Trending treasury topics from the Treasury Barometer 2019

| 29-11-2019 | Enigma Consulting | Bas Kolenburg

While treasury has always managed changes in both financial markets and businesses, the pace at which changes now need to be managed is accelerating. In a time of increased digitalisation, payments acceleration and new business models across the whole value chain of payments processes and bank connectivity, treasurers are becoming increasingly keen to leverage the opportunities.

Treasury Barometer – the report

In the 6th edition of the Treasury Barometer, developed by Enigma Consulting and Rabobank, the trending topics that are shaping the treasury in 2019 and beyond have been explored, drawing on feedback from the survey held in mid-2019. This report presents the latest trends and developments and provides a unique and representative understanding of the Dutch corporate treasury landscape.

The Editor Panel, consisting of 6 members of the Dutch treasury community, set the direction of this year’s Treasury Barometer and monitored the quality and relevance of the content. The 4 content interviews were again a great added value to the results of the survey, as they gave more insight into the subjects.

Trending treasury topics

This year’s edition walked readers through many of the hot topics that treasury faces nowadays.

Fraud & Cybercrime

Fraud & Cybercrime are current trending topics, as treasurers are still trying to find the right responses to the increased cyber and (payment) fraud activity and to the advanced technology and social engineering techniques being used nowadays. Although an astonishing 82% of treasury departments have been a victim of attempted or actual payment fraud/cybercrime, only 5% of the fraud (attempts) are reported to the police. People seem to be afraid to be open about the fact that this happened to them, which makes it difficult for the police to solve fraud cases committed by gangs operating on a large scale.

KYC requirements

Because of the focus on anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”), there is a lot of pressure on financial institutions to meet their compliance expectations, and this pressure is passed on to their clients in the form of increased KYC requirements and more intensive transaction screening.
Of all respondents, 91% see that the increased KYC requirements are hindering operational efficiency, growth and the management of their business, and 24% of all respondents have even considered changing banks due to bank-specific KYC processes.

LIBOR phase out

The effect of the LIBOR phase out will be temporary, but it will lead to a total rebuilding of the banks’ infrastructure, which will be pushed through to their corporate clients, who are only beginning to become aware of what is ahead of them. The Barometer reported that only 42% have performed an impact analysis and that 15% were not aware of the LIBOR phase out at all. Industry experts recommend that corporates perform an impact analysis and become operationally ready for the IBOR phase out as soon as possible.

Technology/Innovation

The instant payments schemes and new technology around the world are transforming treasury departments into a world of real-time 24/7 liquidity, based on a shift towards more centralised control with local empowerment. With new business models in the whole value chain of payments processes and bank connectivity, banks are rapidly embracing innovations and developing fintechs. The adoption in treasury departments is a mixed bag, with an increasing group of early adopters but also a large group that has difficulty steering away from current older technology and interfaces.

Treasury Barometer results

Sustainability seems to be established as a core value and has moved beyond the initial hype, but the results of the Barometer showed no increased activity.

Bas Kolenburg from Enigma Consulting concluded: “From this year’s Treasury Barometer, the Fraud, KYC, LIBOR and Technology/Innovation themes are clearly very much on the radar of Dutch corporate treasurers and we are confident that this year’s report is motivating and inspiring for treasury departments. We aim with the Treasury Barometer not to provide a one-way publication but that this will be part of a multi-stakeholder conversation with the Dutch treasury community. The invitation is therefore open for persons to be engaged in future editions of the Treasury Barometer.”

The full report is available for download here.

Bas Kolenburg

Senior Consultant at Enigma Consulting

How to stay ahead of emerging threats

| 03-10-2019 | treasuryXL | BELLIN

Cyber Fraud and Treasury
Company-wide strategies to understand and mitigate cyber fraud risk

Cyber fraud represents a rapidly-evolving threat. It is essential for treasury departments to be aware of the new types of fraud that are emerging because of online technologies. The global nature of cyber crime means every business must make sure that security systems are watertight. Gangs can now conspire to defraud corporations from different countries and jurisdictions across the globe.

Royston Da Costa of Ferguson Group assisted in drafting this immersive white paper titled “Cyber Fraud and Treasury: How to Stay Ahead of Emerging Threats,” which highlights how to prevent cyber fraud and the strategies for combating it. The white paper covers:

  • Cyber fraud consequences
  • Most common types of cyber fraud
  • How to prevent cyber fraud
  • How to respond to cyber fraud


Internal Fraud – or how not to cheat yourself

| 22-02-2018 | Lionel Pavey |

Most companies, regrettably, experience internal fraud. The financial value of the loss can be small or large – however the impact is the same. Internal investigations, procedural reviews, the time spent on detection, possible prosecution, together with the potential loss of reputation are significant factors above and beyond the monetary loss. Fraud can never be eliminated, but the threat can be minimised through proper procedures.

Fraud is normally caused by false representation, failure to disclose information and abuse of power and position. As fraud is performed by people and their actions, a first step to prevent fraud would be to look at the current working environment within a company. If a company is putting extra stress on employees – bigger targets, loss of overtime payments, reductions in secondary benefits, no pay rises or promotions etc., whilst the directors receive bonuses – this can lead to employees becoming aggrieved and seeking retribution. Furthermore, employing more temporary staff and external contractors can distance the remaining employees and challenge their allegiance and loyalty.

Internal procedures

One of the least sexy components within a company is internal procedures. They need to be drafted, amended, agreed, published, implemented and reviewed on a rolling basis. Very few people enjoy writing these manuals, but they are essential to ensure that everyone is aware of the correct procedures that have to be followed to perform any tasks. Often there is talk of a “four eyes principle”. Personally, I have always believed in a “six eyes principle” as it requires more independent control and makes fraud less easy to perform. Most of the procedures are, of course, built around common sense. Duties should be segregated – different departments have different roles to perform in ensuring the complete procedure is followed throughout the company. Even within a single department, attention should be paid to segregating duties.

An example would be the administrative function relating to a purchase. There are 4 distinct stages – procurement, arrival, warehousing and dispatch/shipment. If one member of staff were responsible for the relevant data input for all 4 stages, there would be an increased risk that fraud could take place. This is not to say that work should be segregated so that one employee only ever does one function – this could also lead to fraud, either through disenchantment or through over-familiarity with the systems and procedures used at one specific point in the production chain.

External procedures

Certain departments within a company have contact with external sources – suppliers, clients, financial institutions. Anyone who has contact with an external counterparty can be swayed by opportunity if the controls are not in place. In respect of purchasers – what contact do they have with suppliers outside the office? Are they entertained – restaurants, sports events etc? How often do they have contact? In respect of sales – are they responsible for determining the sales price? How often do they see clients and spend money on them? The same also applies to treasurers, cash managers, risk managers etc.

The necessary checks and balances need to be put into place. A record of all contact with external parties needs to be kept, updated, verified and stored. Temptation can be caused by personal hardship, flattery or grievance at how the person perceives they are being treated by the company.

Standing up to the boss

As stated, a healthy company should have procedures and statutes in place. These need to be adhered to at all times – there can be no exceptions. However, a mechanism for escalation is often missing. Example – someone sends in an expense claim approved by their manager. The treasurer or controller might question the veracity of a particular entry. A proper mechanism to escalate the discrepancy needs to be firmly established. That a manager has signed off on the expense claim does not mean it is correct.

Even directors have to make sure that their claims are signed off by other members of staff. Being at the top does not mean that the procedures do not apply. Requests for a priority payment outside of the agreed procedure should always be questioned. If everyone has agreed to the standard procedures, then there can be no justification to make a payment outside of the normal procedure, just because it has been deemed a priority. If truly deemed necessary, then authorisation must be given not only by management and directors, but also by the legal department. If this occurs, then the existing procedure needs to be examined as to why the incident occurred and where the procedure broke down. This all has to be detailed in writing – fraud can happen at the highest level as well as low down within an organisation.

Static data

Every contact both inside and outside of the company should be recognised and recorded in a data system. Static data refers to all relevant data concerning an entity – full name, registered address, bank details, contact details etc. This data should be fed into all other systems, but data input should be restricted to a small number of employees. These employees should not have access to any of the systems that are used to input data relating to daily operations.

Another key area is in the cash management side – book keeping can be complex and differences not noted until the yearly audit. However, cash movements contain plentiful details – name of beneficiary, account numbers etc. This can be reconciled against the prevailing static data – are the bank account numbers the same?
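The reconciliation described above, as an added example that is not part of the original article: executed cash movements are checked against the static data, and any payment whose beneficiary name and account number do not belong together is reported. The record layout, the finding codes and the sample rows are assumptions made for illustration; the account numbers are constructed placeholders, not valid IBANs.

```python
import re
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class StaticRecord:          # one row of static (master) data
    entity_id: str
    name: str
    account: str


@dataclass(frozen=True)
class CashMovement:          # one outgoing payment taken from the bank statement
    reference: str
    beneficiary: str
    account: str
    amount: Decimal


def norm_account(raw: str) -> str:
    """Remove spacing and case so formatting differences are not flagged."""
    return re.sub(r"\s+", "", raw).upper()


def norm_name(raw: str) -> str:
    """Compare names on letters and digits only ('Acme B.V.' == 'ACME BV')."""
    return re.sub(r"[\W_]", "", raw.casefold())


def reconcile(static, movements):
    """Return (reference, finding, detail) for each movement that deviates."""
    accounts_by_name, owner_by_account = {}, {}
    for rec in static:
        account = norm_account(rec.account)
        accounts_by_name.setdefault(norm_name(rec.name), set()).add(account)
        owner_by_account[account] = rec

    findings = []
    for mv in movements:
        account = norm_account(mv.account)
        known = accounts_by_name.get(norm_name(mv.beneficiary))
        owner = owner_by_account.get(account)
        if known and account in known:
            continue  # name and account agree with the static data
        if known:
            # Known beneficiary paid on an account the static data does not hold.
            detail = f"paid on {account}, static data holds {sorted(known)}"
            findings.append((mv.reference, "ACCOUNT_MISMATCH", detail))
        elif owner:
            # Known account, but the payment names somebody else.
            detail = f"{account} is registered to {owner.name}"
            findings.append((mv.reference, "NAME_MISMATCH", detail))
        else:
            findings.append((mv.reference, "UNKNOWN_BENEFICIARY", account))
    return findings


# Constructed sample data for the example.
STATIC = [
    StaticRecord("V001", "Acme Supplies B.V.", "NL00 EXAM 0000 0000 01"),
    StaticRecord("V002", "Nordwind Logistik GmbH", "DE00 EXAM 0000 0000 02"),
]
MOVEMENTS = [
    CashMovement("PAY-1", "ACME SUPPLIES BV", "nl00exam0000000001", Decimal("12500.00")),
    CashMovement("PAY-2", "Nordwind Logistik GmbH", "GB00 EXAM 0000 0000 99", Decimal("48000.00")),
    CashMovement("PAY-3", "Acme Holdings Ltd", "NL00 EXAM 0000 0000 01", Decimal("900.00")),
    CashMovement("PAY-4", "Unlisted Trading", "FR00 EXAM 0000 0000 77", Decimal("3100.00")),
]

if __name__ == "__main__":
    for reference, finding, detail in reconcile(STATIC, MOVEMENTS):
        print(reference, finding, detail)
```

Run daily against the statement feed rather than at the yearly audit, the same check surfaces a changed beneficiary account within a day of the payment.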

Fraud can never be eradicated, but by being open, allowing questions to be asked, even performing unexpected checks on the system and its integrity, and creating an atmosphere where staff know that they can question without fear of reprisal, then at least everyone will know that the company is alert and vigilant.

That knowledge and awareness will make a potential fraudster think twice.

Cybersecurity & corporate treasury – not your favourite, but beware!

| 17-10-2017 | Pieter de Kiewit |

We all have these topics we know are important but never get the highest priority. Until it is too late. Cybersecurity is one of them. Do you want to be the treasurer named in the newspapers? Finding examples and input on-line is not hard. Only this morning these articles popped up through LinkedIn:

“Hackers steal $60 million from Taiwanese bank using bespoke malware”. This is about SWIFT, technology used by many in the corporate treasury environment. This is not to shame SWIFT; what can happen to them can most likely happen to other service providers.

Input from this mentioned article specifically has a focus on corporate treasury. What I think is interesting in their input: it is not only about malware. They also mention “social engineering”.

Now what to do? We all know many service providers step forward to guarantee security. Your time and budget are always a constraint. 100% security is an illusion. We will not decide for you. Perhaps we can help you start by browsing through who is offering solutions:

  • The ACT is organising an event at the end of this month:
    “This highly interactive two-day course will take you through the process of building a secure treasury environment. It covers all the essentials, from the creation of a framework of policy and delegated authority, to the way treasury should be organised to ensure maximum control of its activities. You will learn about front, middle and back office functions, regulatory requirements, controls and security essential to managing treasury and you will debate the key issues of control failure. You will learn how to create a secure environment in which treasury transactions can be managed and carried out with minimum risk of fraud or error. You will be able to judge the adequacy of any security arrangements and make or recommend necessary changes. You will also learn how to effectively plan and execute a risk-based treasury audit that adds value and helps identify early warning signals of potential problems.”
  • Software suppliers like Reval are stepping in, offering technology connected to consultancy. Their article is an easy read, gathering a first glance.
  • And of course consultants are happy to step in. This article by PwC might give you a first idea. Consultancy fees are quite steep. A known sales strategy of consultants is describing scenarios that make you stay awake at night. Are you willing to take the risk or consider “an amateur”?

We will further inform you about the topic in the future. We wish you low risk and high wisdom.

Pieter de Kiewit
Owner Treasurer Search

How to combat Payment Fraud

| 29-3-2017 | Mark van de Griendt | sponsored content |

Payment Fraud is one of the biggest threats to a treasurer’s reputation and career path in an organization. One of the most common ways to reduce payment fraud is to reduce human intervention and to increase the levels of automation in payment structures. With cyber-attacks and payment fraud regularly making headlines, treasurers must be vigilant in safeguarding financial assets. Only 19% of treasurers list cybersecurity as a critical concern. By contrast, 45% of CFOs name cybersecurity as a priority, pointing to a significant misalignment in CFO and treasury agendas in this regard (PWC Global, 2017).


That is why it’s really important for treasurers to know what they can do to reduce payment fraud. There are two ways to lower the risk of payment fraud in payment processing:

  • Increase the level of Straight Through Processing
  • Implement a Payment Hub

Higher level of Straight Through Processing
Corporates sometimes have hundreds of banking relationships and thousands of bank accounts, all managed manually on spreadsheets. Redesigning these treasury processes based on STP creates an integrated treasury workflow that streamlines processes effectively and provides treasurers with timely access to financial information. No more manual entries, no more errors.

Implementing a Payment Hub
A centralized payment platform combats payment fraud while also ensuring that treasurers have the money they need to manage day-to-day business obligations.

Some key benefits include:

  • Centralized monitoring and control
  • Flexibility and efficiency in payments
  • Reduced banking costs
  • Global Visibility
  • Easy access and more transparency

Please refer to our company page on treasuryXL or contact Mark van de Griendt if you’d like to receive more information about reducing payment fraud by a corporate payment hub.

Mark van de Griendt

Cash Management Expert at PowertoPay

Payment fraud – how companies can protect themselves

|13-2-2017 | Joerg Wiemer | sponsored content |

Information about the opportunities and risks of digitalization is widely spread. In general, risks occur when there is a chance of losing a competitive advantage or falling behind. However, one of the biggest risks is without doubt cybercrime. Attacks on IT systems worldwide increased yet again by 38 percent in 2015, according to the consulting firm PwC in their “Global State of Information Security Survey 2016”. If these attacks are aimed at the payment transactions of a company, the entire existence of the organization is easily threatened. Therefore, security measures in treasury and payments processes should be at the very top of the agenda. Jörg Wiemer, CSO of TIS, explains how companies can ensure increased security.

In general, when does a risk exist for companies during payment transactions?

JW: In principle, in any situation that involves a lack of transparency across bank relationships and activities. In these cases, cash positions and liquidity are not clear. Let’s assume that a branch transfers ten million dollars at the beginning of the month. If these bookings rely on manual processes and the balance is only checked once at the end of the month, it takes a full thirty days until the fraud is detected. Time is literally money. By monitoring treasury in real time, it is possible to detect these procedures much earlier, thereby solving them in many cases.

It can take a lot of time until the head office of the branch gains knowledge about such cases.

JW: This is the heart of the problem: The prevailing regional division of labor makes it easy for fraudsters. If the account statements in paper are collected locally in each branch, it takes weeks until those responsible in the head office notice that an account statement is missing, and with it, the positions written on it. This is exactly why a company should collect all account statements from every bank account worldwide automatically and assess liquidity positions in real time with a software like TIS.

What else facilitates frauds?

JW: Fraud can occur if there is no complete overview of the electronic signing authorities, if there is no dual control principle during payment transactions or during the administration of payment recipients and, in general, during every user administration, which is particularly prone to fraud. These are the typical gateways.

How can I detect that I am at an increased risk?

JW: One reliable indicator of a low level of security in payment transactions is a high amount of manual transactions. Normally, the assumption is that every payment has to be recorded in the accounting system according to the best practices – no booking without receipt, and no payment without a previous booking. Nevertheless, under certain circumstances, there are deviations from and exceptions to this principle. The key term here is “exception handling”, which results in a manual payment. An exemption is necessary for these cases, which includes comprehensive process documentation. The possibility of recording and authorization of non-automatic payments should be restricted to certain recipients of the payment and internal user groups. Furthermore, the user should only be allowed to use unchangeable payment templates that have been approved in advance.

How can companies reduce risks?

JW: A general rule is to standardize and automate processes across the group of companies! Payment related tasks can be executed at local level, however, based on a standardized and automated process. A central directory of every existing account and a payment governance should be mandatory for every company. Security in payment transactions begins with the professional management of the bank accounts. Otherwise, those responsible run the risk of fraudulent payments through accounts that are not registered in the ledger. The next step is to centralize the payment transactions. Digital payment platforms like TIS pool the cash flow and standardize and automate it. This way, payment procedures and the cash flow are controllable at all times.

What has payment looked like in practice up until now?

JW: Heterogeneous and confusing. Companies have a lot of different systems in each part of their organization and they use different e-banking tools to connect to the banks. The SAP system then generates payments. This is complicated and complex and there are many different protocols and formats. This is the reason for high costs as well as increased fraud risk.

In light of this, which solution approach does TIS pursue?

JW: We provide a payment transactions platform especially for medium and large-sized companies in any industry. The platform connects their accounting system with the respective bank. It then operates between the core systems – which the client does not have to change – and the bank. Therefore, the platform is the single point of contact, allowing all automated and standardized payment transactions to be combined in a uniform way for the entire company. This makes the management, monitoring and assessment of payment transactions tremendously easier.

The TIS solution runs completely in the cloud. What about the topics of control and secure data storage?

JW: A server as such is either secure or not secure, no matter if it runs in the cloud or in your own house. It is also possible to dial into an in-house server with the banking tools of a company from anywhere as long as the person has the appropriate authorization or the right amount of criminal energy. This is why the server has to be permanently protected from non-authorized access with a high level of modern technology. The big data centers, with which TIS also cooperates, have totally different possibilities than a single company. Let me say a few words regarding the topic of online banking: the idea that banking tools on a private notebook which runs offline are somehow more secure is an illusion. This computer provides a much bigger gateway for viruses and Trojans than any e-banking solution that runs in the cloud. It speaks volumes that the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) has recently started receiving a much higher amount of reports from the general public regarding e-banking frauds.

The right software is one part, but what can be done to ensure risk is handled correctly and that the right methods of payments processing are put into place?

JW: Good governance must be established and implemented. Companies need globally valid rules for their payment transactions with detailed guidelines on the following: how accounts are managed, who can open new accounts, who must give permission for this, and the documentation necessary to do so. There are always bad examples of what can happen if the company does not follow the guidelines. Remember the case of the automotive supplier Leoni in mid-2016? Cybercriminals acquired documents and assumed somebody else’s identity. They were then able to divert 40 million euros from accounts of the company to accounts abroad.

My advice on how to minimize risk? Establish governance guidelines and use a central platform for the management of bank accounts and payment transactions. Through automated and standardized processes, companies can protect themselves against manipulation and fraud and, ultimately, the loss of money.

If you are interested to read more about this topic please click on security in payments

Joerg Wiemer

CSO and Co-Founder of Treasury Intelligence Solutions GmbH (TIS)

Payment fraud – Leoni case

| 30-08-2016 | Udo Rademakers |

On the 5th of August I wrote an article regarding payment fraud. Not even two weeks later, Leoni, an automotive company in Germany with EUR 4.5b turnover, has been the victim of massive fraud where USD 40m has been wired … to a crime organization. “Leoni realized it had become the victim of fraudulent activity with the help of falsified documents and identities and the use of electronic communication channels,” the firm said. (source: dw.com)

Most probably, this has been done via the so-called “Fake President Fraud”: an employee receives a top secret message from the “CEO” with the instruction not to discuss this request with anyone else and to make a high value wire (to an account abroad). Obviously, the money flows into a crime organization.

Currently I am working in Germany where one sees (including myself) an increase in these kinds of attempts. I suspect that most of the cases don’t make it into the paper however.

I refer to my article on what measures could be taken to avoid payment fraud, but would also advise corporates to make a “quick scan”, as a lack of transparency and decentralization of payments increases the opportunity for fraud and cybercrime:

1. Do you centrally manage and control payment workflows?

2. Are payment workflows consistent within the group?

3. How many payment initiation systems do you run within your group and are limits and processes aligned?

4. Do you link your payments to your Cash flow forecast?

If all of the above questions can be answered with “yes” and the payment systems are limited, some risks are reduced and therewith “Leoni-cases” will hopefully be avoided.

Udo Rademakers

Independent Treasury Consultant & Interim Manager

How to avoid payment fraud?

| 05-08-2016 | Udo Rademakers |

Generally speaking, most of the fraud cases don’t make it into the paper because companies are so embarrassed that they choose to keep the affair quiet instead. In some cases however, amounts are too substantial to hide and corporates (need to) publish. One case has been published some months ago by Accell, a Dutch listed company. This triggers us again and brings us to the question: how can we control / “treasure” corporate cash the best and avoid possible fraud?

Fraud case

January 2016:
Press release Accell: Accell Group confronted with theft in Taiwan

Financieele Dagblad (Dutch newspaper): Fabrikant Accell voor miljoenen bestolen door Taiwanees

Accell had to publish a fraud case: according to the Annual Report “an employee could circumvent and misuse the availability of certain payment facilities by misappropriation of systems, processes and trust”. It led to a possible loss of EUR 4 million.

In my work as Treasury Consultant, I have seen more cases where in- and external fraud (almost) took place. All cases have been settled “internally”, however, the learnings out of it were huge.

How can your company avoid losing cash by fraud, or more generally, also avoid human errors?

Without going into too much detail, fraud or mistakes can be avoided by defining clear accounting and internal control rules and sticking to those rules. A fraud is almost never 100% avoidable, but the aim should be to find a balance between the risk of fraud, possible impact and costs (or keeping procedures still “workable”).

Define a “Static” Supplier Data process

  • Separate the Master Data responsibility from the Finance area (Segregation of Duties) with clearly defined restrictions
  • Request original documents/data from the supplier, verify and capture them
  • Capturing of data should be done by a limited number of employees and with segregation of duties (4 eyes principle)
  • Data should be protected and only be possible to amend via a standardized process (by limited number of employees)
  • Documentation

Define a Payment process (stand-alone banking system)

  • Create standardized payment templates (and make sure this cannot be amended)
  • Reduce the number of banks / bank accounts (less systems, less procedures, etc.)
  • No ad-hoc payments should be allowed (or only with additional secured processes)
  • Define limits according to authorization matrices (per person, department, per day, etc.)
  • Define clear segregations of duties
  • Documentation
  • Transparency

If HQ prefers having full cash control, one way could be to let payments only be released by the treasury department. Another way is to define certain limits on local level and higher limits at HQ. Still the 4 eyes principle (or 6 eyes) should be in place for accepting payments content-wise.
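A release gate that enforces the payment-process controls listed above, as an added example that is not part of the original article. The role names, limits, template table and violation codes are assumptions made for illustration, as is the reading of “4 eyes” as two distinct people including the initiator (“6 eyes” as three).

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Constructed authorization matrix: maximum amount each role may release,
# with a low limit at local level and a higher limit at HQ.
RELEASE_LIMITS = {
    "local_finance": Decimal("50000"),
    "hq_treasury": Decimal("5000000"),
}

# Constructed pre-approved templates: template id -> fixed beneficiary account.
TEMPLATES = {"TPL-ACME": "NL00EXAM0000000001"}


@dataclass
class Payment:
    reference: str
    amount: Decimal
    account: str
    initiator: str
    template_id: Optional[str] = None
    approvals: list = field(default_factory=list)  # (user, role) tuples


def release_violations(payment: Payment, eyes: int = 4) -> list:
    """Return the reasons a payment may not be released; empty means release."""
    violations = []

    # Templates: no ad-hoc payments, and the template's account cannot change.
    expected_account = TEMPLATES.get(payment.template_id)
    if expected_account is None:
        violations.append("AD_HOC_PAYMENT")
    elif payment.account != expected_account:
        violations.append("TEMPLATE_AMENDED")

    # Segregation of duties: an approval by the initiator never counts.
    if any(user == payment.initiator for user, _ in payment.approvals):
        violations.append("SELF_APPROVAL")
    independent = {user: role for user, role in payment.approvals
                   if user != payment.initiator}

    # Eyes principle: initiator plus independent approvers, two eyes each.
    if 2 * (1 + len(independent)) < eyes:
        violations.append("INSUFFICIENT_APPROVERS")

    # Authorization matrix: one independent approver must hold a high enough limit.
    if not any(RELEASE_LIMITS.get(role, Decimal("0")) >= payment.amount
               for role in independent.values()):
        violations.append("NO_APPROVER_WITHIN_LIMIT")
    return violations


# Constructed sample payments for the example.
ROUTINE = Payment("P1", Decimal("12000"), "NL00EXAM0000000001", "alice",
                  "TPL-ACME", [("bob", "local_finance")])
LARGE = Payment("P2", Decimal("250000"), "NL00EXAM0000000001", "alice",
                "TPL-ACME", [("bob", "local_finance")])
URGENT_AD_HOC = Payment("P3", Decimal("900000"), "GB00EXAM0000000099", "alice",
                        None, [("alice", "hq_treasury")])

if __name__ == "__main__":
    for p in (ROUTINE, LARGE, URGENT_AD_HOC):
        print(p.reference, release_violations(p) or "release")
```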

Define a Payment process (interfaced out of your ERP system)

  • Make sure the interface from the ERP system to the Payment system is secured, so that data cannot be amended while being stored on a server or in the payment system itself
  • Automate the process, no manual intervention should be required

Control cash outflow by comparing it to your Cash Flow Forecast

(see as well my posting of May 2016)

  • Automated reporting of cash balances (MT940/MT942) to Group Treasury
  • Analyze daily variations and link it to the forecast
  • Link the annual budget to the annual CFFC (and analyze the delta regularly)
  • Review your cash variations on a weekly or monthly basis and analyze them

In case of any questions, business cases or other questions, please do not hesitate to contact me.

Udo Rademakers

Treasury consultant