Managing corporate payments is becoming a riskier proposition. The threat level, primarily due to fraud and cybercrime, is growing in volume and sophistication. The AFP Payments Fraud and Control Survey found that 73% of organizations were the target of payment fraud in 2015, with 42% reporting that fraud attempts were successful.
Fortunately, there are best practices that corporate treasurers can implement to reduce the risk of fraud occurring and to improve how quickly fraud is detected should an event occur.
1. Securing access to payment systems
The first level of defense is to ensure that only authorized users are logging in to systems that can initiate, approve, and transmit payments. Depending on the technology used, this may include bank portals, treasury management systems, or ERP solutions. Two-factor authentication – either a hard token (e.g. a key fob) or a soft token (e.g. a digital key sent to your smartphone) – is the minimum any treasury team should require.
Further safeguards include IP filtering, virtual keypads, encrypted VPNs, and single sign-on (SSO) with internal systems. SSO requires some collaboration with internal IT, but it often remains the preference of the CIO’s office. Whatever methods are chosen, combining several of them is recommended to maximize protection, so that more than a user ID and password is required to access payment systems.
2. Encrypted data
There are typically two areas of encryption necessary in treasury. The first is encrypting data at rest. This simple technique prevents any user (or criminal) who gains control of the data within the database from being able to read or understand that information.
If treasury systems are hosted on premises, this will be the responsibility of the CIO’s office. If payment systems are in the cloud, this is 100% the responsibility of the software vendor. It should never be assumed that encryption at rest is offered; it must be validated, as not all payment systems encrypt data at rest.
The second encryption requirement is to ensure that data in transit is encrypted. “In transit” may mean between the treasury system and the bank, or between the ERP and a payment aggregator/hub, such as a SWIFT solution. At no point should a human-readable file containing payment instructions be accessible to any user – authorized or unauthorized.
3. Standardized payment workflows
Many organizations manage payments that are initiated by multiple people in different geographies. Whatever the level of decentralization, it is important to have a global payment policy that encompasses payments initiated in different countries, across all banks, for all payment types, and for various notional amounts.
Cybercriminals and internal fraudsters prey on inconsistency in payment procedures. If there are payments that don’t require approval, or certain scenarios where payment initiation is not followed by review of supporting documentation, fraudsters will find those weaknesses through business email compromise (BEC) schemes and imposter fraud. Standardizing workflows provides the consistency needed so that CFOs and treasurers can be assured that all payments are initiated, approved, and transmitted in alignment with corporate policy – which will increase transparency and reduce risk.
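The standardization the section argues for is easiest to see as a single policy check that every payment passes through, whatever its country, bank, or type. The following is an added example, not code from the original article or from Kyriba: it evaluates a constructed batch of payments against one assumed global policy (approver other than the initiator, dual approval above a threshold, supporting documentation for wires and larger amounts) and lists the gaps a fraudster would otherwise look for. The field names and thresholds are assumptions for illustration.

```python
"""Added example (not part of the original article or any vendor's code):
apply one global payment policy to every payment, whatever its country,
bank, payment type, or amount, and list the violations a fraudster could
otherwise exploit. Field names and thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Payment:
    payment_id: str
    country: str
    bank: str
    payment_type: str              # e.g. "wire" or "ach"
    amount: float
    initiator: str
    approvers: List[str] = field(default_factory=list)
    supporting_doc: Optional[str] = None   # invoice/PO reference, if any


# Assumed global policy (thresholds are made up): every payment needs an
# approver other than the initiator, large amounts need two, and wires or
# larger payments need supporting documentation before transmission.
POLICY = {
    "min_approvers": 1,
    "dual_approval_above": 50_000.0,
    "doc_required_above": 10_000.0,
    "doc_always_required_types": {"wire"},
}


def evaluate_payment(p: Payment, policy: dict = POLICY) -> List[str]:
    """Return the policy violations for one payment (empty list = compliant)."""
    violations = []
    required = policy["min_approvers"]
    if p.amount > policy["dual_approval_above"]:
        required = max(required, 2)
    # Segregation of duties: an approval by the initiator does not count.
    independent = [a for a in p.approvers if a != p.initiator]
    if len(independent) < required:
        violations.append(f"{p.payment_id}: needs {required} independent "
                          f"approver(s), has {len(independent)}")
    if p.initiator in p.approvers:
        violations.append(f"{p.payment_id}: initiator {p.initiator} approved their own payment")
    needs_doc = (p.amount > policy["doc_required_above"]
                 or p.payment_type in policy["doc_always_required_types"])
    if needs_doc and not p.supporting_doc:
        violations.append(f"{p.payment_id}: supporting documentation missing")
    return violations


def check_batch(payments: List[Payment]) -> Dict[str, List[str]]:
    """Apply the same policy to a batch from any origin; return only the offenders."""
    report = {}
    for p in payments:
        issues = evaluate_payment(p)
        if issues:
            report[p.payment_id] = issues
    return report


# Constructed batch spanning several countries, banks, and payment types.
SAMPLE = [
    Payment("P1", "US", "BankA", "ach", 2_500.0, "alice", ["bob"]),
    Payment("P2", "DE", "BankB", "wire", 8_000.0, "carol", ["carol"]),            # self-approved, no document
    Payment("P3", "SG", "BankC", "wire", 75_000.0, "dave", ["erin"], "INV-1001"),  # only one approver
    Payment("P4", "GB", "BankB", "ach", 20_000.0, "frank"),                        # no approval at all
]

if __name__ == "__main__":
    for pid, issues in check_batch(SAMPLE).items():
        print(pid, issues)
```

The point of the design is that the policy object is the only place rules live: a payment initiated in a different country or through a different bank cannot quietly follow a weaker procedure, because there is no second procedure to follow.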
4. Central control center
Large treasury operations with significant payment volumes are challenged to review every single workflow, limit, and approval change – which is why a central dashboard for change management is a best practice. The need for proactive monitoring has never been higher, especially as cybercriminals who surveil their targets are increasingly able to uncover and exploit treasury’s overall lack of visibility and control over payments.
While every treasurer will have slightly different activities to monitor, common requirements include tracking new account signatories, changes to user duties, updates of approval limits, acknowledgements of all imported and exported data, and – especially for payments – acknowledgements (ACKs) of payment transmission through each stage of the workflow, from payment system to payment hub to transmission protocol (e.g. SWIFT or FTP) to initiating bank.
A central dashboard or control center offers the visibility across all of these changes and updates, enabling treasurers to be more in control of their cash and payment workflows.
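As an added example (not code from the original article or from any vendor's control center), the script below shows the two kinds of monitoring the section describes over a constructed event feed: it follows each payment's ACKs through the four stages named above and reports payments that stall or that reach a later stage without the earlier ACKs, and it queues control changes (new signatories, self-applied limit changes) for a treasurer's review. The event shape, stage names, and user names are assumptions.

```python
"""Added example (not part of the original article or any vendor's product):
a minimal control-center check that follows each payment's acknowledgements
(ACKs) through the workflow stages the article lists and queues control
changes for review. Event shapes and user names are constructed assumptions."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Workflow stages in order: payment system -> payment hub -> transmission
# protocol (e.g. SWIFT or FTP) -> initiating bank.
STAGES = ["payment_system", "payment_hub", "transmission", "bank"]

# Constructed event feed: ACKs per stage plus control-change records.
EVENTS = [
    {"type": "ack", "payment_id": "P1", "stage": "payment_system"},
    {"type": "ack", "payment_id": "P1", "stage": "payment_hub"},
    {"type": "ack", "payment_id": "P1", "stage": "transmission"},
    {"type": "ack", "payment_id": "P1", "stage": "bank"},
    {"type": "ack", "payment_id": "P2", "stage": "payment_system"},
    {"type": "ack", "payment_id": "P2", "stage": "payment_hub"},     # stalls before transmission
    {"type": "ack", "payment_id": "P3", "stage": "payment_system"},
    {"type": "ack", "payment_id": "P3", "stage": "bank"},            # reached the bank, hub never saw it
    {"type": "change", "what": "approval_limit", "user": "bob", "old": 50000, "new": 500000, "by": "bob"},
    {"type": "change", "what": "signatory_added", "user": "mallory", "by": "admin"},
    {"type": "change", "what": "duties_updated", "user": "carol", "by": "admin"},
]


def ack_status(events) -> Dict[str, Tuple[List[str], Optional[str], bool]]:
    """Per payment: (stages acknowledged, first missing stage or None, skipped-stage flag)."""
    acked = defaultdict(set)
    for e in events:
        if e["type"] == "ack":
            acked[e["payment_id"]].add(e["stage"])
    status = {}
    for pid, stages in acked.items():
        missing = next((s for s in STAGES if s not in stages), None)
        # A later-stage ACK with an earlier one absent means the payment
        # travelled a path the controlled workflow did not record.
        skipped = missing is not None and any(
            STAGES.index(s) > STAGES.index(missing) for s in stages)
        status[pid] = (sorted(stages, key=STAGES.index), missing, skipped)
    return status


def stalled_payments(events) -> List[str]:
    """Payments that have not yet been acknowledged by every stage."""
    return sorted(pid for pid, (_, missing, _) in ack_status(events).items() if missing)


def bypassed_payments(events) -> List[str]:
    """Payments acknowledged downstream while an upstream ACK is absent."""
    return sorted(pid for pid, (_, _, skipped) in ack_status(events).items() if skipped)


def change_review_queue(events) -> List[str]:
    """Control changes a treasurer should see: self-applied changes and new signatories."""
    queue = []
    for e in events:
        if e["type"] != "change":
            continue
        if e.get("by") == e.get("user"):
            queue.append(f"{e['what']} for {e['user']} was applied by {e['user']} themselves")
        elif e["what"] == "signatory_added":
            queue.append(f"new signatory {e['user']} added by {e['by']}")
    return queue


if __name__ == "__main__":
    print("stalled:", stalled_payments(EVENTS))
    print("bypassed:", bypassed_payments(EVENTS))
    for item in change_review_queue(EVENTS):
        print("review:", item)
```

The "bypassed" case is the one worth a second look on a real dashboard: a bank-level ACK with no hub or transmission ACK behind it is exactly the kind of gap in visibility the section says should be closed.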
5. Watchlist screening
Every bank compares payments received from corporate customers against industry watchlists, such as OFAC in the US or the EU and UN lists globally. However, treasurers take unnecessary risk by relying on their banks as the exclusive determinant of which payments pass or fail this check. Integrating watchlist screening into your payment process and technology will not only identify suspect payments – which may have been initiated through fraudulent behavior – but will also give treasury teams advance notice that the bank will request more documentation to support legitimate payments. This advance notice should not be underestimated, as even a valid payment flagged by an OFAC check can be tied up for many days while the bank performs its due diligence. Reducing this wait time reduces costs, in addition to reducing risk.
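To show what screening before transmission looks like in practice, here is an added example that is not code from the original article or from Kyriba, and whose watchlist entries are constructed placeholders rather than real OFAC, EU, or UN data. It normalizes beneficiary names (accents, case, punctuation, generic corporate suffixes) and combines character-level similarity with token overlap so that suffix variants and small typos still match; the matching method and the threshold are illustrative assumptions, not any vendor's algorithm.

```python
"""Added example (not part of the original article or any vendor's code):
screen beneficiary names in a payment batch against a watchlist before the
file goes to the bank. List entries are constructed placeholders, NOT real
sanctions data; the matching approach and threshold are illustrations."""
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple

# Constructed placeholder watchlist (NOT real OFAC/EU/UN entries).
WATCHLIST = [
    "Example Trading Company Ltd",
    "Placeholder Holdings LLC",
    "Sample Individual Name",
]

# Corporate suffixes carry little identity information; dropping them lets
# "Acme Ltd" and "Acme Limited" compare on the distinctive part.
STOPWORDS = {"ltd", "limited", "llc", "inc", "co", "company", "corp",
             "corporation", "gmbh", "sa"}


def normalize(name: str) -> str:
    """Strip accents, punctuation, case, and generic corporate suffixes."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower()).split()
    return " ".join(t for t in tokens if t not in STOPWORDS)


def similarity(a: str, b: str) -> float:
    """Best of character-level ratio and token-set (Jaccard) overlap, 0.0..1.0."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    seq = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    jaccard = len(ta & tb) / len(ta | tb)
    return max(seq, jaccard)


def screen(beneficiary: str, watchlist: List[str] = WATCHLIST,
           threshold: float = 0.85) -> Tuple[float, Optional[str]]:
    """Return (best score, matched entry) or (best score, None) below the threshold."""
    score, entry = max(((similarity(beneficiary, w), w) for w in watchlist),
                       key=lambda pair: pair[0])
    return (score, entry) if score >= threshold else (score, None)


def screen_batch(payments: List[dict], threshold: float = 0.85) -> Dict[str, str]:
    """Hold payments whose beneficiary matches; return {payment_id: matched entry}."""
    held = {}
    for p in payments:
        _, hit = screen(p["beneficiary"], threshold=threshold)
        if hit:
            held[p["payment_id"]] = hit
    return held


# Constructed payment batch: one clean name, one suffix/case variant, one typo.
SAMPLE_PAYMENTS = [
    {"payment_id": "P1", "beneficiary": "Acme Widgets GmbH"},
    {"payment_id": "P2", "beneficiary": "EXAMPLE TRADING CO. LIMITED"},
    {"payment_id": "P3", "beneficiary": "Placehlder Holdings"},
]

if __name__ == "__main__":
    for pid, entry in screen_batch(SAMPLE_PAYMENTS).items():
        print(f"hold {pid}: matches watchlist entry '{entry}'")
```

Held payments are the advance notice the section talks about: treasury can assemble the supporting documentation, or stop a payment that should never have been initiated, before the bank raises the same flag. A lower threshold catches more variants at the cost of more legitimate payments held for review, so the value should be tuned against real false-positive rates rather than guessed.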
6. Multiple points of reconciliation
In addition to all the fraud prevention and detection mechanisms and processes implemented to make payments less risky, it remains an absolute must to reconcile the payments sent to the bank against the payments the bank confirms it received. This is a same-day (current day) activity that can identify a fraudulent payment in sufficient time to take corrective action.
In addition, prior-day reconciliation of all disbursements is important, as the prior-day transaction file (BAI, MT940, XML CAMT, etc.) provides sufficient detail to automatically match expected payments to recorded transactions, meaning that exception reports can also be generated automatically.
These checks and balances are necessary even if all payments are centralized through the ERP or treasury management system, to ensure that no payments were transmitted by other means.
Every treasury team's objective in reducing payment risk is to minimize the likelihood that unauthorized payments are transmitted to the bank while keeping payment workflows uninterrupted. Technology can play a key role by offering visibility, control, and validation of change management, so that treasurers remain efficient and productive at managing corporate payments.
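The reconciliation and automatic exception report described across the three paragraphs above, as an added example that is not code from the original article or from Kyriba: it matches what the treasury system sent against what the bank reports on reference, and sorts the differences into the categories a treasurer needs to act on, including the "transmitted by other means" case. The records are constructed and simplified; in practice the BAI, MT940, or camt file would be parsed into the same field shape first.

```python
"""Added example (not part of the original article or any vendor's product):
reconcile what the treasury system transmitted against what the bank reports
back, and build the exception report the article describes. Records are
constructed and simplified; a BAI, MT940, or camt file would be parsed into
the same field shape first."""
from collections import Counter
from decimal import Decimal
from typing import Dict, List

# Constructed: payments the treasury/ERP system sent, keyed by end-to-end reference.
SENT = [
    {"ref": "PMT-1001", "amount": Decimal("12500.00"), "ccy": "USD", "beneficiary_acct": "GB00TEST0001"},
    {"ref": "PMT-1002", "amount": Decimal("980.50"),   "ccy": "EUR", "beneficiary_acct": "DE00TEST0002"},
    {"ref": "PMT-1003", "amount": Decimal("43000.00"), "ccy": "USD", "beneficiary_acct": "US00TEST0003"},
]

# Constructed: what the bank's confirmation or prior-day statement shows.
BANK = [
    {"ref": "PMT-1001", "amount": Decimal("12500.00"), "ccy": "USD", "beneficiary_acct": "GB00TEST0001"},
    {"ref": "PMT-1002", "amount": Decimal("9805.00"),  "ccy": "EUR", "beneficiary_acct": "DE00TEST0002"},  # amount differs
    {"ref": "PMT-1002", "amount": Decimal("9805.00"),  "ccy": "EUR", "beneficiary_acct": "DE00TEST0002"},  # executed twice
    {"ref": "MANUAL-7", "amount": Decimal("25000.00"), "ccy": "USD", "beneficiary_acct": "XX00UNKNOWN9"},  # never sent by the system
]

COMPARE_FIELDS = ("amount", "ccy", "beneficiary_acct")


def reconcile(sent: List[dict], bank: List[dict]) -> Dict[str, list]:
    """Match bank records to sent payments on reference; return exceptions by category."""
    sent_by_ref = {s["ref"]: s for s in sent}           # assumes unique references per batch
    bank_counts = Counter(b["ref"] for b in bank)
    report = {"not_at_bank": [], "unexpected_at_bank": [], "mismatch": [], "duplicate_at_bank": []}
    seen = set()
    for b in bank:
        ref = b["ref"]
        if ref not in sent_by_ref:
            # The bank executed something the controlled workflow never sent:
            # a payment transmitted by other means, which this check exists to catch.
            report["unexpected_at_bank"].append(ref)
            continue
        if ref in seen:
            continue
        seen.add(ref)
        if bank_counts[ref] > 1:
            report["duplicate_at_bank"].append(ref)
        diffs = [k for k in COMPARE_FIELDS if sent_by_ref[ref][k] != b[k]]
        if diffs:
            report["mismatch"].append((ref, diffs))
    # Sent but absent from the bank's view: still in flight, rejected, or lost.
    report["not_at_bank"] = [ref for ref in sent_by_ref if ref not in bank_counts]
    return report


def is_clean(report: Dict[str, list]) -> bool:
    """True only when every category is empty, i.e. sent and received agree exactly."""
    return not any(report.values())


if __name__ == "__main__":
    for category, items in reconcile(SENT, BANK).items():
        print(f"{category}: {items}")
```

Run on the same-day confirmation file, a non-empty "unexpected_at_bank" or "mismatch" list is the signal to recall or investigate while there is still time; run on the prior-day statement, the same report is the automated exception list the section describes. Amounts are compared as Decimal deliberately, since float rounding would turn exact matches into spurious mismatches.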