reducing the risk of fraud through treasury technology

Valerio Trinchi | Senior Manager | Ernst & Young; Bob Stark | Vice President, Strategy | Kyriba; April 27th 2017. Reducing the Risk of Fraud through Treasury Technology

Upload: elena-oliveira

Post on 21-Jan-2018


TRANSCRIPT

Page 1: Reducing the Risk of Fraud through Treasury Technology

Valerio Trinchi | Senior Manager | Ernst & Young

Bob Stark | Vice President, Strategy | Kyriba

April 27th 2017

Reducing the Risk of Fraud through Treasury Technology

Page 2: Reducing the Risk of Fraud through Treasury Technology

© 2017 Kyriba Corp. All rights reserved. PROPRIETARY & CONFIDENTIAL. 2

Today’s speakers

Valerio Trinchi

Senior Manager

Ernst & Young

www.ey.com/treasury

Bob Stark

VP, Strategy

Kyriba

@treasurybob

Page 3: Reducing the Risk of Fraud through Treasury Technology

Today’s Discussion

Increasing importance of fraud prevention

Protection from unauthorized use of systems

Standardizing your workflows

Detecting fraudulent activity

Agenda

Page 4: Reducing the Risk of Fraud through Treasury Technology

Fraud is a driving concern

74% of organizations have experienced attempted or actual payments fraud (1)

36% of treasury teams have seen fraud attempts increase in the past year (2)

63% of corporates report fraud attempts by external parties (3)

63% of executives report that majority of fraud goes undetected (4)

Average = 18 months before fraud detected (5)

Sources: (1, 2, 3) AFP, 2017; (4) ACL, 2017; (5) ACFE, 2016

Page 5: Reducing the Risk of Fraud through Treasury Technology

Incidents of fraud are increasing

Source: Kroll Global Fraud and Risk Report 2016

Source: AFP Payment Fraud Report 2017

PERCENT OF ORGANIZATIONS THAT EXPERIENCED ATTEMPTED AND/OR ACTUAL PAYMENTS FRAUD

Source: AFP Payment Fraud Report 2017

DID NUMBER OF FRAUD INCIDENTS INCREASE SINCE LAST YEAR?

Page 6: Reducing the Risk of Fraud through Treasury Technology

CFOs and Treasurers need to ask…

Fraud Detection

Payments

Access to Treasury Technology

Supplier Account Verification

Investments & Trading

Bank Account Mgmt

Do I have visibility into every payment?

Are my controls consistent for every bank, every region, every person?

Do I review my ACKs?

How many bids before a trade?

Can Settlement Instructions be modified?

How many layers of protection exist after your password

Are there controls to prevent unauthorized change to supplier payment info?

Do I know my account signatories?

Who can change them?

Does my bank have the same list?

Do I use payment watchlists?

Do I have a control center to view all transactions and modifications?

Connectivity

Can connectivity be compromised?

Fraud & Cybercrime in Treasury

Page 7: Reducing the Risk of Fraud through Treasury Technology

Protection from unauthorized use

Page 8: Reducing the Risk of Fraud through Treasury Technology

UserID/Password alone should not grant access to the system

Attacks prey on weak login/authentication – the easiest entry point to hack a software solution and access data

Require combination of password controls:

– Password timeouts, resets, history, alphanumeric requirements

– Virtual Keypad

– Multi-factor authentication (hard or soft token)

– IP Filtering

– Single Sign-On w/ internal IT environment

You need more than just UserID and Password

Page 9: Reducing the Risk of Fraud through Treasury Technology

IT thinks treasury data is safer hosted externally

Cloud technology can offer more safeguards than internal hosting

– Encryption of data - in transit and at rest

– Hosting within audited certified data centers that feature 24/7 security, biometric access

– Separation of duties & other policy driven protections to restrict access to hosting infrastructure and client data

– Firewalls to protect externally and between tiers

Data Security

Page 10: Reducing the Risk of Fraud through Treasury Technology

Cloud technology can offer better protection against data loss and unauthorized access

1) Data is encrypted at rest in both active and backup environments

2) Customer application encryption

– Encryption of most sensitive database fields in application itself

– Unique encryption key for each customer that only they have access to

Data Security

Page 11: Reducing the Risk of Fraud through Treasury Technology

Report

SOC1: Only an assessment that controls exist

SOC2: AICPA’s recommended report for cloud service providers

• Assesses the security behind the controls

Penetration Testing: Most vendors hire security firms (McAfee, Qualys, etc.) to test external vulnerability

Audit Reporting

Much confusion around SOC1 vs. SOC2

Must evaluate details of audit; there is no pass/fail

Evaluating Data Security

Page 12: Reducing the Risk of Fraud through Treasury Technology

Standardized global workflows

Page 13: Reducing the Risk of Fraud through Treasury Technology

You should plan to have the following covered:

Formalized/standardized protocols for managing both incoming and outgoing transactions involving corporate bank accounts

– Supported by technology (prevention/detection/forensic)

Identified oversight responsibility

An established and reliable control framework

A readily accessible audit trail and log

Governance of payments

Page 14: Reducing the Risk of Fraud through Treasury Technology

Ensure all exposure points are secure

1) Secure access to software used for payment initiation, approval and transmission

2) Separation of duties and approval limits within payments software in all geographies, for all users, across all payments

3) Secure and monitored transmission to bank connectivity channel

4) Real-time Payment Confirmations and Acknowledgements

5) Full Reconciliation of Payment Transactions

6) Monitored Workflow Changes within Payments Systems

Payment Controls

Page 15: Reducing the Risk of Fraud through Treasury Technology

Standard settlement instructions (SSI)

Many organizations lack SSI automation

– Impossible to audit a disparate trading/payment workflow when it involves walking paper down the hall

SSI avoids redirection of funds to unauthorized accounts

Payment template should be automatically attached to trade and require approval to edit/remove

Ideal to have alert notification when SSI are changed with audit workflow

Settlement Instructions

Page 16: Reducing the Risk of Fraud through Treasury Technology

Establish protocols for communicating payment instructions to your customers

Standardized communication of banking instructions - internal

Formalized process for set up/change requests with your existing or new customers – identify oversight responsibility

Establish and Customize controls

Document validation/confirmation and complete test transaction before changes become effective

Reconciliation process to have pre-identified escalation procedure, point of contact (Treasury) and trail log

Receipts – when payments are coming to you

Page 17: Reducing the Risk of Fraud through Treasury Technology

Control of Bank Accounts

As organizations expand/decentralize, easy to lose control of accounts and signatories

Need to establish:

1) Central repository – visibility into accounts, tracking of authorized signers, and one source for documentation

2) Structured workflows – mandate approval processes to ensure no ‘under the radar’ bank accounts or signatories

3) Reconciliation procedures – with the bank(s)

Bank Account Management

Page 18: Reducing the Risk of Fraud through Treasury Technology

[Diagram: Treasury Payments System connected to banks. Approved payments transmitted to banks; ACKs/NACKs sent back to treasury.]

Bank Connectivity

Is my bank connectivity safe?

Page 19: Reducing the Risk of Fraud through Treasury Technology

From prevention….to detection

Page 20: Reducing the Risk of Fraud through Treasury Technology

Daily monitoring of bank activity will find suspicious/fraudulent transactions:

– Daily bank reporting will proactively find suspicious transactions; especially via use of dashboards and automated reporting

– Daily cash positioning forces review of transaction variances

– In addition to reviewing payment acknowledgements and matching what you sent vs. what bank received

Reconciliation
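
The matching of what you sent against what the bank received, as an added example that is not part of the original deck: a reconciliation of transmitted payments against bank ACK/NACK records. The record layout, field names and all sample records are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: payments approved and transmitted by treasury.
SENT = [
    {"id": "P-1001", "account": "ACCT-A", "amount": Decimal("12500.00"), "currency": "EUR"},
    {"id": "P-1002", "account": "ACCT-B", "amount": Decimal("830.50"), "currency": "USD"},
    {"id": "P-1003", "account": "ACCT-C", "amount": Decimal("4100.00"), "currency": "GBP"},
    {"id": "P-1004", "account": "ACCT-D", "amount": Decimal("99.00"), "currency": "EUR"},
]

# Constructed sample data: acknowledgements returned by the bank.
ACKS = [
    {"id": "P-1001", "status": "ACK", "account": "ACCT-A", "amount": Decimal("12500.00"), "currency": "EUR"},
    {"id": "P-1002", "status": "ACK", "account": "ACCT-X", "amount": Decimal("830.50"), "currency": "USD"},
    {"id": "P-1004", "status": "NACK", "account": "ACCT-D", "amount": Decimal("99.00"), "currency": "EUR"},
    {"id": "P-9999", "status": "ACK", "account": "ACCT-Z", "amount": Decimal("50000.00"), "currency": "USD"},
]

COMPARED_FIELDS = ("account", "amount", "currency")


def reconcile(sent, acks):
    """Return sorted (payment_id, finding) pairs for every mismatch."""
    findings = []
    sent_by_id = {p["id"]: p for p in sent}
    answered = set()
    for ack in acks:
        payment = sent_by_id.get(ack["id"])
        if payment is None:
            # The bank holds an instruction that treasury has no record of sending.
            findings.append((ack["id"], "bank received a payment treasury never sent"))
            continue
        answered.add(ack["id"])
        if ack["status"] == "NACK":
            findings.append((ack["id"], "rejected by bank (NACK)"))
            continue
        for field in COMPARED_FIELDS:
            if ack[field] != payment[field]:
                # Approved details differ from what reached the bank.
                findings.append((ack["id"], f"{field} changed after approval"))
    for payment_id in sent_by_id.keys() - answered:
        findings.append((payment_id, "no acknowledgement received"))
    return sorted(findings)


if __name__ == "__main__":
    for payment_id, finding in reconcile(SENT, ACKS):
        print(payment_id, finding)
```
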

Page 21: Reducing the Risk of Fraud through Treasury Technology

Review of audit trails will identify specific actions

Audit trails should be:

1) At transaction level

2) Centralized log tracking system-wide activity

• Filtered by any variable: activity, user, etc.

• Sufficient detail and descriptions to determine what happened

• Available directly in the system (not a report you have to request)

Identifying Unauthorized Transactions

Page 22: Reducing the Risk of Fraud through Treasury Technology

A visual dashboard or daily summary report is critical to monitoring suspicious activity

Examples of monitoring

Number of payments and payment files transmitted to bank(s)

Internal workflow changes (e.g. limits and approvals)

Bank Accounts & Signatories

Daily monitoring & reconciliation of all transactions

Fraud Monitoring

Page 23: Reducing the Risk of Fraud through Treasury Technology

A visual dashboard or daily summary report is critical to monitoring suspicious activity

Setting up detection rules in your payments system will flag transactions that meet predetermined conditions, requiring further attention

e.g. payments to North Korea or payments to a bank account that was just changed in the system

Fraud Monitoring

Page 24: Reducing the Risk of Fraud through Treasury Technology

A visual dashboard or daily summary report is critical to monitoring suspicious activity

Also want rules that search for deviations in payment patterns

Proactive alerts can often be viewed in dashboards making it easy to decide what activity merits further action

Fraud Monitoring

Potential Actions:

• Change the Status

• Change Assignees

• Block User

• Change Password

• Attach Documentation
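
The detection rules described on the two Fraud Monitoring slides above (a watchlisted destination, a bank account that was just changed, a deviation from the payee's payment pattern), as an added example that is not part of the original deck or of any vendor's product. The seven-day window, the three-sigma threshold, the field names and all records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

WATCHLIST_COUNTRIES = {"KP"}        # ISO 3166 code for North Korea, the slide's example
CHANGE_WINDOW = timedelta(days=7)   # assumption: what counts as "just changed"
DEVIATION_SIGMA = 3                 # assumption: how far from the norm is a deviation

# Constructed sample data.
ACCOUNT_CHANGES = {"SUP-17": datetime(2017, 4, 25, 16, 40)}  # payee -> last bank-detail change
HISTORY = {                                                   # payee -> past payment amounts
    "SUP-17": [980.0, 1010.0, 1005.0, 995.0],
    "SUP-02": [5000.0, 5200.0, 4900.0, 5100.0],
}
PAYMENTS = [
    {"id": "P-1", "payee": "SUP-02", "country": "GB", "amount": 5050.0,
     "created": datetime(2017, 4, 27, 9, 0)},
    {"id": "P-2", "payee": "SUP-17", "country": "GB", "amount": 1000.0,
     "created": datetime(2017, 4, 27, 10, 15)},
    {"id": "P-3", "payee": "SUP-02", "country": "GB", "amount": 48000.0,
     "created": datetime(2017, 4, 27, 11, 30)},
    {"id": "P-4", "payee": "SUP-31", "country": "KP", "amount": 300.0,
     "created": datetime(2017, 4, 27, 12, 5)},
]


def flag(payment, changes=ACCOUNT_CHANGES, history=HISTORY):
    """Return the list of rule names this payment trips (empty if none)."""
    reasons = []
    if payment["country"] in WATCHLIST_COUNTRIES:
        reasons.append("watchlist_country")
    changed = changes.get(payment["payee"])
    if changed is not None and timedelta(0) <= payment["created"] - changed <= CHANGE_WINDOW:
        reasons.append("bank_account_recently_changed")
    past = history.get(payment["payee"], [])
    if len(past) >= 3:  # too little history gives no usable pattern
        mu, sigma = mean(past), pstdev(past)
        # Floor sigma at 1% of the mean so near-constant histories do not flag tiny changes.
        if abs(payment["amount"] - mu) > DEVIATION_SIGMA * max(sigma, 0.01 * mu):
            reasons.append("amount_deviates_from_pattern")
    return reasons


def review_queue(payments):
    """Map payment id -> tripped rules, for payments that need further attention."""
    return {p["id"]: r for p in payments if (r := flag(p))}


if __name__ == "__main__":
    for payment_id, reasons in review_queue(PAYMENTS).items():
        print(payment_id, ", ".join(reasons))
```
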

Page 25: Reducing the Risk of Fraud through Treasury Technology

Conclusion

Page 26: Reducing the Risk of Fraud through Treasury Technology

CFOs and Treasurers need to ask…

Fraud Detection

Payments

Access to Treasury Technology

Supplier Account Verification

Investments & Trading

Bank Account Mgmt

Do I have visibility into every payment?

Are my controls consistent for every bank, every region, every person?

Do I review my ACKs?

How many bids before a trade?

Can Settlement Instructions be modified?

How many layers of protection exist after your password

Are there controls to prevent unauthorized change to supplier payment info?

Do I know my account signatories?

Who can change them?

Does my bank have the same list?

Do I use payment watchlists?

Do I have a control center to view all transactions and modifications?

Connectivity

Can connectivity be compromised?

Fraud & Cybercrime in Treasury

Page 27: Reducing the Risk of Fraud through Treasury Technology

CFOs and Treasurers have answers

Fraud Detection

Payments

Access to Treasury Technology

Supplier Account Verification

Investments & Trading

Bank Account Mgmt

Separation of duties and multi-approvals

Standardized Controls and Processes

Digital Signatures

Recorded multiple bids

Standard Settlement Instructions

Multi-factor authentication!

+ IP Filtering, VPN, SSO, V-keyboard

Applied for business continuity

Standardized review/approval of changes to supplier bank instructions

Single system of record

Controls for changes to bank data

Full visibility to monitor activity

Watchlist filtering for pmts

Overall visibility into audit, controls, activity

Connectivity

Encrypted communications

IT Evaluation of connectivity-as-a-service provider

Fraud & Cybercrime in Treasury

Page 28: Reducing the Risk of Fraud through Treasury Technology

Additional Resources

eBook: Reducing the Risk of Fraud with Kyriba

Get PDF at: info.kyriba.com/reduce-fraud-with-kyriba-ebook

eBook: Six Ways to Prevent Financial Fraud

Get PDF at: info.kyriba.com/Fraud_eBook_LP

Page 29: Reducing the Risk of Fraud through Treasury Technology

Thank You for Attending
