The Risk is Real
By: Nena Groskind
Members of two association boards are chatting with an insurance agent at a conference. One of the trustees says: “We are so lucky to have Judy on our board. She handles all of the finances, and she’s been doing it for years. She keeps the books balanced and the bills paid. We don’t have to worry about any of the details, because we know she’s taking care of them.” The other board member replies: “Wish we had someone like that on our board.” But the insurance agent has a different response. He tells the first board member: “I’m glad we’re not insuring your community against fraud.”
Fraud isn’t a theoretical risk for condominium communities ― it is very real and all too common. Although these financial crimes differ in size and impact, they share two characteristics:
• They are almost always perpetrated by an insider – a manager or a board member, like Judy, whom everyone trusts; and
• They are largely, if not entirely, preventable.
“What boards should do,” Joel Meskin, vice president in charge of community association products for McGowan & Company, Inc. suggests, tongue firmly implanted in his cheek, “is put all the association’s funds in a box in a closet in the clubhouse, and post two sentries outside with large guns to guard the door.”
Actually, that is not at all what Meskin and other industry experts advise. We’ve compiled a list of the measures they do recommend to reduce the risks that make so many communities so vulnerable to fraud.
“Trust but Verify”
That’s the philosophy former President Ronald Reagan applied to his dealings with Russia, and Gregory Pierce, LIA, CPA, vice president and director of business development for NorthStar Insurance Services, Inc., thinks it would serve association boards equally well. “It’s never someone you don’t trust who steals from the association,” he says. “It is someone everyone trusts too much.”
“You should never make one person responsible for everything,” Meskin agrees. Both Meskin and Pierce emphasize the importance of strong internal controls anchored by a system of checks and balances in which duties are segregated and oversight is consistent. A few of the specifics:
• The person who reconciles bank account statements should not also be responsible for making the deposits; the individual(s) with check-writing authority should not review the bank statements.
• At least two board members (preferably, Meskin suggests, board members “who don’t like each other”) should receive original copies of the bank statements and should review them every month.
• The individual responsible for hiring employees or selecting vendors should not also be responsible for paying them. The risk here, Pierce says, is that the individual with hiring authority could receive kickbacks or create phantom contractors and channel payments to him(or her)self. “The more authority you give someone to hire vendors and approve cash disbursements,” Pierce cautions, “the more likely that authority will be abused.”
Require Multiple Approvals
If only one approval is needed for expenditures, fraud requires only motivation; if two or more approvals are needed, Pierce points out, fraud requires “collusion.” The more people involved in the process, the less likely any of them will be able to perpetrate a fraud. With that basic truth in mind, boards should:
• Require two signatures on checks above a specified minimum, written on the association’s operating account. What that minimum should be will depend in part on the size of the association and the amount of money at risk. Most industry experts agree that association managers should be authorized to write checks for recurring expenses without obtaining a second signature. But the consensus view is that $500 should be the outer limit for most communities. “I don’t care how inconvenient it is,” Meskin says. “There should be a limit on the size of the check a management company can write.” You don’t want to set the limit so low that association operations are impeded. On the other hand, the higher the limit, the larger the potential for loss. Pierce, who once worked as an auditor for a large accounting firm, recalls, “If a company had a $2,500 limit, you’d see a bunch of checks written for just under that amount.”
• Checks written on reserve accounts should require the signatures of two trustees – without exception, because the amounts at risk are so large. Industry experts, including association managers also agree that managers should not be allowed to approve withdrawals from the reserves.
Bankers who work with condominium associations have an interesting perspective on their check-writing policies. “I’m not a big fan of boards delegating their check-writing authority to managers,” Wesley Blair, senior vice president at Brookline Bank and CAI-NE’s current president, says. “I’m not saying anything against managers,” he adds, ‘but board members have a fiduciary responsibility to pay close attention to the association’s funds. I think it’s better money management for the trustees to sign off on the checks.”
That said, his bank doesn’t require multiple signatures for operating or reserve accounts. But it does require the board to adopt a formal resolution specifying who is authorized to sign the checks for both.
Exercise Due Diligence
Due diligence requires many protocols in many different areas. Some of the most important:
• Issue checks in numerical order; keep blank and unused checks in a secure location to which there is limited access.
• Change personal identification numbers and access codes regularly and keep them in a secure location, too.
• Require original invoices to document expense payment requests and stamp invoices ‘paid’ once the checks have been issued.
• Conduct background checks on association employees. Vet vendors carefully, as well.
• Require employees to take vacations every year. While the individual who never takes time off may be truly dedicated, it is also possible ― and even likely, Meskin suggests — that this individual doesn’t want anyone to look too closely at what he or she is doing.
• Obtain an audit or a financial review annually. Some state laws require this for larger communities (more than 50 units in Massachusetts); some association bylaws require audits or reviews, as well. But required or not, independent financial reviews make sense for communities of all sizes. Audits and reviews won’t necessarily uncover fraud (although they may spot irregularities suggesting something is amiss), Pierce says. “But they can deter fraud,” he notes, because people are less likely to misbehave if they know someone is looking over their shoulder. Security experts call this “hardening the target.” The more controls you have in place, the more difficult you make it for bad actors to act badly, the less likely they are to do so.
Insure Against Loss
All of the steps we’ve described here will reduce your fraud risks, but nothing you do can eliminate those risks entirely. Insurance provides the safety net that will protect you from losses if other precautions fail. All condominium associations should have fidelity and crime coverage – sometimes these policies are packaged together, sometimes they are packaged separately, but you need both. A fidelity policy insures against fraud committed by an employee; crime coverage kicks in for crimes committed by non-employees – the hacker in China who drains the association’s bank account, for example, or the owner of the management company who (unlike the association’s manager) would not be considered an employee and would not be covered by the fidelity policy.
If board members don’t understand this coverage (and many do not, Meskin says), their associations may not be adequately insured. That was the case at a community Meskin recalls (not in New England) from which the husband and wife owners of the management company stole more than $3 million. The wife co-owner, who was responsible for purchasing the insurance, hadn’t bought any fidelity coverage for the association. She had a $250,000 fidelity policy for the management company, but it only covered employees; it didn’t cover the owners, who had stolen the money. This example highlights several essential precautions, Meskin suggests, primary among them:
• Require your management company to have its own fidelity coverage, and make sure you know the details – how much coverage the policy provides and who is covered under it.
• Make sure the association’s fidelity policy either:
Identifies (by name) directors, officers, volunteers and committee members as employees covered under the policy; or
Includes them as agents on a policy endorsement.
• Make sure the association’s coverage equals the funds at risk or, if less than that, complies with secondary market requirements, applicable state laws and/or the association’s bylaws.
Watch for Red Flags
Evidence of fraud isn’t always buried in the association’s financial statements; sometimes it is hiding in plain sight. This comes back to trusting some people too much. It is called blind trust, because it can obscure your vision and your judgment. Meskin explains: “There’s Betty, who makes $20,000 a year as a bookkeeper. She’s always available, always willing to help. She bakes cookies for the annual meeting – everyone loves her. So no one asks how she’s able to afford the Mercedes she drives or pay for an expensive nursing home for her parents.”
Fraud isn’t always that obvious. Meskin also recalls the retired resident of an old New York co-operative who volunteered to collect the coins from the building’s laundry facilities — a job no one else wanted. He did this for years, earning the gratitude of board members and other residents. It was only after he died and the board took over the collections that they realized their reliable volunteer had been not so reliably reporting considerably less money than he’d been collecting – and he’d been doing that for more than 20 years.
The obvious message for boards is the one Pierce noted earlier: “Trust but verify.” Check the details, watch for anomalies (vendor names you don’t recognize, the $10 solvent you’ve been buying for years that suddenly appears as a $25 charge); ask questions – even of your most “trusted” employees or volunteers. Count those laundry room coins yourself every now and again.
Insurance companies look carefully at the security measures associations have in place when underwriting fraud and crime policies for them. But Meskin says he’s found that the best risks are associations that have had a large fidelity crime claim in the past, because they have learned, the hard way, that crime is not something that happens only to other communities.
“Once that bell has been rung,” Meskin says, “you know the chances it will be rung again are pretty slim.” □