Trek Bicycle Corporation is very much a current success story. Founded in a shed in Waterloo, Wisconsin, back in 1976, the organisation now employs 2,500 people across 25 countries and sells bicycles and accessories in over 100 countries through a global network of 5,000 independent bike dealers and distributors – a number that continues to grow. All in all, it means the four-person treasury team at HQ is busy juggling global cash, currency, banking, debt, hedging, and insurance.
It’s unsurprising therefore that the team decided to implement a treasury management system (TMS). According to Jennifer Tomaloff, Trek’s International Treasury Manager, there were some key goals the firm wanted to achieve from their TMS. These included adding value to the treasury function, adopting best practices, standardizing processes, becoming more strategic, automating processes and reducing trapped cash. System connectivity was also important – as was mitigating fraud – which is something Jennifer worked on with Kyriba and a delivery partner, Actualize Consulting.
“Mitigating fraud was important for us,” explains Jennifer, “because we recognized that the threat was increasing. We’d experienced a significant increase in fraud attempts, so our top priority was to improve global payment controls.”
Payment fraud vulnerabilities
When implementing the new TMS and associated protocols, Jennifer says that a number of fraud and security vulnerabilities were identified. These included the use of multiple (27) bank portals, controls that could be bypassed, inconsistencies within global processes, payment files that were not always secure, and weaknesses in local bank user setup.
As a result, Trek developed a clear four-step plan that would resolve the issues:
- Security: Strengthen and standardize global payment process to be much more resilient to fraud
- Simplicity: Simplify global banking structure, standardize processes, reduce number of bank partners
- Automate: Leverage technology to reduce manual processes and create time for more value-add work
- Efficiency: Identify opportunities to save money through interest, FX, labor cost and/or bank fees, for example
“We also underpinned this plan with a strong executive message, which is important. It’s not all about processes and systems. We delivered the message that no payment is a rush, no executive will instruct you to make a payment via email, which removed the risk of phishing attacks. And, above all else, no payment should bypass controls, because that’s dangerous!”
“By standardizing our processes, simplifying our banking structures and removing unnecessary access to bank accounts we could quickly improve the situation. I was shocked when I found out that 60 people could release payments in banking portals. Today, we’re down to 10 globally. Some of our payment files were unsecured, so theoretically could have been changed. So, we looked to create a system where a payment file would run through our system without anybody being able to touch it.”
The newly-devised, secure system introduced by Trek ended up looking like this:
- Upfront payment controls in ERP (single global source)
- Payment file generated after payment & controls validated – via ERP
- Kyriba’s Payment Fraud Module introduced so that every payment is scanned against rules. Payment is held for review if required – TMS
- Additional payment review and approval – TMS
- Payment made to bank
Six key processes
In her presentation, Jennifer suggested that there are six key processes or takeaways that underpin Trek’s fraud mitigation controls.
- Vendor controls must be complete before payment run
- Move to scheduled payment runs
- No manual file uploads/entry to bank
- Kyriba holds vendor bank information, because it’s more secure
- Every payment scanned for fraud
- Only 10 users can release payments – and dual payment authorization is required
Despite this, a small fraction of payments still need to go through local banks. Recognizing this, Jennifer and her team at Trek devised a secure exception process, limited to payments that cannot be done by global banks and Kyriba (certain tax payments, for example).
“We put a lot of effort into identifying individual payment types that are done through local bank portals, locking down local bank portals as much as possible to prevent non-authorized payments, ensuring treasury has admin access to local bank accounts where possible and limiting payment size.”
Trek is utilizing the Kyriba Payment Fraud Module in its activities – something Jennifer says is a great tool. “You can blacklist or whitelist companies – we opted to whitelist. In our UK subsidiary, for example, the bulk of their payments are to the UK, with some to Switzerland and Germany. We introduced a whitelist that means they’re the only countries they can send payments to. If they attempt to make a payment to another country we’re notified so we can review it. The First Payment feature also stops the first payment in Kyriba to a new (or newly updated) bank account, which is a handy feature.”
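The country whitelist and first-payment hold described above, together with the dual-authorization rule from the six key processes, can be expressed as a screening step that runs before release. This is an added illustration, not Kyriba's or Trek's code; the entity name, vendor and account identifiers, approver names and the `screen` and `release` functions are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample policy: one subsidiary limited to GB, CH and DE.
COUNTRY_WHITELIST = {"UK_SUB": {"GB", "CH", "DE"}}
# Stands in for the small, fixed group of users allowed to release payments.
RELEASERS = {"alice", "bob"}


@dataclass(frozen=True)
class Payment:
    entity: str    # paying subsidiary
    vendor: str
    account: str   # beneficiary bank account identifier
    country: str   # beneficiary bank country, ISO 3166-1 alpha-2
    amount: float


def screen(p, paid_accounts):
    """Return the rule hits for a payment; an empty list means it passes."""
    hits = []
    allowed = COUNTRY_WHITELIST.get(p.entity)
    if allowed is None:
        hits.append("no-whitelist-for-entity")  # fail closed for unknown entities
    elif p.country not in allowed:
        hits.append("country-not-whitelisted")
    # A vendor/account pair never paid before is a first payment. This also
    # catches an existing vendor whose bank details were just changed.
    if (p.vendor, p.account) not in paid_accounts:
        hits.append("first-payment-to-account")
    return hits


def release(p, approvers, paid_accounts, reviewed=False):
    """Release only if hits were reviewed and two distinct releasers approve."""
    hits = screen(p, paid_accounts)
    if hits and not reviewed:
        return ("HELD", hits)
    if len(set(approvers) & RELEASERS) < 2:
        return ("REJECTED", ["dual-authorization-required"])
    paid_accounts.add((p.vendor, p.account))  # later payments are not "first"
    return ("RELEASED", hits)
```

Keying the first-payment check on the vendor and account together is what makes a bank-detail change on a known vendor trigger the same hold as a brand-new vendor.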
A successful journey
Jennifer adds: “I think it’s fair to say we’ve come a long way in protecting ourselves from fraud, while at the same time streamlining our activities. We’ve moved from 27 bank portals to three, all payments are sent low value wherever possible, rather than high value, which has saved us money and we’ve moved from inconsistent payment processes and vendor setups/changes that weren’t reviewed/approved to a standard payment and vendor set up with full approval and review that is much more secure.”
In summary, here’s a snapshot of the journey made by Trek in enhancing its operations globally while mitigating payment fraud: