To improve efficiencies and reduce costs, organizations are digitizing many aspects of treasury operations by adopting new digital tools, streamlining processes, and gaining greater visibility over cash flow.
While this trend has been growing for years, COVID-19 increased the pace of adoption as many companies quickly instituted new tools and models to support remote work.
Digitization offers great benefits, but it also opens new vulnerabilities for data breaches, fraud, and compliance. Organizations can identify and categorize these new risks, then ensure they have policies, tools, and security in place to protect their people and assets.
The New Risks in Remote Treasury Operations
Digital innovation is changing treasury functions in many ways, enabling treasury managers to work remotely, be more efficient, and attain real-time insights into cash flow.
A survey by the Association of Corporate Treasurers found 90 percent of organizations are investing in automation and digitization of many treasury activities. When the COVID-19 pandemic struck, many organizations furthered their digital journey by quickly adopting new technologies to support remote work.
Yet PwC reports that in the rush, companies frequently overlooked their risk and change management processes. Many employees now use remote desktops and unapproved file sharing and applications that could put their companies at risk. In addition, they often work remotely with unclear and ineffective security policies.
“Everything that was designed for these companies was made to be done in their offices, not in a remote environment. I don’t think anyone was prepared for being out of the office for this length of time,” said Rebecca Konkel, Director of Global Treasury Management at Bank of the West.
Phishing and Business Email Compromise (BEC) Attacks
Since the start of the pandemic, criminals have increased their attacks on remote workers.
Willis Towers Watson noted in a report that more than 60 percent of cyber incidents were caused directly by employees, often through social engineering scams, accidental disclosure, or inadvertent ransomware infection.
In a business email compromise (BEC) attack, a criminal might set up a phony email address posing as a CFO, then ask a subordinate to approve a time-sensitive transfer of funds. These emails often use a sense of urgency and authority, and are so realistic that they can be hard to detect.
Treasurers can help reduce the risk by ensuring they have adequate training for employees to recognize common phishing attacks. According to the FBI, common red flags include unexplained urgency, last-minute changes, email-only communications, request for advance payment, and a request to change direct-deposit information.
Growing Risk in Paper Checks
While B2B check usage has declined in recent years, nearly three-quarters of companies experienced check fraud in 2019, according to the 2020 AFP Payments Fraud and Control Survey Report.
When in the hands of remote treasury management employees, checks likely are not as safeguarded as they would be in a central office. Employees can leave them in vehicles or drop them off in unsecure postal deposit locations, each of which increases the risk of interception by criminals.
One way to reduce the risk of theft of account information is to send check print instructions to a bank, which can print and mail the checks in a secure environment. A bank’s positive pay service, which matches the amount issued for payment with the amount presented for payment, can also serve as a safeguard to ensure the check amount or payee has not been altered.
ACH Transfers Are Attractive Targets
While more organizations have moved to using the automated clearing house (ACH) for payment transfers, many don’t necessarily have the right security controls or processes in place.
The AFP Payments Fraud report notes that as fraudsters have shifted away from targeting checks and wires, they are looking to ACH and other payment methods typically not considered high risk. Thirty-seven percent of organizations were the target of ACH credit fraud in 2019, according to the AFP report.
Treasury managers who access systems from their homes or own connections could put systems at risk of breach.
To help safeguard the operations, organizations can look to reconcile accounts regularly and increase oversight and security of ACH. One method is to adopt their bank’s positive pay service also for ACH payments to ensure the amounts and recipients have not been altered. In addition, ACH blocks and ACH filters can help weed out unauthorized payments.
Managing Risk in the New Normal
Even when the pandemic subsides, new digital tools and remote working arrangements will likely represent a permanent change in treasury operations. Organizations should now consider putting a stronger emphasis on security and reducing risk in the systems they have adopted.
One way to begin is by instituting security enhancements that would make the organization less desirable to fraudsters. This includes limiting exposure of account information, securing sensitive documents, and eliminating paper statements.
Validation controls, such as third-party check printing and positive pay services, can also help prevent fraud attempts from becoming successful. Organizations might also reduce their risk of credit card fraud by paying with single-use virtual card numbers (VCNs). Setting up a dual approval process to authorize transactions can serve as an additional backstop while fraud monitoring services can analyze banking information for suspicious activity.
While there’s always a chance that even the most secure systems can be penetrated, cost controls can help minimize fraud losses by detecting attacks early on. In addition to monitoring and reconciling accounts daily, organizations can also set transaction limits and email alerts.
Separating accounts by purpose, payment type, or department can also isolate losses in case an account is breached. Adding fraud-related riders to your business insurance policy can also reduce out-of-pocket costs in an attack.
With strong controls and secure cash management portals, banks can prove to be trusted advisors and partners in the path to digitization.
“Companies have become much more interested in the risks that exist as they saw how long current conditions were lasting and started to see headlines about the fraud that’s occurring,” Konkel said. “It’s become much more apparent and much more immediate than it ever was before.”