Recent months have brought no shortage of activity by cyber-criminals, from Tokyo-headquartered Nikkei’s £22m loss due to a single Business Email Compromise (BEC) fraud, to a spate of ransomware attacks on cities and school districts in the US.
Treasurers have an important role to play in helping to protect their organisations against payments fraud and cybercrime, although some take the issue more seriously than others. PwC’s 2019 Global Treasury Benchmarking Survey, Digital Treasury – It takes two to tango, warns that while public concern has increased, “many treasurers seem to underestimate the risks of payment and cyber fraud and their role in managing it”.
Nevertheless, the survey also found that 56% of respondents said the group treasurer is responsible for managing payment fraud risk in their organisations – and the report highlights the importance of best practices such as raising awareness, managing processes and securing technology, as well as “collaborating with IT on minimum security controls around data encryption, authentication, ensuring robust interfacing, regular penetration testing, and adequate network segregation”.
Technology vs fraud
Technology can be used effectively as a means of combatting the risk of payment fraud and cyber-attacks. Dedicated treasury management systems, for example, may provide essential controls which can help treasurers, such as user access controls, segregation of duties and the ability to monitor transactions and identify any anomalies.
But as the payments landscape expands to include an increasingly diverse range of fintechs offering innovative services, how much attention are those companies paying to treasurers’ need for robust security? Interestingly, Capgemini’s 2019 World Fintech Report found that while almost two-thirds of banks cited cyber-security concerns as a challenge for implementing open banking, only 42.5% of the fintechs polled said the same. The report also found that fintech firms are less concerned than banks by data security and customer privacy – “possibly because the stakes for them are not as high.”
Joseph Krull, Senior Analyst – Cyber-security at Aite Group, says that while fintechs are very good when it comes to innovation, building digital journeys and supporting frictionless transactions, “fintechs are not really good when it comes to understanding threats and security and internal controls. While some fintechs have marketing materials that talk about security, for the bulk of those I’ve reviewed it’s a secondary or tertiary feature.”
At this stage, Krull says, fintechs would rather emphasise their investments in cutting-edge artificial intelligence and machine learning. “What I don’t hear from fintechs is, ‘We put these really great internal controls in the product that keep people from doing things that they shouldn’t do.’”
That’s not to say there are no opportunities for improvement. Krull argues that fintechs may be well positioned to gain competitive advantage by focusing more squarely on this topic. “If a fintech says one of their competitive advantages is that they put a strong focus on internal controls and auditability, and they do great logging and monitoring, that will give them the ability to talk to the operational risk managers in an organisation,” he says.
But in order for this to happen, Krull argues that the organisations that are buying products from fintechs also need to take a proactive approach in telling vendors what they are looking for, thereby prompting fintechs to pay more attention to security as a development priority.
“It’s a two-way street, and those organisations need to drive the conversation,” he comments. “They need to say, ‘That looks fantastic, I can speed up my transactions – but what are you doing in your product to make sure I’m not running with scissors?’”