Risk Management

Powering Change: the do’s and don’ts of navigating payment risk

Published: Mar 2024

In partnership with J.P. Morgan Payments

For all the opportunities of digitisation, the process of leveraging digital technologies to streamline operations and provide new revenue also comes with real risk. None more so than in payments. The Powering Change Taskforce gathered a group of senior treasurers at J.P. Morgan Payments’ UK headquarters in London’s Canary Wharf to discuss topics including the importance of working with other teams to combat payment risk and why watertight policies are essential.

The Taskforce kicked off with an acknowledgement that payment risk is escalating, driven by the speed of payments and new technology, like APIs. People expect things to be turned around faster, and in an electronic world, money is sent in just a few clicks. However, speed creates new risks: deep fakes and increasingly sophisticated fraudulent emails requesting payments or bank changes are harder to prevent. Taskforce speakers said that repetitive, small theft is just as damaging as large amounts, and all theft should be treated the same.

“Connectivity is accelerating, and in turn, people expect faster payments, but this is creating more ways for fraudsters to increase the sense of urgency and threat; often it leads to people making decisions they wouldn’t make in a normal environment,” said Varun Wadhwa, Deputy Treasurer at Baker Hughes.

Treasury teams have adopted different strategies over the years to prevent and respond to payment fraud. But many companies are overhauling or adding to these strategies given evolving technology and heightened risk. For example, at Aliaxis, the Brussels-headquartered water and energy group, Séverine Le Blévennec, Global Head of Treasury, is in the process of updating system connectivity and payment processes, even though treasury at the company is not solely responsible for payments.

“As the custodians of cash, treasury has a clear leadership role to take in helping prevent and mitigate fraud and risk,” she said, adding that she is spending time reaching out to internal colleagues to network treasury expertise in the wider business and build a treasury community with a higher skill level. She takes time to make sure colleagues understand her operating model, the key objectives and the transformation, going down the line.

At Baker Hughes, the B2P (Buy to Pay) process is centralised and only a handful of people have the authority to authorise a payment or permit a vendor change, said Varun. “A top-down approach with setting up a B2P policy and a clear exception management process is very important – the standardisation, along with clear communication, helps get alignment within organisations to mitigate fraud risks.” At Virgin Media O2, different companies that make up the group have come together over the years. Preventing fraud means ensuring diverse systems and products, with different teams and approval processes, come together, explained James Marshall, Head of Treasury, Virgin Media O2.

Working with different teams

Cue the next conversation topic amongst the Taskforce. Panellists agreed that successfully managing payment fraud depends on working with other teams across the business. One of the most important teams is IT, the gatekeeper to payment fraud because it protects treasury from most of the traffic that comes through in terms of malware and phishing emails.

Teams like cyber security and IT are also subject matter experts. They’re the ones that can quickly flag issues because they are dealing with them every day and know what a programme might need. Panellists also stressed the importance of empowering other team members to contribute to the process.

Séverine said that working with experts opens treasury up to hard questioning that improves processes. It helps treasury push models to the extreme and should be viewed as an opportunity. “Listen to your biggest objectors – they will highlight good points and areas which can be improved on and give you the opportunity to ask all the required questions,” she said. “It’s very important to keep everyone, at every level, engaged. Each year I share treasury’s objectives and priorities with our legal, IT and tax teams so they understand in advance how they can help us across all the touchpoints we have with them. Involving every team at the start of a new project really helps break down siloes between functions and levels.”

Working across teams to combat payment fraud doesn’t stop for companies that have outsourced to providers. Virgin Media O2 uses outsourced providers to run much of its payments processes, and these teams are responsible for tasks including maintaining data, reconciliations and updating bank details. But treasury is hands-on when it comes to managing them.

It is treasury’s responsibility to ensure oversight of these processes and an outsourced provider should not be treated any differently than an internal team. James said his team must always have the confidence to challenge outsourced providers’ methods of working. “It’s a treasurer’s responsibility to have oversight of all teams – whether they are internal or outsourced – to make sure they have absolute confidence in processes and can challenge where required.”

Engagement with these teams, internal or external, is always collegiate, not adversarial, and within this relationship treasury is entitled to point out gaps. It is important to break down the silos, and treasury should make itself completely accessible and ensure confidence in its own processes. “What we do is considered magic, not everyone understands! Treasurers should make themselves very accessible to the wider business, as then they will know we know what we’re doing,” said James.

Although panellists agreed that fraud prevention is shared across multiple teams, they also indicated an opportunity for treasury to lead given its oversight of bank relationships and technology. Treasury is also in a good position to overcome resistance to change, including the introduction of centralised payment controls and processes, for example.

Treasury is well positioned to educate colleagues that controls are designed to protect people from making mistakes – if there is a chain of control, mechanisms, and a system, it protects them. “It’s about protecting your people from the consequences of pushing the wrong button,” said Séverine.

One challenge for treasury in this role is that, historically, it hasn’t positioned itself as the department at the forefront of change. Much of this is embedded in treasury’s innate sense of caution. “Today, treasury is open to change and the benefits of technology, but in the same breath, we are rightly cautious and need to weigh up risks,” said Royston Da Costa, Assistant Treasurer at plumbing and heating distributor Ferguson.

He added that a decentralised treasury function like Ferguson’s should not hinder visibility or leadership. Decentralisation isn’t a barrier to treasury maintaining full visibility of all bank accounts around the group, in line with compliance requirements, he said. Best practice, like a weekly meeting amongst treasury colleagues from around the group, ensures cohesion.

Treasury leadership and working across different teams is particularly important during mergers and acquisitions (M&A), a time when treasury must act fast and with urgency and payment fraud risk increases. Panellists reflected that, on closure, treasury needs to make sure processes are completely aligned. Big ticket payments need the same controls in place as all other payments, and treasury should be mindful that fraudsters will try to siphon off funds by pretending to be advisors. Clear statements from the CEO help with clarity; for example, providing a green light for when the payment should be made bridges the gap between the deal and communications teams.

Panellists agreed it is very important to give structures around a delegation of authorities, which also involves putting in place a safety net with banks. They flagged the importance of calling the treasurer on “the other side” to confirm bank details through a call back process. “These types of processes need to be written into policy,” said Varun.

Working with other teams includes working with external technology providers, important allies in combating payment fraud because few companies can develop the tools they need internally. But panellists reflected that selecting the right technology partner introduces another element of risk. Selection includes ensuring these strategic partners have the financial clout behind them to invest in research and development going forward. “Whatever technology provider we select must meet all our treasury requirements and stability needs,” said Royston.

Working with new technology providers is also challenging for outsourced treasury. When outsourced teams sign up to new technology, it can open a side door that companies aren’t always aware of, said James. Treasury should also be aware that technology providers typically offer standardised solutions. The minute treasury teams request something bespoke or specific, it gets more challenging.

Limit human intervention

Panellists were unanimous that human intervention heightens payment risk and that the fewer manual processes, the better. “Automate everything as much as possible to enable strong governance,” said Royston.

Typically, a chain of automatic controls flags when a payment is an outlier, and only then does it come to the attention of high-level individuals. Aliaxis has strict rules around what types of manual payments are allowed – and only a few are permitted.

All manual payments require two approvals, and even a third one from the treasury team if they are not done on the basis of preapproved payment templates. “This gatekeeping process includes asking several questions, amongst which, why a payment hasn’t been generated in the enterprise resource planning (ERP) as we want to eliminate every payment that is not going through the safe pipeline,” said Séverine.

Baker Hughes has leveraged a technology solution to automate controls, ensuring that only the required people at the company have signatory authority on bank accounts and that signatory rights are removed as people change roles. “It’s a process that is no longer people-dependent,” said Varun.

Policies and processes

The speakers also discussed the importance of policies and processes. So many different departments touch payments that preventing fraud depends on building a chain of control.

Strict processes in place mean people know who to call when alarm bells ring. This includes contacting relationship managers at the bank and informing SWIFT in line with legal requirements. At Ferguson, policies include ensuring any bank account that is opened within the group is approved by the treasurer. “We must educate treasurers and the wider company to understand it’s everyone’s responsibility to protect sensitive data and enforce governance processes,” said Royston.

At Baker Hughes, processes include clear roles and responsibilities in a segregation of duties, which ensures that authority is only with a limited number of people and at the right level within the organisation. “Define roles and responsibilities – treasurers are the custodians of cash; we hold the relationship with the banks and so we control the infrastructure. Execution of a payment is not a treasury activity,” said Varun. “Treasurers might not own every process in cash disbursement, but we must take the lead to create the secure infrastructure, ensure standardisation and enable automation,” he added.

Other speakers highlighted their policies, including procedures that prevent any payment going through without a purchase order. Robust policy and procedures also endorse know your customer (KYC) and recognise that due diligence means things will take longer. Panellists said it was about “doing the right thing” and ensuring “standardisation,” even though it takes time.

Response planning comes under the policy umbrella too, another crucial part of the payment fraud jigsaw. Baker Hughes has a clear touch point in each region, highlighting the person to contact in case of fraud. The company has a formalised process around recalls and its technology teams have a similar chain of command. Importantly, news of an incident is openly shared. Response planning at Ferguson involves contacting the banks, the corporate communications team, SWIFT and TMS providers.

“Governance on the governance is essential – ensure policies are embedded into workflows and there are reports to monitor ongoing compliance,” said Séverine.

Culture and education

The Taskforce also highlighted the importance of creating a culture that ensures employees feel safe to speak up when a payment doesn’t look right; people need to know they can question something, even if they’ve been asked to do it.

Creating the right culture means sharing mistakes and learning to be open when something goes wrong; it requires an atmosphere of trust and employees knowing that when fraud is committed, something can be done about it. “It’s about trying to encourage teams to be open with us in Treasury – nine times out of ten there is something we can do to help mitigate risk. Treasurers need to be embedded in teams across the business, so these teams trust you to share critical information in sensitive situations,” said James.

“Employees should be trained to question when they have concerns – regardless of someone’s seniority – and have the confidence to say the process doesn’t allow me to make that payment,” added Royston. He said that successfully navigating payment risk is an exercise in change management. It is about learning to ask questions and eradicating the mentality of just doing something because we are told to do it. “It’s about having the confidence to question everything,” he concluded. “It’s about people thinking I can’t do that, no matter who you are, or how important you are, because the processes we have in place won’t let me.”
