It is recommended that corporates and organisations have a written policy regarding payments. This can either be part of a general risk policy or a separate payments policy. From a fraud perspective it is important that the policy is understood and signed off by senior management and all relevant stakeholders in the payment process. Relevant stakeholders are the people in your organisation who have access to the payment process, for example personnel who register or approve payments or who process payment files.
The payment policy should state the specific procedures for how payments are executed in the organisation. Sign-off by senior management is important to prevent what is referred to as CFO fraud. Which payment procedures and guiding principles should your organisation focus on and implement?
Access to the payment process
The most straightforward way to reduce the risk of fraud is to have a comprehensive view of who has access to payments and payment data at each stage of the payment process. Keeping strict access control and managing user rights in electronic banking systems is essential. Do not forget to apply the same strict access control and management of user rights to the payment modules in your ERP and Treasury systems. Remember to guard the right to add and edit bank account numbers for suppliers and customers.
Segregation of duties
Segregation of duties means that no single person in the organisation should be able to make a payment alone. It is also referred to as the four-eyes principle. There should always be at least two persons involved in registering and approving payments. Segregation of duties should also apply to updates of bank account numbers in your ERP and Treasury systems.
Centralising payments processes
Centralising the payment process can increase its quality. Professionalising the payments process and reducing the number of employees who have access to it is a good way to decrease the risk of fraud.
Which red flags and warning signals should my organisation look for in daily operations?
Beware of urgent payment requests, because fraudsters like to create a sense of urgency. Generally an organisation should treat urgent payments as a high-risk exception. Treasury or finance can reduce the number of urgent payments by keeping an overview of and control over the cash position and the short-term payment forecast. The number of urgent payments should be kept as low as possible by requiring the organisation to follow standard payment procedures; KPIs can, for example, be used to drive down the number of ad hoc and urgent payments. It is important to train relevant stakeholders to ask control questions and to move the payment into the standard payment process where possible. Checks and controls are critical before processing any urgent payment, and your payment policy and procedures should be strict regarding urgent payments to unregistered receivers.
In a fraud attack the fraudster typically tries to trick you into paying to an unknown account. Manually registered payments are therefore a risk factor that should be kept to a minimum. All payments to suppliers and customers should follow standard workflows in your ERP system, and manual payments should only be used where the counterparties and their bank accounts are known. As with urgent payments, your organisation should work systematically to reduce manual payments and standardise the payment processes in ERP or Treasury systems.
Sending out fake invoices or notices of a changed account number is also a common fraud attempt. The first line of defence in these cases is to contact your supplier or customer when you receive a new bank account number, using the contact details you already have on file rather than those given in the notice. Your organisation should request a confirmation from its known contacts at the supplier or customer, and that confirmation should be kept as documentation when updating bank account numbers in your systems.
CFO fraud is an attack in which criminals pose as the CFO, CEO or another senior management representative to manipulate and pressure people on the operational side of the payment process into transferring cash. These attacks are well organised, often involve significant amounts and target the human factor in your organisation. Senior management need to commit to the payments policy and standard procedures to mitigate the risk of CFO fraud. At the same time, all employees with a role in the payment process need to be well informed and trained to protect your organisation against manipulative fraud attempts. People working with payments in your organisation should feel confident asking questions as part of the checks and controls procedure!
The risk of internal fraud also needs to be considered and mitigated. Standardised payment procedures are important to prevent internal fraud, and segregation of duties and the four-eyes principle need to apply to all stakeholders in the payment process, including those who have access to payments in ERP and Treasury systems or to payment files.
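As an added illustration (not code from DNB or this page), the controls described above can be encoded as a release check that runs before a payment leaves the ERP: four-eyes on registration and approval, a check of approval rights, refusal of manual payments to unregistered receivers, a hold on urgent payments, and a documented confirmation plus four-eyes before a bank account number in master data may change. The payee names, user names and account numbers are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample master data: payee -> bank account verified by
# call-back to a known contact. Not real suppliers or accounts.
MASTER_ACCOUNTS = {"Acme Supplies": "NO00 0000 0000 001"}
APPROVERS = {"bob", "carol"}  # users who hold the approval right


@dataclass
class Payment:
    payee: str
    account: str
    amount: int
    registered_by: str
    approved_by: str
    urgent: bool = False
    change_confirmation: str = ""  # reference to a documented confirmation


def check_payment(p: Payment) -> list:
    """Return control findings for a payment; an empty list means release."""
    findings = []
    # Segregation of duties / four-eyes: registrar and approver must differ
    if p.registered_by == p.approved_by:
        findings.append("four-eyes: same user registered and approved")
    if p.approved_by not in APPROVERS:
        findings.append("approver has no approval right")
    known = MASTER_ACCOUNTS.get(p.payee)
    if known is None:
        findings.append("manual payment to unregistered receiver")
    elif known != p.account and not p.change_confirmation:
        findings.append("account differs from master data without confirmed change")
    # Urgent payments are a high-risk exception: hold for control questions
    if p.urgent:
        findings.append("urgent payment: hold for control questions")
    return findings


def update_account(payee, new_account, changed_by, approved_by, confirmation):
    """Bank account changes need four-eyes and a documented confirmation."""
    if changed_by == approved_by or approved_by not in APPROVERS:
        raise PermissionError("four-eyes approval required for account change")
    if not confirmation:
        raise ValueError("confirmation from a known supplier contact required")
    MASTER_ACCOUNTS[payee] = new_account
```

A payment is released only when `check_payment` returns no findings; anything else goes back to the standard workflow or to a control call.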
What should I do if an incident happens?
First, call your bank as soon as possible! If you are a DNB customer, call +47 915 04800. If the bank is alerted early, there is a small chance that it can stop the transfer before your cash is lost. Second, report the incident to the police. Third, incorporate the lessons learned into your payment procedures to mitigate the risk of future fraud. Unfortunately, criminals are likely to return if they have discovered weak spots.