$16 Million In Fraud from the Inside: A Walk Through NCUA’s Latest IG Report


Speaker: Hey, everyone.

This is Mark Treichel with another
episode of With Flying Colors.

Today, I'm going to walk through some
of the items in the NCUA's Inspector

General's last report to Congress.

This is something I probably
will do every six months.

NCUA and every federal agency is
required to file a report with

Congress from the Inspector General
on how the agency is responding to the

requirements of the Inspector General.

I've also started to monitor what the FDIC
and the Fed and Treasury related to OCC

is saying in their semiannual reports,
and I'll have a separate podcast on that.

But if you're wondering,
if you're watching this on

YouTube, you can follow along.

If you're listening, bear with me here as
I point out how to find these reports.

So on the NCUA website, you go
to About, and you go to Inspector

General, and you go to Reports.

Reports, see more.

And you go to Semiannual
Reports and Letters to Congress.

And you can see their last one was
from the period of April 1st through

September 30th of 2025, and that's
the one I'm gonna be reporting on.

And this was sent to the Inspector...

was sent to Congress on,
let's see, October 22nd.

So what's that?

30 and 22, 52 days after
the end of the quarter.

So at the af- the end of March
add 52 days, we're looking at

possibly having a report to
Congress come out by the end of May.

This podcast that I'm recording will
come out about that point in time.

So when that new one comes out,
I'll jump on it and see if there's

anything else I want to add to it.

But- You can see the report has a
message from the inspector general,

goes through NCUA's mission shows
their organizational chart, shows

some key financial trends legislative
highlights, a summary of how the IG works.

It walks through the
audits that they've done.

There was nothing in particular
there that caught my eye.

And scrolling down to report on
credit unions' non-material losses.

The insurance fund NCUA the IG has to do
to conduct a material loss review of any

insured credit union if the loss of, to
the insurance fund exceeds $25 million and

an amount equal to 10% of the total assets
of the credit union at the time in which

NCUA initiated assistance or liquidation.

So there are none that
hit that this cycle.

But if it's less than that, they
report on credit unions of non-material

losses, and those are the ones
that I wanna walk through here.

And with that, I have a...

Let's see.

How do I get to my PowerPoint here?

Bear with me.

The PowerPoint should be right here,
and I am sharing the screen, and we will

go to the slideshow on the PowerPoint.

Pause.

Now I wanna jump to my, the PowerPoint
I put together on the fraud cases

or the fraud files, as I call
them, for this particular episode.

And this comes from the IG report
from October 2024 to September 2025.

We're gonna walk through
a pattern that's there.

We're gonna walk through the IG r- I
mentioned to you that I'm gonna be doing

IG reporting on a semi-annual basis.

And then I'll also follow up on what the
other banking regulators are do- doing.

We're gonna walk through the seven
failures in the quarter talk a little bit

about the fraud triangle and talk a little
bit about the history of the IG and some

reports talk about some examiner behavior
that this will trigger walk through s- a

prevention playbook on what you can do to
prevent fraud and then talk a little bit.

I've got a separate podcast on why
exams have to be on site and we'll

talk through a little bit about that.

So There are seven failures that
occurred from October 2024 to

September 2025, and those are failures
that cost the insurance fund money.

You had Total Community Action
Federal Credit Union in the southern

region with a slight loss of $5,380.

The root causes there were
weak leadership, record

keeping, and inaccurate books.

You have Unilever Federal Credit
Union in the eastern region failed

in April of 2025 for a cost of 8.44

million.

There was internal fraud there, hidden
borrowings and falsified liquidity.

Eastern Kentucky Federal Credit
Union, the southern region, in

June of 2025 for a cost of 1.47

million.

Management lost visibility into the
loan portfolio is the note we have here.

Seoul Community Federal Credit Union, the
southern region, June of 2025, for a loss

just over $91,000 caused by insolvency.

Yes insolvency's caused by loan
losses or write-offs federal

Credit Union Act violations and
unsafe and unsound operations.

Butler Heritage Federal Credit
Union in the southern region,

$192,000 in June of 2025.

You had record keeping, BSA,
and IT compliance failures.

Aldersgate Federal Credit Union,
western region, July 2025, 7.98

million.

This was a management level fraud.

Loan and share, loans and share
accounts were abused, so that

would've been fake loans or not
recording book shares on, on two sets

of books essentially, most likely.

And Members 1st of Maryland Federal
Credit Union in the eastern region

August of 2025, for a
loss of about $230,000.

They had pervasive record keeping
problems and declining net worth.

You can see if you're watching the
two items that are highlighted in

pink were internal fraud cases.

And t- Eastern Kentucky,
Now that doesn't make sense.

What, why is those showing
us pink internal fraud cases?

And you also had Aldersgate
management level fraud, which

is internal fraud cases.

So ignore the reference to the pink.

So what we have here you can see the
two largest losses, Unilever Federal

Credit Union was internal fraud, 8.44

million, and members for
excuse me, no Aldersgate 7.98

million, almost 8 million.

So two losses, the two biggest ones one
just over 8 million and one just under

8 million had fraud driving the train.

And what happens when
people aren't watching?

Fraud happens.

And when you have 27% less staff
there's less people watching.

So I think what you're going to see over
these next cycles, the next one, two,

three, four, five, six, let's say, let's
call it six reports to Congress every six

months they have to report to Congress.

So I'm gonna say over the next three
years, I think you're gonna see bigger

losses that pop up here just because the
fact that NCUA has less people there.

And I'm not saying that they
shouldn't have do- done what they did.

I'm just saying that when you have
less people stopping by credit unions

the likelihood of fraud goes up.

It's just when you see a police car in
the middle of the road and they don't have

anybody in it, it makes people slow down.

You see the police car, you slow down.

You see the examiner,
sometimes you slow down.

So what does this data tell you?

There were seven credit
union failur- failures.

There were 16 million plus
dollars from fraud alone.

Those are the two, Unilever
and Aldersgate combined.

Four of the seven losses had re-
record-keeping failures, TCA, Butler

Heritage, Member First, and Seoul.

And 50% of the fraud was from the inside.

Key takeaways, two failures,
Unilever and Alders- Aldersgate

were driven by internal fraud.

Both involved trusted insiders
with system access, insufficient

oversight, and falsified records.

The boards in both cases were making
decisions based on numbers that they, that

had been deliberately corrupted by staff.

The three elements that enable
every fraud, what are they?

Pressure, opportunity,
and rash- rationalization.

Those are, that's the the
fraud triangle, if you will.

That's if you read up on fraud, if you
t- if you're a certified fraud examiner,

you know far more than me on this.

But from the pressure side, personal
financial stress, lifestyle, debt,

workplace performance demands.

A- alone, pressure is not
enough, but it's the ignition.

It lights the- It lights the fraud.

Opportunity, access and authority, and
insufficient oversight, often structur-

often structural at small credit unions.

The most controllable element,
design your organization to limit

it, but again, if you're super
small, sometimes that is difficult.

Rationalization, "I'll pay it back.

They owe me."

The longer someone is trusted, the
larger the fraud losses tend to be.

The AC- ACFE finding internal
control weaknesses drove nearly

half of all occupational fraud.

Not phishing attacks,
not external attackers.

NCUA trains certified fraud
examiners because this framework

maps directly to what examiner finds.

Now, NCUA doesn't do fraud exams,
but they do have certain people on

their team that are fraud examiners.

They do let those folks take some of their
continued development to enhance that.

But again, with 27 for less, 27%
less staff I imagine some of those

fraud examiners took the buyout.

The fraud triangle in action.

You've got the case studies
of Unilever and Aldersgate.

The loss on Alders-- in Unilever, $8.44

million.

Two trusted employees were involved.

What was the method?

Hidden borrowings and
falsified liquidity reports.

So they were borrowing money, but not
putting it on the financial statement.

Again, the board was making decisions
on information that wasn't accurate.

And again, on the fraud
opportunity, they had system as-

access, they had no dual control.

They had rat- rationalization
insider trust accumulated over time.

So they've been there a long time,
everybody trusts what they say.

Aldersgate, July 1st, 2025, just
under, just $2,000 under $8 million.

It was management themselves,
not a rogue employ- employee.

Fraudulent activity across
loans and share accounts.

That could be taking funds from inactive
accounts, booking fictitious loans.

Those are the kind of things
you typically would see at NCUA

for these type of situations.

And it was the worst case
of governance failure.

The perpetrators ran the
institution, ran the credit union.

And again, opportunity, highest
level access, no oversight, and

rationalization, and were operating
without any accountability.

The outgoing IG's legacy
from the early 2000s, NCUA's

examiners don't look for fraud.

The position was e- examiners
don't look for fraud during exams.

The inspector general pushed it because
of fraud ca- Material loss reviews.

Fraud at small credit unions kept
causing Share Insurance Fund losses.

Progress was made.

NCUA adopted examiner fraud
checklists, robust scope steps, job

aids and fraud-related procedures.

Result was there was a reduced
fraud losses to the insurance fund.

Now, Jim Hagen retired as part of the
buyout, and the acting IG, Marta Erceg,

has the advantage of the fact that these
things have been put in place under

the prior regime, and she also worked
for Jim Hagen when I was there at NCUA,

and is very capable of leading the IG.

Now, however, again, with twenty-seven
percent less staff, what has that done

to NCUA's use of the fraud checklist?

The steps that they take as part of their
exams, they have to cut in certain places.

And if they cut in the fraud area,
it will likely potentially lead to

fraud increasing moving forward.

Examiner behavior what they're pattern
matching against the, the loan portfolio.

Do you know what's in your book?

Loan stratification, concentration
reports, delinquency trend analysis by

product, vid-vintage, and originator.

Are people looking at these reports
to see if something pops out?

Liquidity reporting, Unilever.

Is anyone independently
verifying these numbers?

Again, coming back to the
supervisory committee.

BSA and recordkeeping.

NCUA has a zero tolerance
for recordkeeping problems.

If you have recordkeeping problems,
you will see them every quarter, not

every hundred and twenty days, not
every hundred and eighty days, not

every year, not every other year.

You will see them quarterly.

Now, what they do when they show up,
are they pushing you to to get an audit?

Are they pushing you to make
sure that things are resolved?

So if you see these accounting issues
causing losses that means that the

credit union failed, the supervisory
committee failed, and NCUA failed

probably in what they were looking at.

Getting to the supervisory committee.

All seven of these situations
the supervisory committee is

your first line of defense.

Are they doing their job?

Are they being listened to?

And then IT controls.

This was an issue at Butler Heritage.

It's something that every NCUA board
member has said they lose sleep at

night because of the IT side of things.

I lose sleep on that side of it,
but they haven't had a lot of losses

tied to that, but maybe that'll
be something that comes soon.

Now, smaller credit unions, less than
fifty million dollars in assets their

biggest vulnerability is structural.

They have limited staff, which
creates opportunities for default.

And you can o- you can compensate that
with active oversight of the supervisory

committee or whoever does your audit.

Looking at account maintenance reports.

Manda-mandatory consecutive vacation.

That's another thing they
teach you in the fraud classes.

Surprise cash counts.

Anony- anonymous reporting
hotline, bond coverage review

do they have the right coverage?

'Cause these losses can
be recovered sometimes.

And the annual
fraud-specific audit inquiry.

Auditors should ask directly whether
management is aware of any fraud.

When I was the executive director at
NCUA, the CPAs would sit down, and

they would ask me that, and I would
have to sign a letter saying that I

was not aware of any fraud at NCUA.

Same type of thing happens in the audits.

Mid-size and larger credit unions, 50
million above you get into behavioral

analytics and AI monitoring, which
is a new tool where you can w-

you can watch outliers, role-based
access controls, internal audits.

Of course, these credit unions can
afford internal audits and can do

fraud-related reviews, and they
can do more granular loan portfolio

visibility with the resources that they
have as a large, larger credit union.

Now, the living fraud risk assessment,
you've got member risk, you've got product

risk, and you've got enterprise risk.

On the member side, who are your members?

What channels and products do they use?

Are onboarding controls
adequate for the risk pro- file?

Of course, you have people pretending
to be who they're not, and you

see a lot of fraud in that arena.

Product risk, which products carry
the highest fraud exposure, business

accounts, digital channels, loan
products with minimal documentation.

What specific things are you doing
at your credit union where the,

where you could perhaps enhance and
make your procedures more robust?

And then enterprise risk, the
most under-invested assessment.

Given your current control
environment, where are the most

exploitable gaps right now?

And then having someone
look at those gaps.

Now, why virtual exams will
never replace on-site exams.

They need to see you, right?

NCUA can do a lot of things off-site,
and they can get, can identify anomalies,

but coming in, looking at loan files,
asking questions, walking through their

fraud checklist, looking at account
reconcilements, ticking and tying the

financial statement from a, from an
NCUA perspective can reveal fraud.

You also, when NCUA shows up my guys
here on the podcast have talked about,

you pull your sample of 30 loans.

They bring you 35 because somebody knows
those other five loans are fraudulent.

That does happen.

So just showing up, you have
whistleblowers who don't blow the

whistle, but they point NCUA staff
in the right direction, which is why,

again, having a good, well-trained
exam team and having on-site exams

is something, in my opinion, that'll
never go away and never should go away.

So five things to take back to
your credit union from this.

Fraud can come from the inside.

Two of the seven failures were internal,
combined losses over $16 million.

Your greatest fraud risk isn't
external hackers, it's insider

access without oversight.

The opportunity is the
controllable element.

You can't always detect pressure
or predict rationalization.

You can design your organization to limit
opportunity through segregation of duties,

dual controls, and mandatory vacations.

Rec- record keeping, number
three, record keeping failures

compound every other problem.

Four of seven failures had
significant record keeping issues.

Inaccurate records don't just fail the
auditors, they fail your board, your

examiners, and your own decision-making,
and of course, your members.

Examiners are pattern matching.

Every ques- hard question about your
loan portfolio, liquidity reporting,

or supervisory committee activity
has a failed credit union behind it.

They're not adversaries.

They carry institutional
memory about failure.

Some of these questions are to try
and figure out if there is fraud.

And lastly, the fraud risk assessment
should be alive, not an annual review.

It's not something you
can just check the box.

It's something you need to
be looking at all times.

Ask the uncomfortable questions.

Where does opportunity exist right
now, and who in your organization

might already feel pressure?

All right, that's a wrap on this episode
of what I'm calling The Fraud Files.

Watch for more frequent discussion
about what NCUA is saying in their

IG reports and what the other banking
regulators are saying in their reports.

And with that, I'm gonna stop sharing, and
I'm gonna click thank you for listening.

Thank you for watching.

As always, this is Mark Treichel.

Signing off, I hope you'll
listen or watch again soon
