Arming Treasurers to Fight Payments Fraud
Corporate treasurers have a world of worries on their minds. Managing liquidity, foreign exchange (FX) risk and counterparty risk are their biggest concerns. So is mitigating operational, compliance and financial risk.
Risk management has always been part of a treasurer’s job description. But these days, when we speak to treasurers about what’s on their mind, we often hear resigned sighs. They’re being buffeted by waves of regulatory reform from Washington and extensive payment card industry (PCI) requirements for securing financial data. And they’re being directed by senior management to make informed decisions in areas beyond their traditional expertise.
When the global economy began spiralling downward several years ago, chief executives elevated their treasury and risk management functions from the back office to the boardroom by giving treasurers more responsibility and greater visibility within their organisations. Today, treasurers are briefing not just the chief executive officer (CEO) and chief financial officer (CFO) but board audit committees about strengthening internal controls, cutting costs, streamlining complex business policies and processes to improve financial transparency, and complying with myriad regulatory requirements. They are also more accountable for combating internal and external payments fraud.
According to a 2011 survey conducted by the Association for Financial Professionals (AFP), 71% of participating organisations experienced attempted or actual payments fraud attacks last year. Large enterprises were much more likely to have been victimised by payments fraud than smaller businesses: 82% of those with annual revenues over US$1bn were fraud victims in 2010 compared with 58% whose annual revenues were less than US$1bn.
In the US, the vast majority of payment-related fraud and losses are related to cheques. The AFP survey revealed that, even as corporate payments are steadily migrating from paper to electronic forms, cheques continue to be the most prevalent form of financial fraud, with 93% of affected organisations reporting that their cheques had been targeted.
While other payment methods, such as automated clearing house (ACH) transfers, debit cards and corporate purchase cards, are also vulnerable to fraud, the opportunities for criminals to gain access to confidential business and financial data grow the more organisations move their operations online and the more their employees communicate, collaborate and conduct transactions over the internet or via mobile devices.
Criminals online today are cunning, organised and global. They are masters of social engineering, skilled in targeting the corporations, governments or individuals that are most vulnerable and offer the highest potential for gain. Often, they and their supporting networks are located in jurisdictions where security and enforcement are lax and financial fraud is difficult to prosecute.
Their phishing attacks are becoming more sophisticated, luring unsuspecting targets into clicking on links in seemingly genuine emails. The resulting malware compromises employee computers or installs keystroke loggers that collect user login IDs, account data and other personally identifiable information.
Cyberthreats also present themselves as malware that embeds itself in the browser and can divert, modify or manipulate what a user submits on an online banking page. Because this ‘man-in-the-browser’ malware runs inside the browser, it sees and alters page content after the connection has been decrypted, so it defeats the protection that HTTPS gives against a classic network ‘man-in-the-middle’ attack, with which it is often confused. A typical variant injects extra fields into the genuine login page to harvest data that the bank uses as secondary authentication, such as security-question answers or one-time codes; another alters the beneficiary and amount of a payment the user is submitting while displaying the values the user expects to see.
Federal consumer-protection rules, such as Regulation E (which implements the Electronic Fund Transfer Act), give consumers considerable protection against financial fraud. Not so for businesses.
Banks and other financial institutions are not obligated to reimburse businesses for fraud-related losses, including those due to malware attacks. Under Article 4A of the Uniform Commercial Code, a bank that accepts a payment order in good faith after verifying it under a ‘commercially reasonable’ security procedure agreed with the customer can generally leave the loss with the customer, and many corporate banking agreements contain indemnity clauses that mirror this standard. As a result, corporations are increasingly suing their banks, arguing that the security procedure offered was not commercially reasonable, in an effort to recoup lost funds.
The Federal Financial Institutions Examination Council (FFIEC) issued guidance in 2005 which concluded that single-factor authentication, as the only control, is inadequate for high-risk transactions such as moving funds to third parties, and which directed banks to take a risk-based approach in evaluating the strength of user authentication. With corporate fraud-related losses and court cases mounting, the FFIEC is expected to release revised guidance in coming months that calls for stronger authentication and layered controls beyond what banks offer today.
Some financial institutions have already implemented technologies that monitor corporate payment account activity and flag irregularities, such as out-of-pattern dollar amounts for certain types of transactions, then bring these irregularities to the attention of the company from which the transactions are originating.
To combat fraud as part of their overall risk management strategy, treasurers are also automating more of their enterprise resource planning (ERP) and treasury management systems, and integrating them with bank-provided tools, such as Positive Pay. With this service, which is offered by most banks, the company sends the bank a file of the cheques it has issued, and the bank matches the account number, cheque number and dollar amount of every cheque presented for payment against that issue file; payee-name verification is usually offered as an enhancement. Any item that does not match is not paid automatically but is returned to the company as an exception to be paid or returned, which catches counterfeit cheques, altered amounts and duplicate presentments. Similar tools (ACH debit blocks and filters) are available for policing ACH activity.
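As an added worked example (not code from the page, nor from any bank's Positive Pay product), the matching step described above in Python. The record layouts, the normalisation used for payee names and the sample issue file and presented items are all constructed for illustration; they show the four exception cases a treasurer would expect to see on a daily exception report: a cheque number the company never issued, an altered amount, a voided cheque and a second presentment of a cheque already paid.

```python
"""Positive Pay style matching of presented cheques against the issue file.

Added example, not any bank's product. Field names and sample data are
constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class IssuedCheque:
    cheque_no: str
    account: str
    amount: Decimal
    payee: str
    voided: bool = False


@dataclass(frozen=True)
class PresentedItem:
    cheque_no: str
    account: str
    amount: Decimal
    payee: str  # payee name as read from the presented item


def normalise_payee(name: str) -> str:
    """Case-fold, drop punctuation and collapse whitespace so that
    'ACME SUPPLIES LTD.' and 'Acme Supplies Ltd' compare equal."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in name)
    return " ".join(cleaned.split()).casefold()


Decision = Tuple[PresentedItem, str, str]  # (item, "PAY" | "EXCEPTION", reason)


def match_presented(issued: List[IssuedCheque], presented: List[PresentedItem]) -> List[Decision]:
    """Decide each presented item. Exceptions are never paid automatically;
    they go back to the company for a pay/return decision."""
    index: Dict[Tuple[str, str], IssuedCheque] = {(c.account, c.cheque_no): c for c in issued}
    paid: Set[Tuple[str, str]] = set()
    decisions: List[Decision] = []
    for item in presented:
        key = (item.account, item.cheque_no)
        issue = index.get(key)
        if issue is None:
            decisions.append((item, "EXCEPTION", "no matching issue record"))
        elif issue.voided:
            decisions.append((item, "EXCEPTION", "cheque voided by issuer"))
        elif key in paid:
            decisions.append((item, "EXCEPTION", "duplicate presentment"))
        elif item.amount != issue.amount:
            decisions.append((item, "EXCEPTION",
                              f"amount mismatch: issued {issue.amount}, presented {item.amount}"))
        elif normalise_payee(item.payee) != normalise_payee(issue.payee):
            decisions.append((item, "EXCEPTION", "payee name mismatch"))
        else:
            paid.add(key)
            decisions.append((item, "PAY", "matched issue file"))
    return decisions


# Constructed sample data: one day's issue file and the items the bank received.
ISSUED = [
    IssuedCheque("1001", "12345678", Decimal("2500.00"), "Acme Supplies Ltd"),
    IssuedCheque("1002", "12345678", Decimal("980.50"), "Northwind Traders"),
    IssuedCheque("1003", "12345678", Decimal("15000.00"), "Contoso Services", voided=True),
]
PRESENTED = [
    PresentedItem("1001", "12345678", Decimal("2500.00"), "ACME SUPPLIES LTD."),  # genuine
    PresentedItem("1001", "12345678", Decimal("2500.00"), "ACME SUPPLIES LTD."),  # presented twice
    PresentedItem("1002", "12345678", Decimal("9805.00"), "Northwind Traders"),   # amount altered
    PresentedItem("1003", "12345678", Decimal("15000.00"), "Contoso Services"),   # voided by issuer
    PresentedItem("1004", "12345678", Decimal("42000.00"), "J. Doe"),             # never issued
]


def run_demo() -> List[Decision]:
    return match_presented(ISSUED, PRESENTED)


if __name__ == "__main__":
    for item, decision, reason in run_demo():
        print(f"{item.cheque_no:>5} {item.amount:>10} {decision:9} {reason}")
```

Note that only a PAY decision marks a cheque as paid; an item that was returned as an exception may legitimately be re-presented once the company has corrected its issue file.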
Payment fraud can also strike close to home. A disgruntled employee with high-level access to internal financial systems and passwords, for example, could compromise the security of an entire organisation, which is why separation of duties and dual approval of payments matter as much as the controls at the perimeter.
Managing the risk of a porous corporate perimeter has never been easy. But as the economic world becomes more complex and payment fraud more prevalent, treasurers are arming themselves with tools that make cutting-edge fraud protection simple to use and effortless to manage.
The best overall payment fraud defence is a multilayered one. Assume that your perimeter defences will be breached and focus on protecting your assets once an intruder has access to your systems. Combine strong authentication (user IDs and passwords plus hardware or software tokens) with robust business rules that limit activity to normal business patterns, approved payment types, approved accounts and transaction limits, with a second approver required above a threshold. Make sure a detailed, tamper-evident audit trail is created, so that you will know who touched what data and when.
Treasurers told us they want a technology that addresses the complexity of how their enterprise conducts payment transactions. It should help them control costs; apply business policies and controls uniformly throughout the company; give users easy yet tightly controlled access to systems and data; embed multiple layers of protection to keep information secure; and provide payment processing, collection, disbursement and reconciliation on one common platform.
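As an added worked example (not code from the page, nor from any vendor's treasury platform), one way to implement the layered controls described above in Python: a rule set applied to every payment after the user has authenticated, and an append-only audit trail in which each entry commits to the hash of the previous entry so that a removed or edited entry is detectable. The POLICY values, user entitlements, account numbers and the payments in run_demo() are all constructed for illustration.

```python
"""Payment-initiation business rules plus a tamper-evident audit trail.

Added example, not any vendor's product. POLICY, entitlements and the
payments in run_demo() are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple


@dataclass
class Payment:
    payment_id: str
    initiator: str                 # user already authenticated with password + token upstream
    payment_type: str              # "ACH", "WIRE" or "CHEQUE"
    debit_account: str
    beneficiary_account: str
    amount: Decimal
    approver: Optional[str] = None  # second user, required above the dual-approval threshold


# Assumed policy; in practice this lives in configuration, not in code.
POLICY = {
    "allowed_debit_accounts": {"12345678", "87654321"},
    "known_beneficiaries": {"11110000", "22220000"},
    "per_item_limit": {"ACH": Decimal("50000"), "WIRE": Decimal("250000"), "CHEQUE": Decimal("25000")},
    "dual_approval_above": Decimal("10000"),
    "entitled_types": {"ap.clerk": {"ACH", "CHEQUE"},
                       "treasury.analyst": {"ACH", "WIRE", "CHEQUE"},
                       "treasury.manager": {"ACH", "WIRE", "CHEQUE"}},
}


def evaluate(p: Payment) -> List[str]:
    """Return every rule the payment violates; an empty list means it may proceed."""
    v: List[str] = []
    if p.payment_type not in POLICY["entitled_types"].get(p.initiator, set()):
        v.append(f"{p.initiator} not entitled to initiate {p.payment_type}")
    if p.debit_account not in POLICY["allowed_debit_accounts"]:
        v.append(f"debit account {p.debit_account} not permitted")
    limit = POLICY["per_item_limit"].get(p.payment_type)
    if limit is None or p.amount > limit:
        v.append(f"amount {p.amount} exceeds {p.payment_type} limit {limit}")
    if p.beneficiary_account not in POLICY["known_beneficiaries"]:
        v.append(f"beneficiary {p.beneficiary_account} not on approved list")
    if p.amount > POLICY["dual_approval_above"]:
        if p.approver is None:
            v.append("dual approval required")
        elif p.approver == p.initiator:
            v.append("approver must differ from initiator")
    return v


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each entry includes the previous entry's hash, so
    verify() fails if any earlier entry is altered or removed."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self._prev = self.GENESIS

    def record(self, actor: str, action: str, detail: dict, ts: str) -> str:
        body = {"ts": ts, "actor": actor, "action": action, "detail": detail, "prev": self._prev}
        self._prev = _digest(body)
        self.entries.append({**body, "hash": self._prev})
        return self._prev

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: val for k, val in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def submit(p: Payment, trail: AuditTrail, ts: str) -> bool:
    """Apply the rules, record who submitted what and the outcome, return acceptance."""
    violations = evaluate(p)
    detail = {"payment_id": p.payment_id, "type": p.payment_type, "debit": p.debit_account,
              "beneficiary": p.beneficiary_account, "amount": str(p.amount),
              "approver": p.approver, "violations": violations}
    trail.record(p.initiator, "REJECT" if violations else "ACCEPT", detail, ts)
    return not violations


def run_demo() -> Tuple[List[bool], AuditTrail]:
    trail = AuditTrail()
    outcomes = [
        submit(Payment("P1", "ap.clerk", "ACH", "12345678", "11110000", Decimal("4200")), trail, "2011-06-01T09:15:00Z"),
        submit(Payment("P2", "ap.clerk", "WIRE", "12345678", "22220000", Decimal("40000"), "treasury.manager"), trail, "2011-06-01T09:16:00Z"),
        submit(Payment("P3", "treasury.analyst", "WIRE", "12345678", "33330000", Decimal("40000"), "treasury.analyst"), trail, "2011-06-01T09:17:00Z"),
        submit(Payment("P4", "treasury.analyst", "WIRE", "12345678", "22220000", Decimal("40000"), "treasury.manager"), trail, "2011-06-01T09:18:00Z"),
    ]
    return outcomes, trail
```

The rules are deliberately evaluated in full rather than stopping at the first failure, so the audit entry for a rejected payment lists every control it tripped; an investigator reading the trail later sees, for instance, that P3 both named an unapproved beneficiary and was self-approved. The hash chain only makes tampering detectable; it does not prevent it, so the trail should also be written to storage the payment operators cannot modify.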
With a multilayered, high-performance payment platform in place, treasurers can sleep better at night, knowing that the integrity of their corporate accounts is safe and sound.