After the Ballots
How the ‘year of elections’ reshaped treasury priorities
Published: February 02, 2008
With the globalization of business, the complexity of payment-related processes has increased exponentially. Yet, despite growing awareness and more sophisticated security protocols, payments fraud continues to be a thorn in the side of corporate treasurers all over the world.
According to an industry survey released in 2007 by a leading association of financial professionals, 72% of organizations experienced attempted or actual payment fraud in 2006, and 39% of survey respondents reported that incidents of fraud increased from 2005 to 2006. And let’s not forget the need for organizations to comply with a vast array of government and regulatory mandates, which further complicate payment security and risk mitigation initiatives by casting a close eye not only on the individuals and organizations making payments, but also those receiving them.
Many threats of payment fraud come from inside an organization’s own four walls. Loosely defined invoice approval rules or inefficiencies in accounts payable processes, for example, can be easy prey for individuals looking to take advantage of opportunities to steal. This type of payments fraud by employees and others most often takes the form of duplicate payments, miscalculations, unsupported payment claims, ineligible beneficiaries, and outright fraud.
As criminals become increasingly savvy about ways to circumvent processes and safeguards, enterprises face a never-ending test of payments risk management. Many improper payments continue to go unidentified due to inadequate internal controls or siloed information systems. Without the ability to proactively create payment thresholds, monitor irregular payment volumes or quickly identify and flag duplicate payments, mitigating payments risk becomes nearly impossible.
Today, this reality is amplified across a growing number of enterprises and government programs that disburse high volumes of payments, make expedited payments or manage complex criteria for computing them. By being more proactive and adopting an aggressive approach to payments security, one that leverages advanced payment risk management technologies and centralizes payments monitoring and control, organizations can more readily protect themselves against duplicate payments and other prevalent types of fraud from within.
Regardless of the payment vehicle (electronic payment, card payment or cheque, for example), mechanisms for payment security are most often influenced by three common factors: changes in the law, changes in technology, and changes in business processes. Over time, each of these drivers evolves as the law, technological capabilities and generally accepted business practices mature.
Take corporate-originated electronic payments as an example. From the early 1970s to about 1985, data security was largely ensured by operators working in secured areas and duplicate keys for magnetic tape cases, while data transportation was a mixed bag of courier-based solutions ranging from armoured cars to bicycles. This is a far cry from today’s world of Triple DES encryption and secure online sites for direct file upload, and meticulous adherence to regulatory guidelines.
Different countries are responding in different ways to the need to tighten payment security. For example, in the United States, if the response to a news story that appeared recently in The Washington Times regarding the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) is any indicator, understanding and adhering to regulatory guidelines aimed at combating payments fraud is perhaps one of the biggest challenges facing today’s corporate treasury professionals. While Sarbanes-Oxley has forced the establishment of hierarchal payment approval schemes for any payment larger than a pre-determined amount, compliance with OFAC has placed a new emphasis on due diligence around just who is being paid. The challenge for treasurers, therefore, is finding the right balance between internal performance objectives, compliance requirements and risk mitigation.
The backbone of OFAC is the Specially Designated Nationals (SDN) list. Updated regularly, the SDN list contains more than 5,000 individuals, organizations and countries with whom the US has deemed it illegal to engage in business affairs. Discreet-sounding organizations such as Blue Nile Brewery, Rixford Investment Corporation and Nordstrand Maritime and Trading Company are on the list today. With names like that, it is a little easier to understand how businesses can inadvertently find themselves making a payment to an organization on the SDN list.
When dealing with payments security, whether covered by OFAC or not and in whatever country, the primary objective of any organization should be to identify risk and prevent loss or infringement before it occurs. While OFAC exists to enforce sanctions and embargoes, it does not mandate the processes and procedures businesses must use to ensure compliance. Finding the right path to compliance ultimately lies with the individual organization.
In the new age of Sarbanes-Oxley and OFAC compliance, a new generation of payment risk management solutions is providing organizations with the ability to protect against duplicate payments and other prevalent types of fraud by centralizing payments monitoring and control across siloed or legacy systems. In deploying such solutions, organizations can combat payment fraud proactively through:
1. List checking
Individuals and businesses can easily use variations of their names to avoid fraud detection, and simple direct name matching does not pick these variations up. Solutions with matching capabilities via a name variation algorithm can help to address this by generating large numbers of name variations for a single individual or company on a list, making identification easier.
In addition to helping enterprises monitor and prevent payments to ineligible recipients, payment risk management solutions can also help insure against improper payments by verifying issuances against key eligibility databases, including valid employees, approved vendors and eligible benefit participants.
2. Hierarchal approval schemes
Panel approval schemes, which provide the ability to establish approval hierarchies for payments exceeding a pre-determined amount, are critical as part of best practice centralized payments processing, helping organizations guard against would-be criminals seeking to pass high-dollar payments under the radar. Using electronic workflow capabilities, information relevant to the payment can be quickly routed from one individual to the next, ensuring that payment information is reviewed and approved by authorized individuals prior to release of payment files.
3. Scrutinize suspect payments
More devious criminals, vendors and employees may try to figure out simple AP approval rules and submit invalid requests for payment (invoices, program requests or enrollment) that they know would get paid without review. Payment risk management solutions can help to catch suspect payments by monitoring irregular payment volume under certain thresholds.
4. Catch duplicate payments
In many cases, inefficient practices mean that by the time a payment is processed the payee has already complained about late payment, which for major suppliers or for material amounts may result in immediate payment. Gaining the ability to flag payments made to the same person for the same amount within a defined time period can help reduce unnecessary or duplicate payments.
5. Monitor payee addresses and account numbers
Some criminals know that companies cross-check their payments with a list of names to identify fraud. Therefore, you need to stay one step ahead by checking for the same payee address or account number as well as name. For example, rogue employees or vendors could make or request fictitious payments to a friend or relative with whom they share a bank account. By identifying checks and electronic payments written or originated to different payee names, yet sent to the same address or with the same bank account number, centralized payment solutions can help to extend the effectiveness of your fraud prevention tactics. Tracking trends for frequent or multiple low-dollar amount items paid to the same account is also particularly helpful in identifying fraudulent activity.
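The checks described in items 3 to 5 can be sketched as follows. This is an added example, not code from the article or from any payment product; the payment records are constructed, and the 14-day window, the 10,000 approval threshold and the 5% margin are assumed values chosen for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample payments (id, payee, account, amount, date); not real data.
PAYMENTS = [
    ("P1", "Acme Supply Ltd", "ACC-100", 4200.00, date(2008, 1, 7)),
    ("P2", "Acme Supply Ltd", "ACC-100", 4200.00, date(2008, 1, 11)),  # re-paid after a complaint
    ("P3", "J. Rivers Consulting", "ACC-200", 9900.00, date(2008, 1, 8)),
    ("P4", "J. Rivers Consulting", "ACC-200", 9850.00, date(2008, 1, 9)),
    ("P5", "J. Rivers Consulting", "ACC-200", 9950.00, date(2008, 1, 10)),
    ("P6", "Northside Cleaning", "ACC-300", 310.00, date(2008, 1, 9)),
    ("P7", "N. Side Services", "ACC-300", 295.00, date(2008, 1, 15)),
    ("P8", "Acme Supply Ltd", "ACC-100", 4200.00, date(2008, 3, 3)),   # outside the window
]

def duplicate_payments(payments, window_days=14):
    """Pairs of payments to the same payee for the same amount within window_days."""
    groups = defaultdict(list)
    for pid, payee, _acct, amount, when in payments:
        groups[(payee.casefold(), round(amount, 2))].append((when, pid))
    flagged = []
    for items in groups.values():
        items.sort()
        for (d1, p1), (d2, p2) in zip(items, items[1:]):
            if d2 - d1 <= timedelta(days=window_days):
                flagged.append((p1, p2))
    return sorted(flagged)

def shared_accounts(payments):
    """Bank accounts that receive payments under more than one payee name."""
    names = defaultdict(set)
    for _pid, payee, acct, _amount, _when in payments:
        names[acct].add(payee)
    return {acct: sorted(n) for acct, n in names.items() if len(n) > 1}

def below_threshold_clusters(payments, threshold=10000.00, margin=0.05, min_count=3):
    """Payees with min_count or more payments just under the approval threshold."""
    hits = defaultdict(list)
    for pid, payee, _acct, amount, _when in payments:
        if threshold * (1 - margin) <= amount < threshold:
            hits[payee].append(pid)
    return {payee: ids for payee, ids in hits.items() if len(ids) >= min_count}

if __name__ == "__main__":
    print("duplicates:", duplicate_payments(PAYMENTS))
    print("shared accounts:", shared_accounts(PAYMENTS))
    print("near-threshold:", below_threshold_clusters(PAYMENTS))
```

Each flag is a prompt for review rather than proof of fraud: a shared account or a repeated amount can have a legitimate explanation that only the approver can confirm.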
In today’s fast-changing world of payment security, staying one step ahead of those seeking to defraud your organization has never been more difficult. The danger of payment fraud and the need to be vigilant in protecting the sanctity of corporate payment processes will be a top priority for treasuries and shared service centres well into the future. Tackling this challenge head-on requires the right mix of technology and determination. With the growth of web-based payment risk management solutions, corporate treasurers are increasingly finding themselves in a position of strength when it comes to dealing with payment fraud. Through the various capabilities offered by these solutions, corporate treasurers can adopt a more proactive - rather than reactive - approach to payment security.