Strategic Treasurer is currently hosting a Global Treasury Fraud and Prevention Survey as a means of gathering up-to-date statistical information about the fraud threats that treasury professionals are actively facing, and what methods are being used to combat fraud.
It seems safe to assume four things about fraud within treasury: treasury professionals are constantly gathering information about the topic – the more details the better; everyone wants to know what others are experiencing and doing as prevention; relatively few treasury groups formally address the issue with a layered approach; and lastly fraud is costly, for both those who successfully thwart it and particularly those who fall victim.
Fraud is Costly: Let’s begin with the fourth item. Fraud is costly, regardless of an organization’s size or scope and the following examples are just two out of countless scenarios:
- Credit card hacks; hacking for card information; personally identifiable information (PII). These cases of financial and informational theft aren’t confined to treasury departments only. The amount of data that is stolen or accessed is massive and there have been multiple, large-scale occurrences of this fraud type over the past few years. Instances include a retailer who was hacked in late 2013 via a network vulnerability in their heating, ventilation and air conditioning (HVAC) system; to recent multiple breaches suffered by a major card issuer. While individual card holders rarely suffer the loss, the merchant and card companies have had to significantly strengthen and improve their security procedures to address this continually escalating threat. The cost to organisations in terms of spend and market capitalisation damage has been massive and has been widely and comprehensively reported.
- Man in the email theft; corporate treasury social engineering. The man-in-the-email or imposter fraud situations are more widespread than most treasury groups realise. Although banks such as Wells Fargo have offered presentations on this topic during the past 12 months at numerous industry conferences, there has been little corporate action – despite the danger this particular theft poses and the frequency with which it occurs.
In these cases, the criminal targets treasury or finance staff who have access to wire payments and issues convincing instructions – purportedly coming from the chief executive (CEO) or chief financial officer (CFO – to issue a confidential payment quickly. In many circumstances, the hacker has gained access to an employee’s email account and has studied the company’s interactions for payment requests. He/she is then able to send a fraudulent email that appears nearly identical to a typical payment request.
Another common tactic used by hackers is to breach a company’s vendor accounts and either generate fraudulent invoice/payment requests, or send an email directing a company employee to change payment instructions (routing number, account number, etc.)
Many organisations have tightened their processes and empowered the individuals authorised to make payments to challenge any request that arrives outside of normal channels, as direct losses typically range from tens of thousands to millions of dollars.
Other current examples regularly seen include debiting schemes and account takeover, with new methods perpetrated by hackers continuing to emerge. Every bank account, payment type and access point of each system that handles payments represents an area of exposure. While most organisations’ defensive strategy and tactics are steadily improving, these are increasingly likely to fail when the only control method is merely responding to known fraud vulnerabilities in the wake of a publicised fraud attempt or loss at another organization.
Framework and Layers: IT security fraud experts regularly emphasise that security requires multiple layers to be successful. For treasury, a layered approach is also an appropriate organisational concept for developing a treasury control framework.
Threats against treasury can emerge from various human sources including current and former internal operators as well as external operators. Fraud perpetrators can target weaknesses in banking structure; bank systems; internally/externally managed treasury systems; payment files; standard and control processes; staff training or understanding; visibility; and the four reconciliation control activities within an organisation.
As part of the framework for treasury controls there are three core elements (summarised below in table 1) around which our methodology is organised.
- Design and Prevention: This element refers to the overall framework itself; policies put in place to support the framework; individual controls (system, process, file control, reconciliation); and visibility. These are among the key factors essential to preventing fraud from a design standpoint.
- Preparation: This involves several different elements including the actual execution of controls and management of the control processes. For most companies these will include: monitoring; exception management; bank account management; and transaction management.
- Incident Response: When fraud occurs or fraud is attempted, treasury will need to respond thoughtfully, accurately and swiftly. This response must include both communication and action. To simplify this section of the article we have listed two key pieces: firstly, execution of a plan, which refers to planned responses to various anticipated events and general situations; secondly, rapid, accurate communication within treasury, with the department’s banking and technology partners and the rest of the organisation.
Layers: In discussing layers of security for treasury, a range of categories may quickly be addressed. The concept of multiple layers seems innate for many treasury professionals and includes the following:
- Reconciliation Controls. File control; general ledger (GL) reconciliation, bank account reconciliation; treasury proof; reporting for exceptions.
- Policy Layers: Framework; policy; controls; visibility and monitoring.
- Bank Account Management to Transaction Controls: Banking structural design; account level controls; Transaction Level Controls.
Each treasury group should create its own control environment and independently define the categories and layers needed. Table 2 provides one partially completed example, showing three categories of control: staff or personnel; bank account management and deal management; and system.
As an example of multiple layers providing security or controls, here are some descriptions:
- Structural Design: Having a collection account for this type of activity segregates the items flowing into this account, making unauthorised debits easy to detect.
- Visibility: Having both balances and transactions reported through the treasury management system (TMS) allows for rapid visibility.
- Monitoring and Treasury Proof: The ability to notice any amounts or transactions that are unexpected is essential.
- Account Level Controls: Filters or blocks can be set up to stop or block other types of activity that an account wasn’t designed for.
- Transaction Controls. Electronic pre-authorisation or positive payment can control specific transactions and everything else is blocked (this is an example of a preventative disbursement transaction control).
- Bank Reconciliation and GL Reconciliation. These functions will detect fraud or other issues—a final stopping point for controls
Security for treasury is a top level concern and is gaining more attention. Treasurers are eager to know what fraud attempts and failures others are experiencing and what they are doing with regard to overall security, fraud prevention, deterrence and mitigation.
A future article will elaborate on the key findings that this survey produces. The survey is currently active and will be closed at the year’s end. The link is provided below; individuals working in a treasury position are encouraged to participate. http://survey.constantcontact.com/survey/a07ebeshjoeidap70va/start
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.
Politicians have united in urging the Reserve Bank of Australia to lend its backing to the digital currency by officially recognising it.