Cybercrime, ‘Fake President’ fraud attempts, vishing, phishing, or fraudulent invoices – these are just some of the attacks on corporates that have been topping the news on a daily basis, with no end in sight. Losses have been soaring to new record heights – figures that were recently confirmed by the 2018 AFP ‘Payment Fraud and Control Survey Report’. So how can companies protect themselves against fraud? Are ever more complicated technological setups, filters and firewalls the answer? They are certainly useful measures, but the most efficient approach to security is to create visibility and transparency when it comes to payments. One way of achieving this is by using a web-based treasury management system (TMS) that enables cross-border payments across different banks on one platform, used group-wide. Such a TMS-integrated, multi-bank payments platform represents the foundation on which companies can build secure processes and achieve cash flow visibility.
Payments processing is the moment where money leaves a company for good. All the more reason why treasurers should pay particular attention to this weak spot and secure it as much as possible. Unfortunately, it’s not that simple. Taking a closer look at payments, you quickly run into a number of issues. Most corporations, whether they are global multinationals or internationally active medium-sized companies based in Europe, have grown organically over time and were not created on the drawing board. They usually have subsidiaries whose finance departments differ in their setup, including their specific payments solution. What does all this translate to?
- A number of different banking tools are used throughout a group
- A limited number of local admins represents a risk with a view to separation of duties
- No central overview of group-wide processes
- A lack of visibility when it comes to subsidiary cash flows.
The sheer number and diversity of the different banking tools poses an enormous risk. It makes processes more error-prone, with practicality issues overriding security measures. What’s more, such a setup can lead to targeted fraud attempts capitalizing on the lack of administrative visibility and transparency, as incidents remain undetected for a long time. In fact, some companies might still be in for a nasty surprise. I have been a consultant for multinational companies for over eight years. While every project is different, there is some clear advice that applies to everyone: the most efficient solution for a secure payments setup is a web-based TMS with an integrated, multi-bank-enabled payments platform.
Security through visibility
The advantage of a multi-bank TMS is that all banks can be integrated on one single platform, which translates to complete cash flow visibility. Data from anywhere in the world can be entered in the web-based application, and the integration of the subsidiaries is a given. In turn, their collaboration is assured and local knowledge can be leveraged easily. At the same time, data is available anywhere and in real time, including at the headquarters. A standardized banking interface that users worldwide benefit from when processing global payments through any bank ensures ease-of-use in all entities. In addition, a web-based and multi-bank TMS makes administrative processes at headquarters more secure by paying heed to the processes, permissions and limits defined in a company – i.e. to their treasury policy.
Single payment security through central user rights administration
A multi-bank TMS also enables treasurers to specify rights-based controls, allowing them to limit the number of people who are authorized to create manual payments. The right to approve these payments can then be assigned to someone else, ensuring that dual approval and with it a fundamental security standard are upheld. Within the framework of this permission model, payment limits can be set, or it can be made mandatory to involve a specific management level in the payments approval process. Moreover, placing the task of administering these rights with the central treasury means it is able to assign or revoke rights in real time, ensuring that companies are always able to respond quickly to a change of staff. By the same token, a sophisticated permission model that is centrally administered in the TMS represents an efficient means of protection against various fraud schemes – in particular in connection with single payments that are ultimately at the bottom of a “successful” Fake President fraud or embezzlement attempt.
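The permission model described above can be expressed as a release check. The following is an added example, not code from the article or from any TMS product; the class names, the escalation threshold and the management-level scale are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values for illustration (a real treasury policy sets its own).
ESCALATION_AMOUNT = 100_000   # payments at or above this need senior sign-off
ESCALATION_LEVEL = 2          # minimum management level for that sign-off

@dataclass
class Grant:
    rights: set          # subset of {"create", "approve"}
    level: int = 0       # management level, higher is more senior
    limit: float = 0.0   # largest amount this user may approve

@dataclass
class Payment:
    amount: float
    created_by: str
    approved_by: list = field(default_factory=list)

class CentralRights:
    """One centrally administered rights table; changes apply immediately."""
    def __init__(self):
        self._grants = {}

    def assign(self, user, grant):
        self._grants[user] = grant

    def revoke(self, user):
        self._grants.pop(user, None)

    def release_blockers(self, p):
        """Return the reasons a payment may not leave; empty list means release."""
        none = Grant(rights=set())
        reasons = []
        if "create" not in self._grants.get(p.created_by, none).rights:
            reasons.append("creator has no create right")
        # An approval counts only if it is independent, authorised and within limit.
        valid = []
        for user in set(p.approved_by) - {p.created_by}:
            g = self._grants.get(user, none)
            if "approve" in g.rights and g.limit >= p.amount:
                valid.append(g)
        if not valid:
            reasons.append("no independent approver within limit")
        senior = any(g.level >= ESCALATION_LEVEL for g in valid)
        if p.amount >= ESCALATION_AMOUNT and not senior:
            reasons.append("required management level has not approved")
        return reasons
```

Because rights are looked up at release time rather than copied onto the payment, revoking an approver's grant also invalidates approvals that person gave on payments not yet released.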
Bulk payment security through checksums
While single payments can either be avoided altogether or be placed within the framework of a permission model to achieve fraud prevention, bulk payments call for different security measures. They are often created in an ERP or HR system, and using a web-based TMS enables subsidiaries to check and approve them. This first step ensures that the payment is correct, but how can you prevent errors or manipulation en route whilst the file is transferred to the payment system? This is where checksums, which alert you to any discrepancies, come in handy. Using checksums means your bulk payments are perfectly secure, even while they’re being transmitted from an ERP or HR system to a multi-bank treasury management system.
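A sketch of such a checksum on a bulk payment file, as an added example rather than code from the article or any TMS product. The article does not name an algorithm; this assumes a keyed checksum (HMAC-SHA256) with a secret shared between the exporting system and the TMS, so that someone who alters the file in transit cannot recompute a matching value. The file layout, function names and key are constructed for illustration.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed sample batch (beneficiary;account;amount), not real account data.
BATCH = (
    b"Supplier A;DE00EXAMPLE0000000001;1200.00\n"
    b"Supplier B;FR00EXAMPLE0000000002;8450.50\n"
)
# Assumption: ERP and TMS hold a shared secret that never travels with the file.
SHARED_KEY = b"constructed-demo-key"

def _totals(batch: bytes):
    """Record count and amount total in cents (exact, no float rounding)."""
    rows = [r.split(b";") for r in batch.splitlines() if r]
    cents = sum(int(Decimal(r[2].decode()) * 100) for r in rows)
    return len(rows), cents

def seal(batch: bytes, key: bytes) -> dict:
    """Export side: control record sent alongside the payment file."""
    count, cents = _totals(batch)
    tag = hmac.new(key, batch, hashlib.sha256).hexdigest()
    return {"count": count, "total_cents": cents, "tag": tag}

def discrepancies(batch: bytes, control: dict, key: bytes) -> list:
    """Import side: list every mismatch; an empty list means accept the file."""
    found = []
    count, cents = _totals(batch)
    if count != control["count"]:
        found.append("record count differs")
    if cents != control["total_cents"]:
        found.append("amount total differs")
    expected = hmac.new(key, batch, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the match position through timing.
    if not hmac.compare_digest(expected, control["tag"]):
        found.append("keyed checksum differs")
    return found
```

A changed beneficiary account leaves the record count and amount total untouched, so only the keyed checksum over the full file content reports it.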
Standardizing payments processing and central payment administration in a multi-bank and web-based TMS systematically combines payment security and efficiency. No payment can leave the company unless its accuracy has been established and it has been authorized. That said, oftentimes companies process payments that do not leave the overall group, but where the beneficiary is someone within the group – for example account reconciliation aimed at avoiding overdraft interest. One secure solution for internal payments is pre-signed templates. They give treasurers maximum responsiveness and protect them against issues in connection with a lack of visibility or any arbitrary acts by stipulating a pre-defined process. A similar process can be determined for FX deals in order to avoid expensive penalty interest. Standard Settlement Instructions (SSIs) can be used for trades with non-account holding banks. The treasury policy can impose templates for both internal payments and FX deals, making corporate cash management as effective as possible.
Security through Two Factor Authentication
Last but not least, I’d like to take a look at the role Two Factor Authentication (2FA) can play in creating additional security. The underlying principle of this method is that a user needs to confirm his or her identity and is only granted access after presenting two factors to an identification mechanism. This impedes unauthorized access to a system and also prevents identity theft by means of stolen passwords. Some systems also use 2FA for payments, following the same underlying principle: payments can no longer be approved using one system alone, but a second device is introduced, and the approval process is split up. The user requires a second device, i.e. separate hardware, to authorize a payment. A very elegant way to implement this is 2FA via a mobile app, as it provides ease-of-use and is available on the go. After all, the corporate world is constantly moving, and this dynamic environment requires treasurers to be able to act in an instant wherever they are – without compromising security.
Security and the ability to act whenever and wherever are absolute musts for any globally active company. A multi-bank payments platform that is integrated in a TMS not only creates complete cash flow visibility but enables companies to manage payments from anywhere in the world and ensures system permissions are in line with security standards. Using 2FA to access this system further boosts security considerably. Overall, this represents a very systematic approach to cybercrime and fraud prevention and creates maximum payment security.