Corporate treasury is under increasing pressure: payment fraud is on the rise and security requirements are growing. Several incidents in recent years (for example the multi-million fraud cases at the Austrian aviation supplier FACC and the German automotive supplier Leoni) show that payments can be manipulated in a variety of ways. Meanwhile, banks have tightened compliance requirements for corporates, as they themselves are under increasing pressure to comply with money laundering prevention regulations and other regulatory requirements bank-wide. What we need is more security and better control, and we need it in the place where all payments converge: corporate treasury!
“Payment fraud” is often used as an umbrella term for anything that is somehow related to payment compliance: fraudulent payments, internal manipulation, data theft, illegal payments, or the breach of embargos and sanctions. But a more differentiated analysis is needed to work out where corporate treasury can best intervene. Payment fraud in the original sense of the term refers to the act of “stealing” money from accounts. Perpetrators often have inside knowledge and can cause substantial losses to businesses that are lured into making payments that can never be recovered.
External payment fraud – the “CEO Scam”
For a while now, the focus has been on external fraud cases and scams, such as the “CEO Scam” or the “Fake President Trick.” This involves contacting specific employees directly and impersonating the CEO, asking the employee in question to make a both confidential and urgent payment on their behalf. They cite a time-sensitive but still strictly confidential acquisition or a request for funds from the parent company, and the person contacted to make the payment is duped with emails and phone calls that look deceptively real. These scams often involve a certain degree of inside knowledge. Fraudsters strike exactly the right note, are aware of the correct communication channels and single out particularly “trustworthy” employees.
The very fact that such payments are possible at all generally reveals a lack of compliance, process and workflow guidelines. It helps to have processes in place that ensure separation of duties or multiple approval levels, simply to prevent one single person from being able to transfer a large sum without anyone else’s involvement. However, even companies that do have such workflows in place are not exempt from the threat of fraud. For businesses with multiple international subsidiaries, it is often the local entities that are most vulnerable – as proved to be the case with Leoni, where the local Head of Finance in northern Romania transferred the requested sum to what he believed to be the parent company.
Internal fraud – master data manipulation
Much less the focus of public debate but no less dangerous are fraud cases that involve regular transfers of small sums to non-existing suppliers, rather than a one-time large payment. It often takes a long time to detect these manipulations, precisely because the sums aren’t very high. Perpetrators require access to master data and must be in a position to influence accounts auditing and invoice release processes. Having several people complicit in a fraud makes it all the more difficult to detect these cases. Treasury has no chance to intervene: it generally has no means of systematically checking if accounts payable details are correct or to ensure that no fake beneficiaries have been added to the master data. So what can you do to prevent this?
Fraud prevention with whitelists
Random checks can create more security, but even more helpful are so-called whitelists. By compiling all bank account details classified as trustworthy group-wide, you can use this information as a filter. It goes without saying that adding account details to this internal positive list requires a very structured and secure validation process in order to guarantee optimum payment security. Only payments to verified beneficiaries on the whitelist are processed; any other payment requires additional verification. Applying this additional check at the point where master data is entered in the ERP system makes the final payment release in treasury less susceptible to internal fraud.
No less important: preventing illegal payments!
When people talk about payment fraud they often also mention illegal payments, i.e. financial transactions that breach the law of one or more countries. In many cases, companies aren’t even aware that they are making payments to accounts or countries that are sanction-listed – the very reason why they fall into this trap. If they were aware that they were transferring money to someone who is blacklisted, for example in connection with terrorism, they would never effect these payments in the first place. This is where checking mechanisms such as an integrated check against sanction and embargo lists (provided, for example, by Accuity) are helpful. Specific search algorithms can be applied to payments, accounts, beneficiaries or payment references – more or less any detail. Companies are directly alerted to any irregularities, so treasury knows which transactions might be problematic. In turn, targeted intervention can dramatically reduce the risk of money laundering or financing terrorism.
Banks are tightening their grip
Money laundering, financing terrorism – are these not things banks should be concerned with? No longer exclusively! More and more responsibility falls to corporate treasury to ensure that payments comply with money laundering legislation and don’t breach any sanctions. The pressure on banks has certainly increased. Anyone who has followed the news in the last year has seen various banks (BNP Paribas, Deutsche Bank, HSBC or RBS) pay, in some cases, hefty fines for supporting money laundering activities and breaching sanctions regulations. The fines and the increased regulatory requirements that go with them have forced banks to ask more questions (the buzzword here is “Know Your Customer”, or KYC) and to become less flexible. In many cases they have withdrawn altogether from certain countries deemed particularly risky. A company that wants to do business in Iran, for example, may have to do without its preferred bank, as the bank fears possible fines for violating sanctions. We can witness a general trend towards banks passing the pressure from the demands they face on to businesses, mirroring requirements and passing on the risk. In turn, corporate treasury is faced with more and more responsibilities that don’t actually add any value to the business but are the direct result of the information and documentation requirements banks deal with. Companies that don’t comply with these standards risk being cut loose by their banks.
Comprehensive, global compliance: the most important rules
Ensuring group-wide compliance is a massive challenge for companies. They need to include additional security measures in their workflows if they want to prevent accounts from being frozen, losing money due to fraud or suffering economic and reputational damage. There is no such thing as 100% security, but a few simple rules will go a long way:
Rule no. 1: transparent payment processes
Using a joint, group-wide payments platform is a prerequisite for more security in connection with payments. Using one system centrally and various other tools locally leaves no reliable means of group-wide control: anything that happens locally cannot be checked.
Rule no. 2: centralized monitoring of group-wide payments
A group-wide platform allows businesses to standardize processes and to put systematic control mechanisms in place instead of random checks. Measures such as integrated, automatic sanction screening or using whitelists will only ever be as successful as workflows are transparent.
Rule no. 3: raising awareness with everyone who makes payments
A number of fraud cases have shown that the key to “success” is often the gullibility of individual employees. When it comes to security aspects in connection with cybercrime, the human factor should never be underestimated. Putting structural and organizational security mechanisms in place and raising awareness amongst employees makes businesses less susceptible to new tricks that might be yet to come their way.
Rule no. 4: treasury needs to step up to the plate
Waiting and checking when something appears suspicious can be a fatal mistake – by the time you’ve completed your checks, the money could be long gone. Acting quickly and being responsive are absolute musts – and this is precisely where treasury requires technological support for monitoring cash flows. In light of global dynamics and changes in the industry, sanction screening will soon be standard procedure. Similarly, whitelists and similar checking mechanisms at master data level will become absolutely essential if businesses want to safeguard their ability to act.
Rule no. 5: finding suitable security measures and combining them to meet demands
Blacklists, whitelists, random checks or training employees – where to start? This is a relevant question, and the answer always depends on the specific circumstances. Combining several instruments is what really creates added value. For example, treasurers can use a whitelist to select approved beneficiaries at master data level, and then make use of a blacklist that screens for any problematic transactions in connection with sanctions or terrorist organization lists. Combined with an additional “repository” containing beneficiaries that have been checked and explicitly not authorized, this makes for an intelligent and really efficient checking system.
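The combined checking system described here, together with the whitelist filter from the section on internal fraud and the separation-of-duties requirement from the section on the CEO scam, can be expressed as a single release decision per payment. The following is an added example written for this article, not code from the article's author or from Accuity or any other vendor it names. It assumes a simple in-house pipeline: a whitelist of verified IBANs, a repository of reviewed-but-not-authorized IBANs, a sanctions list of party names, an embargoed-country set, and two amount thresholds for one and two additional approvers. All list entries, payments, names, thresholds and the country code "XX" are constructed for the example; the name matching is a deliberately naive normalized substring match, whereas a real screening product uses fuzzy matching against the full list data.

```python
"""Payment release screening combining whitelist, sanctions blacklist, a
rejected-beneficiary repository and a separation-of-duties check.

Added example for this article; not the article's or any vendor's code.
All list data, payments and thresholds are constructed (assumptions).
"""
from dataclasses import dataclass, field
import re
import unicodedata


def normalize_name(name: str) -> str:
    """Lower-case, strip accents and punctuation so that trivial spelling
    variants of a listed party ("Exämple LTD.") still match."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", " ", ascii_only.lower()).strip()


def normalize_iban(iban: str) -> str:
    """Remove grouping whitespace and upper-case, so list lookups are exact."""
    return re.sub(r"\s+", "", iban).upper()


@dataclass
class Payment:
    payment_id: str
    beneficiary: str
    iban: str
    country: str                      # ISO 3166-1 alpha-2 of the beneficiary bank
    amount: float
    initiator: str                    # user who entered the payment
    approvers: list = field(default_factory=list)
    reference: str = ""


@dataclass
class ScreeningPolicy:
    whitelist: set                    # normalized IBANs that passed the validation process
    rejected_repository: set          # normalized IBANs reviewed and explicitly not authorized
    sanctioned_names: set             # normalized names from a sanctions / terror list
    embargoed_countries: set
    four_eyes_threshold: float        # from this amount, one approver besides the initiator
    dual_approval_threshold: float    # from this amount, two approvers besides the initiator


def required_approvals(policy: ScreeningPolicy, amount: float) -> int:
    if amount >= policy.dual_approval_threshold:
        return 2
    if amount >= policy.four_eyes_threshold:
        return 1
    return 0


def screen_payment(p: Payment, policy: ScreeningPolicy) -> tuple:
    """Return (decision, reasons) with decision in {"release", "hold", "block"}.

    block: hard compliance stop (sanctions hit, embargo, rejected repository).
    hold:  needs additional verification (not on whitelist, approvals missing).
    """
    reasons = []
    iban = normalize_iban(p.iban)
    searchable = [normalize_name(p.beneficiary), normalize_name(p.reference)]

    # 1. Blacklist screening comes first: a hit blocks regardless of approvals.
    if p.country.upper() in policy.embargoed_countries:
        reasons.append(f"beneficiary bank country {p.country} is embargoed")
    for listed in policy.sanctioned_names:
        if any(listed in text for text in searchable):
            reasons.append(f"matches sanctions list entry '{listed}'")
    if iban in policy.rejected_repository:
        reasons.append("beneficiary account was reviewed and not authorized")
    if reasons:
        return "block", reasons

    # 2. Separation of duties: approvers must be distinct from the initiator.
    needed = required_approvals(policy, p.amount)
    distinct = {a for a in p.approvers if a != p.initiator}
    if len(distinct) < needed:
        reasons.append(f"needs {needed} approver(s) other than initiator, has {len(distinct)}")

    # 3. Whitelist filter: unknown beneficiaries go to manual verification.
    if iban not in policy.whitelist:
        reasons.append("beneficiary account not on whitelist; additional verification required")

    return ("hold", reasons) if reasons else ("release", [])


def screen_batch(payments: list, policy: ScreeningPolicy) -> dict:
    """Map payment_id -> (decision, reasons) for a batch awaiting release."""
    return {p.payment_id: screen_payment(p, policy) for p in payments}


# Constructed policy data (assumptions, not real list entries).
POLICY = ScreeningPolicy(
    whitelist={normalize_iban("DE89 3704 0044 0532 0130 00"), normalize_iban("AT61 1904 3002 3457 3201")},
    rejected_repository={normalize_iban("RO49 AAAA 1B31 0075 9384 0000")},
    sanctioned_names={normalize_name("Example Sanctioned Trading Ltd")},
    embargoed_countries={"XX"},
    four_eyes_threshold=10_000.0,
    dual_approval_threshold=250_000.0,
)

# Constructed sample batch covering each outcome.
SAMPLE_PAYMENTS = [
    Payment("P-1", "Trusted Parts GmbH", "DE89 3704 0044 0532 0130 00", "DE", 8_500.0, "alice"),
    Payment("P-2", "Trusted Parts GmbH", "DE89 3704 0044 0532 0130 00", "DE", 50_000.0, "alice", ["alice"]),
    Payment("P-3", "New Supplier SRL", "FR14 2004 1010 0505 0001 3M02 606", "FR", 3_000.0, "bob"),
    Payment("P-4", "Holding Parent AG", "RO49 AAAA 1B31 0075 9384 0000", "RO", 500_000.0, "carol", ["dan", "erin"]),
    Payment("P-5", "Exämple Sanctioned Trading LTD.", "GB29 NWBK 6016 1331 9268 19", "GB", 1_200.0, "bob"),
]

if __name__ == "__main__":
    for pid, (decision, reasons) in screen_batch(SAMPLE_PAYMENTS, POLICY).items():
        print(pid, decision, "; ".join(reasons))
```

Ordering matters: the blacklist and repository checks run before anything else, so a sanctions hit can never be "approved away" by a second signature, while a missing whitelist entry or a self-approval only holds the payment for verification rather than rejecting it outright. Both outcomes are returned with their reasons so that treasury sees why a payment stopped rather than just that it did.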
Combining these measures in a suitable manner and integrating them in processes and workflows enables corporate treasury – with little effort – to include additional steps to prevent payment fraud and illegal payments, making their lives easier. We’re happy to provide advice on how you can optimize your security setup in cooperation with us and our partners.