Fraud and cybercrime have been a concern for corporate treasurers for several years, and this past year showed us that there is a new risk to consider: connectivity. The reports of banks being hacked and losing millions through unauthorised payments shook the industry, since protecting payment connectivity workflows had been low on treasury's priority list.
While unfortunate for those involved, the incidents also offer valuable lessons for the rest of us in treasury:
- Protect payment systems from unauthorised access:
Corporates have many options – bank portals, treasury management systems (TMSs), enterprise resource planning systems (ERPs) – that offer the ability to initiate and approve payments. Each and every one of these systems should be protected by more than a user ID and password. The chief information officer (CIO) in every organisation has likely set a standard for user authentication; treasury needs to align with that standard to ensure that financial systems are secure from unauthorised entry. Sometimes that minimum standard is multi-factor authentication, but often it is a combination of safeguards. The CIO will already have set a policy that treasury should follow.
- Standardise payment processes:
Unfortunately, it is not uncommon to see payment policy inconsistencies. Payment policies should be aligned across all types of payments, across the systems used to initiate and approve payments, and across specific geographies and banks. There must be one payment policy that is then applied to each of these scenarios. Inconsistency in payment controls creates exposures that can be exploited. While every treasurer employs separation of duties and likely assigns limits to those duties, it is important to ensure that the payment policies are global – across the entire organisation, covering every payment scenario. Integration and/or consolidation of payment systems can help with that, of course. The key is to ensure that you do not have a “weakest link” that is beyond the visibility of treasury.
- Secure payment files in transit between systems:
Whether payment information within files is sent directly to the bank or exchanged between internal systems first, it is always important to keep this information secure and away from internal or external threats. The more systems that are involved, the more risk: for example, ERP + TMS + service bureau. Reducing the number of systems used to approve and release payments is one solution; applying digital signatures to authenticate payment files is another. The important point is to ensure that what the bank receives was securely transmitted from initiation all the way through the entire payment workflow.
- Review acknowledgements and reconcile outgoing payments:
Every bank provides confirmation that payments have been received. Some payment channels – for example SWIFT – offer more acknowledgements than others, but whatever level of confirmation is received, it is critical to review it and confirm that what was received and processed by the bank matches what your systems sent to the bank. Running intra-day and prior-day bank statement reconciliation reports is also recommended, as it offers an additional checkpoint at which treasury can confirm that what was sent matches what was processed.
- Implement an internal control centre:
While difficult to implement in a spreadsheet environment, most treasury and payment systems will have some sort of control centre that monitors outgoing payment files as well as any system workflow changes – such as modifications to approvers, changes to limits, or updates to payment instructions. Active monitoring of transactions is important, but just as critical is your visibility into the workflow changes. Ideally this would be presented in a dashboard as well as an email-friendly format so that exceptions can be identified more easily.
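The third and fourth points above (sign the file so that every hop can check it was not altered, then reconcile the bank's acknowledgement against what was sent) can be shown end to end. The Go program below is an added example, not code from the article or from any bank or TMS vendor. The semicolon-separated payment file, the `ACK;<count>;<total>;<sha256>` acknowledgement line and the Ed25519 key pair are all constructed for the illustration; real channels use their own message formats and key management.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample payment file (not a real bank format): one record per line,
// PAY;<reference>;<beneficiary account>;<amount in minor units>.
const samplePaymentFile = "PAY;INV-1001;DE00-ACME-001;125000\n" +
	"PAY;INV-1002;GB00-SUPPLIER-7;9900\n" +
	"PAY;INV-1003;FR00-VENDOR-42;310050\n"

// FileSummary is what the sending system records at initiation so that the
// bank's acknowledgement can later be reconciled against it.
type FileSummary struct {
	Count int
	Total int64  // minor units
	Hash  string // hex SHA-256 of the exact bytes transmitted
}

// Summarise parses the payment file and computes record count, total and hash.
func Summarise(file []byte) (FileSummary, error) {
	s := FileSummary{}
	sum := sha256.Sum256(file)
	s.Hash = hex.EncodeToString(sum[:])
	for _, line := range strings.Split(strings.TrimSpace(string(file)), "\n") {
		f := strings.Split(line, ";")
		if len(f) != 4 || f[0] != "PAY" {
			return s, fmt.Errorf("malformed record: %q", line)
		}
		amt, err := strconv.ParseInt(f[3], 10, 64)
		if err != nil || amt <= 0 {
			return s, fmt.Errorf("bad amount in %q", line)
		}
		s.Count++
		s.Total += amt
	}
	return s, nil
}

// SignPaymentFile produces a detached Ed25519 signature over the file bytes.
func SignPaymentFile(priv ed25519.PrivateKey, file []byte) []byte {
	return ed25519.Sign(priv, file)
}

// VerifyPaymentFile is what each receiving system (TMS, service bureau or bank
// gateway) runs before accepting the file. A change to a single byte fails it.
func VerifyPaymentFile(pub ed25519.PublicKey, file, sig []byte) bool {
	return ed25519.Verify(pub, file, sig)
}

// ReconcileAck compares a constructed acknowledgement line
// ACK;<count>;<total>;<sha256> with the summary recorded at send time.
func ReconcileAck(sent FileSummary, ack string) error {
	f := strings.Split(strings.TrimSpace(ack), ";")
	if len(f) != 4 || f[0] != "ACK" {
		return errors.New("unrecognised acknowledgement format")
	}
	count, err1 := strconv.Atoi(f[1])
	total, err2 := strconv.ParseInt(f[2], 10, 64)
	if err1 != nil || err2 != nil {
		return errors.New("acknowledgement has non-numeric fields")
	}
	var problems []string
	if count != sent.Count {
		problems = append(problems, fmt.Sprintf("count %d != sent %d", count, sent.Count))
	}
	if total != sent.Total {
		problems = append(problems, fmt.Sprintf("total %d != sent %d", total, sent.Total))
	}
	if f[3] != sent.Hash {
		problems = append(problems, "file hash differs from what was transmitted")
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	file := []byte(samplePaymentFile)
	sent, _ := Summarise(file)
	sig := SignPaymentFile(priv, file)
	fmt.Println("original verifies:", VerifyPaymentFile(pub, file, sig))

	// One amount altered somewhere between ERP and bank gateway: signature fails.
	tampered := bytes.Replace(file, []byte("9900"), []byte("990000"), 1)
	fmt.Println("tampered verifies:", VerifyPaymentFile(pub, tampered, sig))

	good := fmt.Sprintf("ACK;%d;%d;%s", sent.Count, sent.Total, sent.Hash)
	fmt.Println("good ack:", ReconcileAck(sent, good))
	bad := fmt.Sprintf("ACK;%d;%d;%s", sent.Count, sent.Total+1000000, sent.Hash)
	fmt.Println("bad ack:", ReconcileAck(sent, bad))
}
```

The summary is taken from the exact bytes that were signed and transmitted, so the hash in the acknowledgement ties the bank's confirmation back to the file treasury released rather than to whatever an intermediate system forwarded. Amounts are kept in integer minor units so that totals reconcile exactly.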
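The control-centre point above is about turning workflow changes into exceptions a person will actually look at. The Go program below is an added example of that monitoring logic, not code from the article or from any treasury system. The event kinds, the user and beneficiary names and the 24-hour cooling-off window after a payment-instruction change are all assumptions constructed for the illustration; a real control centre would read these events from the TMS or ERP audit trail.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is a constructed workflow-change or payment record (not a real TMS
// export). Kind is one of APPROVER_ADDED, LIMIT_CHANGED, INSTRUCTION_UPDATED
// or PAYMENT_RELEASED.
type Event struct {
	At       time.Time
	Kind     string
	Actor    string // user who made the change or released the payment
	Subject  string // user or beneficiary the event concerns
	OldLimit int64  // LIMIT_CHANGED only, minor units
	NewLimit int64
}

// Exception is one item the dashboard or e-mail digest should surface.
type Exception struct {
	At     time.Time
	Rule   string
	Detail string
}

// instructionCoolingOff is an assumed threshold for this example: a payment to
// a beneficiary whose instructions changed within this window is flagged.
const instructionCoolingOff = 24 * time.Hour

func at(s string) time.Time {
	t, err := time.Parse("2006-01-02 15:04", s)
	if err != nil {
		panic(err)
	}
	return t
}

// sampleEvents are constructed and deliberately not in time order.
var sampleEvents = []Event{
	{At: at("2016-06-01 16:40"), Kind: "PAYMENT_RELEASED", Actor: "user.t", Subject: "FR00-VENDOR-42"},
	{At: at("2016-06-01 09:00"), Kind: "LIMIT_CHANGED", Actor: "admin.k", Subject: "user.t", OldLimit: 50000, NewLimit: 500000},
	{At: at("2016-06-01 10:15"), Kind: "INSTRUCTION_UPDATED", Actor: "user.t", Subject: "FR00-VENDOR-42"},
	{At: at("2016-06-02 11:00"), Kind: "APPROVER_ADDED", Actor: "user.t", Subject: "user.t"},
	{At: at("2016-06-03 08:00"), Kind: "INSTRUCTION_UPDATED", Actor: "user.m", Subject: "GB00-SUPPLIER-7"},
	{At: at("2016-06-04 12:00"), Kind: "LIMIT_CHANGED", Actor: "admin.k", Subject: "user.m", OldLimit: 100000, NewLimit: 80000},
	{At: at("2016-06-05 09:00"), Kind: "PAYMENT_RELEASED", Actor: "user.a", Subject: "GB00-SUPPLIER-7"},
}

// Monitor replays events in time order and returns the exceptions a control
// centre would raise: limit increases, users adding themselves as approvers,
// and payments released soon after a beneficiary's instructions changed.
func Monitor(events []Event) []Exception {
	ordered := append([]Event(nil), events...)
	sort.SliceStable(ordered, func(i, j int) bool { return ordered[i].At.Before(ordered[j].At) })

	lastInstructionChange := map[string]Event{} // beneficiary -> most recent update
	var out []Exception
	for _, e := range ordered {
		switch e.Kind {
		case "LIMIT_CHANGED":
			if e.NewLimit > e.OldLimit {
				out = append(out, Exception{e.At, "limit-increase",
					fmt.Sprintf("%s raised %s's limit from %d to %d", e.Actor, e.Subject, e.OldLimit, e.NewLimit)})
			}
		case "APPROVER_ADDED":
			if e.Actor == e.Subject {
				out = append(out, Exception{e.At, "self-granted-approver",
					fmt.Sprintf("%s added themselves as an approver", e.Actor)})
			}
		case "INSTRUCTION_UPDATED":
			lastInstructionChange[e.Subject] = e
		case "PAYMENT_RELEASED":
			chg, seen := lastInstructionChange[e.Subject]
			if seen && e.At.Sub(chg.At) <= instructionCoolingOff {
				detail := fmt.Sprintf("payment to %s released %s after %s changed its instructions",
					e.Subject, e.At.Sub(chg.At), chg.Actor)
				if chg.Actor == e.Actor {
					detail += " (same user changed instructions and released: separation of duties breached)"
				}
				out = append(out, Exception{e.At, "payment-after-instruction-change", detail})
			}
		}
	}
	return out
}

func main() {
	for _, x := range Monitor(sampleEvents) {
		fmt.Printf("%s  %-33s %s\n", x.At.Format("2006-01-02 15:04"), x.Rule, x.Detail)
	}
}
```

On the sample data the limit decrease and the payment released two days after an instruction change produce nothing, while the limit increase, the self-granted approver role and the same-day payment to a freshly changed beneficiary each become an exception with enough detail to act on.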
While 2016 introduced us to risks in payment connectivity that we may not previously have thought about, there are best practices that keep your payments safe. For more information, please feel free to review a recent webinar produced in partnership with the Association for Financial Professionals (AFP), as well as the Association's Treasury in Practice guide on securing your bank connectivity.