Corporate treasurers have a world of worries on their minds. Managing liquidity, foreign exchange (FX) risk and counterparty risk are their biggest concerns. So is mitigating operational, compliance and financial risk.
Risk management has always been part of a treasurer’s job description. But these days, when we speak to treasurers about what’s on their mind, we often hear resigned sighs. They’re being buffeted by waves of regulatory reform from Washington and extensive payment card industry (PCI) requirements for securing financial data. And they’re being directed by senior management to make informed decisions in areas beyond their traditional expertise.
When the global economy began spiralling downward several years ago, chief executives elevated their treasury and risk management functions from the back office to the boardroom by giving treasurers more responsibility and greater visibility within their organisations. Today, treasurers are briefing not just the chief executive officer (CEO) and chief financial officer (CFO) but board audit committees about strengthening internal controls, cutting costs, streamlining complex business policies and processes to improve financial transparency, and complying with a myriad of regulatory issues. They are also more accountable for combating internal and external payments fraud.
The Face of Payments Fraud
According to a 2011 survey conducted by the Association for Financial Professionals (AFP), 71% of participating organisations experienced attempted or actual payments fraud attacks last year. Large enterprises were much more likely to have been victimised by payments fraud than smaller businesses: 82% of those with annual revenues over US$1bn were fraud victims in 2010 compared with 58% whose annual revenues were less than US$1bn.
In the US, the vast majority of payment-related fraud and losses are related to cheques. The AFP survey revealed that, even as corporate payments are steadily migrating from paper to electronic forms, cheques continue to be the most prevalent form of financial fraud, with 93% of affected organisations reporting that their cheques had been targeted.
While other payment methods, such as automated clearing houses (ACH), debit cards and corporate purchase cards, are also vulnerable to fraud, the opportunities for criminals to gain access to confidential business and financial data grow exponentially the more organisations virtualise their operations and the more their employees communicate, collaborate and conduct transactions online or via mobile devices.
Criminals online today are cunning, organised and global. They’re masters of social engineering, skilled in targeting the most vulnerable corporations, governments or individuals with the highest potential for gain. Often, they and their supply chain networks are located in rogue nations where security and enforcement are lax and financial fraud is difficult to prosecute.
Their phishing attacks are becoming more sophisticated, luring unsuspecting targets into clicking on links in seemingly genuine emails and unleashing malware that compromises employee computers or installs keystroke loggers to harvest user login IDs, account data and other personally identifiable information.
Cyberthreats also present themselves in the form of malware that embeds itself in the browser and can divert, modify or manipulate the information a user submits on an online login page. This type of attack, often referred to as a ‘man-in-the-browser’ attack (a browser-level form of the ‘man-in-the-middle’ attack), looks for data that cybercriminals can reuse as secondary authentication when logging into the user’s bank account.
Attaining Fraud Protection
Federal laws, such as Regulation E, provide consumers with considerable financial fraud protection. Not so for businesses.
Banks and other financial institutions are not obligated to reimburse businesses for fraud-related losses, including those due to malware attacks, and many corporate banking agreements have indemnity clauses protecting the financial institutions as long as they provide ‘commercially reasonable’ protections. As a result, corporations are increasingly suing their banks in an effort to recoup lost funds.
The Federal Financial Institutions Examination Council (FFIEC) issued guidance in 2005 that encouraged banks to move beyond a single-factor authentication requirement for users logging into their online accounts and to take a risk-based approach in evaluating the strength of user authentication. With corporate fraud-related losses and court cases mounting, the FFIEC is expected to release revised guidance in coming months that calls for stronger authentication controls beyond what banks offer today.
Some financial institutions have already implemented technologies that monitor corporate payment account activity and flag irregularities, such as out-of-pattern dollar amounts for certain types of transactions, then bring these irregularities to the attention of the company from which the transactions are originating.
To combat fraud as part of their overall risk management strategy, treasurers are also automating more of their enterprise resource planning (ERP) and treasury management systems, and integrating them with bank-provided tools, such as Positive Pay. This automated fraud detection tool, which is offered by most banks, matches the payee name, account number, cheque number and dollar amount of every cheque presented for payment against a list of cheques previously authorised and issued by the company. Any out-of-pattern anomaly immediately raises a red flag. Similar tools are available for policing ACH activity.
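The matching logic Positive Pay performs, as an added illustration rather than code from the article or from any bank's product: an issue file of authorised cheques is compared against the cheques the bank has been asked to pay, and every mismatch (altered amount, altered payee, unknown cheque number, duplicate presentment) is reported as an exception. The field names and both sample files are constructed.

```python
# Positive Pay style cheque matching: an added example, not the article's
# or any bank's code. Field names and sample data are constructed.
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Cheque:
    account: str
    number: str
    payee: str
    amount: Decimal

# Constructed issue file: cheques the company has authorised and issued.
ISSUED = [
    Cheque("100200300", "1001", "Acme Supplies Ltd", Decimal("1250.00")),
    Cheque("100200300", "1002", "Globex Services", Decimal("980.50")),
    Cheque("100200300", "1003", "Initech Corp", Decimal("15000.00")),
]

# Constructed presentment file: an altered amount, an altered payee, a
# counterfeit cheque number and a genuine cheque presented twice.
PRESENTED = [
    Cheque("100200300", "1001", "ACME SUPPLIES LTD", Decimal("1250.00")),
    Cheque("100200300", "1002", "Globex Services", Decimal("9800.50")),
    Cheque("100200300", "1003", "J. Smith", Decimal("15000.00")),
    Cheque("100200300", "1009", "Cash", Decimal("400.00")),
    Cheque("100200300", "1001", "ACME SUPPLIES LTD", Decimal("1250.00")),
]

def normalise_payee(name: str) -> str:
    # Bank-captured payee names vary in case and spacing; amounts never should.
    return " ".join(name.upper().split())

def check_presented(presented, issued=ISSUED):
    """Return (cheque, reason) pairs for every presented cheque that must not pay."""
    by_key = {(c.account, c.number): c for c in issued}
    paid, exceptions = set(), []
    for p in presented:
        key = (p.account, p.number)
        if key not in by_key:
            exceptions.append((p, "not on issue file"))
        elif key in paid:
            exceptions.append((p, "duplicate presentment"))
        elif p.amount != by_key[key].amount:
            exceptions.append((p, f"amount mismatch: issued {by_key[key].amount}"))
        elif normalise_payee(p.payee) != normalise_payee(by_key[key].payee):
            exceptions.append((p, f"payee mismatch: issued {by_key[key].payee!r}"))
        else:
            paid.add(key)   # pays once; a second presentment is an exception
    return exceptions
```

Run against the constructed files, only the first cheque pays; the other four come back as exceptions for the treasury team to confirm or return before the bank settles them.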
Payment fraud can also strike close to home. A disgruntled employee with high-level access to internal financial systems and passwords, for example, could compromise the security of an entire organisation.
Managing the risk of a porous corporate perimeter has never been easy. But as the economic world becomes more complex and payment fraud more prevalent, treasurers are arming themselves with tools that make cutting-edge fraud protection simple to use and effortless to manage.
The best overall payment fraud defence is a multilayered one. Assume that your perimeter defences will be breached and focus on securing your assets once an intruder has access to your systems. Combine IDs, passwords and tokens with robust business rules that limit activity to normal business patterns, payment types and accounts. Make sure a detailed audit trail is created, so that you’ll know who touched what data and when.
Treasurers told us they want a technology platform that addresses the complexity of how their enterprise conducts payment transactions: one that helps them control costs, applies business policies and controls uniformly throughout the company, gives users easy yet tightly controlled permissions to access systems and data, embeds multiple layers of protection to keep information secure, and provides payment processing, collection, disbursement and reconciliation on one common platform.
With a multilayered, high-performance payment platform in place, treasurers can sleep better at night, knowing that the integrity of their corporate accounts is safe and sound.
Best Practice Tips for Payments Fraud Protection
- The best defence is multilayered. Form a fraud prevention team that thinks and works strategically to prevent attacks rather than just detect and fight them. Involve your suppliers and vendors so that everyone understands one another’s goals, requirements and capabilities. Assume your system will be compromised at some point – and plan for it. Manage the risk of a potential breach by designing for ‘graceful failure’, and invest sufficient time and money in smart people and the right technologies to build and maintain a secure system that locks down payment data so it is worthless to hackers in case of a breach. Have policies in place for firewall maintenance. Provide for vulnerability assessment and intrusion detection, as well as training for systems administrators with access to sensitive information. By assuming that perpetrators will eventually gain some form of access to your confidential data, you can plan a deep, multilayered defence so that if one safeguard fails, other countermeasures can detect and respond to the attack.
- Use your head. An alert mind is often the best defence against fraud. Train employees and system users to keep an eye out for ‘things that don’t belong’ – out-of-pattern, unexpected account usage, for example – and to sound an alert in case of anomalies.
- Move the target. No data stored equals less risk. Unless it’s absolutely necessary to retain payment or cardholder data, don’t. Cybercriminals think day and night about how to invent and execute a clever attack, and they gravitate to pathways that offer the least resistance for the greatest payoff. Study after study shows that failure to protect sensitive payment data from a breach leads to massive financial costs, customer defections, lawsuits and loss of reputation.
- Change the target. Tokenisation is one of the best strategic weapons for protecting financial data. With tokenisation, a customer’s credit card or bank account data is replaced with randomly generated reference keys using a process that safely converts real card or account numbers into a string of characters which then become useless to would-be hackers.
- Isolate the target. Segregate accounts by type of use, such as for exclusive deposits, and instruct banks not to post cheques or ACH transactions against those accounts so that out-of-pattern events are easier to detect.
- Secure system gateways and endpoints. Your network architecture and PCs should be scanned regularly for vulnerabilities, every transaction point where payment information is exchanged should be scrutinised, and all payment data flows and touch points should be documented and secured. Protecting against viruses, malware and spyware infections is often the first line of defence against a security breach. Not only should you install anti-virus software, you must also keep it regularly updated.
- Adopt best practices. The major US credit card companies developed the PCI standards as guidelines to help merchants, vendors, service providers and banks who collect, process and store credit card data better protect that sensitive data from being stolen or compromised. Becoming PCI-certified doesn’t magically shield a business from losing data or provide impenetrable security against hackers or malware. But the standards have proven to be an excellent roadmap for data security best practices. Use PCI standards not only for card activity, but also as a guideline for protecting other key data and access.
- Identify and know your go-to team. When choosing an outside payment system or data security provider, make sure they have deep security capabilities and a like-minded business focus. If card-based, make sure they’re PCI-compliant and audited every year by an independent third party. There are a lot of vendor choices in the marketplace. Do your homework to find one that provides the mix of services you need with the most secure infrastructure and policies.
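The ‘change the target’ tip above describes vault-based tokenisation. The following is an added example of that process, not the article's code or any vendor's product: the vault is an in-memory dictionary standing in for an access-controlled, encrypted store, the card number used is a well-known test value, and the tokens are generated so that they deliberately fail the Luhn checksum and therefore can never be mistaken for, or collide with, a real card number.

```python
# Vault-based tokenisation: an added example, not the article's code or any
# vendor's product. The vault is an in-memory dict standing in for an
# access-controlled, encrypted store; the sample card number is a test value.
import secrets

def luhn_valid(number: str) -> bool:
    """Checksum real card numbers satisfy; tokens are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Swaps a card number for a random reference token and back again."""
    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenise(self, pan: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not (12 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a valid card number")
        if digits in self._pan_to_token:      # same card, same token
            return self._pan_to_token[digits]
        while True:
            # Random digits plus the real last four for statements and
            # customer service; the token must not be a real-looking card
            # number (fails Luhn) and must be unique in the vault.
            rand = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = rand + digits[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenise(self, token: str) -> str:
        # Only a caller with access to the vault can recover the real number.
        return self._token_to_pan[token]
```

Because the token is drawn from a secure random source rather than derived from the card number, a stolen token table is worthless without the vault, which is exactly why the vault becomes the asset to isolate and audit.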