The Fraud Risk Inside Your Walls

The scary fact: 31% of credit union members are more likely to leave their institution after a fraud event — even when the credit union itself wasn't at fault.

In 2023, an Operations Manager at Altana Federal Credit Union in Billings, Montana whose job it was to oversee the fraud alert process — the very system designed to catch suspicious activity and protect members — was the one embezzling money.

She used her access to steal from them.

How? Throughout that year, she created duplicate bank cards for member accounts, took undelivered cards from Altana's mail, and used them for personal purchases at Target, Walmart, and online retailers. When members noticed fraudulent charges and filed claims, she personally handled those claims to prevent detection.

It worked — until an Altana member reported one of the purchases directly to law enforcement. When a detective called the credit union to investigate, she downloaded a recording of the call, fled the building, and never returned.

She was sentenced in May 2025 to more than a year in federal prison and ordered to pay over $65,000 in restitution. Altana reimbursed every member she stole from. In his victim impact statement, CEO Jason Hagadone said the credit union "suffered significant reputation risk from this incident."

This is a scenario examiners have in mind when they ask about your internal controls.

Where the Gaps Are

The Association of Certified Fraud Examiners found that internal control weaknesses were responsible for nearly half of all occupational fraud in their 2024 report. Not sophisticated hacking or elaborate external schemes. But rather gaps in oversight — the kind that accumulate when teams are stretched thin and trusted employees handle multiple steps in a process without secondary review.

The FTC reported $12.5 billion in fraud losses across financial institutions in 2024, a 25% increase from the year before. But the statistic that should keep credit union leaders up at night comes from Javelin Strategy & Research: 31% of members are more likely to leave their institution after a fraud event — even when the credit union itself wasn't at fault.

Members remember that something went wrong while their money was in your care. The reputational damage can outlast the financial loss by years.

What Examiners Will Evaluate

The NCUA examiners will review the effectiveness of internal controls, including the effectiveness of segregation of duties, governance structures, and safeguards designed to prevent and detect insider abuse. The agency has also committed to refining its examination procedures to keep pace with the evolving fraud landscape.

They're looking for evidence that your controls function in practice — not just that they exist in written policy.

If you have a lean team, where the same person might handle member onboarding, process transactions, and reconcile accounts, ask yourself what compensating controls are in place? Secondary reviews. Exception reporting. Audit trails. Rotation of duties where possible. These types of mechanisms prevent a single point of failure from becoming a single point of exposure.

Monitoring matters here, too. The irony is that internal fraud rarely looks suspicious. It hides in patterns: small overrides that accumulate, transactions that pass procedural review, but repeat in patterns that don't make sense, behavior that only stands out when you're looking for it. Catching problems early requires systems designed to surface anomalies. Simply blocking intrusions is not enough.

Trust Isn't a Control

It comes as no surprise that internal fraud is exceptionally difficult to talk about because it usually isn't committed by people who seemed like risks when you hired them.

The Altana case is instructive and worth paying attention to. The Operations Manager wasn't a new employee testing boundaries. She was the person responsible for protecting others from fraud. She had the access, the knowledge, and the trust that came with her role. She exploited all three.

Small credit unions are built on relationships. You know your team. You've worked alongside them for years. That trust is what makes credit unions different. But trust can't be the only safeguard standing between a member's account and an employee who finds themselves in personal financial trouble and sees an opportunity.

Managing this risk well doesn't mean assuming the worst about your people. Instead, it's around building systems that make misconduct harder to commit and easier to detect — so that trust is reinforced by structure and repetition.

Building the Framework

Developing the internal controls that satisfy examiners and protect your members doesn't require a compliance department you can't afford or even an additional headcount. It requires the right expertise applied to your specific risk profile.

JNTtek's Compliance as a Service and Fractional Chief Risk Officer offerings exist for exactly this purpose — to help credit unions under $1B build governance structures that match enterprise expectations without enterprise-scale headcount. Control assessments. Policy development. Ongoing monitoring. The infrastructure that makes examiners confident in your answers and members confident in your institution.

Altana's Operations Manager's fraud went undetected because she was the person in charge of detecting it. Would your controls catch someone in a similar position — or would you only find out when a member calls the police? Don't let it be the latter.

This is the third article in our series on preparing for NCUA examinations in 2026. Previously, we explored AI readiness and the questions your team should be asking, and cybersecurity governance and why the threat landscape — not your asset size — sets the bar. Together, these pieces address three risk areas examiners are prioritizing this year: operational risk from emerging technology, third-party vendor oversight, and fraud prevention and internal controls.