How to deal with payment fraud and cyber crime?
In the past few years, many companies have centralized their payment processes by setting up a payment factory. The main focus of these types of projects is often on change management and technical implementation. This means that operational risk and control issues, which arise when the execution of payments is transferred from several local entities to one central entity, do not always get the attention they deserve. Operational risks that can be identified relate to payment fraud (internal risk) and cyber crime (external risk). How should companies deal with these challenges? In this article, two experts provide their points of view.
Guillaume Metman is the product manager of AvantGard Trax, the payment factory solution of SunGard. With 10 years of experience at SWIFT, Mr Metman is an expert in the field of bank communication systems for corporates.
Eliane Eysackers is a consultant at Zanders and specializes in payment and treasury solutions for corporate clients.
When implementing a payment factory, a corporate encounters both technical and operational challenges, such as payment fraud and cyber crime. How can corporates protect themselves against these risks?
Guillaume Metman: “Payment factories are a great way to implement centralized and consistent procedures and controls and to have proper segregation of duties. But they introduce challenges at the same time. The main one is the process of remote approval and final release of payment files containing potentially thousands of payments for hundreds of vendors from the subsidiaries initiating the payment process.
The payment factory user will never have the same degree of involvement and the same intuition that a local finance manager has in detecting possible erroneous or fraudulent payments. Even if technology is good at enforcing the process, it has to be smart to be successful. For instance, payment factories could help with verification to detect such payments. Instead of someone checking all normal invoices, it can be more useful to check only for the deviations from established patterns, such as those to new vendors or with amended account details, or with amounts inconsistent with historical payments.
Without going as far as profiling payments the way a card processing company does, even some simple checks can be beneficial, if the proper process is in place. For example, it is quite easy to block a supplier payment that happens to contain an employee account number as beneficiary.
But who should act on it? Treasury? Human Resources? Which process should be used and what should be the response time? Corporates have yet to build the compliance teams that banks were required to build 15 years ago, when the filtering regulation was enforced under OFAC (Office of Foreign Assets Control).”
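The deviation checks Metman describes (new vendors, amended account details, amounts inconsistent with history, and the hard block on a supplier payment whose beneficiary is an employee account) are easy to express as batch screening rules. The following is an added example written for this article, not code from SunGard, Zanders or AvantGard Trax; the vendor master, employee account list, payment history and IBAN-like strings are all constructed, and the 3x median threshold is an assumed tuning value.

```python
"""Pattern-deviation screening for a supplier payment batch (added example).

Flags payments to new vendors, to beneficiary accounts that differ from the
vendor master and with amounts out of line with history, and blocks any
payment whose beneficiary account belongs to an employee. All reference
data below is constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Payment:
    ref: str
    vendor_id: str
    beneficiary_iban: str
    amount: float


# Constructed reference data (hypothetical vendor ids and IBAN-like values).
VENDOR_MASTER = {
    "V100": "DE00000000000000000001",
    "V200": "NL00000000000000000002",
}
EMPLOYEE_ACCOUNTS = {"GB00000000000000000009"}
PAYMENT_HISTORY = {
    "V100": [1200.0, 1350.0, 1180.0, 1250.0],
    "V200": [9800.0, 10100.0, 9950.0],
}


def screen_payment(p, master, employees, history, ratio=3.0):
    """Return a list of (severity, reason) findings; an empty list means STP."""
    findings = []
    if p.beneficiary_iban in employees:
        findings.append(("BLOCK", "beneficiary account belongs to an employee"))
    if p.vendor_id not in master:
        findings.append(("REVIEW", "new vendor, not present in vendor master"))
    elif master[p.vendor_id] != p.beneficiary_iban:
        findings.append(("REVIEW", "beneficiary account differs from vendor master"))
    past = history.get(p.vendor_id)
    if past:
        # Compare against the median so a single past outlier does not skew the check.
        m = median(past)
        if p.amount > ratio * m or p.amount < m / ratio:
            findings.append(("REVIEW", f"amount {p.amount:.2f} deviates from median {m:.2f}"))
    return findings


def decision(findings):
    """Collapse findings to a single verdict: BLOCK beats REVIEW beats RELEASE."""
    severities = {severity for severity, _ in findings}
    if "BLOCK" in severities:
        return "BLOCK"
    if "REVIEW" in severities:
        return "REVIEW"
    return "RELEASE"


def screen_batch(payments, master=VENDOR_MASTER, employees=EMPLOYEE_ACCOUNTS,
                 history=PAYMENT_HISTORY):
    """Map each payment reference to its verdict."""
    return {p.ref: decision(screen_payment(p, master, employees, history))
            for p in payments}


# Constructed batch exercising each rule once.
SAMPLE_BATCH = [
    Payment("P1", "V100", "DE00000000000000000001", 1300.0),   # routine
    Payment("P2", "V100", "DE00000000000000000099", 1250.0),   # account changed
    Payment("P3", "V300", "FR00000000000000000003", 500.0),    # new vendor
    Payment("P4", "V200", "GB00000000000000000009", 10000.0),  # employee account
    Payment("P5", "V200", "NL00000000000000000002", 45000.0),  # amount outlier
]

if __name__ == "__main__":
    for ref, verdict in screen_batch(SAMPLE_BATCH).items():
        print(ref, verdict)
```

Only the payments that trip a rule leave the STP path, which is the point Metman makes: the reviewer sees a handful of deviations rather than every routine invoice. Who acts on a BLOCK, and within what response time, remains an organisational decision the code cannot make.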
Eliane Eysackers: “When centralizing payments, it is key to ensure that strong procedures and controls are in place. Zanders has gathered in-depth experience in designing ‘best practice’ centralized payment processes and supported many clients in their implementations. When payment processes at a corporate are reviewed, it is vital that the procedures and controls are indeed followed as indicated. A full review of user roles and authorizations of all employees in a treasury department, including maintaining the principles of ‘four eyes’, is appropriate to identify any conflict or possible opportunity for internal payment fraud. Corporates show big differences in payment centralization approaches.
Where some only implement a payment factory technology solution to ensure central processing of payments, others also centralize the accounts receivable and payable functions in a shared service center. Irrespective of the solution chosen, whenever payments are centralized it provides a unique opportunity to ensure compliance with external regulations – and avoid payments being made to sanctioned countries or individuals.
Payment factories look for state-of-the-art solutions that guarantee straight-through processing (STP), and once all internal procedures and controls are passed and payments are formally approved, the payment data or files need to be sent to the bank in a secure manner.
It’s critical that the essential privacy, encryption and authentication are in place to ensure that no external manipulation is possible between payment initiation and receipt by the bank, without compromising the STP principle.”
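Eysackers' answer names three controls at the release step: ‘four eyes’ approval with proper authorizations, a sanctions check before money leaves, and authentication of the file so nothing can be altered between initiation and the bank. The example below, added here and not taken from Zanders or any vendor, models a release gate that enforces all three. The user roles, the two-letter ‘sanctioned’ country codes and the shared key are constructed; the keyed HMAC-SHA256 tag stands in for whatever authentication the real bank channel provides, which is an assumption of this example rather than a description of any particular product.

```python
"""Release gate for an approved payment file (added example, constructed data).

Enforces: (1) two distinct authorised approvers, neither of whom initiated the
file; (2) no beneficiary in a sanctioned country; (3) an integrity/authentication
tag over the file so the receiving side can detect manipulation in transit.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: str
    roles: frozenset


@dataclass(frozen=True)
class PaymentFile:
    file_id: str
    initiator: str
    payments: tuple  # tuple of dicts: ref, beneficiary_country, amount


# Constructed placeholders: NOT a real sanctions list.
SANCTIONED_COUNTRIES = {"XX", "YY"}

SAMPLE_USERS = {
    "alice": User("alice", frozenset({"initiator"})),
    "bob": User("bob", frozenset({"approver"})),
    "carol": User("carol", frozenset({"approver"})),
}

SAMPLE_FILE = PaymentFile("F1", "alice", (
    {"ref": "P1", "beneficiary_country": "DE", "amount": "1300.00"},
    {"ref": "P2", "beneficiary_country": "NL", "amount": "9950.00"},
))

DEMO_KEY = b"constructed-demo-key-not-for-production"


def check_four_eyes(pf, approvals, users, required=2):
    """Return reasons the approval trail is insufficient (empty list = OK)."""
    reasons, valid = [], []
    for uid in approvals:
        user = users.get(uid)
        if user is None or "approver" not in user.roles:
            reasons.append(f"{uid} is not an authorised approver")
        elif uid == pf.initiator:
            reasons.append(f"initiator {uid} cannot approve their own file")
        elif uid in valid:
            reasons.append(f"duplicate approval by {uid}")
        else:
            valid.append(uid)
    if len(valid) < required:
        reasons.append(f"{len(valid)} valid approval(s), {required} required")
    return reasons


def check_sanctions(pf, sanctioned):
    """Return one reason per payment whose beneficiary country is sanctioned."""
    return [f"{p['ref']}: beneficiary country {p['beneficiary_country']} is sanctioned"
            for p in pf.payments if p["beneficiary_country"] in sanctioned]


def seal_file(pf, key):
    """Canonical JSON body plus HMAC-SHA256 tag (stands in for the channel's authentication)."""
    body = json.dumps({"file_id": pf.file_id, "payments": list(pf.payments)},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_file(body, tag, key):
    """Receiving-side check; constant-time comparison of the tag."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def release(pf, approvals, users, sanctioned, key):
    """Return (ok, reasons, sealed). Only a clean file is sealed for transmission."""
    reasons = check_four_eyes(pf, approvals, users) + check_sanctions(pf, sanctioned)
    if reasons:
        return False, reasons, None
    return True, [], seal_file(pf, key)


if __name__ == "__main__":
    ok, reasons, sealed = release(SAMPLE_FILE, ["bob", "carol"], SAMPLE_USERS,
                                  SANCTIONED_COUNTRIES, DEMO_KEY)
    print(ok, reasons, sealed[1] if sealed else None)
```

The sanctions check runs before the file is sealed, so a compliance failure is caught in the payment factory rather than relying on the bank's own filtering. Tampering with even one digit of the body after sealing fails verification on the receiving side.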
Is it still manageable for a corporate treasury department to deal with high-impact risks that span financial, regulatory and IT areas?
Guillaume Metman: “If there is one group that has an important role within the finance organization, it is definitely the treasury department. Many internal security constraints and external regulations fall into the treasury department, since it is the last place where invalid payments can be caught before they leave the company. But these have to be balanced with another key responsibility of treasury, which is to maintain the capability of processing legitimate payments, whatever happens.
Today it is ever more difficult to achieve these conflicting goals, and automation is therefore required. This means a strong partnership between treasury and IT is needed, and neither should try to specify the functional and technical requirements independently.
Let’s take an example to illustrate this. Treasury needs to have a backup payment channel that allows it to execute payments in case the payment factory is unavailable. But the question is: what kind of backup? How complex should it be? How secure should it be? Is a fax machine hidden somewhere the best idea you can have? Or the worst? Only a proper risk-driven system design approach will help to answer these questions.”
Eliane Eysackers: “Many of our corporate clients are currently Sarbanes-Oxley (SOX) compliant, although in reality there can be different degrees of compliance. A good SOX control framework is a minimum requirement and should prevent payment fraud. Both manual and automated procedures and controls need to be documented and implemented, with regular checks to test their effectiveness in the payment execution process.
There are two kinds of payment fraud. Internal fraud relates to situations where employees abuse their authorizations or access to systems to embezzle funds. This has to be controlled by internal procedures.
External fraud is typically IT security related, for example skimming, cyber crime or hacking. Even though the mitigation of all these risks is usually not fully within its scope and remit, a treasury department can still play an important role in ensuring that the required IT security and policies are in place and enforced.”
How can a payment factory cope with the challenges of supporting local payment requirements?
Guillaume Metman: “The world is not flat, so you have to take care of local particularities and any payment factory has to adapt to these. But on the other hand, when the payment factory starts to process multiple payment types in multiple ways, this creates complexity. And complexity is one of the biggest enemies of security.
So, we need tools that are able to work at two levels: to be very versatile at the lower, more technical level, to allow the payment factory to adapt to all local requirements, yet it must preserve its ability to be as abstract and simple as possible from the end-user’s point of view. The way to deal with complexity and make it transparent to users’ needs is for the payment factory to be managed and approved properly by the right people in the design phase.
SunGard’s payment factory was built with these principles in mind, offering deep customization possibilities, yet preserving a simple view for the users that just want to approve their payments.”
Eliane Eysackers: “Implementing a payment factory is about centralizing payments while keeping in mind that in reality, some countries do not allow the degree of centralization that the organization is seeking.
At the same time an STP process wouldn’t be feasible in every country, as such a solution often requires certain technical capabilities that are not supported by the local banks. Most organizations implementing a centralized payments process realize at some point that it is simply not possible to achieve 100% centralization, due to local regulations or technical constraints. What complicates things further is that this tends to involve those countries that have a higher risk of payment fraud. It is therefore vital that the procedures and controls that are put in place are also applied locally.
Another important aspect is to have sufficient visibility over local payment processes, to ensure local compliance and to detect fraud as soon as it occurs.”
How can technology, procedures and controls ensure that payments are executed safely?
Guillaume Metman: “Unfortunately, procedures and controls supported by technology will never be enough to guarantee that payments are executed safely.
It is always important that specific situations are carefully analyzed so that the real weaknesses are detected and fixed, rather than generic remedies being applied. Cyber-attacks should not be underestimated. They will identify real weaknesses sooner or later.
On the other hand, excessive procedures and controls are to be avoided as well. When too strict, they become impractical and users will tend to start resisting or attempting to bypass the system, thereby jeopardizing all the efforts that have been made.
Finally, the situation is not static. Payment processes and controls should be constantly reviewed. As the threats and ways to protect against them evolve, so do the determination and sophistication of the perpetrators of these crimes. Given the situation most corporates still seem to be in, a first recommended step could be to completely ban paper-based payments such as checks and faxes, unencrypted files and manual actions which are still commonly used – for example between an ERP and a web-banking portal.”
Eliane Eysackers: “If a corporate is SOX compliant it means that, at least on paper, it has the required processes and controls in place to prevent payment fraud and to detect it in a timely manner. Processes such as bank statement reconciliation or master data checks should be in place and be executed in a stringent and efficient manner to ensure that fraud – internal or external – is detected as soon as possible. Reconciliations of executed payments should be automated as far as possible and carried out with a minimum delay to ensure immediate detection of issues and the possibility of minimizing possible losses and the risk of damage to reputation.
Treasury departments need to be aligned with risk management and IT and need to be pro-active in tackling the problem. Some companies have taken the approach of creating a formal internal compliance role with responsibility for risk avoidance and mitigation in payments.
The cost of ensuring that adequate and appropriate security is in place to protect the company needs to be considered fully in the context of the potential losses and collateral reputation damage arising from payment fraud and cyber crime.”
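Eysackers recommends that reconciliation of executed payments against bank statements be automated and run with minimum delay so that fraud, internal or external, surfaces immediately. The following added example (not Zanders' code) shows the core of such a reconciliation: expected payments from the payment factory are matched to statement debits by end-to-end reference, and anything that does not line up is classified for follow-up. Both datasets are constructed; in practice the debit side would be parsed from the bank's statement format.

```python
"""Reconciliation of executed payments against statement debits (added example).

Classifies each statement debit as matched, mismatched (reference known but
amount or beneficiary differs) or unexpected (no corresponding approved
payment), and reports approved payments that never reached the statement.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ExpectedPayment:
    ref: str
    beneficiary_iban: str
    amount: Decimal


@dataclass(frozen=True)
class StatementDebit:
    ref: str
    beneficiary_iban: str
    amount: Decimal


def reconcile(expected, debits):
    """Return a dict of categorised references; only 'matched' needs no follow-up."""
    by_ref = {e.ref: e for e in expected}
    result = {"matched": [], "mismatch": [], "unexpected_debit": [], "not_executed": []}
    seen = set()
    for d in debits:
        e = by_ref.get(d.ref)
        if e is None:
            # A debit the payment factory never approved: highest priority to investigate.
            result["unexpected_debit"].append(d.ref)
            continue
        seen.add(d.ref)
        if e.amount != d.amount or e.beneficiary_iban != d.beneficiary_iban:
            # Known reference but altered amount or beneficiary.
            result["mismatch"].append(d.ref)
        else:
            result["matched"].append(d.ref)
    # Approved payments with no debit yet: delayed, failed or suppressed.
    result["not_executed"] = [ref for ref in by_ref if ref not in seen]
    return result


def has_exceptions(result):
    """True if anything other than a clean match was found."""
    return any(result[k] for k in ("mismatch", "unexpected_debit", "not_executed"))


# Constructed sample data with hypothetical IBAN-like values.
EXPECTED = [
    ExpectedPayment("P1", "DE00000000000000000001", Decimal("100.00")),
    ExpectedPayment("P2", "NL00000000000000000002", Decimal("250.50")),
    ExpectedPayment("P3", "FR00000000000000000003", Decimal("75.00")),
]
DEBITS = [
    StatementDebit("P1", "DE00000000000000000001", Decimal("100.00")),   # clean match
    StatementDebit("P2", "NL00000000000000000099", Decimal("250.50")),   # beneficiary altered
    StatementDebit("X9", "GB00000000000000000009", Decimal("500.00")),   # never approved
]

if __name__ == "__main__":
    outcome = reconcile(EXPECTED, DEBITS)
    for category, refs in outcome.items():
        print(f"{category}: {refs}")
    print("exceptions:", has_exceptions(outcome))
```

Amounts are held as Decimal rather than float so that a one-cent manipulation is never lost to rounding. Running this against each intraday or end-of-day statement, rather than monthly, is what turns reconciliation from an accounting exercise into a fraud detection control.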