be_ixf;ym_201907 d_19; ct_100
Embezzlement Risk Management

If someone pitched you the story where the villain manages to steal over $40 million over 20 years from a financial institution so small that it only had $21 million in assets, you’d call the story far-fetched.

What if I told you he used his experience as an NCUA examiner over 30 years ago to hide his scam? And that both Variety and Deadline would cover the story?

In this case, the truth really is stranger than fiction, according to a fascinating collection of court documents.

L.A. Story

Edward Martin Rostohar, 62, was CEO of CBS Employees Federal Credit Union in Studio City, Calif., for 30 years—until the NCUA liquidated the financial institution upon discovery of Rostohar’s massive fraud last month. Rostohar was arrested in his car carrying his passport and $200,000 in cash after his wife called 911 saying her husband had stolen money and was planning to leave the country.

Rostohar is accused of stealing over $40 million since at least 2000 and gambling most of it away. He also opened a café in Reno, blew it on luxury cars and vacations, and gave his wife a $5,000-a-month allowance.

Playing the role of the ingenue in our story, Rostohar’s wife says she spent the cash on “food, clothes, and expenses related to her work as an aspiring recording artist,” noting that “making a music video and taking various classes was very expensive but that she hoped to become a recording artist in the near future.”

Catch Me If You Can Video: https://www.youtube.com/watch?v=_eKUQKv0_DY

Investigators say she wasn’t involved in the theft and was shocked to discover the amount stolen. Reminiscent of the scene from Catch Me If You Can, Rostohar’s wife says he came into their bedroom after being fired “in a panic,” saying, ‘I knew this day was coming. I’ve got to go. I have to leave the country. I’m a con. Everything is true. I don’t have time. I have to pack. I don’t want to go to jail. I’d rather die than go to jail.’”

Of course, in the movie Leonardo DiCaprio invites his wife along. Ostohar didn’t invite his wife and she reported him to police who promptly arrested him.

The Examiner Becomes the Examined

Rostohar’s well-practiced scheme involved altering the payees on credit union checks.

According to an FBI investigator’s affidavit: “His process was to pretend to withdraw funds from member accounts by using the credit union’s data processing system to issue a check with a blank payee. He then manually typed the name and address of a member on the credit union receipt to ensure the credit union’s physical records would show a member’s name and address as the payee information; the check was shown with a blank payee on the data processing system. Funds to issue the check were withdrawn from share account, number 9999999-S1. This share account belongs to the credit union and is used as a clearing account.

Once the credit union check was issued on the data processing system, he would manually type a payee of his choosing, most often reflecting his name or an associated party name. Then, he would deposit the altered check in an account that he controlled.”

A former NCUA examiner, Rostohar says that the agency’s examiners didn’t have any real-world banking experience and thus didn’t know what to look for. He also knew what the examiners would look at and adjusted them to hide his theft.

That included:

  • Quarter-end records. He adjusted the balance of the clearing account, depositing fake funds and taking the funds from the CU’s overall CD balance.
  • Negative earnings. Even if it was just $1,000, Rostohar edited records so earnings were always positive.

The Role of the Hero Will Be Played by the Assistant Manager

Rostohar’s alleged scheme worked for close to 20 years until the day an assistant manager went looking for a copy of a stopped check. While on the hunt, she was surprised to find a check for $35,000 made payable to Rostohar. Further investigation uncovered over $3.7 million in checks payable to Rostohar and signed by the credit union’s member services representative, according to court documents.

Shocker: The signatures were forged.

In a fit for a movie ending, Rostohar waived his Miranda Rights after his arrest and spilled his guts to the Los Angeles Police Department. He said that he first began by paying off his personal credit card with credit union funds in online accounts or forging checks. By the end he was just forging the MSR’s signature on credit union checks and depositing them. He estimated stealing over $40 million over 20 years.

ERM 101: What's COSO, and Why Should I Care?

Unanswered Risk Management Questions

This story raises so many questions that I don’t know where to begin. Rostohar explained how he was able to fool examiners, claiming they didn’t know how a credit union really worked. But what about other folks inside the bank?

Over $40 million went missing! That’s twice the value (200%) of the credit union’s assets at the time it was liquidated. How did it take 20 years for someone to notice? One would think that the disappearance of significant sums would have been noticed at some point. Rostohar’s alleged theft averaged $2 million a year. That kind of loss would go noticed even at a large institution.

You can argue that Rostohar’s fraud started out small and eventually got out of control. After all, stealing $3.7 million in under three months is downright brazen. But there should have been policies and procedures for reconciliation that caught Rostohar’s alleged shenanigans years ago. There should have been checks and balances and audits, not just of the books, but also of the adherence to policies and procedures.

What about the board? Clearly it wasn’t in due diligence and asking enough questions about financials, compliance, and how the CEO of a small credit union could afford to travel on a private jet. That alone should have raised a red flag.

Proper risk management could have prevented this problem. If the board had considered fraud as a potential risk, it might have crafted the aforementioned policies and procedures. It would have made it much harder to conduct the fraud and far more likely that someone at the credit union would uncover the fraud quickly.

But without risk management discussions, significant risks went unaddressed when a few simple controls could have made all the difference.

Epilogue: Where Are They Now?

Rostohar: Fired from his job and charged with two felony counts: bank fraud and aggravated identity theft. If found guilty, he could be sentenced up to 30 years in federal prison and fined as much as $1 million.

CBS Employees FCU: It was liquidated and discontinued operations due to insolvency. A nearby credit union assumed all assets, loans, and member shares.

Rostohar’s wife: Probably still in shock. She told investigators that her husband of nearly 15 years was the most honest person she knows.

The enterprising MSR who discovered the fraud: I don’t know what happened to her, but I’d like to think with good instincts like hers, she’s destined for great things.

 Featured image for Ask Me Anything Q&A
NGAGE 2019
COAST TO COAST
User Conference