Process control risks remain almost permanently in evidence for treasurers, but priorities change. A decade ago, RFPs to TMS core system vendors focused on information exchange and transparency; payments processes were of interest but not critical. Today, where multiple e-banking applications can expose organisations to increased levels of control risk, payment processes and connectivity are far more important as companies struggle to manage targeted cybercrimes, such as SEPA direct debit and redirection fraud.
Treasurers have raised awareness of the risks amongst other functions, yet despite constant reinforcement of their message, few can be certain that their mitigation processes are being adhered to fully by non-finance colleagues.
It’s no surprise then that, with the rise of cyber-criminality, finance and treasury teams are increasingly seeking control, through greater transparency and connectivity, across their entire organisations. This is evident through changing RFP priorities.
Today, reducing fraud risk can be facilitated by centralising systems and process definitions, and putting control in the hands of smaller, centralised teams. In practice, this could mean simply requiring all banking to be managed through a single application, where static payments data and watchlist monitoring can be validated across the entire organisation.
Key to the idea of enabling greater control is the understanding that this is not about withdrawing local responsibility – most treasuries are too small to manage that anyway – but about using automation to enable transparency across remote-user activities, and being able to take immediate action where necessary.
With treasury departments remaining small despite increasing workloads, the adoption of technologies such as artificial intelligence (AI) alongside single-platform access to data will be crucial to success here, both in defeating fraud and in delivering a competitive edge for the organisation.
AI can check bulk or individual payment flows minutely and in real time, allowing treasury to manage by exception; this is a huge help for small and large organisations alike. BELLIN has developed AI that can detect and raise an alert concerning even the subtlest of changes in user behaviours and payments activities across an entire multi-national organisation. The parameterisable system also deploys the BELLIN Vendor Verification whitelisting and blacklisting tool, letting treasury focus on real threats whilst allowing centrally validated transactions to flow unhindered.
Central control, enhanced by AI and validation technology, gives even the most far-flung businesses control over their payments processes. But leveraging this set-up is not just about deploying cutting-edge technology.
Beginning the process of optimisation through centralisation first requires exposure and definition of the company’s risks. The company may then set out its goals, detailing how those risks will be mitigated. This should be a collaborative effort, with treasury working alongside other functions such as IT and accounting, to ensure all potential weak points across the business are acknowledged and understood.
One key decision at this stage could be where best to host centralised core systems. Third-party engagement may be most appropriate; BELLIN, for example, offers mirror sites, distanced from its internal networks and main servers, ensuring client process security and continuity. The provision of core system backups on different servers, using encrypted data, can be the difference between getting back online quickly or not at all.
In operation, every company must ensure all personnel know how to respond when, for example, data access has been blocked by an attack. Here, process control documentation is vital. An internal task force should be established to ensure every required step is acted upon efficiently.
Documentation also ensures that even if key personnel are working from home or on sick leave, or leave the company, everyone – including new personnel – understands the different departmental risks, and how to tackle them. The document itself should include an easily accessible and readily available contact list for all relevant third-party providers (such as banks and vendors).
Defining risks across the organisation, and correlating these with existing systems and processes, reveals the security gaps. This allows the highest risks to be prioritised, and decisions to be made about which applications should be deployed to mitigate those risks.
The end result may be most effectively achieved through a single, centralised platform, where multiple e-banking applications can be eliminated, and static data in different core systems can be easily consolidated and validated, eliminating the risks one by one.
Where this is deemed the most appropriate pathway, and a TMS is the solution, the treasurer’s understanding of the risks and how to mitigate them will suggest certain RFP questions. Open questions as to how the system can support the business in eliminating process control risk are advised.
More specifically, treasurers should ask about the inclusion of automated whitelist/blacklist checking, and whether or not the proposed system is ERP-independent. The vendor should also explain its reasoning for using either in-house or third-party applications to deliver risk mitigation. After all, in the treasury landscape where process control efficiency is now all about transparency and connectivity, adding complexity can only equate to increasing risk.