligence / Theft

Lost / Stolen Data Laptops, backup tapes / disks;

and other data-bearing mobile devices

Network Hackers & Malware

Vendor Leaks / Mistakes

Emerging risks on the radar

Active Shooters

Social Media Discrimination

Transportation Network Services

Fair Labor Standards Act / Wage & Hour

ADA – Website Accessibility

Overdraft Litigation

Collection Letters

Sharing relevant

insights & resources

to assist with your

strategic decisions

Thank you for the opportunity to partner on managing credit union risk.

This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this presentation/ publication, nor does it replace any provisions of any insurance policy or bond.

CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers’ needs. For example, the Workers’ Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group.

This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.

©CUNA Mutual Group 2016, All Rights Reserved.