Fraud and cybercrime have been a concern for corporate treasurers for several years, and this past year showed us that there is a new risk to consider: connectivity. The stories of banks being hacked and losing millions through unauthorized payments shook the industry, since protecting payment connectivity workflows was low on the priorities list for treasury.
While unfortunate for those involved, there are valuable lessons to be learned for the rest of us in treasury:
1) Protect payment systems from unauthorized access. Corporates have many options – bank portals, treasury management systems, ERPs – that offer the ability to initiate and approve payments. Each and every one of these systems should be protected by more than a user ID and password. The CIO in every organization has likely set a standard for user authentication; treasury needs to align with that standard to ensure that financial systems are secure from unauthorized entry. Sometimes that minimum standard is multi-factor authentication, but often it is a combination of safeguards. The CIO will already have set a policy that treasury should follow.
Additional reading: Centralizing corporate Payments to Improve Efficiency and Reduce Fraud
2) Standardize payment processes. Unfortunately, it is not uncommon to see inconsistencies in payment policy. Payment policy should be applied consistently across all types of payments, all systems used to initiate or approve payments, and all geographies and banks. There must be one payment policy that is then applied to each of these scenarios. Inconsistency in payment controls creates exposures that can be exploited. While every treasurer employs separation of duties and likely assigns limits to those duties, it is important to ensure that the payment policies are global – across the entire organization, covering every payment scenario. Integration and/or consolidation of payment systems can help with that, of course. The key is to ensure that you do not have a “weakest link” that is beyond the visibility of treasury.
3) Secure payment files in transit between systems. Whether payment information within files is sent directly to the bank or exchanged between internal systems first, it is always important to keep this information secure and away from internal or external threats. The more systems involved, the more risk: for example, ERP + TMS + service bureau. Reducing the number of systems used to approve and release payments is one solution; applying digital signatures to authenticate payment files is another. The important point is to ensure that what the bank receives is what was released at initiation, securely transmitted through the entire payment workflow.
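As an added illustration of the digital-signature approach in point 3 (this is example code written for this article, not Kyriba's product code or any bank's file format), the following Go program signs a payment file with Ed25519 at the point of release and verifies it at the receiving hop. The record layout, references and IBANs are constructed sample values; the point it demonstrates is that a one-digit change to an amount in transit makes the signature fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample payment file in a hypothetical record format
// (not a real bank or ERP format). The IBANs are published test values.
const samplePaymentFile = "PAYMENT,REF-0001,EUR,12500.00,DE89370400440532013000\n" +
	"PAYMENT,REF-0002,USD,980.50,GB29NWBK60161331926819\n"

// GenerateSigningKey creates the key pair held by the system that releases
// the file. In practice the private key lives in an HSM or key vault; the
// public key is what the receiving system (TMS, service bureau, bank) pins.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignPaymentFile returns a detached Ed25519 signature over the exact bytes
// released. Any later change to the file, however small, invalidates it.
func SignPaymentFile(priv ed25519.PrivateKey, file []byte) []byte {
	return ed25519.Sign(priv, file)
}

// VerifyPaymentFile is what each hop in the workflow runs before acting on
// the file: it accepts the bytes only if they match the signature.
func VerifyPaymentFile(pub ed25519.PublicKey, file, sig []byte) bool {
	return ed25519.Verify(pub, file, sig)
}

// FileFingerprint is the SHA-256 of the released bytes, useful to record at
// release time and later match against what the bank reports receiving.
func FileFingerprint(file []byte) string {
	sum := sha256.Sum256(file)
	return hex.EncodeToString(sum[:])
}

// TamperedCopy simulates an in-transit modification: the first amount is
// inflated tenfold. Everything else in the file is unchanged.
func TamperedCopy(file []byte) []byte {
	return []byte(strings.Replace(string(file), "12500.00", "125000.00", 1))
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	file := []byte(samplePaymentFile)
	sig := SignPaymentFile(priv, file)
	fmt.Println("fingerprint:      ", FileFingerprint(file))
	fmt.Println("original verifies:", VerifyPaymentFile(pub, file, sig))
	fmt.Println("tampered verifies:", VerifyPaymentFile(pub, TamperedCopy(file), sig))
}
```

The signature travels with the file as a separate artifact, and the verifying side trusts only a public key it has pinned out of band; if the key were delivered in the same channel as the file, an attacker who could alter the file could replace the key too. The fingerprint gives the control team a stable identifier for the exact bytes released, independent of file names.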
Additional reading: Reducing the risk of fraud with Kyriba
4) Review acknowledgements and reconcile outgoing payments. Every bank provides confirmation that payments have been received. Some payment channels (e.g. SWIFT) offer more acknowledgements than others, but whatever level of confirmation is received, it is critical to review it and confirm that what the bank received and processed matches what your systems sent. Running intra-day and prior-day bank statement reconciliation reports is also recommended as an additional checkpoint, so that treasury can confirm that what was sent matches what was processed.
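The reconciliation in point 4 is mechanical enough to automate, and the following Go example (written for this article; not Kyriba's code, and the reference numbers, accounts and bank status values are constructed) shows the comparison a control team wants: every sent payment must have exactly one matching acknowledgement, and every acknowledgement must correspond to a payment that was actually sent. The last case, a payment the bank processed that treasury never released, is the one that matters most in a connectivity compromise.

```go
package main

import (
	"fmt"
	"sort"
)

// Payment is one instruction as recorded by the sending system. Amounts are
// kept in minor units (cents) so comparisons are exact.
type Payment struct {
	Ref, Currency, Account string
	Amount                 int64
}

// Ack is one entry from the bank's acknowledgement or processed-payments report.
type Ack struct {
	Ref, Currency, Account string
	Amount                 int64
	Status                 string // e.g. "ACCEPTED", "REJECTED"
}

// Exception is a reconciliation break that treasury must review.
type Exception struct {
	Ref, Reason string
}

// SampleSent returns constructed sample instructions (hypothetical data).
func SampleSent() []Payment {
	return []Payment{
		{"REF-0001", "EUR", "DE89370400440532013000", 1250000},
		{"REF-0002", "USD", "GB29NWBK60161331926819", 98050},
		{"REF-0003", "EUR", "DE89370400440532013000", 4200000},
		{"REF-0004", "GBP", "GB29NWBK60161331926819", 75000},
	}
}

// SampleAcks returns a constructed bank report containing three kinds of break.
func SampleAcks() []Ack {
	return []Ack{
		{"REF-0001", "EUR", "DE89370400440532013000", 1250000, "ACCEPTED"},
		{"REF-0002", "USD", "GB29NWBK60161331926819", 980500, "ACCEPTED"}, // amount x10
		{"REF-0003", "EUR", "XX00TEST00000000000001", 4200000, "ACCEPTED"}, // account differs
		{"REF-0005", "EUR", "XX00TEST00000000000002", 9900000, "ACCEPTED"}, // never sent
	}
}

// Reconcile compares what was sent with what the bank reports and returns
// every break, sorted by reference so the output is stable for review.
func Reconcile(sent []Payment, acks []Ack) []Exception {
	var out []Exception
	sentByRef := make(map[string]Payment, len(sent))
	for _, p := range sent {
		sentByRef[p.Ref] = p
	}
	seen := make(map[string]bool)
	for _, a := range acks {
		p, ok := sentByRef[a.Ref]
		if !ok {
			out = append(out, Exception{a.Ref, "acknowledged by bank but never sent"})
			continue
		}
		if seen[a.Ref] {
			out = append(out, Exception{a.Ref, "duplicate acknowledgement"})
			continue
		}
		seen[a.Ref] = true
		switch {
		case a.Status != "ACCEPTED":
			out = append(out, Exception{a.Ref, "bank status " + a.Status})
		case a.Amount != p.Amount || a.Currency != p.Currency:
			out = append(out, Exception{a.Ref, fmt.Sprintf(
				"amount mismatch: sent %d %s, bank %d %s", p.Amount, p.Currency, a.Amount, a.Currency)})
		case a.Account != p.Account:
			out = append(out, Exception{a.Ref, "beneficiary account differs from what was sent"})
		}
	}
	for _, p := range sent {
		if !seen[p.Ref] {
			out = append(out, Exception{p.Ref, "no acknowledgement received"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Ref < out[j].Ref })
	return out
}

func main() {
	for _, e := range Reconcile(SampleSent(), SampleAcks()) {
		fmt.Printf("%s: %s\n", e.Ref, e.Reason)
	}
}
```

On the constructed data this reports four breaks: the inflated amount on REF-0002, the changed beneficiary on REF-0003, the missing acknowledgement for REF-0004 and the unknown REF-0005. The same function applied to prior-day statement lines instead of acknowledgements gives the second checkpoint the point above recommends.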
5) Implement an internal control center. While difficult to implement in a spreadsheet environment, most treasury and payment systems will have some sort of control center that monitors outgoing payment files as well as any system workflow changes – such as modifications to approvers, changes to limits, or updates to payment instructions. Active monitoring of transactions is important, but just as critical is visibility into the workflow changes. Ideally this would be presented in a dashboard as well as in an email-friendly format, to make exceptions easier to identify.
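To make point 5 concrete, here is a small Go control-center routine written for this article (not Kyriba's code; the audit-log format, user names and event names are hypothetical). It surfaces every approver, limit and beneficiary change for review, flags unparsable audit lines (a silent gap in the audit trail is itself an exception), and escalates to high severity any change or release performed by a user whose own approver rights or limits were altered shortly before, which is the sequence a control team most wants to see together rather than as separate entries.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed audit-log lines in a hypothetical format "ts|actor|event|k=v;k=v".
// Real TMS/ERP audit exports differ; only ParseEvent would need to change.
var sampleAuditLog = []string{
	"2016-11-02T09:14:05Z|jsmith|PAYMENT_RELEASED|file=PAY-20161102-01;count=12",
	"2016-11-02T09:20:41Z|sysadmin|APPROVER_ADDED|user=tgray;group=wire-approvers",
	"2016-11-02T09:22:10Z|sysadmin|LIMIT_CHANGED|user=tgray;old=50000;new=5000000",
	"2016-11-02T09:25:33Z|tgray|BENEFICIARY_UPDATED|vendor=ACME;field=account",
	"2016-11-02T09:30:00Z|jsmith|PAYMENT_RELEASED|file=PAY-20161102-02;count=1",
	"not an audit record",
}

type Event struct {
	Time    time.Time
	Actor   string
	Kind    string
	Details map[string]string
}

type Alert struct {
	Time     time.Time
	Severity string // "review", "high" or "malformed"
	Message  string
}

// Workflow changes that the control center must always surface.
var workflowChange = map[string]bool{
	"APPROVER_ADDED": true, "APPROVER_REMOVED": true,
	"LIMIT_CHANGED": true, "BENEFICIARY_UPDATED": true,
}

// ParseEvent turns one audit line into an Event or reports why it cannot.
func ParseEvent(line string) (Event, error) {
	f := strings.Split(line, "|")
	if len(f) != 4 {
		return Event{}, fmt.Errorf("expected 4 fields, got %d", len(f))
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	det := map[string]string{}
	for _, kv := range strings.Split(f[3], ";") {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			det[p[0]] = p[1]
		}
	}
	return Event{Time: ts, Actor: f[1], Kind: f[2], Details: det}, nil
}

// MonitorWorkflow raises one alert per workflow change and per unparsable
// line, in log order, and escalates to "high" any change or release done by
// a user whose rights or limits were themselves changed within window.
func MonitorWorkflow(lines []string, window time.Duration) []Alert {
	var alerts []Alert
	elevated := map[string]time.Time{} // user -> time of last rights/limit change
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			alerts = append(alerts, Alert{Severity: "malformed",
				Message: fmt.Sprintf("unparsable audit line %q: %v", line, err)})
			continue
		}
		if !workflowChange[ev.Kind] && ev.Kind != "PAYMENT_RELEASED" {
			continue
		}
		if ev.Kind == "APPROVER_ADDED" || ev.Kind == "LIMIT_CHANGED" {
			if u := ev.Details["user"]; u != "" {
				elevated[u] = ev.Time
			}
		}
		sev := ""
		if workflowChange[ev.Kind] {
			sev = "review"
		}
		if t, ok := elevated[ev.Actor]; ok && ev.Time.Sub(t) <= window {
			sev = "high"
		}
		if sev == "" {
			continue // routine release by a user with no recent rights change
		}
		alerts = append(alerts, Alert{ev.Time, sev,
			fmt.Sprintf("%s by %s (%s)", ev.Kind, ev.Actor, summarise(ev.Details))})
	}
	return alerts
}

// summarise renders details in a fixed key order so digests are reproducible.
func summarise(d map[string]string) string {
	keys := make([]string, 0, len(d))
	for k := range d {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+d[k])
	}
	return strings.Join(parts, ", ")
}

func main() {
	// Plain-text output doubles as the e-mail friendly form of the report.
	for _, a := range MonitorWorkflow(sampleAuditLog, 30*time.Minute) {
		fmt.Printf("[%-9s] %s %s\n", a.Severity, a.Time.Format(time.RFC3339), a.Message)
	}
}
```

On the constructed log this yields two review alerts for the administrator's changes, one high alert for the beneficiary update made minutes after the same user's limit was raised, and one malformed-line alert; releases by users with no recent rights change produce nothing, which keeps the digest short enough to be read every day.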
While 2016 introduced us to risks in payment connectivity that we may not previously have considered, there are best practices to keep your payments safe. For more information, please feel free to review our webinar with the AFP as well as the AFP’s Treasury in Practice guide on securing your bank connectivity.