Fraud is one of the top three concerns keeping CFOs and treasurers up at night, and it is an ever-increasing threat because of the proliferation of spear-phishing and data breaches and the loss in company value that follows a successful fraud attack.
*Source: Association of Certified Fraud Examiners Global Fraud Study, 2014
In addition to the direct financial losses, the indirect losses can be devastating. Falling stock market value, loss of confidence from investors, customers and partners, lawsuits and fines are all possible. So what types of financial fraud should you be concerned about?
A broad range of both internal and external threats face the integrity of an organisation's corporate cash. To understand how your organisation can become more secure, it is critical to know which vulnerabilities you may be exposed to. Examples include: external hacking of treasury systems and files by third parties exploiting data security flaws; inappropriate employee access to server rooms and internal networks resulting from weak physical and data security processes; fraudulent payments sent by employees to banks, either wilfully or erroneously (often as a result of social engineering or "phishing" attacks); fraudulent purchase orders and invoices created by internal employees for related third parties; settlement instructions directing funds to unauthorised accounts; suboptimal financial trades made by employees in return for personal gain; former employees remaining signatories on current bank accounts after their departure or termination; and infrequent or inefficient reconciliation of accounts, which allows fraudulent transactions to go unnoticed.
Application Security: Weak passwords and weak user authentication procedures are the most common vulnerabilities exploited by potential fraudsters. The first priority for organisations should be to eliminate any single point of failure: one compromised password should not, on its own, grant access to treasury and financial systems. Dual-factor authentication is a tactic often used by bank portals, which issue tokens (or key fobs) that generate a one-time second password once the original user ID and password have been entered correctly. Most software platforms support bring your own device (BYOD), so that your smartphone can be used to receive the one-time 'second' password. Other options include the YubiKey, which is often used in EMEA. However, dual-factor authentication alone is not considered best practice. Multi-factor authentication combines different login and authentication strategies to provide the best possible protection for corporate systems.
Data Security: Hosting data internally within on-premise systems can present a security risk with over 25% of corporate fraud being internal. It is difficult for IT departments working on limited budgets to invest in leading solutions to provide performance, service levels and the data security required to meet treasury’s global requirements. CIOs and CTOs are the first to agree that cloud solutions are one way to improve data security.
Visibility & Control of Bank Accounts: Insufficient visibility into bank accounts and bank signatories is a recipe for disaster in treasury management. All too often bank account approvers and signatories aren’t centrally known, or worse have left the organisation. Maintaining visibility and control of bank accounts becomes extremely difficult as organisations grow geographically or via acquisition. Deploying a bank account management solution can help to streamline process and dramatically improve the level of visibility and control.
Digital Signatures: Digital signatures are a critical tool that helps banks authenticate payment files transmitted from third-party systems such as a TMS or ERP. Digital signatures are personal digital identity solutions based on a Public Key Infrastructure (PKI). SWIFT's 3SKey, considered the industry-leading digital signature solution, can be applied internally as part of a payment approval workflow and externally to authenticate a payment batch, confirming to the bank that all payments are accurate and valid. This not only helps validate the payment but also reduces the likelihood of repudiation by the bank. The use of digital signatures, combined with strong password controls and a centralised payment workflow, dramatically reduces the opportunities for payments fraud.
Payment Workflows: Spear-phishing in treasury is the most dangerous fraud attempt because cybercriminals are specifically targeting you. It focuses on payment workflows because success offers an immediate payoff: a fraudulent transfer of funds to the wrong bank account. While implementing strong password controls improves protection, standardising payment workflows so that payment procedures are consistently followed is also critical. Targeted attempts prey on a single exception to policy; only one mistake is needed to create a fraud opportunity. Standard practice is to implement multiple, standardised levels of approval and to ensure approvals are electronic, tied to the separation of duties within the treasury system and aligned to specified limits. Many treasury teams use digital signatures for internal payment approvals (as well as for external authentication of payments). Organisations that split the payment workflow across systems, e.g. using internal systems for initiation and bank portals for approval, increase the risk of exploitation.
Best practice is to manage the complete payment workflow in one system which offers an electronic paper trail for that payment from initial request through to transmission. This also allows the payment acknowledgements (up to four levels) to be integrated with the payment workflow. Many organisations also centralise treasury and supplier payment transmission via a central payment hub to ensure treasury has complete transparency of every outgoing payment globally. This allows complete oversight over all outgoing cash flows in addition to saving costs.
Standard Settlement Instructions: Settling financial trades is an increasingly exploited opportunity for internal financial fraud. Entering into financial trades (investments, foreign exchange, derivatives) is a daily activity for treasury teams. For typical trades with your bank it is common for standard settlement instructions (SSI) to be set up in advance at the bank. However, for non-typical trades or for transactions with non-bank counterparties, SSI may not be in place. This creates an opportunity for fraud in which the wire transfers that settle trades can be fully or partially redirected to unauthorised bank accounts. Standard settlement instructions (SSI) within your own financial systems improve efficiency as well as preventing the redirection of funds to unauthorised accounts. Key steps to implement: record financial transactions electronically in your treasury system, with approvals and limits applied, so that a full audit trail is available for review; attach payment templates automatically to each trade; require additional approval to edit or remove a payment template, with all activity tracked in the audit trail; and reconcile trade tickets between the counterparties and the treasury system at a standard frequency, with oversight of the process to ensure no exceptions slip through.
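As an added example that is not from the article or from Kyriba's software, the following Python sketch models the controls described in the last two sections: separation of duties between initiator and approver, approval counts driven by amount limits, an SSI template locked to the trade and compared with the beneficiary before release, dual control over template edits, and an audit trail. The tier thresholds, account numbers and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed approval tiers: (upper amount limit, distinct approvals required).
APPROVAL_TIERS = [(10_000, 1), (100_000, 2), (float("inf"), 3)]


def approvals_required(amount):
    """Number of distinct approvers a payment of this size needs."""
    return next(n for limit, n in APPROVAL_TIERS if amount <= limit)


@dataclass
class Payment:
    trade_id: str
    amount: float
    beneficiary: str              # account the wire would be sent to
    initiator: str
    approvers: list = field(default_factory=list)


@dataclass
class TreasurySystem:
    ssi: dict                     # trade_id -> settlement account fixed at trade capture
    audit: list = field(default_factory=list)

    def approve(self, payment, user):
        """Record an approval; the initiator may not approve their own payment."""
        if user == payment.initiator or user in payment.approvers:
            self.audit.append(("REJECTED_APPROVAL", payment.trade_id, user))
            return False
        payment.approvers.append(user)
        self.audit.append(("APPROVED", payment.trade_id, user))
        return True

    def change_ssi(self, trade_id, new_account, requester, approver):
        """Editing a settlement template is itself a dual-controlled, audited action."""
        if requester == approver:
            self.audit.append(("REJECTED_SSI_EDIT", trade_id, requester))
            return False
        self.ssi[trade_id] = new_account
        self.audit.append(("SSI_CHANGED", trade_id, requester, approver))
        return True

    def release_check(self, payment):
        """Return the control failures; an empty list means the wire may be released."""
        problems = []
        template = self.ssi.get(payment.trade_id)
        if template is None:
            problems.append("no SSI template attached to trade")
        elif template != payment.beneficiary:
            problems.append("beneficiary differs from SSI template")
        needed = approvals_required(payment.amount)
        if len(payment.approvers) < needed:
            problems.append(f"{len(payment.approvers)} of {needed} approvals")
        self.audit.append(("RELEASE_CHECK", payment.trade_id, tuple(problems)))
        return problems
```

A payment whose beneficiary does not match the template attached to its trade is blocked even when fully approved, and the audit list records every rejected action for later reconciliation.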
A robust technology solution is a critical element of the security equation. However, even with a sophisticated TMS in place, treasury teams need to ensure they are not the weak link inadvertently exposing the organisation to fraud. Therefore, it’s essential that companies educate their staff about the ways that fraudsters can dupe employees via social engineering, either into revealing sensitive banking data or sending cash and payments themselves. Employees must be aware of internal processes for creating and sending payments and how to spot a potentially fraudulent request.
Guest author: Bob Stark, Vice President, Strategy, Kyriba
*All data apart from where indicated is sourced from the Association of Corporate Treasurers / Kyriba Treasury Study, 2015
© 2017 KPMG AG Wirtschaftsprüfungsgesellschaft, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.