The Myths and Truths of Payment Fraud for Government Agencies
Fraud losses are complicated. In addition to the potential loss of millions in taxpayer funds, government agencies are also facing negative press, reputational damage, potential impact to credit ratings, and decreased public confidence, making this a silent crisis for Treasurers.
At Kyriba we’ve had the opportunity to speak with hundreds of government treasury, finance, and IT professionals. We hear many of the same misconceptions around payment fraud – its prevalence, the tools to properly fight the battle, and confusion over “Where do I start?” In this article we’ll explore seven myths around payment fraud, as well as the TRUTHS, to help you quickly and effectively safeguard constituent dollars.
Myth #1: “We don’t have a problem with Payment Fraud”
According to a 2021 Payments Fraud and Control Survey Report by AFP (Association for Financial Professionals), 75% of organizations across all areas of business were targeted for payment fraud. With government entities, at the state, local, and agency level, we believe these numbers are significantly higher, with an estimated 95% of agencies being attacked. As vendor and purchasing information is public, US government entities are the perfect target for a cyber-criminal. Through well-intended transparency regarding purchasing awards, current projects, and elected officials, key information is readily available and plays into the hands of fraudsters.
The truth is simple. If you work for a government agency, the problem is present, and the probability of a future attack is very high. The median payment fraud loss is $114,000, with over 25% of losses reported at over $1 Million. Delaying solving this issue is the costliest option.
Myth #2: “We’ve put internal safeguards in place”
When asked about protection against payment fraud, most agencies respond with the “internal safeguards” that have been put in place, training that was conducted for their staff, and manual processes to identify potential attacks. This traditional approach to fraud protection is very valuable – in fact, critical, but DOES NOT solve the problem. Alan R. Shark from the Public Technology Institute tells us, “The pandemic was a wake-up call … with the more remote workforce, people were unwittingly clicking on things they shouldn’t have. … In the remote environment, not everyone had the best practices in place.”
Your office MAY “catch” a fraudulent payment, but the risk is high, and it leaves too much to chance. It is estimated that 46% of fraud is committed by individuals inside an organization, and nearly half of reported losses of $100M or more were committed by insiders. People are human, they make mistakes, and cyber criminals are very clever in the way that they craft emails, messages, and communications. They recognize that staff consists of emotional beings, and when staff are asked to rush a payment or quickly make a change for a senior leader, the pressure makes the situation ripe for payment fraud. Brookings, one of the nation’s largest think tanks, says of internal safeguards, “Traditional methods are labor intensive, inefficient, and often ineffective. It is hard to gain detailed information through these approaches, and it requires lots of personnel and follow-up analysis.”
Myth #3: “Our bank handles that for us”
Actually, there is ZERO obligation for a bank to cover any client for payment fraud, unless the bank is in breach (bank employee scheme). The bank may reimburse on a case-by-case basis. Many agencies believe that bank services offer adequate protection, but that is not true and here’s why. Payment fraud detection should be preventative, not remedial. The goal is to identify potential payment anomalies BEFORE you direct the bank to make the payment. Once a payment is sent to the bank, entered directly into the bank’s portal, or a file uploaded, the measure becomes one of repair versus prevention. Once a payment is sent to the bank – in whatever form it takes – it is open to public records requests, and your agency could easily be the target of unfavorable press. There are countless articles, with billions of dollars at stake: State Governments losing BILLIONS to fraudulent unemployment payments, and counties losing 10% of their annual budget to payment fraud. All of these payments went through the bank and were not detected prior to processing. Recovering the funds is not the answer.
Myth #4: “I have Cybersecurity Insurance”
Cybersecurity insurance covers the liability and costs incurred as a result of a cyber-attack, but does not cover payment fraud. As with any insurance, it’s the fine print that matters. Agencies often purchase these services to provide peace of mind, and protection against an issue should it occur. Unfortunately, this insurance has become increasingly expensive, and oftentimes requires extensive preventative measures before paying a claim, especially for payment fraud. According to a recent article on GovTech.com, “Cybersecurity insurance experts and government officials alike report that cyber-attacks are increasing and, as a result, policy premiums are going up. Underwriters also are asking much more of potential clients in terms of information on the application and training of staff.” If your agency doesn’t have processes in place, such as multi-factor authentication, or technology to identify fraud triggers, the insurance may not protect you. As Benjamin Franklin eloquently stated, “An Ounce of Prevention is Worth a Pound of Cure.”
Myth #5: “Our team doesn’t handle payments… or many payments.”
A common misconception from the Treasurer’s office is that 1) they don’t have enough electronic payments to warrant a program (“We don’t have a high volume of payments”), or 2) that the payments are someone else’s responsibility (“The Comptroller sends the payments.” or “IT handles that.”). The reality is that it is the Treasurer’s fiduciary responsibility, whether the payments are originated in a different office or managed by a different team, to protect the funds in each of the payments processed. For example, let’s say a different office or system determines payments for vendors or employee payroll. It is often still the Treasurer’s job to understand what payments have been processed. A step can be added in the process to provide a “last and final fraud check” before sending the payment to the bank. The Treasurer owns this step. Maybe you only make a small number of wire or ACH payments? These payments are oftentimes large, and it only takes one. Oftentimes cyber criminals target non-traditional payment vehicles and processes such as one-off payments made from the Treasury team.
Myth #6: “The Cloud isn’t safe”
This myth comes in a few different forms – “The Cloud isn’t safe.” or “I don’t feel comfortable with technology.” Technology feels overwhelming to many people, and fear of a misstep keeps them from putting necessary protection in place. Here’s what most people don’t recognize – Cloud technology, if deployed properly, is much safer and more secure than on-premise solutions or manual processes. If you choose the right technology, security will be a priority for the vendor. Standard governance and risk programs allow your IT department to ensure the appropriate tools are selected, using criteria such as SOC 1 and 2 certification, ISO 27001 standards, and RPO/RTO commitments, guaranteeing minimal downtime should an emergency occur. Safety and security should be among the benefits of Fraud Detection software. These solutions should enforce recommended best practices such as multi-factor authentication, IP Filtering, and strong password controls.
Myth #7: “We don’t have the budget for technology”
The 2020 NASCIO study on cybersecurity found that in government agencies the lack of sufficient budget is the #1 barrier to overcoming cybersecurity issues. At a recent conference, a speaker from S&P (Standard & Poor’s) was discussing the potential negative impact of payment fraud on credit ratings. She stated, “You will spend the money now or spend the money later.” This is a powerful message, and combined with the high probability of a future attack, the question remains: Can you afford to not make payment fraud a priority?
We know that government contracting doesn’t always make it easy to secure budget or procure solutions. There’s good news though! The business case is very strong for securing funds to prevent payment fraud. Without technology in place, there is negligence in terms of protecting taxpayer dollars, and this has become clear to leaders at all levels. Both CARES and ARPA Funds can be used to fully fund payment fraud solutions. Although every State has different guidelines for funding usage, we’ve seen strong support across the board for infrastructure programs such as Fraud Detection solutions. Additionally, to help alleviate the complexity with procurement, Kyriba is available through a number of Government buying vehicles (NASPO for example), allowing agencies to purchase the solution at pre-negotiated pricing, ensuring a safe and secure solution, and avoiding time-consuming and costly bidding processes.
The Kyriba TRUTH
Fraud is complicated, but the solution to address fraud doesn’t have to be complicated. Kyriba offers a simple solution that is easy to implement, and immediately protects taxpayer funds in ways that no bank, insurance, or internal safeguard can guarantee. Kyriba’s Payments Fraud Detection solution extends the effectiveness of standard payments controls to include real-time detection to stop suspicious payments in their tracks. The module, the first of its kind in the industry, includes customized scoring, centralized alerts, complete resolution workflow management, and data visualization through a drilldown KPI dashboard. Kyriba’s Fraud Detection includes real-time notifications and alerts and built-in workflows that include:
- Machine learning (artificial intelligence) to analyze historical data patterns to identify suspicious payments
- Separation of duties between the payment initiator, payment approver and reviewer
- Designation of reviewer(s) by payment rule and specific payment scenario (e.g., payments over $1M are sent to the treasurer for review)
- Ability to assign non-treasury personnel to review certain detected payments
- Option to hide alerts from initiators/approvers of the detected payment so that specific users do not know whether their payment triggered an alert
- Scenario-based determination for stopping payments until resolved by designated users
To learn more about how Kyriba can help you solve your Payment Fraud challenges, send us a note at [email protected] or visit our website at https://www.kyriba.com/solutions/kyriba-for-public-sector/.