Examiners dropped the ball on C B S Employees FCU, IG says; failure cost share insurance fund $39.5 million

Small-CU exam program under review; revisions to exam guidance, account verification procedures slated by end of 2021

The former CEO of the now-defunct C B S Employees Federal Credit Union of Studio City, Calif., got away with embezzlement for about 20 years undetected by staff or the credit union’s federal regulatory agency until last year, when $42.2 million in missing cash was discovered, according to an agency inspector general report.

The IG, in a Feb. 11 report posted online just recently, said the credit union, which had been examined under procedures of the National Credit Union Administration’s (NCUA) Small Credit Union Examination Program (SCUEP), failed due to fraud perpetrated by the former CEO, Edward M. Rostohar, who concealed the missing cash by understating member share balances on the financial statements, primarily related to share certificates. The fraud resulted in a loss of about $39.5 million to the National Credit Union Share Insurance Fund (NCUSIF), the federal fund that insures credit union members’ deposits.

Rostohar was able to conceal his activities for so long because of a lack of segregation of duties and dual controls, the report says. He had access to official credit union checks, which enabled him to alter the physical records of credit union checks; “super-user” access to the credit union accounting system, which enabled him to alter both the check payee information (electronic records of credit union checks) and file maintenance reports, which concealed this action; and sole responsibility for financial reporting, which gave him the ability to prepare fraudulent financial statements.

The IG review also revealed inadequate procedures for required Supervisory Committee audits (in at least one exam, audit documents were not obtained or reviewed) and member account verification procedures (with no evidence that the share subsidiary was reconciled to the statements printed by the print processor).

Examiners did not flag these issues for follow-up, which the IG notes might have resulted in discovery of Rostohar’s activities much earlier. This and other findings of the review led the IG to make two recommendations to NCUA for improving exam procedures:

  • Revise exam procedures to prioritize assessing and developing a risk response for credit unions that do not segregate certain key duties and do not require dual controls. These revisions should include a framework that examiners can use to assess the characteristics that indicate a lack of segregation of duties at a credit union, and additional procedures that examiners should perform when a lack of segregation of duties is apparent.
  • Amend guidance related to member account verifications. Specifically, the amended guidance should require reconciliation from the print processor to the share and loan subsidiaries when a statement verification is performed.

Agency management agreed with both recommendations, the report said. In connection with the first recommendation, management said they have established a working group to start evaluating the SCUEP, including evaluating current scope steps, requirements, policies, and fraud detection techniques, and plan to incorporate any working group recommendations into relevant policies, the Examiner’s Guide, training, and the Modern Examination and Risk Identification Tool (MERIT) by Dec. 31, 2021. On the second, they indicated that by Dec. 31, 2021, they will amend examiner guidance related to account verifications to include a reconciliation and any other fraud techniques.

C B S Employees FCU and the small-CU exam program

C B S Employees FCU over the previous several years was examined under SCUEP procedures. SCUEP was implemented nationally in 2012 following a brief pilot program in one of the NCUA regions. As explained in the IG report, SCUEP expanded the minimum required examination scope for nationally identified areas of elevated risk and reduced the minimum required examination scope in CAMEL 1, 2, or 3 federal credit unions with less than $10 million in total assets. The IG said NCUA officials indicated that the new scope requirements supplemented existing risk-focused exam practices “and do not replace the examiner’s judgment and responsibility to refine and adjust their scope.”

In 2015, the report noted, the NCUA issued instructions that set requirements for defined-scope examination with tiered procedures for SCUEP-eligible federal credit unions. Effective in 2015, SCUEP exams were required to focus resources on the areas that presented the greatest potential risk to the NCUSIF in those institutions: internal controls, recordkeeping, and lending. In the examinations for C B S, examiners applied SCUEP procedures, but those procedures failed to detect the fraud.

The IG noted that “had the NCUA followed National Supervision policies and identified the Supervisory Committee audits and member account verification procedures as unacceptable, and appropriately addressed identified risks related to the lack of segregation of duties and dual controls at the Credit Union, it may have identified the fraud sooner and may have mitigated the loss to the Share Insurance Fund.”

The report goes into great detail on how Rostohar carried out the fraud and hid it from his staff and board (though a footnote on page 5 and a paragraph on page 6 related to that discussion have been redacted). Rostohar, it notes, pleaded guilty to bank fraud last May; he was sentenced in September to 169 months in prison and ordered to pay $40,541,130 in restitution to NCUA.

NCUA Material Loss Review of C B S Employees Federal Credit Union (Report #OIG-20-01)