Payment Fraud - How Companies Can Protect Against It

You can now read a lot about the opportunities and dangers of digitization. Basically, there are always risks when you fear losing your competitive advantage or falling behind. Cybercrime is undoubtedly one of the greatest risks. Attacks on IT systems are increasing all over the world. According to a study published by the consulting firm PwC under the title “Global State of Information Security Survey 2016”, there was an increase of 38 percent in 2015 alone. If these attacks are aimed at a company's payment transactions, its entire existence can quickly be jeopardized. Security measures in the area of treasury and payment processes should therefore be high on the agenda. Jörg Wiemer, CEO of TIS, explains how companies can ensure more security.

When can it be assumed that payment processes can become a risk for a company?

JW: In principle, any situation in which there is not complete transparency with regard to bank details and activities can be associated with a risk. In such a case, there is no clarity about cash positions and liquidity. Let's assume that a branch office transfers ten million dollars at the beginning of the month. If these postings are made manually and the balances are checked only once, and that at the end of the month, it may have taken a full thirty days before the fraud could be detected. Time is money in the truest sense of the word. With real-time treasury monitoring, these processes can be identified much earlier and often also corrected.

It can take a long time for the branch manager to become aware of such cases.

JW: That's exactly the problem: The prevailing regional division of labor makes it easy for fraudsters. If the printed account statements are collected on site in the respective branch, it can take weeks for those responsible in the head office to notice that an account statement is missing and that, with this missing account statement, the printed account movements are not available. For this very reason, companies should be able to automatically collect all bank statements for all bank accounts worldwide and analyze liquidity positions in real time using software such as that from TIS.

What else is it that fosters fraud?

JW: Fraud is always possible if there is no complete overview of the signature authorizations and if the four-eyes principle is not adhered to in payment transactions or in the administration of the payee and, in principle, in all user administration, which is particularly susceptible to fraud. These are the typical gateways for fraud.

How can I find out whether I am at particularly high risk?

JW: A reliable indicator of a low level of security in payment transactions is a high proportion of manual transactions. It is generally assumed that every payment is recorded in the accounting system according to the best practices - i.e. no booking without a receipt and no payment without a previous booking. However, under certain circumstances there may be exceptions to and deviations from this principle. The keyword here is "exception handling" and this is associated with a manual payment. In such cases, an exception is required and this includes comprehensive process documentation. The ability to record and approve non-automatic payments should be restricted to certain payees and internal user groups. In addition, a user should only be allowed to use payment templates that have been approved in advance and cannot be changed.

How can companies reduce the risks?

JW: The rule of thumb is that only standardized and automated processes should be used throughout the group. Payment-related activities can well be carried out at the local level; however, they should be based on a standardized and automated process. Every company should have a central register of all existing accounts, as well as payment governance. Security in payment transactions begins with professional bank account management. Otherwise, those responsible run the risk of abusive payment transactions using accounts that are not recorded in the general ledger. The next step is to centralize payment transactions. Digital payment platforms such as TIS bundle payment flows and standardize and automate them. In this way, payment transactions and payment flows can be controlled at any time.

How have payments looked in practice so far?

JW: Inconsistent and confusing. The reality in companies is that different systems and online banking tools are used in different parts of the organization to handle bank details. Payments are then generated by the SAP system. It's complicated and complex, and there are many different protocols and formats. The consequences are high costs and an increased risk of fraud.

In view of this, what approach does TIS propose?

JW: In particular, we provide medium-sized and large companies in all industries with a platform for payment transactions. The platform connects the company's own accounting system with the bank concerned; it stands between the core systems, which the customer does not have to change, and the bank. The platform is the only point of contact and enables the company-wide standardization of all automated and standardized payment transactions. This greatly simplifies the management, monitoring and analysis of payment transactions.

The TIS solution is operated exclusively in the cloud. What about the control and security of the stored data?

JW: A server itself is either secure or it isn't; that has nothing to do with whether it is running in a cloud or at your premises. It is quite possible to use a company's banking tools to dial into a company's own server from anywhere, as long as the person concerned has the appropriate authorization or has enough criminal energy. The server must therefore be permanently protected against unauthorized access using the most modern technologies. The large data centers with which TIS also works have completely different options than a single company in this regard. Let me briefly say something about online banking: The idea that banking tools that are used offline on a private notebook are somehow more secure is an illusion. Such a computer offers a much larger gateway for viruses and Trojans than all online banking solutions that are operated in the cloud. It speaks for itself that an increasing number of cases of fraud in online banking have recently been reported by the general public to the Swiss Reporting and Analysis Center for Information Assurance MELANI.

The right software is one thing. But what can be done to ensure that the risk is adequately managed and that the correct payment processing methods are used?

JW: It is important to establish and implement guidelines for adequate governance. Companies need group-wide rules according to which payment transactions are to be carried out. In their guidelines, they must define in detail how accounts are to be managed, who is allowed to open new accounts, who gives their approval and which documents are required for this. It is easy to find examples of what can happen if the company does not follow the guidelines. Do you remember what happened to the automotive supplier Leoni in mid-2016? Cybercriminals got hold of documents and assumed someone else's identity. This enabled them to steal 40 million euros from the company's international accounts.

My recommendation to minimize risk? Establish governance guidelines and use a central platform for managing bank accounts and payment transactions. With automated and standardized processes, companies can protect themselves against manipulation and fraud and ultimately against financial loss.


Jörg Wiemer is CEO of Treasury Intelligence Solutions GmbH.