security and risk management in payment transactions


PRIVATE INDIVIDUALS CAN BE EXPOSED TO SEVERAL RISKS WHEN PERFORMING ONLINE BANKING AND ELECTRONIC PAYMENTS. HOWEVER, FOR POORLY ORGANIZED COMPANIES WITH SECURITY GAPS, THE CONSEQUENCES ARE OFTEN EVEN MORE SEVERE – EVEN LEADING TO INSOLVENCY.

Alongside smaller companies, there are still many medium and large-sized companies that have not yet implemented real-time monitoring of their payment processes. The result? These organizations then fail to discover missing cash until the end of the month. This is often the case despite tried-and-tested digital payment platforms that standardize and automate cash flows being readily available in the market. With such tools, corporations are provided with the necessary controlling and an uninterrupted overview of these cash flows.

Bank account management as well as the security and transparency of processes are critical to risk related to payment transactions – you can only manage what you see. If a company fails to keep an eye on its bank accounts and payment processes, serious consequences can occur, as payments flow out of bank accounts unnoticed.

For this reason, a central record of all existing accounts and payment governance are indispensable for any company. Moreover, central payment solutions not only provide protection against fraud, but also reduce costs to process payment flows. They also trigger an alarm if unusual transactions occur, making hidden bank accounts and a black economy a thing of the past.

WHEN ARE THERE RISKS IN PAYMENTS?

• When there is a lack of transparency and central overview of bank relationships and activities
• When cash positions and liquidity are not visible
• When there is an incomplete overview of electronic signature authorizations
• When user administration occurs manually, which is particularly susceptible to fraudulent activity
• When the two-person rule is not applied to payments or when managing payment authorizations

EXECUTIVE BRIEFING


1 CENTRAL BANK ACCOUNT MANAGEMENT IS ESSENTIAL

A CENTRAL RECORD OF ALL ACCOUNTS PROTECTS AGAINST RISKS

Incoming and outgoing payments form part of everyday life for companies. “Payments are the lifeblood of companies,” notes Jörg Wiemer, CEO at TIS (Treasury Intelligence Solutions). Incoming payments to a company’s accounts do not present a risk, whereas money paid out to others is always a risk.

Bank accounts are an organization’s central nervous system, keeping it alive; payments flow through them. An account is needed for each payment. Hence, security in payment transactions starts with professional bank account management – a central record of all existing accounts is indispensable. Fraudulent payments occur via accounts that are not registered on the main ledger.

GOOD GOVERNANCE MUST BE ESTABLISHED AND IMPLEMENTED

A globally valid set of rules is vital for payment transactions, providing detailed instructions for a company’s management of bank accounts along with its regulation of the underlying processes. Who can open new accounts? Who must issue the related permit? What checks must be conducted? What do the processes look like? What documentation must be prepared?

Terrible cases of what can happen if a company fails to implement such requirements have generated negative headlines in recent years.

HIDDEN ACCOUNTS AT A LARGE CORPORATE GROUP?

One example involved a problem with hidden accounts at a large corporate group. The company was not in control of its bank accounts. In 2009, media reported on secret bank accounts in Switzerland and elsewhere. In 2011, courts ruled the company guilty of corruption, and its CEO was forced out. Large fines were imposed in the USA with the total loss amounting to between three and four billion dollars – an amount that does not include loss of image and reputation.

2 HIGH RISKS DUE TO LACK OF TRANSPARENCY

The earlier attempted fraud is discovered, the more effectively the consequences can be contained. Payment processes in corporate groups and large companies are nevertheless. It is also difficult to gain an overview of these processes as such companies normally have very complex matrices of bank relationships.

CONFUSION IN THE BANKING JUNGLE

It is not just the head offices, but also the subsidiaries and branch operations of companies that maintain a large number of individual bank relationships as well as ones that have evolved over time. This creates a banking landscape characterized by numerous accounts and banks, which in turn work together with quite different e-banking tools. Upstream of these are various input, ERP, treasury and HR systems generating payment files for different bank accounts.

NIGHTMARE FOR ANY CFO

The lack of transparency in payment flows nevertheless fosters manipulation. The rerouting of $10 million from a company’s branch operation at the start of the month is a scenario that any finance department member would wish to avoid. If bookings are based on manual processes and if balances are only checked at the end of every month, a fraud incident might lie undiscovered for as long as 30 days. For this reason, any company should be informed about its cash position daily – and better still, in real time. The prevailing regional allocation of work within companies also makes life easy for fraudsters. Firms should ensure that they automatically collect all statements from every one of their bank accounts. Companies collecting bank account statements in paper format locally at individual branches often need weeks until head office managers notice that an account statement is missing, along with the items it includes. Service providers such as Walldorf-based Treasury Intelligence Solutions (TIS) collect statements on behalf of their customers and evaluate liquidity positions in real time so that companies no longer encounter this problem.

SWISS AIR THOUGHT ITS FUNDS HAD RUN DRY

It sounds crazy, but there have been situations in the past in which companies have announced insolvency because they simply no longer had an overview of their financial positions. The companies were not bankrupt at all, however. On October 2nd, 2001, for example, Switzerland’s airline Swiss Air grounded its aircraft.


CEO AND FOUNDER OF TIS, JÖRG WIEMER:

“The roots of TIS lie in the pains I myself suffered with payment transactions during my time as a treasurer.”

Worldwide, 36,000 passengers were stranded. In reality, the company still had 50 million Swiss francs in its accounts on the morning when the company suspended its flight operations. The company’s management team had no insight into the level of liquidity that it still had, as auditors from Ernst & Young later discovered. Lufthansa took the company over in 2005.

3 PAYMENT PROCESSES MUST BE STANDARDIZED AND AUTOMATED

Companies have many different systems in individual parts of their organization and use different e-banking tools to connect themselves with banks. The SAP system generates payments. This is complicated and complex. Different protocols and formats exist, as well as many reasons as to why this situation creates high costs and significant risks.

Companies such as TIS provide medium and large-sized companies in all sectors with a payment transaction platform that combines companies’ bookkeeping systems with banks. They are positioned between the core systems – which the customer does not need to change – and the banks. The platform thereby becomes a single point of contact, a benefit in terms of process standardization and automation. The basic idea behind a central payment solution consists of automating all payment processes and then aggregating them in a standardized form within an enterprise-wide unified management, monitoring and evaluation system. This creates a high degree of transparency, enabling the central monitoring of all company payment transactions.

Tools such as the TIS Bank Statement Manager generate transparency, and thereby control.

A $500 MILLION GIVE-AWAY

Standard platform allows complete controlling of worldwide payment flows and cash positions. KfW Bank in Frankfurt am Main could have made good use of this type of payment solution. On Monday, September 15th, 2008, 8:37 a.m. local time – and consequently exactly one hour before Lehman Brothers filed for Chapter 11 – it still paid $500 million to the US bank.

The transfer occurred automatically. Two Management Board members were dismissed as a consequence of the incident.

RISKS IN PAYMENT TRANSACTIONS ARISE HERE:

• Bank account management
• Visibility in payments
• Payment processes
• Employees

What is certain, however, is that risks are significantly lower if companies utilize payment platforms. Automation and standardization of processes are the keys companies use to protect themselves against manipulation and fraud, and thereby ultimately against losing money. The accompanying centralization of all payments and integration of enterprise applications serve the same goal – they reduce IT project complexity and provide audit security.

PAINPOINTS IN PAYMENT TRANSACTIONS

• Files saved locally on unencrypted hard drives and servers

• A number of different tokens for different e-banking systems

• Many different e-banking tools running on standalone PCs without transparency and controlling of user authorizations, and without implementing the two-person rule

• Unauthorized user accounts with administration rights which were set up in e-banking tools without the two-person rule to carry out fraudulent payments

• Lack of audit protocols

• Transparency and insight in all bank accounts, signatory rights and bank documents

• Automation: workflow and alert system for reducing manual work and non-compliance

• Electronic collection of bank statements, no manual upload of bank statements

• Straight-through processing (STP) in ERP system via plug-in or TIS agent

• Dashboard of liquidity and cash status and daily reports of bank changes


BEWARE OF PAPER AND FAX PAYMENTS ...

... and manually implemented electronic payments. Companies should avoid outgoing paper and fax payments. Inform your banks that you are discontinuing these payment types.

THE “BOSS SCAM”

The State Criminal Investigation Department of North Rhine-Westphalia has issued a recent warning about the “boss scam”, which has already led to the theft of double-digit amounts in millions of euros across Germany. Social hacking and information gleaned from websites and social media pages is enabling fraudsters to trick bookkeepers into believing that their bosses urgently need money to be transferred to a previously unknown account. This swindle is resulting in the theft of enormous sums of money.

In North Rhine-Westphalia alone, 39 cases have already come to light, entailing the misappropriation of €31 million, although €20 million have been recouped. The trick has many names according to newspaper reports, including the “CEO Fraud”, “The Long-Lost Relative Trick 4.0”, “Managing Director Trick” or the “Fake Chairman”.

If it is nevertheless still impossible to avoid manual, voucher-based payment orders to banks in individual cases, then it is absolutely essential that you arrange obligatory callbacks from the banks to specific managers at the companies. In addition, do not delay in determining regulations for handling exceptions to standard processes in emergency cases.

WARNING SIGNAL FOR DEFICIENT SECURITY

A high level of manual payments is a warning signal that the security level in payment transactions is too low and the company does not have its processes under control. It should be the case that all payments in companies must be recorded in compliance with generally accepted accounting principles – no booking without a voucher, and no payment without a prior booking.

Under certain conditions, however, deviations and exceptions are made to this principle (“exception handling”), and manual payments occur. These situations always require rules for exceptions, including accurate process documentation.

Restrict the ability to record and approve unautomated payments to specific user groups. Only permit this in combination with preapproved payment templates (unmodifiable templates e.g. for internal transfers) and exclusively to particular payment recipients.

The Old World Challenge

• Payment orders need to be routed to different bank accounts, each bank using different interfaces, data and bank formats and authorization processes – it is costly to maintain.
• The multitude of manual steps involved creates extensive governance, legal, audit and compliance risks, while also representing a significant cost factor
• General lack of transparency over liquidity status and cash flow at any given point in time, given complex systems of payment routing
• High dependency on IT with high cost and upfront investments

The New World Solution

• You need only one Secure ID key
• A single, multi-bank-capable, audit-proof SaaS platform
• End-to-end data processing (straight-through processing) with ERP integration (through plugins or agents)
• Comprehensive library of payment formats, bank communication and security channels
• Full transparency into corporate cash flow and liquidity, and complete control of all bank relations and cash movements
• Immediate cost savings
• Fast roll-out, no IT projects and IT investments


4 EMPLOYEE RESPONSIBILITY

It is astonishing how many companies do not know exactly how many corporate accounts they actually possess at all their branches and subsidiaries.

Additionally, uncertainties also exist concerning who is an authorized signatory for which account, or which employee can authorize payments in what amount. Time-consuming manual research is then required to find this information.

The core issue is the lack of centralized visibility across bank accounts and payment processes. In such cases, it is extremely difficult to control, resulting in a high level of manipulation and fraud risk.

Companies must take many different points into consideration if they fail to deploy tools that perform these processes for them. For example, employees who have left a company long ago can still be authorized signatories within e-banking platforms. The clear recommendation here is that companies should introduce single sign-on solutions integrated into their personnel department’s central database. Individuals recorded in this database as having left the company should no longer have access to the corporate network and payment platforms.

CLEAR ROLES AND RESPONSIBILITIES

Standard processes and workflows should be defined centrally, removing the need to list them individually for all accounts.

A set of treasury guidelines should be in place, as well as a process description as a “Single Source of Truth”, in which the following is set for the entire company:

• Who can open new accounts?
• Who must approve new accounts?
• Who can sign for which accounts and approve payments?
• Who can approve which payments together with whom and to what level?
• Audit trails document who has instigated and approved what.
• The two-person rule or “two sets of eyes” principle applies to both payment approvals and the user administration of electronic payment approvals.
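The rules listed above (signatory levels, audit trail, two-person rule for payments and for user administration) and the earlier recommendation to tie platform access to the personnel database can be checked mechanically against an audit trail. The following Python code is an added example, not TIS code or part of the original briefing; the record layout, user names, accounts and limits are constructed. It assumes each approver must personally hold a limit that covers the payment amount.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: every user, account and limit here is hypothetical.
HR_LEFT = {"mbauer": date(2017, 3, 31)}   # HR master data: user -> last working day
SIGNATORIES = {                            # central account register:
    "DE-OPS-01": {"akhan": 50_000, "lmeyer": 1_000_000, "mbauer": 1_000_000},
}                                          # account -> {signatory: limit in EUR}

@dataclass(frozen=True)
class Event:
    day: date
    kind: str          # "payment" or "user_admin"
    account: str       # empty for user administration changes
    amount: int        # EUR, 0 for user administration changes
    initiator: str
    approvers: tuple

def violations(ev):
    """Return the rule violations found in one audit-trail entry."""
    found = []
    # Two-person rule: at least one approver who is not the initiator.
    if not set(ev.approvers) - {ev.initiator}:
        found.append("two-person rule: no approver other than the initiator")
    # Leavers recorded by HR must not appear in any later action.
    for user in sorted({ev.initiator, *ev.approvers}):
        left = HR_LEFT.get(user)
        if left is not None and ev.day > left:
            found.append(f"leaver still active: {user} left on {left}")
    if ev.kind == "payment":
        limits = SIGNATORIES.get(ev.account)
        if limits is None:
            found.append(f"account not in central register: {ev.account}")
            return found
        # Assumption: each approver needs a personal limit covering the amount.
        for user in sorted(set(ev.approvers)):
            if user not in limits:
                found.append(f"{user} is not a signatory for {ev.account}")
            elif ev.amount > limits[user]:
                found.append(f"{user} exceeds approval limit on {ev.account}")
    return found

def audit(trail):
    """Map the index of each non-compliant entry to its violations."""
    return {i: v for i, ev in enumerate(trail) if (v := violations(ev))}

AUDIT_TRAIL = [  # constructed entries
    Event(date(2017, 5, 2), "payment", "DE-OPS-01", 40_000, "akhan", ("lmeyer",)),
    Event(date(2017, 5, 3), "payment", "DE-OPS-01", 90_000, "akhan", ("akhan",)),
    Event(date(2017, 5, 4), "payment", "DE-OPS-01", 10_000, "akhan", ("mbauer",)),
    Event(date(2017, 5, 5), "payment", "CH-NEW-09", 500_000, "lmeyer", ("akhan",)),
    Event(date(2017, 5, 6), "user_admin", "", 0, "lmeyer", ()),
]

if __name__ == "__main__":
    for index, problems in audit(AUDIT_TRAIL).items():
        print(index, AUDIT_TRAIL[index].initiator, problems)
```

Only the first entry passes; the others are flagged for self-approval over the limit, an approver who has left the company, an account missing from the central register, and an unapproved user administration change.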


© 2017 by Treasury Intelligence Solutions GmbH. All rights reserved. BAM, BTM, BFM and other TIS solutions and services mentioned herein as well as their respective logos are trademarks of Treasury Intelligence Solutions GmbH in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. Printed on environmentally friendly paper. These materials are subject to change without notice. These materials are provided by Treasury Intelligence Solutions GmbH for informational purposes only, without representation or warranty of any kind, and Treasury Intelligence Solutions GmbH shall not be liable for errors or omissions with respect to the materials. The only warranties for Treasury Intelligence Solutions GmbH solutions and services are those that are set forth in the express warranty statements accompanying such solutions and services, if any. Nothing herein should be construed as constituting an additional warranty.

TIS GMBH | Altrottstraße 31 | 69190 Walldorf | Germany | T +49 6227 69824-0

www.tis.biz/en

PAYMENT PLATFORM DELIVERS EFFECTIVE RISK MANAGEMENT

A Software as a Service solution enables efficient administration and management of authorized signatories and account managers, and makes it easier to adhere to compliance guidelines in order to avert fraud and foster legal security. Tasks such as payment approvals can be performed both centrally and on a decentralized basis in this context. The platform provides standardized and automated processes, adapting itself to the corporate culture via workflows and flexible role concepts.

By deploying the right tools and processes within the company – such as a payment transaction platform that delivers visibility across all payments – CFOs, CIOs and financial decision makers can already minimize the existing risks in advance.
