Payment Fraud - No software can save you
Knock knock, who’s there? It’s your regular payment fraud blog post. That’s right, it’s 2020 and even with advancing technologies and AI detecting fraudulent behavior, payment fraud remains an ever-present risk for any company.
The other day I met with someone who has recently been a target of payment fraud and is now implementing a payment factory in order to reduce the risk. I wanted to take a look at how we approach the subject with our solution. But I also want to go beyond that because having the right software in place is important, sure but it goes beyond technology. And yes, I’m writing this fully aware that we are a software provider.
Let’s start with the software, Nomentia's cash management solution has several mechanisms in place that protect you against fraud.
Here's a quick list
- First of all, our software creates a single point of managing all payments. We talk a lot about centralizing and this is just that. Our product brings all these payments into a single view. If we think of a typical case, a company might upload some payments to internet banks, some to a service bureau, use host-to-host connections for others and maybe even run some payments via SWIFT. That creates at least 5 times x channels where payments are executed. This means all payments can't be seen from one view, which already makes it impossible to detect fraudulent or suspicious payments. But in addition those 5 times x channels also mean 5 times x places where user rights need to be maintained and controlled.
- This brings us also to the second point, our software comes with a comprehensive user and user rights management. Our software creates a clear structure and visibility as to who has rights to which companies and accounts and what kind of user roles they are having. We create visibility and an easy way to maintain those rights.
- When payments are transferred from one source system such as ERP, payroll and the likes to our cloud, files cannot be altered. This creates additional security measures that protect companies from attacks.
- Lastly, we have created capabilities to set up straight forward approval flows that ensure a segregation of duty into the way payments are done, within the users’ approval limit. Approval limits can be set for each user when working in different roles for multiple companies.
Those are the things that come built into our software. But it’s important to highlight one key fact, most fraud attempts have a human factor and that’s why it’s important to look beyond the software and take a critical look at the processes. As a matter of fact, despite all the noise about external risks, fraud and theft are more likely to be committed by an internal actor than an external actor (Source: FBI Internet Crime Complaint Center).
In other words, if you focus on validating data for possible fraud, you probably should take steps to minimize the possibility of fraud in the first place. Otherwise, proverbially speaking, it’s winter (Northern Finland winter for that matter) and you are going out in shorts and with wet hair.
Apart from controlling user access rights, I would like to share some more tips and ideas that can help to mitigate the risk of fraud.
- Payments that are made from ERP but rejected by the bank cannot be modified by all users. In practice this means when a payment is made from the ERP system but rejected by the bank, it bounces back where users need to review the failed payment, before sending it to the bank. Fixing the payment data on ERP master data instead of manual adjustments. This would highlight and prevent for example internal fraud attempts.
- Consider working with your system admins to install payment templates that your end users can use. This decreases the risk for fraud and error by limiting the manual work of filling in information.
- Make use of the full audit trail that we provide. You can see the whole lifecycle of a payment from its creation to its reconciliation, including by whom and which changes were made, who has approved and sent the payment.
- Create clear rules on manual payment creation. We enforce a 4-eye approval flow before sending it. In manual payments, there might be a reason to have more than 2 persons approval. If you are having SSC’s in use or even multiple SSC globally. Use the standard 4-eye approval flow locally but have additional approval from another SSC to reduce the internal actor.
These are a few ideas from my side. I am always happy to hear more ideas and feedback on how we can together create safe payment processes. Feel free to reach out to us via the form below and let me know your ideas and questions.