Process automation key to protecting against payment fraud

Payment fraud remains a big threat for organisations, with the rapid growth in real-time payments posing an especially tricky, but solvable, dilemma.

Payment fraud may have eased in recent years but with a recent survey by the Association of Financial Professionals (AFP) finding that 71% of organisations were still victims of fraud in 2021 and that attacks are becoming increasingly sophisticated, CFOs and treasurers must remain on their guard.

As the AFP 2022 Payments Fraud Survey and Control notes, while the overall number of firms suffering payment fraud in 2021 is well off the peak of 81% recorded in 2018, nearly 30% of organisations reported an uptick in payment fraud in 2021, with 63% reporting it as unchanged versus 2020. Larger organisations, with annual revenue of at least $1bn, are more susceptible to attacks than smaller ones with annual revenue of less than $1bn, according to the report.

It had been assumed that the global move to remote working during the pandemic would lead to increased payment fraud, because verifying payment requests became more challenging as financial professionals relied on email and other forms of virtual communication, which are vulnerable to attack, for payments information. The AFP survey findings, however, suggest that remote working did not play a significant role in the incidence of payments fraud at organisations during 2021.

But while the pandemic may not have led to a surge in payment fraud, Bob Stark, global head of market strategy at Kyriba, is certain another major trend in recent years is helping to sustain its high levels of incidence.

“The instantaneous nature of transactions, the adoption of real-time payment systems nowadays compared to even a few years ago is definitely creating problems with respect to payment fraud,” he says. “Payments are getting faster and faster, and as more opportunities arise for CFOs and treasurers to leverage that capability, the more vigilance needs to be exercised by them because those payments settle immediately so opportunities for their repudiation are squeezed.

“Ten years ago, with wire fraud say, things could be clawed back in some situations. That facility doesn’t really exist in the same way with these new types of payments.”

[Figure: AFP 2022 Payments Fraud Survey. Source: AFP 2022 Payments Fraud Survey and Control]

Aftermath of attack is worse

Aside from suffering a loss of funds from successful payment fraud schemes, Stark says often worse for the victim is the time, effort and investment needed for cleaning up systems and processes after the attack and managing reputational damage.

According to the AFP’s survey of 552 treasurers, the majority of payment fraud continues to originate from Business Email Compromise (BEC). In fact, 55% of organisations surveyed experienced attempted or actual fraud from BEC in 2021 versus 62% in 2020.

The survey also found that Accounts Payable (AP) continues to be the department most susceptible to BEC, with 58% of respondents indicating their AP teams were compromised through email scams. While that is slightly less than the 61% reported last year, “it remains a concern as payments fraud via ACH debit and ACH credit is on the rise,” says the AFP.

The second most common source of payments fraud (51%) in 2021 was an individual outside the organisation who may, for example, forge a cheque or steal a card. Other sources of fraud highlighted by the AFP report include third parties such as vendors and professional services providers (18%), and hackers infiltrating systems and accounts (16%).

Stark says a key task for firms looking to bolster their security is to consider in forensic detail all the different types of payments they engage with and the processes for each one: “You should ask lots of questions. What are the process components for each one? Should we have an extra level of control? Should we have an extra level of audit? Should we be incorporating bank account verification or sanction list screening?”

Ensuring each type of payment has the appropriate approval process is vital, says Stark, not least because using the same controls for different types (for example, real-time versus T+1 settlement) can mean the organisation fails to fully exploit the particular strengths of each.

“If your process involves, say, six hours of checking of layers from initiation to actually reaching the bank that kind of negates the value of real-time payments. It could be one hour, it could be 30 minutes, but that still is probably too long to take advantage of some of the benefits that you’re trying to get out of real-time.

“On the flip side if your process for real-time doesn’t have enough checks and balances, then you may not be exercising the diligence that you should, given these payments settle immediately and you don’t have the same repudiation features that you do with other types of longer timescale payments.”

Automation to the rescue

When dealing with different types of payments, it’s important to adapt processes and be agile. The alignment of control process with the capabilities and speed of those payments is key for developing effective fraud prevention. Otherwise, says Stark, an unsatisfactory scenario arises where there are process inefficiencies with the organisation either not taking full advantage of its payment capabilities or missing things with its anti-fraud checks and balances that can compromise the organisation.

While automation of processes such as sanctions screening and third-party validation would be most beneficial for real-time payments, Stark is keen to stress that it can also save considerable time and effort with longer lead-time payments.

Solutions are available that enable CFOs to automate payment processes and standardise controls, strengthening fraud prevention and ensuring each payment is handled in a consistent manner regardless of geography, type or amount. Kyriba’s own payments platform, for example, aims to enforce corporate payment policies, reduce the cost of managing payments and ensure all payments are intelligently screened against internal and external compliance standards, improving overall payments efficiencies and further reducing opportunities for fraud.

“Organisations can certainly put in more resilient sets of checks and balances to fortify payment processing. Speed and automation are critical when we’re talking about instant payments but even with other types it can all be customised, so you have different sets of rules for each payment channel, say for screening, third-party validation, geographies, or specific countries or groups of countries and so on,” says Stark.


Enterprise-wide vigilance required

Solutions now also incorporate machine learning so that they can be trained to tell the difference between a good and bad payment and look for suspicious payment patterns, all in real-time.

“By using a data-based fraud prevention approach organisations can ensure that every payment that’s being presented can be managed and reviewed automatically versus the relevant policy as well as historical payments,” says Stark. “Additional checks and balances such as sanction lists can also be integrated.”

Stark can only see fraudsters becoming more sophisticated with their schemes. With data increasingly driving decision-making within organisations, enterprise-wide initiatives to protect it as well as the payment processes themselves are essential.

“We need to become more intelligent in terms of recognising fraud threats and that means leveraging data, automation, and the connective tissue between your processes,” he says. “Data and process are separate things, but they need to be interwoven in terms of your overall approach to payments fraud.”

On a positive note, Stark believes greater collaboration between CIOs, CFOs and treasury teams has been a key factor in bearing down on fraud generally in recent years.

“There are many categories of fraud and the ones that pose the biggest threats to organisations are cybercrime, customer fraud and asset misappropriation, of which payment fraud is a subset,” he says. “CIOs, CFOs and treasurers are working together to provide more end-to-end defence for their organisations, cover all these bases, and that is helping to create resilience across the entire organisation for all the different types of fraud.”

Stark says CFOs have an especially vital role in developing and actioning effective fraud strategies as they often drive the partnership between AP departments and treasury.

“When it comes to fraud it’s incredibly important that those two departments and their workflows act in concert as payments are generally managed by those two departments in an organisation,” he adds. “They have different values, processes and systems but you absolutely don’t want one to be a weaker link than the other in their potential exposure to fraud.”

[Figure: AFP Payments Fraud Survey, fraud victims. Source: AFP 2022 Payments Fraud Survey and Control]
