Payment fraud – how companies can protect themselves

|13-2-2017 | Joerg Wiemer | sponsored content |

Information about the opportunities and risks of digitalization is widely spread. In general, risks occur when there is a chance of losing a competitive advantage or falling behind.  However, one of the biggest risks is without doubt cybercrime. Attacks on IT systems worldwide increased yet again by 38 percent in 2015, according to the consulting firm PwC in their “Global State of Information Security Survey 2016”. If these attacks are aimed at the payment transactions of a company, the entire existence of the organization is easily threatened. Therefore, security measures in treasury and payments processes should be at the very top of the agenda. Jörg Wiemer, CSO of TIS, explains how companies can ensure increased security.

In general, when does a risk exist for companies during payment transactions?

JW: In principle, in any situation that involves a lack of transparency across bank relationships and activities. In these cases, cash positions and liquidity are not clear. Let’s assume that a branch transfers ten million dollars at the beginning of the month. If these bookings rely on manual processes and the balance is only checked once at the end of the month, it takes a full thirty days until the fraud is detected. Time is literally money.  By monitoring treasury in real time, it is possible to detect these procedures much earlier, thereby solving them in many cases.   

It can take a lot of time until the head office of the branch gains knowledge about such cases.

JW: This is the heart of the problem: The prevailing regional division of labor makes it easy for fraudsters. If the account statements in paper are collected locally in each branch, it takes weeks until those responsible in the head office notice that an account statement is missing, and with it, the positions written on it. This is exactly why a company should collect all account statements from every bank account worldwide automatically and assess liquidity positions in real time with a software like TIS.

What else facilitates frauds?

JW: Fraud can occur if there is no complete overview of the electronic signing authorities, if there is no dual control principle during payment transactions or during the administration of payment recipients and, in general, during every user administration, which is particularly prone to fraud. These are the typical gateways.

How can I detect that I am at an increased risk?

JW: One reliable indicator of a low level of security in payment transactions is a high amount of manual transactions. Normally, the assumption is that every payment has to be recorded in the accounting system according to the best practices – no booking without receipt, and no payment without a previous booking. Nevertheless, under certain circumstances, there are deviations and exceptions of this principle. The key term here is “exception handling”, which results in a manual payment. An exemption is necessary for these cases, which includes comprehensive process documentation. The possibility of recording and authorization of non-automatic payments should be restricted to certain recipients of the payment and internal user groups. Furthermore, the user should only be allowed to use unchangeable payment templates that have been approved in advance.

How can companies reduce risks?

JW:  A general rule is to standardize and and automate processes across the group of companies! Payment related tasks can be executed on local level, however, based on a standardized and automated process. A central directory of every existing account and a payment governance should be mandatory for every company. Security in payment transactions begins with the professional management of the bank accounts. Otherwise, those responsible run the risk of fraudulent payments through accounts that are not registered in the ledger. The next step is to centralize the payment transactions. Digital payment platforms like TIS pool the cash flow and standardize and automate it. This way, payment procedures and the cash flow are controllable at all times.

What has payment looked like in practice up until now?

JW: Heterogeneous and confusing. Companies have a lot of different systems in each part of their organization and they use different e-banking tools to connect to the banks. The SAP system then generates payments. This is complicated and complex and there are many different protocols and formats. This is the reason for high costs as well as increased fraud risk.

In light of this, which solution approach does TIS pursue?

JW: We provide a payment transactions platform especially for medium and large-sized companies in any industry. The platform connects their accounting system with the respective bank. It then operates between the core systems – which the client does not have to change –  and the bank. Therefore, the platform is the single point of contact, allowing all automated and standardized payment transactions to be combined in a uniform way for the entire company. This makes the management, monitoring and assessment of payment transactions tremendously easier.

The TIS solution runs completely in the cloud. What about the topics of control and secure data storage?

JW: A server as such is either secure or not secure, no matter if it runs in the cloud or in your own house. It is also possible to dial into an in-house server with the banking tools of a company from anywhere as long as the person has the appropriate authorization or the right amount of criminal energy. This is why the server has to be permanently protected from non-authorized access with a high level of modern technology. The big data centers, with which TIS also cooperates, have totally different possibilities than a single company. Let me say a few words regarding the topic of online banking:  the idea that banking tools on a private notebook which runs offline are somehow more secure is an illusion. This computer provides a much bigger gateway for viruses and Trojans than any e-banking solution that runs in the cloud. It speaks volumes, that the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) has recently started receiving a much higher amount of reports from the general public regarding e-banking frauds.

The right software is one part, but what can be done to ensure risk is handled correctly and that the right methods of payments processing are put into place?

JW: Good governance must be established and implemented. Companies need globally valid rules for their payment transactions with detailed guidelines on the following: how accounts are managed, who can open new accounts, who must give permission for this, and the documentation necessary to do so. There are always bad examples for what can happen if the company does not follow the guidelines. Remember the case of the automotive suppliers Leonie mid-2016? Cybercriminals acquired documents and assumed somebody else’s identity. They were then able to divert 40 million euros from accounts of the company to accounts abroad.

My advice on how to minimize risk? Establish governance guidelines and use a central platform for the management of bank accounts and payment transactions. Through automated and standardized processes, companies can protect themselves against manipulation and fraud and, ultimately, the loss of money.

If you are interested to read more about this topic please click on security in payments

joerg wiemer


Joerg Wiemer

CSO and Co-Founder of  Treasury Intelligence Solutions GmbH ( TIS)