Set Your Threshold

Have you ever noticed that when you go into a big-box store, there are only electronic tracking devices on the most expensive items? At Wilson’s Leather, for example, there will be a tracking device—sometimes several—on a $500 jacket, but the $29.95 leather address books are unprotected. Why? Risk analysis. The store has determined the maximum amount it is willing to lose due to theft, and it expends the majority of its loss-prevention resources to stop losses that exceed that amount.

“You don’t put a $5 marker on a $2 item,” says Dana Turner, security practitioner at Security Education Systems LLC, Pipe Creek, Texas. “But I went out last week and bought a new Windows Surface 2 tablet, and there were more electronic tracking things on that box and the components within than just about anything else I’ve ever seen. So obviously if you go out the door (without paying), you’re going to get tackled in the mall by security.”

Similarly, retailers think about the relative value of items when they plan store layout. Expensive electronics are in the back center of the store where they can be watched and protected. All you’ll find up front at the checkout line is nail files, sticky notes and gum.

This is an example of setting thresholds, something retail stores do as part of their security programs. It’s something credit unions could learn from.

“We have to determine what we’re prepared to lose,” says Turner. “It may be $100 in an over/short for a teller. We’re not going to go spend $5,000 investigating a $100 crime. So we establish what’s called a threshold for acceptable loss. The bigger retailers do a really good job of this—Target and Wal-Mart and TJ Maxx. You can learn a lot about financial institution security by hanging out with those people.”

It’s easy to be lulled into the Hollywood movie idea that anyone who’s casing a financial institution is after the cash in the vault. Sure, that should be protected, but it’s never a credit union’s most valuable asset. The loss of cash from the branch would hurt the institution, but there are other losses that could do much greater damage, both to the bottom line and to the credit union’s credibility and reputation.

Credit unions are starting to get the message, thanks to high-profile security breaches at retailers.

“You hear about cyber-criminals attacking businesses and financial institutions, because that’s the new bank robbery,” says CUES member Edward Lis, SVP/chief financial officer/compliance officer at $80 million Fulton County Federal Credit Union, Gloversville, N.Y., with 11,000 members and 26 employees. “That’s the new way. If you get information from 400 credit and debit cards from a financial institution—or from a store like Target, where they got (to the data from) 40 million (cards)—that, to me, is more valuable than robbing a bank, because we only have a limited amount of money in our vault to begin with.

“The money isn’t in robbing; the money is in the data that we all have and we all manage.”

Most credit unions, including Fulton County FCU, are conscientious about partnering with their credit and debit card processors to ensure top-notch network security. But that isn’t the only way data must be protected. Physical security is important, too, because a surprising number of data thieves actually walk in the door.

“If you let a crook in with false identification, you give them access to a variety of different services that they can probably benefit from,” says Turner. “So, just as a store will put the highest-dollar items in clear line of sight or in an area that’s covered by multiple cameras, credit unions should protect the new accounts desk. Put additional cameras— and preferably a sign that says, ‘This area is under video surveillance’—there so that people can see that.”

The sign acts as a deterrent to criminals who join a CU so they have easier access to the CU’s systems, but it’s not all bark and no bite. An $80 minicam that plugs into an MSR’s USB port can provide a startlingly clear visual image. And since it takes an average of 22 minutes to open an account, the CU has substantial evidence if the new member turns out to be a criminal.

“You’ve got a person on camera for 22 minutes,” Turner says. “The cops are going to love you. You put [the camera] there because you have so much to lose and the risk is great.”

The 80/20 Rule

According to Turner, low-level staffers commit 80 percent of the crimes in a credit union, but it’s small change, relatively speaking: $100 here, $200 there.

“It’s the execs that do 20 percent of the crime that get 80 percent of all the dollars,” he says. “The higher up the chain you go, the more they can steal because the more power they have, and the less control. The higher up the food chain, the more money you risk [losing from internal crimes]. And therefore, in my world, that’s where you put the controls.”

To put it in perspective, look at the Taupa Lithuanian Credit Union case, in which the CEO conspired with multiple other parties to embezzle (at last count) $10 to $16 million. That’s an amount a $24 million CU can’t afford to lose, and it obviously has the full attention of regulators and law enforcement agents. It’s a death blow.

There are several retail-store strategies that can help reduce the risk of embezzlement. Credit unions should fight the urge to trust their higher-level employees more, and instead apply the following security measures strictly at all levels, no exceptions.

First, restrict access to sensitive areas of the building. This is something Lis’s CU does, even though it’s a small institution where everyone knows everyone else.

“To get into certain areas of the CU, such as the vault, teller line, any non-public rest room and records retention areas, you have to know a combination,” he explains. “You punch that combination in to gain access. So we have a very restricted flow of access to staff and the members.”

Turner says badges with magnetic strips that must be swiped at checkpoints are an even better option, since they generate a record of who went where, and when. He says some retailers have gone as far as installing retina scanners on their cash vaults to restrict and record comings and goings.

“If you lose your key, anybody can get the key,” he points out. “But a retina scan is something entirely different. I will not say that every retail store does that, because that would be untrue. But it’s been piloted now for a couple of years, and the pilots, as I understand it, have come back very well.”

Another retail-store tactic credit unions can borrow is employing secret shoppers.

“Credit unions can sign up with a shopping service where someone will come in and, based on the instructions he or she receives, open an account, apply for a loan, or apply for a job,” says Turner. “They’ll document how this was done, and then it will be reviewed later by somebody else to determine whether it was done according to policies and procedures. They use them in retail, and you can use them in credit unions too.”

Perhaps the most effective tool is an independent third-party employee tip line. According to the Association of Certified Fraud Examiners, a tip line will cut internal losses by an average of 50 percent. It might even catch the big fish.

“It’s the most significant single thing that either a retailer or a credit union can put in play,” says Turner. “But it’s got to be independent. It has to be somebody who’s not a co-worker.”

Meet and Greet

Even though old-style bank robbery represents a lower overall risk than cybercrime or embezzlement, it’s still something that both retailers and credit unions need to address. And there’s no reason not to do it well, because the very same policies and behaviors that discourage robbery also help improve customer or member service.

Paul Seibert, CMC, VP/financial services, EHS Design Inc., Seattle, points out that in a well-run retail store, the first thing that happens when customers walk in is that someone greets them. That, he says, is a behavior that’s intended to help sell merchandise. But it deters theft as well.

“They say, ‘How are you? Welcome to our store! Can I help you?’” he says. “It’s immediate recognition. If you correlate this to something that we developed with the FBI about six years ago, called SafeCatch, it’s exactly the same thing. Somebody comes in the door and there’s someone there to greet them. Maybe it’s a [dedicated] greeter, or maybe you all share the responsibility for an hour a day. Maybe the door is close enough that the teller can say hi to people when they come in. But it’s that initial recognition when you come in. You don’t have the sense that you can hide. You’re immediately recognized. SafeCatch is proven to reduce robbery and fraud by 70 percent.

Seibert says he recently audited a branch where the teller line was in the back of the room, turned sideways, with no view of the front door. Other staff were in offices. Any member—or criminal—who walked in the front door would see no one looking back at him.

“Even though the tellers are behind a teller line, they’re still going to get robbed,” Seibert says. “Most robbers are of an age where it’s easy for them to leap over a counter. So it’s not a good position.”

He advocates moving to a universal-employee system, where tellers become member service agents who walk the floor, meeting members at “pods” with secure cash recyclers. Loan officers and other employees who work in offices should have sliding doors that double the size of the door opening and make the space feel more open and welcoming.

“From an engagement standpoint it’s much more open and people feel more available,” he says. “From a security standpoint, it puts more eyes and more presence on the floor, more observation. Robbers do not want to be talked to or be viewed or be connected with. So you start putting more eyes on the floor and make it feel more engaging, and there’s a lot less likelihood of robbery and fraud.”

Jamie Swedberg is a freelance writer based in Georgia.