The upsurge in financial crime during the early stages of the pandemic illustrates the point that criminals thrive in chaos. At individual company level, such conditions can be created by a cumbersome and disparate ERP and banking landscape where there are no uniform processes to track cash outflows, treasury accounts that are not subject to the same controls as other corporate accounts, and a preponderance of manual processes.
It is widely accepted that eliminating manual handling of payment data removes many opportunities for misuse.
“Automating invoice handling and payment processing is one of the best means of increasing security as it adds to the transparency, quality and speed of payments,” observes Anna-Lisa Natchev, Vice-President of Sales at Nomentia. “The process also needs a clear owner, responsible for both functionality and security.”
There is also a strong case to be made for the view that treasurers with decentralised operating structures and fragmented or outdated technologies are at the highest risk from fraudulent activity.
“Treasurers should apply checks and validations on payment transactions and it is crucial that this is automated as part of the payment process,” says FIS treasury solutions enterprise strategist, Steve Wiley.
He suggests that digital payment hub solutions can flag suspicious payments and define a workflow process to deal with them, including involving the right teams – such as accounts payable and the compliance department.
Many corporates have more than one payment hub because of disparate ERPs, purchase to pay, human resources and other systems that drive the generation of a payment.
“This makes the detection of fraudulent activity much more complex because of the multiple points of exit for payments, so the first recommendation would be to move towards the centralisation of payment execution through a single payment hub,” says Kyriba’s Chief Product Officer, Thierry Truche.
At individual transaction level, treasurers should be alert to requests for payments made urgently, late or close to the end of the day, at the end of the week (Friday night) or even during the weekend. An indicator of internal fraud is sending a payment for approval a second time, where the first genuine request is followed by a second request for the same payment but with a different (fraudulent) account number.
Corporate treasurers may have multiple bank relationships and hundreds of bank accounts worldwide, each with their own system access, so treasury needs to consolidate these accounts and be more in control of its destiny.
That is the view of Omri Kletter, Global VP Product & Strategy at Bottomline, which works with treasury teams to implement defence systems to catch fraud earlier and prevent an over-reliance on banks to spot suspicious activity.
“Given the emergence of new tools such as confirmation of payee and pay management software, treasury teams need to review their payer and beneficiary processes,” he continues. “Considering the growing, global threat of authorised push payment fraud, it has become increasingly difficult for banks to deal with this type of fraud if the treasurer has authorised the transaction. Banks are appealing to treasurers to up their game in adopting comprehensive fraud prevention technologies and processes.”
For payments tracked in a spend management system or in the company’s ERP system, treasurers need to understand, and be able to rely on, the process within those systems that creates a payment batch, observes Martin Bellin, Senior Vice President of Operations EMEA at Coupa (formerly Bellin).
“Internal fraud happens typically on two levels – one-time high volume, or regularly with smaller payment volumes,” he says. “If treasurers know the usual process they can determine if something is out of the ordinary.”
For external fraud prevention, allow lists and block lists help identify account details provided for a known supplier that do not match previous records. Past executed payments are also useful for comparing settlement instructions, currencies, size of amount, or payment terms.
“If usually only small amounts have been paid and now a large payment is being requested to a different account, this should be recognised as a suspicious payment,” says Bellin. “Likewise, treasurers should be wary of unusual payments for a particular legal entity – for example, a subsidiary being asked to transfer a large amount for an acquisition.”
Other potential signs of bank account fraud or false invoicing are when the approval process has deviated from the norm or the payment is going to an account in a sanctioned country when the recipient claims to be from a ‘regular’ country. Requests for urgent payment or reluctance to disclose information should also arouse suspicion, as should requests for payment directed at people who would usually not approve such payments.
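The indicators described above (a payment resent for approval with a changed account, account details that do not match a known supplier's records, an amount out of line with past executed payments, an account in a sanctioned country while the recipient claims a regular one, and off-hours timing) combined into one screening routine. This is an added example, not code from the article or from any vendor quoted in it; the supplier records, the "three times the largest past payment" threshold, the IBAN-style account numbers and their two-letter country prefix are all constructed assumptions.

```python
from datetime import datetime

# Constructed reference data for this example (not from the article): accounts on
# record per supplier (the allow list), past executed payment amounts, and the
# sanctioned-country list. Account numbers are IBAN-style; the first two
# characters are assumed to be the country code.
KNOWN_ACCOUNTS = {"ACME-LTD": {"GB11ACME00000001"}}
PAST_PAYMENTS = {"ACME-LTD": [4200.0, 3900.0, 4500.0]}
SANCTIONED_COUNTRIES = {"XX"}
AMOUNT_MULTIPLIER = 3  # flag amounts above 3x the largest past payment


def screen_payment(req, pending, now):
    """Return the reasons a payment request should be held for manual review.

    req: {"supplier", "account", "amount", "claimed_country"}; pending: requests
    already awaiting approval; now: datetime at which the request arrived.
    """
    flags = []
    supplier, account, amount = req["supplier"], req["account"], req["amount"]
    # Internal-fraud pattern: same payment sent for approval a second time,
    # identical except for the beneficiary account.
    if any(p["supplier"] == supplier and p["amount"] == amount
           and p["account"] != account for p in pending):
        flags.append("duplicate request with a different account")
    # Allow list: known supplier, but the account is not on record.
    if supplier in KNOWN_ACCOUNTS and account not in KNOWN_ACCOUNTS[supplier]:
        flags.append("account not on record for this supplier")
    # Compare with past executed payments: amount out of line with history.
    history = PAST_PAYMENTS.get(supplier)
    if history and amount > AMOUNT_MULTIPLIER * max(history):
        flags.append("amount far above past payments")
    # Account sits in a sanctioned country while the recipient claims otherwise.
    if (account[:2] in SANCTIONED_COUNTRIES
            and req["claimed_country"] not in SANCTIONED_COUNTRIES):
        flags.append("sanctioned-country account, recipient claims otherwise")
    # Timing: late in the day, Friday evening or weekend.
    if now.weekday() >= 5 or now.hour >= 17:
        flags.append("request outside normal payment hours")
    return flags


# Constructed sample: a genuine request followed by a resend with a changed account.
GENUINE = {"supplier": "ACME-LTD", "account": "GB11ACME00000001",
           "amount": 4200.0, "claimed_country": "GB"}
RESENT = dict(GENUINE, account="XX99FAKE00000002")
WEDNESDAY_MORNING = datetime(2021, 3, 10, 10, 0)
FRIDAY_EVENING = datetime(2021, 3, 12, 18, 30)

if __name__ == "__main__":
    print(screen_payment(RESENT, [GENUINE], FRIDAY_EVENING))
```

In a payment hub the returned reasons would route the request to the workflow the article describes (accounts payable and compliance review) rather than straight to release.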
Treasurers should take advantage of threshold and limit monitoring features within their applications that establish limits around the number of trades that can be executed by a user or the magnitude of payments they can approve, says Peter Pippan, Product Owner, ION Group.
“Alerts should be enabled to send reports when thresholds have been exceeded,” he says. “Audit trails track all activity, including who performed an action and when. Every version of data saved should be available for examination so that history can be reviewed and logs produced by the system should not contain any sensitive information that can be used by hackers to gather intelligence. Finally, workflow-oriented tools help users to better manage operations as opposed to sharing spreadsheets via emails.”
Passwords should expire after a number of failed login attempts, and users should be forced to reset their passwords periodically. Sensitive data stored in the database should be encrypted, and data in motion should be encrypted by secure channels like SFTP so that it cannot be ‘sniffed’ or intercepted on the network.
“Treasurers should stick with tried and trusted practices,” says Pippan. “For example, automated reconciliation of bank statements against internal systems will spot fraudulent behaviours. To do this, treasurers should have their treasury management system linked to that of their bank so they can receive prior day and intra-day updates without delay. The introduction of open banking APIs makes it possible for treasurers to have a near real time view of their cash position.”
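The automated reconciliation Pippan refers to, shown as an added example (not code from the article or from ION Group): prior-day statement debits received from the bank are matched by reference against the treasury system's own record of released payments, and anything the bank debited that treasury never released is surfaced for investigation. The references, amounts and account numbers are constructed sample data.

```python
# Constructed sample data (not from the article): the prior-day statement debits
# received from the bank and the treasury system's own record of released
# payments. Both sides carry the same end-to-end reference; amounts are in
# minor units (cents) so they compare exactly.
BANK_STATEMENT = [
    {"ref": "PAY-1001", "cents": 420000, "beneficiary": "GB11ACME00000001"},
    {"ref": "PAY-1002", "cents": 125000, "beneficiary": "DE55SUPP00000099"},
    {"ref": "PAY-1003", "cents": 9800000, "beneficiary": "XX99FAKE00000002"},
]
INTERNAL_PAYMENTS = [
    {"ref": "PAY-1001", "cents": 420000, "beneficiary": "GB11ACME00000001"},
    {"ref": "PAY-1002", "cents": 125000, "beneficiary": "DE55SUPP00000077"},
    {"ref": "PAY-1004", "cents": 73000, "beneficiary": "FR76SUPP00000012"},
]


def reconcile(statement, internal):
    """Match bank statement debits to internal payment records by reference.

    Returns matched references, statement debits with no internal record
    (a possible unauthorised outflow), references where amount or beneficiary
    differ between the two sides, and internal payments not yet debited.
    """
    by_ref = {p["ref"]: p for p in internal}
    result = {"matched": [], "unexplained": [], "mismatched": [], "unsettled": []}
    for line in statement:
        # pop() so a second debit with the same reference also lands in "unexplained"
        rec = by_ref.pop(line["ref"], None)
        if rec is None:
            result["unexplained"].append(line["ref"])
        elif (rec["cents"], rec["beneficiary"]) != (line["cents"], line["beneficiary"]):
            result["mismatched"].append(line["ref"])
        else:
            result["matched"].append(line["ref"])
    result["unsettled"] = sorted(by_ref)  # released internally, not yet on statement
    return result


if __name__ == "__main__":
    for bucket, refs in reconcile(BANK_STATEMENT, INTERNAL_PAYMENTS).items():
        print(f"{bucket}: {refs}")
```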
Corporates have accelerated their move to the cloud and by continuing this migration can leverage the huge sums spent by cloud vendors on security. They should also encourage their banks to leverage cloud computing and artificial intelligence to monitor the activities of bad actors by adding apps such as NetGuardians to their core offerings.
“Having systems and processes running on the cloud allows additional security measures to be taken that are very difficult to implement or are not available for deployment on site,” says Finastra’s Global Head of Capital Markets, Pedro Porfirio. “Two and three factor identification, single sign-on, and using artificial intelligence to check on uncommon behaviour are fundamental to keeping organisation and clients safe.”
Another potentially useful application is AIO’s financial identity verification technology, which enables customers to establish and own their verified financial identity and share it securely with financial institutions.
“Cloud-leading vendors offer solution uptimes above ninety nine per cent, have rapid disaster recovery services packaged with standard cloud services, and have dedicated processes, staff and technology which can mitigate fraud,” says Wiley. “Treasurers who were exposed by the pandemic will need to upgrade their technology to the cloud to give themselves the best possible chance of detecting fraudulent activity.”
Fraudsters often use social or business media to identify senior financial staff and determine when they are out of the office in order to perpetrate identity fraud. To minimise this threat, treasury consultant Craig Jeffery advocates implementing guidelines for private and public posting; providing training on when staff should or shouldn’t post travel or holiday information; and encouraging staff to reveal only the general area they work in rather than their specific title.
Employees should not use their company email address to register on any social media website for personal use and any social media posting by an employee should be consistent with company policies and reviewed through a central function.
Staff should make their social media profiles private rather than public, and specific training for certain job functions in a treasury department is also essential. “Fraudsters typically use fear and urgency to push fraud attempts,” says Wiley. “Employees in the treasury department must be aware of this and should not have an issue questioning anything.”
Some companies ask their employees not to use social media or restrict their usage, but relying on individuals to exercise discretion is risky. As Truche points out, it is pretty much impossible to prevent the teenage child of a senior staff member from posting a video on TikTok during their holidays, for example.
It may help if senior financial staff didn’t post pictures on social media from their vacation, or send greetings from holiday on those public platforms, says Bellin. However, he adds that it is often the autoresponder of a mailbox or a simple call to the assistant excusing the absence of such a senior manager which enables fraudulent attempts.
The payments industry has a job to do in waking people up as to how fast the business of fraud is evolving, concludes Kletter. “Treasurers cannot rely on an approach laid out a year ago to suffice for the future. While coronavirus accelerated digital transformation, it also accelerated new vectors in fraud and increases in insider fraud.”