Fraud and cybercrime have been a concern for corporate treasurers for several years, and this past year showed us that there is a new risk to consider: connectivity. The reports of banks being hacked and losing millions through unauthorised payments shook the industry, because protecting payment connectivity workflows had been low on treasury's priority list.
While unfortunate for those involved, the incidents also offer valuable lessons for the rest of us in treasury:
- Protect payment systems from unauthorised access:
Corporates have many options – bank portals, treasury management systems (TMSs), enterprise resource planning systems (ERPs) – that offer the ability to initiate and approve payments. Every one of these systems should be protected by more than a user ID and password. The chief information officer (CIO) in every organisation has likely set a minimum standard for user authentication; sometimes that standard is multi-factor authentication, but often it is a combination of safeguards. Treasury needs to align with that policy, and verify that every financial system actually enforces it, so that financial systems are secure from unauthorised entry.
- Standardise payment processes:
Unfortunately, it is not uncommon to see payment policy inconsistencies. There should be one payment policy, applied consistently to every type of payment, to every system used to initiate or approve payments, and to every geography and bank. Inconsistency in payment controls creates exposures that can be exploited. While every treasurer employs segregation of duties and likely assigns limits to those duties, it is important to ensure that the payment policy is global – across the entire organisation, covering every payment scenario. Integration and/or consolidation of payment systems can help with that, of course. The key is to ensure that you do not have a "weakest link" that is beyond the visibility of treasury.
- Secure payment files in transit between systems:
Whether payment files are sent directly to the bank or exchanged between internal systems first, it is always important to protect the integrity and authenticity of the payment information against both internal and external threats: an attacker who can alter a beneficiary account or an amount after approval but before the bank receives the file bypasses every approval control. The more systems that are involved, the more risk: for example, ERP + TMS + service bureau, with a file handed off at each hop. Reducing the number of systems used to approve and release payments is one solution; applying digital signatures so that each receiving system can authenticate the payment file and detect modification is another. The important point is to ensure that what the bank receives is what was approved, and that it was securely transmitted from initiation all the way through the entire payment workflow.
- Review acknowledgements and reconcile outgoing payments:
Every bank provides confirmation that payments have been received. Some payment channels – for example SWIFT – offer more acknowledgements than others, but whatever level of confirmation is received, it is critical to review it and confirm that what the bank received and processed matches what your systems sent. Running intra-day and prior-day bank statement reconciliation reports is also recommended as an additional checkpoint, so that treasury can confirm that what was sent matches what was processed, and can spot payments the bank processed that treasury never sent.
- Implement an internal control centre:
While difficult to implement in a spreadsheet environment, most treasury and payment systems have some sort of control centre that monitors outgoing payment files as well as any system workflow changes – such as modifications to approvers, changes to limits, or updates to payment instructions. Active monitoring of transactions is important, but just as critical is visibility into the workflow changes, because an attacker with access to the system will typically change an approver, a limit or a beneficiary's bank details before releasing a fraudulent payment. Ideally this would be presented in a dashboard as well as in an email-friendly format, to make exceptions easier to identify.
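The following is an added example, not code from the original article or from any TMS or bank, illustrating two of the points above in one script: authenticating a payment file between systems, and reconciling what was sent against the bank's acknowledgement. The payment batch, the bank acknowledgement and the shared key are constructed sample data. A keyed MAC (HMAC-SHA256) stands in for the digital signature the article recommends, because it needs only the Python standard library; in production you would use an asymmetric signature so that the verifying side never holds the key that can produce a valid tag.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Hypothetical shared secret between the initiating system (e.g. ERP) and the
# receiving system (e.g. TMS or bank gateway). A keyed MAC stands in here for
# the digital signature recommended in the text. Example value only.
FILE_KEY = b"example-shared-key-not-for-production"

# Constructed sample payment batch as approved in treasury's own system.
SENT_BATCH = [
    {"id": "PAY-001", "amount": "12500.00", "currency": "EUR", "beneficiary_account": "ACCT-A"},
    {"id": "PAY-002", "amount": "980.50", "currency": "EUR", "beneficiary_account": "ACCT-B"},
    {"id": "PAY-003", "amount": "47000.00", "currency": "USD", "beneficiary_account": "ACCT-C"},
]

# Constructed sample acknowledgement as the bank might return it:
# PAY-001 matches, PAY-002 was processed with a different amount,
# PAY-003 is missing, and PAY-999 was never sent by treasury.
BANK_ACK = [
    {"id": "PAY-001", "amount": "12500.00", "beneficiary_account": "ACCT-A"},
    {"id": "PAY-002", "amount": "9980.50", "beneficiary_account": "ACCT-B"},
    {"id": "PAY-999", "amount": "250000.00", "beneficiary_account": "ACCT-Z"},
]


def canonical_bytes(payments):
    """Serialise a batch deterministically (sorted keys, no whitespace) so the
    sender and every receiving hop compute the MAC over identical bytes."""
    return json.dumps(payments, sort_keys=True, separators=(",", ":")).encode()


def sign_batch(payments, key=FILE_KEY):
    """Initiating system: return (file_bytes, tag) to transmit together."""
    body = canonical_bytes(payments)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_batch(file_bytes, tag, key=FILE_KEY):
    """Receiving system: recompute the MAC over the bytes actually received and
    compare in constant time. Any modification in transit makes this False."""
    expected = hmac.new(key, file_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def reconcile(sent, acknowledged):
    """Compare treasury's sent batch with the bank's acknowledgement.

    Returns a dict of exception lists keyed by type; an empty dict means every
    payment sent was acknowledged unchanged and nothing unexpected appeared.
    """
    sent_by_id = {p["id"]: p for p in sent}
    ack_by_id = {a["id"]: a for a in acknowledged}
    exceptions = {"missing_at_bank": [], "unexpected_at_bank": [], "mismatched": []}
    for pid, p in sent_by_id.items():
        a = ack_by_id.get(pid)
        if a is None:
            exceptions["missing_at_bank"].append(pid)
        elif (Decimal(a["amount"]) != Decimal(p["amount"])
              or a["beneficiary_account"] != p["beneficiary_account"]):
            exceptions["mismatched"].append(pid)
    for pid in ack_by_id:
        if pid not in sent_by_id:
            # A payment the bank processed that treasury never initiated is the
            # signature of a compromised channel, not a data-entry error.
            exceptions["unexpected_at_bank"].append(pid)
    return {k: v for k, v in exceptions.items() if v}


if __name__ == "__main__":
    body, tag = sign_batch(SENT_BATCH)
    print("intact file verifies:", verify_batch(body, tag))
    tampered = body.replace(b'"12500.00"', b'"92500.00"')  # amount altered in transit
    print("tampered file verifies:", verify_batch(tampered, tag))
    print("reconciliation exceptions:", reconcile(SENT_BATCH, BANK_ACK))
```

The canonical serialisation matters: if the TMS re-encodes the file it received from the ERP (different key order, added whitespace) before forwarding it, the bank's verification fails even though nothing malicious happened, so every hop must verify the bytes it received and sign the bytes it forwards.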
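As a second added example, again not code from the article or from any vendor's control centre, here is the kind of exception logic a control centre runs over a system audit trail: it flags every workflow change (approver, limit or beneficiary instruction), changes made outside business hours, a user raising their own limit, and a payment released shortly after such a self-service limit change. The audit log lines, their `key=value` format, the event names and the 08:00 to 17:59 UTC business window are all constructed assumptions; a real TMS or ERP audit trail will need its own parser.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample audit trail in a hypothetical "timestamp key=value ..." format.
SAMPLE_AUDIT_LOG = """\
2016-11-02T09:14:05Z user=asmith event=PAYMENT_RELEASED ref=PAY-001 amount=12500.00
2016-11-02T09:20:41Z user=asmith event=APPROVER_ADDED target=jdoe limit=250000
2016-11-02T22:47:13Z user=jdoe event=LIMIT_CHANGED target=jdoe old=250000 new=5000000
2016-11-03T03:02:58Z user=jdoe event=BENEFICIARY_CHANGED ref=VENDOR-0417 old=ACCT-A new=ACCT-Z
2016-11-03T03:05:10Z user=jdoe event=PAYMENT_RELEASED ref=PAY-004 amount=4800000.00
2016-11-03T10:15:00Z user=bjones event=PAYMENT_RELEASED ref=PAY-005 amount=910.00
"""

# Assumed event names for the workflow changes the text singles out.
WORKFLOW_EVENTS = {"APPROVER_ADDED", "APPROVER_REMOVED", "LIMIT_CHANGED", "BENEFICIARY_CHANGED"}
BUSINESS_HOURS = range(8, 18)            # assumed 08:00-17:59 UTC working window
SELF_LIMIT_WINDOW = timedelta(hours=24)  # assumed look-back for releases after a self-granted limit

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one audit line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """Return a list of (rule, line_number, detail) alerts for the control-centre dashboard."""
    alerts = []
    self_limit_changes = {}  # user -> timestamp of the last limit they raised for themselves
    for no, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or "event" not in rec:
            continue
        ev, user, ts = rec["event"], rec.get("user", "?"), rec["ts"]

        # Every workflow change is surfaced, not just transactions.
        if ev in WORKFLOW_EVENTS:
            alerts.append(("workflow_change", no, f"{ev} by {user}"))
            # Segregation of duties: a user should never raise their own limit.
            if ev == "LIMIT_CHANGED" and rec.get("target") == user:
                alerts.append(("self_service_limit", no, f"{user} raised own limit to {rec.get('new')}"))
                self_limit_changes[user] = ts

        # Out-of-hours activity of any kind is an exception worth a human look.
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("out_of_hours", no, f"{ev} by {user} at {ts.isoformat()}"))

        # A release by a user who just granted themselves a higher limit is the
        # pattern of an insider or a hijacked account, so it is flagged separately.
        if ev == "PAYMENT_RELEASED" and user in self_limit_changes:
            if ts - self_limit_changes[user] <= SELF_LIMIT_WINDOW:
                alerts.append(("release_after_self_limit_change", no,
                               f"{user} released {rec.get('ref')} for {rec.get('amount')}"))
    return alerts


if __name__ == "__main__":
    for rule, line_no, detail in detect(SAMPLE_AUDIT_LOG):
        print(f"line {line_no}: {rule}: {detail}")
```

Run on the sample log this flags the approver change on line 2, the self-granted limit increase and out-of-hours activity on line 3, the overnight beneficiary change on line 4, and the large overnight release on line 5 by the same user; the ordinary daytime releases produce no alert, which is what keeps the exception view readable.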
While 2016 introduced us to risks in payment connectivity that we may not have previously thought about, there are best practices to keep your payments safe. For more information, please feel free to review a recent webinar produced in partnership with the Association for Financial Professionals (AFP) as well as the Association’s Treasury in Practice guide on securing your bank connectivity.