credit union risk management…

RMLearningCenter.com

Credit Union Risk Management…

“Is the method of management we use to identify, measure, and control risks that might threaten the international credit union movement, its members, employees, and volunteers!”

Presented by:CUNA Mutual Benchmarking Team - 2007


Very Good!

Let’s Review!


Tips for public speaking:

• Know your audience wants and interests.

• Control your topic & promotions

• It’s not only numbers that count

• Conference breakout vs. fireside chats?

• Learn from experience, teach by examples!

• Set the tone and expectations early…

• Read chapter IV…


Outline Benefits:

• Features tell and benefits sell…• Encourage audience participation, but• Control it!• Be honest and admit what you don’t know..• Focus on “best practices” it reinforces good

behavior and avoids a focus on negatives that only foster defensive attitudes!

• Keep it simple and down-to-earth…


UK CU’s are Normal:

• They don’t think it will happen to them..

• They’re prone to ½ life and cynical attitudes that ignore reality.

• They want to be liked..

• They’re real focus is on family and personal survival..

• They prefer to be heard and not told…


Very Good!

Let’s Review!


The benefits from this session are many! We’ll discuss…

Risk Management fundamentals,The status of RM projects in the UK,Fidelity bond risk’ controls recommended

for UK credit unions (To safeguard against Burglaries, Robberies, Frauds, Forgeries, Embezzlements, Scams, Plastic Card Fraud, Liability, etc.)

The latest criminal “Methods of Operation” (MOs) in the UK, and we’ll update your…


Session Benefits at a Glance – Continued..

We’ll help you update your RM Strategic Action Plans for…

Creating controllable crime scenes,Creating defendable zones,Integrating security systems, andAdopting “Crime Prevention Through

Environmental Design” principles into your facility management program, and…



We’ll help you update your RM Strategic Action Plans for…

Developing Best Practices’ RM training for employees, staff and volunteers,

Developing public-to-private partnerships with law enforcement, fire fighters, emergency government’ and homeland security’ personnel, and we’ll introduce 2007 Strategic Action Plans for…



We’ll introduce 2007 Strategic Action Plans for…

Developing a “Credit Union’ Incident Command and Control System” in 2007,

Deploying an “Incident Command and Control at the CU Chapter level,”

Updating credit union’ housing-in-place and evacuation protocols! And,

We’ll discuss any risk that threatens the UK credit union movement!


Session Benefits at a Glance – Continued.. “We’ll use case studies to highlight what the crooks are doing and what we need to do to catch them!” For example…

• Is our credit union and chapter ready for the next natural disaster, terrorist attack, or pandemic?

• Is our credit union part of any “branch banking” network?

• What changes should we have made in your contingency, business continuity, and management succession plans since 9-11-01?


Session Benefits at a Glance – Continued.. “We’ll use case studies to highlight what the crooks are doing and what we need to do to catch them!” For example…

• We know crooks are learning to use the internet to recruit and train. Are we?

• You’ll learn how to “reverse trace” and authenticate transactions, and how to analyze a written statement or internet scam.

• You’ll learn how to manage concentrated risks and exposures to reduce looting, burglaries, robberies, and frauds during and after natural disasters, terrorist attacks, or a pandemic.


Evolution Of RM and CU Movement - continued

• 1960s Robbery and burglary

• 1970s Forgery and check fraud

• 1980s Embezzlement and disasters

• 1990s Violence in the workplace

» Armed robbery, bomb threats and disasters

• 2000 Electronic commerce

• 2001 – 2003 Violence in The Workplace!– Bomb Threats & Extortion

– Terrorism, Anthrax Scares, Threat of Biological Warfare

– Internet Fraud, Scams, Money Laundering and

– “Criminal Integration”


“After 9-11-01 there was a quantum shift from proactively management risks to proactive planning to respond to any large scale community or country crisis!” Rich Woldt

• September 11, 2001 … Terrorists attack the World Trade Center in New York City, NY USA!

• 2005… The world is racked with tsunamis, hurricanes, earthquakes, tornados, bombings, and daily threats of future terrorist attacks.

• Emergency governments around the world adopted the Incident Command and Control System (ICS) as a response standard and NIMS to standardize response terminology.



• Emergency governments around the world adopted the Incident Command and Control System (ICS) as a response standard and the National Incident Management System to standardize response terminology.



• From all levels of government the order goes out to form effective first responder “Public – to – Private” partnerships. Critical industries are asked to set response protocols based on:– A 72 hours stand-alone performance standard,– Required housing-in-place performance standards,– Required upgrade in high-rise evacuation standards, – Demonstrated active community involvement in contingency planning

with a focus on responding during a natural disaster, terrorist att


This is a “what if” exercise:

• We use “what ifs” much like we use “worst case scenarios” and “reverse RM logic”

• So if…


This is a “what if” exercise:

We know the losses credit unions and the insurance industry experienced during Katrina, what if:

• All credit unions and members were identified by their zip or postal code?

• All victims had the following info stream on the left fore arm: (Zip code, name, age, medical disability, physical disability, destination land line number, personal cell phone #?


This is a “what if” exercise - continued

• All CUNA Mutual bond/insurance files could be sorted by zip/postal code?

• All CUNA Mutual employees could be sorted by zip/postal code?

• All credit unions and CU chapters could be sorted by zip/postal code?

• All CU members could be sorted by zip/postal code?


Could we not than better…

• Identify our bonded and insured exposures in harms way?

• Measure our potential claims based on exposure concentrations?

• Assemble and position response assets to include CUNA Mutual first responders?

• Track and indemnify victims, thereby reducing loss adjustment expenses (LAE) and CU extra expense?


Could we not than better…

• Customize RM workshops, presentations, on-site analysis, etc. to regional and local area risks s


Let’s begin with…

A Review of RM Fundamentals!


Risk Management fundamentals:Please define and explain the following:

• The three RM steps?• The two types of risk?• The five RM controls?• The two ways you measure risk?• At least three “tools of transfer?


Very Good!

Let’s Review!


Risk Management “A Method Of Management”

“Our 2007’ goal is to speed up the process!”

1. IdentifyCurrency & cash items

2. MeasureFrequency & severity

3. Control


Pure Risks - only loss, never a gain

• Robbery & burglary

• Embezzlement

• Other forms of dishonesty

• Fire and disasters

Speculative Risks – You hope to gain, but you can suffer a loss

• New products, programs, services and laws

Two Types of Risks


5 Risk Controls“Use them in the following order!”

• Avoid

• Reduce

• Spread

• Assume and

• Effectively Transfer to Someone Else– Insurance, Bonds, Hold Harmless Agreements


Risk Management fundamentals – continued..Please define and explain the following:

– Underwriter Laboratory’s (UL) “burglary resistant” ratings and/or European equivalents,

– UL “fire resistant labels and/or equivalents, and

– How to rate an unlabeled container!


Very Good!

Let’s Review!


The Evolution of Security Technology: Underwriter Laboratories Ratings – A Testing StandardInsurance Services Office ISO & The American Society of Industrial Security write “Construction Standards”

It’s Burglary “Resistant” NOT Burglary “Proof!”

• Money safes– TL-15 & “E”

– TL-30

– TR-30

– TRTL-30

– TRTL-15x6

– TRTL-30x6

• Currency vaults – 5R

– 6R

– 10R

– Type I, II, III

– Modular

– Class I, II, III


The Evolution of Security Technology: Underwriter Laboratories Ratings – A Testing StandardInsurance Services Office ISO & The American Society of Industrial Security write “Construction Standards”

It’s fire “Resistant” NOT fire “Proof!”

UL Record Safes Class A, B, C, D

350 1-2-4 hour

150 1-2-4 hour

125 1-2-4 hour

UL Records Vaults2 hour

4 hour

6 hour

• Doors should equal the fire resistance walls, ceiling & floor!


The Evolution of Security Technology: Automated Teller Machines“A Story of Evolution from the 1920s”

• Night Deposit Boxes– Fish and trap resistant chute

– Dual locking container

• ATMs & High Velocity Cash Dispensers– Business hour

– 24 hour level #1

– 24 hour level #2



Door, lock, window, hinge-pin, security,Object, perimeter, and area alarm security, Internal and external alarm line security, andOn-demand, CCTV, and digital surveillance

systems! Discuss installation, testing, and maintenance

standards for each of the above:



Embezzlement and “internal dishonesty,”Scams and “external fraud,”Fictitious & unauthorized loans, Separation of duties,Reverse Tracing,Transaction authentication,Positive account verification,PIN & PAN controls



Dual-control procedures,Dual access controls, Key codes, Statement analysisChip & Pin technologyCVV & CVCCVV & CVC #2Controlled Member Account Verification



Cash flow analysis,Disaster recovery, vs. Contingency planning, vs.

Continuity Management, vs. Event Management,Kiting,Lapping and withholding deposits,Cash letters & holders in due course, Mysterious disappearance,Spot-check verifications, etc…



Phishing,PHarming,Skimming & refreshing, Identity Theft,How to do a back-ground investigation,How to use the internet to do RM research,How to do a credit check,How to trace transactions back to source

documents!



A contract of “good faith,”Deductibles, Actual cash value, Replacement costs, Extra expense,Negotiable security,Barer instrument, Exclusions and endorsements,



The three most important points to make when writing an RMA report,

How to defend cash item storage recommendations,

How to submit a “memo to file” or “incident report,”

How to locate physical address for fire department and how to make emergency call,



The difference between a fire and a bomb threat evacuation,

How to respond to an earthquake, tornado, anthrax scare, and bomb threat,

How to handle an embezzlement suspect, and

How to take command and control of any life threatening incident!



Duties of an “Underwriter,”Duties of a “Claims Adjuster,”Duties of an “Actuary,”Duties of an “Account Representative,”

What do all the above have in common? Hint; They are all Risk M-------s!


Very Good!

Let’s Review!


Typical Bond Experience

Forgery12%

EmployeeDishonesty

45%

Robbery, Burglary,

Theft, Fraud20%

Faith.Perf.21%

Miscellaneous2%


Typical Bond Experience

Robbery, Burglary,Theft, Fraud

40%

Forgery39%

Misc.5%

EmployeeDishonesty

13%

FaithfulPerformance

3%


Profile of the Credit Union Embezzler

Suspicious life styleCan’t leave or relinquish controlTale wags the dogOverly religious Easily excitedWorks late and alone



Full of Rationale & JustificationsI’m only borrowing,Others are doing it,I’m underpaid and overworked,That’s all I did, I’ll never do it again, Always has a need & looks for an opportunity.Knows he can escape or blame others.You didn’t tell me I was doing wrong,

Has a “character disorder.”



Character disorder?We all have them,Can’t tell right from wrong,Seldom admit they’re a thief.

• Who can your trust?Grandma – grew her CU with bogus accounts Reverend - sold CDs to family and farmers, Uncle - stole member’s money, home and wife –

“The dismembered member”

Are you guarding your inactive and dormant accounts?


Embezzlers are all On A Path Prison!

Most starts small -Open cash drawerCommon fundsWithhold currencyLap depositsKit using multiple accountsManipulate family member accounts


Embezzlers are all On A Path Prison!

Use dormant & inactive accounts Transfer funds to accounts they control Use expense accounts Hide funds in GL clearing accounts Collection department fraud Most find their way to your loan files

Unauthorized loansFictitious loans


Internal Controls“Cash handling procedures”

• Audit trails– Dual verification– Signed receipts, computer entries, etc.– Pre numbered cash receipt vouchers

• Individually “locked” containers

• Combination and key controls

• Spare key controls


Internal Controls“Safeguard Your Reputation”

• Dual controls

– Night depository

– Lost and found

– Smart safes & combinations

• Rotate and separate duties

• Require extended vacations

• Never post to your own account!


Internal Controls“Safeguard Your Reputation”

Passwords No one but you should know or have

access to your passwords! Change it every 90 days! Train all Staff first day on the job!

Supervisory override controls! Use and audit override printouts!


Forgery – Frauds – Scams & Your “run of the mill con-artist!”

Forgery controls when “face to face” Beware of bogus ID Require signed, pictured ID and verify details Teach signature verification procedures

Fraud controls over landlines and Cell Phones Caller ID systems Ask open ended questions Call back procedures

Fax security procedures Good luck Call Backs


Plastic CardsFraud controls and technology

• Card mailing procedures• Card Activation programs• PIN & PAN controls with member education

“Personal identification number and personal account number”

• CVV & CVC “set to decline”– Visa’s Card Verification Value (CVV)

– M/C’s Card Validation Code (CVC)

• All on-board - “neural networks”


Audit Controls“These should be Required”

• Supervisory Committee– Surprise cash counts

– 100% Member account verifications

– New account verifications

• Board of Directors– Rotation & separation of duties

– Cross training to catch a thief

– Independent auditors report to the Board

– Fraud policy – Use it – Review it – Sign it


The Fraud Policy Honesty & Accountability

• Sets tone from the top,• Provides meeting of the minds,• Defines what’s not permitted, • Gives grounds for discipline or dismissal,• Saves legal costs,• Protects reputations,• Review it, update it and • Sign it annually!


To Catch a Thief!“These Should Be Required”

• Credit Committee– Separation of duties

– Loan officer minute controls

– New loan verification procedures

• Loan Audits– Finger audits

– Collection audits


Fidelity Self Analysis “It’s Purpose and Evolution”

• Deters and detects embezzlers.• Start with canceled checks.• Follow transactions back to source documents.• Use forgery detection skills.• Leads to a more detailed audits.• Driven by logic and fraud indicators.• Focus on quickly finding fraud indicators• Have written action plans in case you find fraud!


Your Crime Fighter’ Goal?“Hold People Accountable for Their Actions”

• Audit and Internal Controls protect --* Strong employees from fraud opportunities,

* Weak employees from temptation, &

* Innocent employees from suspicion!


How Do You Handle Suspects?“With Care and Compassion”

Never call them a crook!Notify Supervisory Committee!Focus on the facts!Consult authorities on how to proceed!Notify Bonding Company!Dealing with suspects:

When, where and how!


Very Good!

Let’s Review!


Everyone wants your money!

Common scams to get it:

Phishing

Lotteries & Sweepstakes

Internet Auctions / e-Bay

Telemarketing

Nigerian 4-1-9 Scams

Plastic Cardo Credit & debit cardso ATM cards


Phishing

IT slang .. But it really does mean fishing for information. Account numbers at banks and credit unions Social security numbers Credit card account and security numbers Passwords Personal information; i.e. birthdates, parent’s names, affiliations, etc.

“Spam” or pop-up messages & hyperlinks Appears to be from a legitimate business, online service or government agency.

Links to genuine websites with legitimate pages; such as privacy policies or product information.

85% of all email sent is SPAM – subsequently receive endless repetition of worthless text or pop-ups.


PhishingWhat to look for -

Email MethodsDeceptive subject lines

Forged sender’s address

Genuine looking content

Disguised hyperlinks

Web Site MethodsGenuine looking content

URL appears genuine

Collection of information & use of forms

Incorrect URL (not disguised)

Pop up windows

Trojans / worms / spyware

How to protect yourself -

Steps to protectionNEVER provide ANY financial or personal informationNEVER click on hyperlinks with emailsUse Anti-virus softwareKeep software updated (automatic upgrades)Don’t open ‘strange’ emailLook for “https” and padlock on the siteClean up Spyware & AdwareLearn about Internet fraudCheck you credit report Ask for help

Email MethodsDeceptive subject lines

Forged sender’s address

Genuine looking content

Disguised hyperlinks

Web Site MethodsGenuine looking content

URL appears genuine

Collection of information & use of forms

Incorrect URL (not disguised)

Pop up windows

Trojans / worms / spyware

Steps to protectionNEVER provide ANY financial or personal informationNEVER click on hyperlinks with emailsUse Anti-virus softwareKeep software updated (automatic upgrades)Don’t open ‘strange’ emailLook for “https” and padlock on the siteClean up Spyware & AdwareLearn about Internet fraudCheck you credit report Ask for help


Phishing Phishing e-Mail Spoofed fraudulent

website Legitimate website

https://www.empirefcu.org/home/html

http://218.4.205.85/manual/empirefcuindex.htm

https://www.empirefcu.org


Plastic Cards

Credit & debit cards ATM cards

Do NOT give anyone your CARD Number

or 3-digit Security (CVV2) Code

Memorize your PINPIN –

Do NOT keep it with your card

Do NOT keep it in you wallet or purse

Do NOT give it to ANYONE – not even your family members

CVV2 Security Code• Card not present transactions

• Verified by VISA

Be aware of your surroundings at ATMs

• Check the machine for unusual / suspicious things

• Shield the area when entering your PIN

• Be sure it’s well lit at night

Do NO

T give

anyo

ne y

our C

ARD Num

ber

or 3

-dig

it Se

curit

y (C

VV2) C

ode


Lotteries & Sweepstakes

Occurs when the victim pays money to someone in anticipation of receiving something of greater value. (“Something too good to be true!!!)

Lotteries Sweepstakes “Found money” Work at home

(Advance Fee Scheme)

How it happens: e-Mail notification with instructions on your “next step” USPS mail, often accompanying a check or money order with instructions Send money for validation of prize Deposit check, then wire funds for “taxes” or other redemption costs


Lotteries & Sweepstakes(Advance Fee Scheme)

Your credit union account

Beginning balance:

2. Deposit it into your credit union account

a. CU places a 7-day “hold” on the funds

3. 7 days pass and you withdraw $13,000

a. $10,000.00 is sent via Western Union to the instructed person and bank number

b. $3,000.00 is spent by you on bills

2. Deposit $15,000

3. Withdrawal $13,000

$ 55.00

$ 15,055.00

$ 2,055.00

4. One month later, the check is returned to the credit union as counterfeit

4. Returned $15,000 check - $12,945.00

1. Receive check in the mail for $15,000

And now you owe the credit union

$12,945.00

and the thief got

$10,000


<[email protected]>

Super Complete

New twist: Rather than requiring tax payments in the e-mail, the recipient is referred to an “attorney” who may assess a fee before a certificate can be issued.

Another L

ottery

Win

ner!!!

Lotteries & Sweepstakes “Ruota di Roma” (Wheel of Rome) SUPERENALOTTO You have won, With the introduction of new types of games, with the ushering in of on-line technology and with the permits issued under EU law to EU countries to compete for concessions to run games in Italy and on the internet, we are launching our first international program: “Ruota di Roma” (Wheel of Rome) We are running a program where instead of bought tickets and numbers in the ballots we use email addresses. All contestants were selected through a computer ballot system drawn from email addresses taken from all over the world. You have received this message from SuperenaLotto prize dept. because you have visited one of our sponsored sites and have voluntarily given your email address to receive mails from their sponsors. From the results of the Wheel of Rome draw that took place on the 25th of september 2006. Your E-mail address has come up as one of the winners; you have therefore won the sum of One Million United States Dollars (US $1,000,000, 00). This is from a total cash prize of Ten Million United States Dollars (USD$10,000,000.00) shared amongst Ten Lucky Winners in the Category A+. This cash prize must be claimed not later than the 13th of october 2006. After this date all unclaimed prizes will be declared void. Claimants must be over 20 years of age. All entries must adhere to the “Ruota di Roma” (Wheel of Rome) Terms and conditions stated in our official page. To view the terms click on this link *************** or paste it in your browser. You must read the terms and conditions and understand them before responding. After reading the terms and conditions, contact your processing agent to file for your claim under reference number: OJHN/08-IL1131/06. Mr. Ernesto Bonino. Email: ********** You are to quote your winning reference number when responding. Finally, we call on you to make sure that you save a copy of this mail because you might be called upon to produce it at anytime. Congratulations once more from all of us at Superenalotto and thank you for being part of our promotional program. Management. Superenalotto. Via Allesio di Tocqueville 13-20154 Milano, Italy NOTICE: If you wish to be taken out of this list do not reply to this mail, reply to the agent with the words remove. If you are not the intended recipient, you must not, directly or indirectly, use, disclose, distribute, print or copy any part of this message. If you believe you have received this message in error, please delete it and all copies of it from your system and notify the sender immediately by reply e-mail. Thank you. ************DO NOT DELETE THIS MESSAGE*********** -------------------------------------------------------------------------------- NEVER SEND SPAM. IT IS BAD.


Lotteries & Sweepstakes(How to avoid the

scheme)

If it’s too good to be true …. It’s too good to be true!!

Ask yourself: “did I enter a lottery?” “did I sign up for a sweepstakes?” especially in a foreign country !!!

DON’T Play – Foreign lotteries are ILLEGAL!

Do NOT respond to them!!!!

Legitimate sweepstakes do not request money from you for processing or taxes.

Are there rules? If so, are they easily understood?

Do they ask for your bank account number, SSAN or credit card number?


Internet Auctions / e-Bay Both buyers and sellers have been scammed

through the use of e-Bay or other on line auctions.

Buyers -

Non – delivery of items purchased. Misrepresentation of value. Fee stacking.

Black-market / counterfeit goods. Shill bidding.

Sellers -

Contact from buyers outside US. Counterfeit checks, money orders Check overpayments 3rd party agents

“Act now” pressure

Use of Escrow accounts

Second chance offers

Use of Escrow accounts

Disappearing item

Demanding e-mail/contacts Offers to pay for shipment


Internet Auctions / e-Bay- Avoiding Fraud -

Understand as much about how the auction works as possible.

Find out the actions the website/company takes if a problem occurs.

Carefully examine the feedback of the buyer or seller.

Evaluate the shipping requests.

Arrange for payments – be careful of escrow accounts.

Know your legal obligations.

Protect your identity and your funds.

Do not give out your SSAN or DL to the seller.

Protect your credit card security numbers.


Counterfeit Checks


Counterfeit ChecksCounterfeit Money Orders


Telemarketing- Red Flags -

If the caller tells you that ……

“You must act ‘now’ or the offer won’t be good.”

“You’ve won a ‘free’ gift, vacation or prize, but you have to pay for postage and handling.”

“You must send money, give a credit card or credit union account number .. Or have a check be picked up by a ‘courier’.”

“Keep this confidential. There’s no need to discuss this with your family or your family attorney or accountant.”

“You can’t afford to miss out on this opportunity.”

HANGHANG UPUP


Telemarketing- Avoiding Fraud -

Buy only from known, or familiar, companies.

Get the sales person’s name, business, phone #, address, and business license number BEFORE you purchase.

Do NOT pay for services in advance.

Don’t pay anything for a “free” gift or prize. Federal law prohibits payments for taxes.

When giving to a charity, always find out the percentage is paid for commissions & administration expenses; and how much goes to the actual charity.

Never give personal or financial information over the phone.

Don’t be afraid to demand answers.

Uncomfortable? … Just hang up!


Nigerian 4-1-9 Scams Similar to an ‘advance fee’ scheme; Nigerian letter fraud also

includes:

Impersonation, or false identification of sender.

Offers opportunities to share in a percentage of millions of dollars.

Self proclaimed government official, wealthy exiled family or business exec.

Difficulty in transferring funds from their country to the US.

Request to contact them for interest.

You may be encouraged to travel overseas to complete the transaction.

Requests for “plain letterhead”, credit union account information and phone/fax numbers.

Subsequent requests for “up-front” money.

Often accompanied by fraudulent documents bearing Nigerian letterhead and officials’ signatures.


Nigerian 419 Scams


Nigerian 4-1-9 Scams 5 Rules for doing Business with Nigeria

NEVER pay anything up front for ANY reason.

NEVER extend credit for ANY reason.

NEVER do ANYTHING until their check clears.

NEVER expect ANY help from Nigeria.

NEVER rely on US to bail you out!

Why would ANYONE in Nigeria (or anywhere else in the world for that matter) contact YOU for assistance to transfer their money into the US?

PLUS – one question ….


Some Statistics

Source: Federal Trade Commission

Work-At-Home20%

Internet Auctions

28%

Computer Complaints

17%

Sweepstakes/Lottery17%

Foreign Money Offers18%

Top 5 Fraud Complaints for WisconsinWisconsin Consumers


Who to Contact

U.S. Secret Service (www.secretservice.gov)Financial Crimes Division950 H Street, N.W.Washington, D.C. 20001(202) 406-5850E-Mail: [email protected]

U.S. Postal Inspection Service (www.USPS.com/postalinspectors)

POSTAL INSPECTION SERVICE433 W HARRISON ST FL 6 CHICAGO IL 60699-0002

Phone : 312-983-7900 Fax : 312-983-6300

http://www.usps/


Who to Contact

U.S. Treasury Dept (www.ustreas.gov)

Bureau of Engraving and Printing 14th & C Streets, SW Washington, DC 20228 (202) 874-3019

Office of the Comptroller of the Currency (www.occ.treas.gov)

Customer Assistance Group 1301 McKinney Street Suite 3450 Houston, TX 77010 FAX: 713-336-4301


Who to Contact

Federal Bureau of Investigation (www.fbi.gov)J. Edgar Hoover Building935 Pennsylvania Avenue, NWWashington, D.C. 20535-0001(202) 324-3000

Federal Trade Commission (www.ftc.gov)Consumer Response Center600 Pennsylvania Ave., NW, H-130Washington, D.C. 20580

http://www.ftc.gov/


Who to Contact

Major Credit Bureaus: web request copy fraud unit

Experian experian.com (800) 397-3742 (888) 397-3742Equifax equifax.cm (800) 685-1111 (800) 525-6285TransUnion transunion.com(800) 888-4213 (800) 680-7289

http://www.scambusters.org/

http://www.internetfraud.usdoj.gov/

http://www.sec.gov/investor/pubs/cyberfraud.htm

http://www.lookstoogoodtobetrue.com

http://onguardonline.gov/index.html


Thank You

Rich Woldt

Risk Management 007



Physical security first– Doors, locks, safes, and vaults

Alarm security– Object, area, perimeter - Line security

Surveillance & Access ControlsDiscussion of installations, maintenance,

and testing standards for 2007!


Risk ManagementSecurity Technology

Evolving with the Movement!

“Credit Unions are driven to safeguard life, liberty and the pursuit of economic freedom.” As member services evolved so have regulations, security management methods and subsequent security technology:

NCUA Regulation #748 – Minimum Security Devices and Procedures

NCUA Regulation #749 Off-site Record Reconstruction Program


Risk Management Methods New, more effective crime fighting methods!

• Facility Security Analysis:– Crime Prevention Through Environmental Design

(CPTED)• Defendable Zones

– Security Integration• Proprietary, Community, County, State & Federal,

Chapters, Leagues, National Associations, etc.

• Controllable Crime Scenes, a trap that works! • Casing puts you out in front!


Casing – Staying ahead of the crooks!“Walk-the-walk and you’ll Talk-the-talk”

Crooks case targets to increase their probability of success. We case targets to solve crimes, correct security concerns, safeguard against the next crime, and increase the probability crooks will be caught, prosecuted, convicted, and sent to prison for a long, long time!


Combating terrorism, armed robbery & the fear of violence in the workplace!

• Defendable zones

• Hi-tech alarms and warning systems

• Digital surveillance

• Security system integration

• Best practices training

• GPS & Cellular Technology



2004 – There is a shift to – Proactive Risk ManagementThe Evolution of International RM Projects

• Accountability and Ownership

• Training Alternatives– Self assessments, case studies and best

practices!

– Casing your own crime scenes!

– Creating controllable crime scenes!

• Expanding to Community, County, Country and International Protocols!

• Pursuit through capture, prosecution, conviction and sentencing!



Revised Risk Management Principles, Current Methods and Updated Protocols

2004 and Beyond• CPTED - Crime Prevention through Environmental Design

• Security Integration

• Security Application & Technology – Before, during and after disasters

• Community Response and Recovery – Emergency Response Protocols

• Law Enforcement – Blue Team

• Fire, EMT, Hospitals –

• Credit Unions & Corporate America – Red Team

• FEMA, Red Cross, Salvation Army, HAZMAT, etc. – Orange Team

– Professional Associations and Support Groups• ASIS, FCI, ACFEI, RMLC, chapters, Leagues, Associations, etc.


A “Zoned” response works best during a recovery operation. It’s easier to inventory and protect recovery resources, and position personnel to support either a strike or mission based operation. Traffic flows in one end of the site and out the other to minimize congestion, accommodate supply lines, decontaminate personnel and assist victims through triage, tracking them through hospitals and full recovery.

Response, Recovery & Command Center Zone

Reconstruction ZoneResponse and Recovery ZoneDemilitarized ZoneGround Zero

Before Food Flows Out!

After biological attack food and supplies flow in to critical incident command centers!

Recovery personnel and resources flow in one end of the site and out the other!


Very Good!

Let’s Review!


Proactive Risk Management Methods, Strategies and Accountabilities

“Our goal is to harden criminal targets against criminal acts”And creating controllable crime scenes to reduce internal and external losses!


Very Good!

Let’s Review!


Violence In The Work PlaceViolence In The Work Place “Credit Unions Combat Intimidation”“Credit Unions Combat Intimidation”

• Policy & plans– Tone from the top– Communicated to all

• Set “no tolerance zone”• Report & document• Follow-up & document• Train a response team

– All department managers– Offers third party intervention


Threat Assessment TeamsThreat Assessment TeamsDDocument - Document - Document - Document - Documentocument - Document - Document - Document - Document

• Listen to co-workers – Encourage reporting– Keep confidential & demonstrate

action

• Investigate immediately• Review the records• Document events and action

taken• Report to the “entire” Report to the “entire”

crisis management teamcrisis management team

• Follow-up!


Family & Contingency planning – keeping in touch! Attackers divide and concur – Don’t let them!

• Locate:– Tested contact numbers and verified schedules – Tested answering machine procedures– Sealed envelopes and updated itineraries– School contact numbers and class schedules– Neighbor names and contact numbers

• Lockdown & Link– Private security, law enforcement and 3rd party

intervention– “Secured” landlines, fax machines, internet addresses,

etc. – EOC and Red Cross Tracking and intervention.


Experience has taught ---“Knowing what to expect will put you in control”

• Smart criminals offer little time!• Buy time & they’ll lose! • They’ll be prepared to provide “Proof of life”

– Demand Proof the hostage is unhurt and alive.

• Take control! Tell them --– I must notify our auditor! He’ll call the police!– I must involve others! I can’t control what they’ll do!– I have people in my office. What should I do? How?– Our policy requires me to tell my manager! – What should I tell him?

• Ask open ended questions and take notes:– Who, what, where, why and when


Continued: Hostage Survival – Take care of the family!

• Assign one person as their advocate.• Keep the family “fully” informed.• Contact their physicians, if health is

a concern!• Protect family members from the

media and unwelcome visitors.• Use media effectively.


Hostage Survival Steps in the right direction!

• Have a written extortion policy.

• Have a violence in the workplace team.

• Notify Others - according to policy and plan.

• Never go it alone.

• Contact Police and FBI! – Request a Detective and trained Hostage Negotiator. – Per plan, attempt to verify the person in fact has been

kidnapped. Don’t over-reacting (Bogus busy signals, a change in plans, etc.)


Continued: Hostage Survival – Make sure you following your plan!

• Limit knowledge to your critical incident management team!– Need to Know.– Gossip will endanger the hostage– Beware of an accomplice in the office. – Beware of Media leaks

• Arrange protection and care for victim’s immediate family.

• Determine payment guidelines for authorities.– The family decides to pay or not– The credit union should have a board approved extortion

policy (kept confidential).


Continued: Hostage Survival –

“Whether you’re the hostage or part of the recovery team –”

Take care of yourself!

• Rest when possible.• Use professional negotiators (another voice).

• Avoid coffee & drink water!• Exercise to keep alert.• Accept – “You’ve done your best!”• Remember family and call them.

– “This is a time to come together and stick together”– Time to build a “Sense of Being in Control”


Forensic Investigation – Give me the facts - only the facts

“You’re still in control when you get the call or receive the letter”

Expect him to say --• We’re observing you!

– Ask how?

• You only have a short time!– Ask how much?

• We’ll harm you and your family!– Ask how?

• We’re holding someone you care about!– Ask who and where?

• You bring the money!– Ask what if I can’t and ask for detailed instructions

• I want half a million dollars, now!– Ask how can I get that much?


Forensic Investigations: Assemble “Pertinent” Information!

Current photographs in differing attire.Travel itineraries for past 30 days (Envelopes)Landline, cellular & pager numbersHealth Records:

Condition, required medications, allergies, distinguishing characteristics (tattoos, piercing, scars, etc.)

Other contacts (family, friends, business Associates, recent visitors, tenants, landlord, neighbors, etc.

Assess information hostage might provide:Financial & Other


ExtortionExtortion Is your credit union ready?Is your credit union ready?

• Extortion policy and plan– Involve law enforcement

– Notify board of directors

• All upper management and board • Envelopes - bigger every year

• Cellular phone - technology integration• Locate, lock-down, and link• Defensive driving, walking, and alert living


Executive’ ProtectionSafety, security and survival is a 24 hour effort!

Identify and prioritize targets: – Kidnap, Extortion, Robbery, Stalking and Terrorist

Identify and prioritize “Motives” – Attackers are driven by “motive”

• Money, currency, greenbacks and more money

• Confidential, top secret and proprietary information

• Anger, revenge, sexual attractions, opportunists

Family & Contingency planning “keep in touch” • Do you know where your family is?

• Do they know how to contact you?


Executive’ Protection Continued – Target Assessment When -Where & Why

• Are you running like a railroad?– Vary routes, times, persons and patterns– Be inconspicuous and unpredictable

• Have you been lured from your zone? – False alarms and home invasions

• Is your backup in place and ready to roll?– Callback procedures and action plans

• Have family’ contingency plans been rehearsed?


Executive ProtectionExecutive Protection““Getting Back On-board – Self Defense”Getting Back On-board – Self Defense”

• Learn to evaluate your surrounding and potential threats, “early.”– “People waiting for the bus watch one direction.”

• Drive with windows up, doors locked, keep your space, and know a bailout route.– Stop so you can see their back tires.

– Drive 5-MPH faster than they can run.

– Rear-end a squad car.


Executive Protection Executive Protection “The Art of Self Defense“The Art of Self Defense””

• Martial arts:– Learn from aficionados.– Learn how to use your

fingers, elbows, legs, arms, teeth, and body weight as a weapon.

– Invite a black belt to speak at your staff meetings.


Military TrainingDo you remember?

Staggering troops during search and rescues?

“Move out alpha – Cover me bravo!”

Using the vertical & horizontal butt strokes?

Your basic “rear-strangle” take down hold?

Following through to submission?


Executive Protection Executive Protection ““Getting Back On-board”Getting Back On-board”

• Limit carry-on to what will fit under your feet.

• Select an aisle seat if you plan to fight, a window seat if you plan to hide.

• Select a seat near the cockpit if you plan to defend, and a seat near the back if you don’t.


Executive ProtectionExecutive Protection““Getting Back On-board”Getting Back On-board”

• Identify your shield:– Computer, briefcase, backpack, jackets,

blankets, pillows and cushions.

• Identify your weapons:– Hot coffee, anything you can throw, sharp

objects, keys, your body is a weapon.

• Don’t hesitate.– ACT and REACT until you’re in control.


Very Good!

Let’s Review!


Has evolved from Disaster Recovery to Business Has evolved from Disaster Recovery to Business Resumption to today’s “Contingency Planning!”Resumption to today’s “Contingency Planning!”

• Disaster Recovery (1940s - 1970s)– (Influenced Civil Defense Programs) – 1970s NCUA #749 & off-site storage of vital CU

records”

• Business Resumption (1980s – 1990s)– Earthquakes & The New Madred Fault warning,– Planning to survive a credit union disaster

• World trade center bombing 1993• Oklahoma city bombing 1995


Has been driven by worse case scenarios!

• 2000 – Y2K Contingency Planning• 9/11/01 – terrorist strike the word trade

center• The 9/11 impact on Contingency Planning


Contingency Planning - Fundamentals:Building the solid foundation for your future!Building the solid foundation for your future!

• Set the “tone from the top” – Or you’ll be pushing a rope uphill!

• Select appropriate plan writers and alternates, – Or you’ll miss important details!

• Designate and train “Recovery” Teams:– Damage Assessment Team (DAT)

– Disaster Recovery Team (DRT)

• Focus on “Your Worst Case Scenarios”

• Write plans that will help you survive, recover and grow!– RMLC faculty recommend the “Parking Lot” Approach


Contingency Planning – Four (4) “key” functions:“Recovery often depends on your focus, immediate action and

plans that outline proven response protocols!”

• Life safety: First aid, evacuation, & tracking victims through recovery.

• Protect: Physical property from fire, vandalism, the elements, etc.

• Transportation: From danger to shelter, food, telephones and entertainment.

• Communications: Notifying friends, family and fellow employees. Includes proactively handling the media.

It’s your shift to “Critical Incident Management”


Continued - Shifts to proactive Risk Management

“A 3-Day program for stepping up to the plate!”“A 3-Day program for stepping up to the plate!”

Day one – Shift from your “Standard Management” to “Critical Incident Management” mode! Immediately: Provide victim assistance, activate recovery teams, declare the disaster, establish communication links, set up EOC, ICC and staging areas and focus on taking control.

Day two – Regroup, reevaluate, assemble facts and communicate facts via plan-approved channels. Begin the formal recovery process.

Day three – Focus on getting back to work, and back to normal! Reach out to extended victims and set up a program to monitor the victim recovery process.


Chapter & Community Responses to Biological Attacks!

Response, Recovery & Command Center Zone

Reconstruction ZoneResponse and Recovery ZoneDemilitarized ZoneGround Zero

Before Food Flows Out!

After biological attack food and supplies flow in to critical incident command centers!


Contingency Planning – The “ Parking Lot” Approach! How to build the solid foundation your future depends on!

• Adopt a common methodology for all locations,– It helps cross training and rotating staff, and

– Ensures a focus on critical services!

• Keep it simple, flexible, realistic and fun!– Include and request input form all employees

– Use Bergee’s ABC & 1-2-3

– Keep it confidential & secure!

• Schedule tests, updates, and Board approvals.


Questions Please Questions Please

Rich Woldt CPP, CFECEO- The Risk Management Learning Center

ACFEI – Level III Certified Homeland Security InstructorLicensed Private Detective

[email protected]


Thank You!Thank You!

Rich Woldt CPP, CFECEO- The Risk Management Learning Center

ACFEI – Level III Certified Homeland Security InstructorLicensed Private Detective

[email protected]

credit union risk management…

Documents

credit union risk management

credit union housing

uk credit union movement

credit union incident

uk credit unions

update yoursession benefits

management succession

method of management