Finance shared service centres (“FSSC”) have become an essential part of many organisations, but they require a paradigm shift in the way businesses manage fraud risks.
FSSC adoption is being driven by pressure to reduce overheads. With consumer confidence low, many businesses see cutting costs as the key way to boost profits.
FSSCs can improve efficiency by combining back office functions that used to be duplicated across departments and standardising processes. They can cut costs by locating offshore in areas with cheaper labour.
As a result, more organisations are using FSSCs for their finance function or emphasising their role: pushing more services to the FSSC, increasing scale and continuously improving processes.
But the same process-driven efficiency that makes FSSCs attractive may create fraud risks. Employees may not challenge suspicious requests when they are told to handle all tasks the same way. With access to commercial secrets and customer data, they may unwittingly give out sensitive information.
For instance, a recent KPMG investigation uncovered an FSSC where employees fraudulently withdrew $400,000 from customer bank accounts. Fraudsters’ agents got jobs in the FSSC and built a picture of how standardised procedures dealt with different requests. They exploited gaps in the security checks to make bogus payments.
Focusing exclusively on efficiency also creates blind spots, which fraudsters can use. In another FSSC, weak IT controls let employees alter customers’ credit ratings. This caused disruption when the business made bad loans and received complaints from angry customers. Employees also had access to trade data which could have been leaked to rivals.
Even where secure systems are in place, the transactional mindset in FSSCs can drive inappropriate behaviour. One FSSC processed £5m in fraudulent transactions despite numerous red flags because staff did not understand the transactions and had not received fraud awareness training.
Even where employees knew what to look for, many felt unable to challenge transactions because they were encouraged to focus on completing their immediate task as quickly as possible.
This potentially opened the organisation up to regulatory action, and could have severely dented its reputation.
Organisations can combine action to reduce their fraud risks with optimising the performance of FSSCs.
This includes both controls to help stop particular instances of fraud, and sustainable measures to shift behaviour so fewer frauds are attempted. We believe the best place to start is with a review of processes to ensure they conform to documentation and to eliminate waste. It’s also worth automating manual controls to speed up execution and reduce the risk of misuse.
Of course, processes are not the only area to explore. How often are prospective employees pre-screened? Evidence suggests the answer is simply ‘not enough’, but this should be changed to exclude known fraudsters and recruit the right skills for each role.
Too often organisations leave things to chance. Another step they should be taking is assessing fraud and business risks and conducting performance tests, ensuring regular training happens so employees understand fraud risks and avoid processing errors. They should also empower employees to understand transactions and suggest continuous improvements.
In the longer term, organisations need to foster the right culture. Fewer frauds will occur in FSSCs with the same risk awareness, whistle-blowing arrangements and tone from the top as the wider business.
Yet, the key barrier to this culture is the lack of integration between FSSCs and wider businesses. Where FSSCs are seen as separate walled entities, organisations can concentrate on short-term profitability while local managers focus on efficiency at all costs.
We believe the solution is to build strong partnerships. Regular and open discussion can draw all stakeholders’ attention to what really matters. Service level agreements can be redesigned to better encourage collaboration. They may eventually become unnecessary as the FSSC integrates seamlessly into the wider business.
Remember that even if you don’t see your FSSC as an integrated part of your business, it could still tarnish your reputation if things go wrong.
This article represents the views of the author only, and does not necessarily represent the views or professional advice of KPMG in the UK.