In order to address payments fraud, companies must build an atmosphere of fraud prevention. It must be a team effort, involving payment and non-payment areas alike. No one can predict which angle, function, or individual will be the vulnerable area breached.
The first step is to conduct a risk assessment of the entire organization. That may seem like a lot of work, but if a risk assessment has never been completed, your company is likely vulnerable to wire, ACH, credit card and other types of payments fraud. This analysis must include assessing operational, technical and organizational risks that are both external and internal. Once identified, these risks must be minimized, if not eliminated. External fraud occurs when a fraud attempt comes from outside the organization; internal fraud involves the attempted act being carried out by an employee or a consultant.
Beyond simply understanding why fraud is committed, it is up to you to orchestrate the “who, what, where, when and how” of this companywide risk assessment. Both internal and external fraudsters find backdoors into payment areas. Therefore, anyone outside the operational area responsible for initiating and/or approving payments (electronic, paper check, and other formats) should be included as well.
The reasons most people commit fraud can be broken down into three basic categories:
- Opportunity: Ineffective or nonexistent internal and security controls/firewalls provide fraudsters with opportunities.
- Pressure/stress: Employee personal financial problems along with unattainable performance goals can quickly lead to unethical and illegal behaviors.
- Rationalization: Fraudsters seek personal gain and find justification for their intentional acts (e.g., employees feel their compensation is unfair given the company’s profitability and success, or simply want to “teach” the company a lesson for not addressing inadequate or antiquated controls).
Look at management and staff—both the number of members and the quality of each member. Put together bios (actual ones where available, otherwise your best reconstruction) and assess their backgrounds; there may be team members at various levels of the organization with security and/or fraud-related experience that can be drawn upon later. There may be some sinister types, also.
Match the level of experience necessary against what is available, and identify gaps as a risk. Review your bench strength—those individuals in neighboring departments, contractors, and vendors’ staffs that can be called upon in a pinch. This need may only occur during a time of peak staffing levels, or in typical vacation and holiday time periods when the first team is out.
Gather every payment and payment-related risk assessment, audit, and examination that has been completed in recent years. It will give you a history of what is in place versus what needs to be. Organization charts are more revealing than meets the eye—especially staff with “payments,” “electronic,” “business” and the like in their titles. Determine what role they play in the ACH and wire transfer process—and whether they should continue to play that role.
Another vital part is transaction volumes over time—do they fluctuate, is there seasonality, are they steadily increasing in volume or dollar amount? Patterns can be identified easily by algorithms, time-studies, or regression analysis. Build parameters into these, and plan on human reviews of anomalies.
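The kind of volume monitoring described above, as an added example that is not code from the original article: each day's ACH item count and dollar total are compared with a rolling baseline of the preceding days, and any day that falls more than a configurable number of standard deviations from that baseline is queued for a human reviewer rather than acted on automatically. The field names, the window and threshold parameters, and the sample volumes are all constructed for illustration.

```python
"""Flag anomalous daily payment volumes for human review.

Added example; not code from the original article. A day's ACH count and
dollar total are compared with the mean and standard deviation of the
preceding `window` days that were themselves not flagged, and any day whose
z-score exceeds `threshold` is queued for a human reviewer. Field names and
the sample volumes are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List


@dataclass
class DailyVolume:
    day: str        # label for the business day
    count: int      # number of ACH items originated that day
    dollars: float  # total dollar amount of those items


@dataclass
class Anomaly:
    day: str
    metric: str
    value: float
    baseline_mean: float
    z_score: float


def z_score(value: float, history: List[float]) -> float:
    """Standard deviations between `value` and the baseline `history`."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        # A perfectly flat baseline: any deviation at all is unusual.
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def find_anomalies(volumes: List[DailyVolume], window: int = 7,
                   threshold: float = 3.0) -> List[Anomaly]:
    """Return the days (and metrics) that a human should review.

    Flagged days are kept out of later baselines so that a single spike
    does not widen the band and hide the next one.
    """
    anomalies: List[Anomaly] = []
    baseline_days: List[DailyVolume] = []
    for today in volumes:
        if len(baseline_days) < window:
            baseline_days.append(today)  # not enough history yet; seed the baseline
            continue
        recent = baseline_days[-window:]
        flagged = False
        for metric in ("count", "dollars"):
            history = [getattr(d, metric) for d in recent]
            value = getattr(today, metric)
            z = z_score(value, history)
            if abs(z) > threshold:
                anomalies.append(Anomaly(today.day, metric, value, mean(history), z))
                flagged = True
        if not flagged:
            baseline_days.append(today)
    return anomalies


# Constructed sample: seven ordinary days, one day with a normal item count
# but a five-fold jump in dollars, then another ordinary day.
SAMPLE = [
    DailyVolume("day-01", 100, 50_000.0),
    DailyVolume("day-02", 102, 52_000.0),
    DailyVolume("day-03", 98, 48_000.0),
    DailyVolume("day-04", 101, 51_000.0),
    DailyVolume("day-05", 99, 49_000.0),
    DailyVolume("day-06", 100, 50_000.0),
    DailyVolume("day-07", 100, 50_000.0),
    DailyVolume("day-08", 101, 250_000.0),
    DailyVolume("day-09", 100, 50_500.0),
]

if __name__ == "__main__":
    for a in find_anomalies(SAMPLE):
        print(f"{a.day}: {a.metric}={a.value:,.0f} vs baseline "
              f"{a.baseline_mean:,.0f} (z={a.z_score:.1f})")
```

Run against the sample, only day-08's dollar total is flagged: its item count is ordinary, which is exactly the pattern (few items, large amounts) that a count-only report would miss. The window and threshold are the parameters the article says to build in; tune them per payment type and season, and route every flagged day to a named reviewer rather than suppressing it.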
Draw a flowchart of “a day in the life” of an ACH item, a wire transfer, a physical corporate credit card or even a paper check. Where does its journey begin and end, and who touches it? Here’s where dual approval takes place—one person/system to set it up and another person/system to approve/release it. Each step should be independent of the other, with divided responsibilities. This diagram may uncover holes or weaknesses that no one ever dreamed of. Why? Because no one could see the big picture; they only knew their own part of the process.
Measuring success related to preventing payments fraud is tricky. How do you know you’ve stopped an attack if you never saw it occur before, during or after the fact? You may only see the legitimate ACH items or wires that come through and discover the failed attack after the fact. Payment monitoring, notifications, and fraud reporting all become important parts of the process. Identify the types of real-time monitors and reports that are vital to decision-making and payment workflow; don’t produce reports for volume’s sake.
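The dual-approval step just described, enforced in code, as an added example that is not from the original article: a payment moves from initiated to approved to released, the person who set it up can never be the one who approves or releases it, only users with an approval limit can approve, and a release without a recorded approval is refused. The user names, role table and limits are constructed for illustration.

```python
"""Dual approval for outgoing payments.

Added example; not code from the original article. A payment moves through
three states (initiated -> approved -> released). The person who sets it up
can never approve or release it, only users with an approval limit can
approve, and release is impossible without a recorded approval. The user
names and limits in APPROVAL_LIMITS are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class ControlViolation(Exception):
    """Raised when a workflow step would break separation of duties."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None
    state: str = "initiated"
    audit: List[Tuple[str, str]] = field(default_factory=list)  # (action, user)


# Constructed role table: maximum amount each user may approve.
# Users absent from the table (or mapped to None) cannot approve at all.
APPROVAL_LIMITS: Dict[str, Optional[float]] = {
    "alice": None,          # payment clerk: initiates only
    "bob": 100_000.0,       # supervisor
    "carol": 1_000_000.0,   # treasurer
}


def initiate(payment_id: str, amount: float, user: str) -> Payment:
    payment = Payment(payment_id, amount, user)
    payment.audit.append(("initiate", user))
    return payment


def approve(payment: Payment, user: str) -> Payment:
    if payment.state != "initiated":
        raise ControlViolation(f"{payment.payment_id}: cannot approve in state {payment.state}")
    if user == payment.initiated_by:
        raise ControlViolation(f"{user} initiated {payment.payment_id} and may not approve it")
    limit = APPROVAL_LIMITS.get(user)
    if limit is None:
        raise ControlViolation(f"{user} is not an authorized approver")
    if payment.amount > limit:
        raise ControlViolation(f"{user} may approve up to {limit:,.0f}, not {payment.amount:,.0f}")
    payment.approved_by = user
    payment.state = "approved"
    payment.audit.append(("approve", user))
    return payment


def release(payment: Payment, user: str) -> Payment:
    if payment.state != "approved" or payment.approved_by is None:
        raise ControlViolation(f"{payment.payment_id}: release requires a prior approval")
    if user == payment.initiated_by:
        raise ControlViolation(f"{user} initiated {payment.payment_id} and may not release it")
    payment.state = "released"
    payment.audit.append(("release", user))
    return payment


def blocked(step, payment: Payment, user: str) -> bool:
    """True if the control stopped `step` (approve or release) for `user`."""
    try:
        step(payment, user)
    except ControlViolation:
        return True
    return False


if __name__ == "__main__":
    p = initiate("PAY-1", 50_000.0, "alice")
    print("alice self-approves:", "blocked" if blocked(approve, p, "alice") else "allowed")
    print("bob releases unapproved:", "blocked" if blocked(release, p, "bob") else "allowed")
    approve(p, "bob")
    release(p, "carol")
    print(p.state, p.audit)
```

The audit list on each payment is what a later review or investigation reads: every state change names the person who made it, so a flowchart drawn from the log should match the flowchart drawn from the procedure. In a real system the same checks belong on the server side of the payment platform, not only in a client tool, so they cannot be skipped by whoever sets up the payment.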
All of this work is useless unless the payment process is properly documented with tasks, responsibilities, and owners all tracked in order to measure progress. Use whatever tool(s) you are familiar with as the framework. Microsoft Excel is fine; more sophisticated tools can work if everyone knows how to use them. Work towards the least common denominator. You will find it works best in the long run.
Build a chart with tasks that emanate from the staff assessment. Your data-gathering experience will undoubtedly reveal the need for a number of remedial and preventive steps. Build a business process chart for those steps and the individual tasks (and the personas responsible for them) that will be needed to accomplish them. Assign responsibilities. Include due dates, contact information, and backups. The professional backgrounds that you reviewed and assessed previously will help in placing people in the right tasks.