This issue’s question
“The latest AFP Fraud Payment Survey found that 80% of companies had at least one instance of payment fraud occur in 2017. What can treasury do to stop this?”
Katja Franz, Treasury Consultant and Anton Wahl, Treasury Consultant/Payments Specialist, BELLIN:
Cybercrime is a huge and universal issue that affects companies around the globe. Treasury can and must play a role in tackling it. Corporate treasuries are best placed in a company to act as “gatekeeper”, and treasury management system providers and consultants have a duty to provide the solutions – both in terms of technology and in terms of processes – to empower them.
With cybercrime being a multi-layered issue, treasury also needs to approach this subject from several angles. Technology, processes and users are the main vulnerabilities and there are a number of ways in which treasury can make a difference. As for technological solutions, a treasury management system offers multiple opportunities for preventing fraud. This starts with access controls to the system that ensure that only those employees can access and/or process data – including payments – that should. Ways of implementing access control in a TMS are for example SSO, IP restrictions or two-factor authentication. Equally important are secure and viable password conventions and password policies. All of these measures should be joint efforts by the treasury and IT departments.
These access controls should go hand in hand with sophisticated rules and mechanisms for permissions and roles. By assigning permissions to perform certain operations to specific roles – and in turn assigning specific roles to every user – treasuries can exercise much better control and considerably boost security. You can ensure that users can only perform tasks that they should be able to perform. Ideally, the system settings allow you to administer this centrally. Treasury should clearly advocate segregation of duties, for example, a clear distinction between responsibilities for master data maintenance (and approval when a dual approval process is in place) as well as authorised signatories. In addition, multiple approval levels for payment authorisation can be a useful measure. For example, the person who has entered a payment should not also be allowed to approve it. Also, of relevance in this context is two-factor authentication for the signing of payments, again tackling the issues of access control and password security.
Treasury should also use process design to promote fraud prevention. Automation can be a powerful security measure that prevents manipulation. Streamlined and automated bulk file processing, eliminating single payments and using templates and SSIs for treasury payments are some of the options. In addition, the technological set-up should be embedded in a process that spells out clear rules and workflows. Everyone needs to be aware of these processes and training is crucial to make sure they’re enforced. Other topics such as supplier account verification and whitelisting, blacklisting and sanction screening should also be on the treasury security agenda.
Overall, treasury can lend support in tackling all three main vulnerabilities: technology, processes/governance and people. Treasury system providers must make their customers’ security their business and help them with sophisticated tools and process consulting.
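The segregation-of-duties, dual-approval and supplier account verification controls described in the answer above, worked through as an added example (not code from the page or from any TMS vendor); the role names, the dual-approval threshold and the cooling-off period for changed bank details are constructed assumptions.

```python
# Added example, not a vendor's code: role names, threshold and cooling-off period are constructed.
from dataclasses import dataclass, field
from datetime import date

MASTER_DATA, SIGNATORY = "master_data", "signatory"
DUAL_APPROVAL_ABOVE = 10_000       # two signatories needed above this amount
SUPPLIER_CHANGE_COOLING_DAYS = 3   # recently changed beneficiary details need separate approval
@dataclass
class User:
    name: str
    roles: frozenset

@dataclass
class Supplier:
    supplier_id: str
    iban_changed_on: date
    iban_change_approved: bool = False

@dataclass
class Payment:
    amount: float
    supplier: Supplier
    entered_by: User
    approvals: list = field(default_factory=list)

def approve(payment, approver):
    """Record an approval; return the policy violations found (empty when accepted)."""
    problems = []
    if {MASTER_DATA, SIGNATORY} <= approver.roles:
        problems.append(f"{approver.name} maintains master data and may not sign")
    if SIGNATORY not in approver.roles:
        problems.append(f"{approver.name} is not an authorised signatory")
    if approver == payment.entered_by:
        problems.append("the user who entered the payment may not approve it")
    if approver in payment.approvals:
        problems.append(f"{approver.name} has already approved this payment")
    if not problems:
        payment.approvals.append(approver)
    return problems

def release_blockers(payment, today):
    """Reasons the payment must be held back from the bank file."""
    needed = 2 if payment.amount > DUAL_APPROVAL_ABOVE else 1
    blockers = []
    if len(payment.approvals) < needed:
        blockers.append(f"{needed} approval(s) required, {len(payment.approvals)} given")
    s = payment.supplier
    if (today - s.iban_changed_on).days < SUPPLIER_CHANGE_COOLING_DAYS and not s.iban_change_approved:
        blockers.append(f"bank details of {s.supplier_id} changed on {s.iban_changed_on} and are unverified")
    return blockers
```

Wiring `release_blockers` into the step that writes the bank file means a payment entered by one user, approved by the same user, or aimed at freshly changed supplier details never reaches the network.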
James Richardson, Head of Market Development – Risk & Fraud, Bottomline Technologies:
Being proactive in identifying fraud by using the right technology to monitor transactions in real-time is the best way to secure payments.
In line with the findings of the latest AFP Payments Fraud Survey, our recent reports have also found that it can be incredibly difficult for treasurers to recover funds stolen by fraudsters, whether this is internal, for example, when an employee updates a supplier’s account and diverts payments to their own account; or external, such as a business email compromise scam where the fraudster imitates an email from the CEO to deceive employees into making payments into fraudulent accounts.
Treasurers can only make and receive secure payments if they have full confidence in a system that identifies and notifies suspicious transactions in flight, as well as monitors the behaviours linked to these transactions.
With the rise in immediate payments, it’s becoming even more critical for treasurers to block transactions before they hit the payment networks. The pressure is being squeezed to solve the issue upstream.
Our own recent survey, Treasury Fraud and Controls 2018, commissioned in partnership with Strategic Treasurer, highlights that financial decision-makers feel they are now better equipped to identify cyber fraud within their organisation. If we look at previous years, treasurers and organisations made significant improvements to protect, prevent and respond to fraud, with the report noting that 26% of corporates are planning to spend more or significantly more on treasury security compared to last year. This increase in fraud prevention has largely been driven by advanced technology and the use of automation which has allowed them to continually improve their capabilities over time.
But while organisations now have better control and are better equipped to respond to payment fraud, the persistence and number of breaches are on the rise. Consequently, the number of corporations impacted and unable to recover from fraud losses has increased significantly in the past year and continues to grow. Having the right technology solutions in place for preventing payment fraud is paramount for organisations to mitigate the risk.
While the technological component of security is critically important, the human component is equally vital. Providing employees with the right training and awareness is an area all organisations need to address. Some corporations may have the most robust technology infrastructures, but they will still be vulnerable if they don’t get the human component right.
It’s a strange scenario we face; organisations currently feel more secure because they’ve made an investment, yet they still admit seeing fraud rise in their organisation. This is a classic ‘Perception versus Reality’ wake-up call which shows that investments are not being made in the right area.
Sungmahn Seo, Managing Director, Head of EMEA Payments & FX, J.P. Morgan:
Fraud prevention should be at the top of any corporate treasurer’s agenda. With growing volumes of online payments, increasing digitisation within the industry and evolution of new payment types, firms are more susceptible than ever to fraud. Concurrently, fraudsters are becoming ever more sophisticated; they are turning to AI to identify vulnerabilities to maximise their success rates and surreptitiously increasing fraud attempts using smaller amounts to avoid detection. Frankly, instances of payment fraud are multiplying at an alarming rate.
Payment fraud can have devastating consequences for businesses, both in terms of their finances and reputation. In October 2017, US$60m was stolen from an international bank through fraudulent transactions, resulting in lasting financial and reputational damage. The impact is cross-industry; no firm is safe.
Treasury staff play an important role in protecting the business. As corporate treasuries become targets of fraud attempts, there is an urgent need for the uplift of systems, training, detection and verification. The introduction of real-time payment types creates a need for real-time detection methods and proactive monitoring at the point of payment initiation.
A strong multi-layered approach to fraud prevention gives the greatest chance of success, using a combination of best practice and external services to mitigate risk. The three key strands we suggest treasury departments consider are:
Make fraud-checking a priority
The traditional lifecycle of a payment involved limit checking and sanction screening. Fraud-checking is now an integral layer of this process. We recommend that treasury departments work with banking partners to ensure effective fraud-checking measures are in place. For example, J.P. Morgan continues to explore various tools to assist customers in fraud deterrence and adding further security to payment flows. Additionally, treasury can consider implementing controls including web-filtering and registrations, daily reconciliation, segregation of duties, payment limits, user entitlements and key authentication.
Other suggested steps to protect your firm include engaging an experienced company for an independent assessment of vulnerabilities. Making use of industry forums and establishing a clear engagement model with governing authorities can also aid understanding of the latest threats.
Invest in education and training
Treasury departments need to see fraud as an area of collaboration and work with trusted advisors to adopt best practices. J.P. Morgan regularly partners with clients to deliver fraud webinars as well as awareness and prevention sessions, which provide a useful control environment.
It is vital that internal staff and external partners (eg vendors) are trained regarding payment fraud and related safeguards. Examples of threats include social engineering, malware and email spoofing. Simulations and drill scenarios help staff recognise common practices used by fraudsters and underline the importance of following key validation procedures.
Update treasury practices and bank account management processes
In addition to the hygiene factors identified above, treasury could consider greater centralisation and standardisation of processes, compliance, payment platforms and monitoring. Updating outdated practices, such as moving to e-invoicing, presents an opportunity to combat fraudulent instructions by introducing authentication within the workflow.
Defending against financial fraud requires both financial institutions and their clients to understand the risks. Vigilance is paramount, as the question of a payment fraud attempt on any organisation is simply a matter of time.
“How do I manage treasury when it looks like rates might rise?”
Please send your comments and responses to firstname.lastname@example.org