COVID-19 shook up organizations’ efforts to digitize their treasury operations. Sure, businesses had already been adopting new digital tools, streamlining processes, and gaining greater visibility over cash flow when COVID-19 began. But the pandemic increased the pace of adoption, as many companies quickly instituted new tools and models to support remote work.
Now that the world is in pandemic recovery mode and treasurers continue their push to digitize, we’re understanding more about both the benefits and the new vulnerabilities of digitization. Over the past year, we’ve learned a lot about data breaches and other types of financial fraud, as well as the compliance requirements digitization creates.
Cyber criminals ramped up activity, such as phishing email attacks, during the COVID-19 crisis. Businesses need to protect entry points for these attacks now that organizations are over the hump of rushing to address pandemic-related crises. Organizations must take the time to put policies, tools, and security in place to protect their people and assets from newly identified and categorized risks.
Remote Treasury Operational Risks
Digital innovation is transforming the treasury function and creating efficiencies for treasury managers. Along with providing the ability to work remotely, technology assists managers in attaining real-time insights into cash flow. Automating and digitizing treasury activities is becoming a big priority, and the pandemic accelerated technology investment, according to a 2021 report by the Association of Corporate Treasurers.
The trend toward prioritizing automation is likely to continue as companies shift to a hybrid work model that combines remote with in-person work. But PwC reports that companies frequently overlook their risk and change management processes as they implement these changes. Many employees access remote desktops with file sharing and applications that potentially put their companies at risk. Employees who work remotely often operate under unclear and ineffective security policies.
“Everything that was designed for these companies was made to be done in their offices, not in a remote environment. I don’t think anyone was prepared for being out of the office for this length of time,” says Rebecca Konkel, Director of Global Treasury Management at Bank of the West.
Types of Financial Fraud to Watch
Cyberattacks have become increasingly prevalent, and remote workers are an easy target. More than 60 percent of cyber incidents were caused directly by employees, often through social engineering scams, accidental disclosures, or inadvertent ransomware infections, according to Willis Towers Watson.
A business email compromise (BEC) attack is a very common type of financial fraud. A criminal creates a fake email address and poses as a CFO. They then ask a subordinate to approve a time-sensitive transfer of funds. These emails look authentic and have a sense of urgency and authority, so they are difficult, but not impossible, to detect if the right precautions are in place.
Treasurers can mitigate this risk by providing adequate training to employees that teaches them how to recognize common red flags for phishing email attacks. Phishing emails can include unexplained urgency, last-minute changes, email-only communications, requests for advance payment, and requests to change direct-deposit information, according to the FBI.
The Growing Risk in Paper Checks
While the pandemic has sparked a sharp decline in paper transactions and B2B check usage, 66 percent of companies experienced check fraud in 2020, according to the 2021 AFP Payments Fraud and Control Survey Report.
Checks handled by remote treasury management employees do not have the same safeguards as checks processed in a central office. These checks are prone to being intercepted by criminals as employees may inadvertently leave them in vehicles or drop them off in postal deposit locations that are not secure. Checks handled in a central office have specific processes and procedures that must be followed.
There are ways to protect account information, though, like sending check print instructions to a bank, so they’re printed and mailed in a secure environment. A bank’s positive pay service, which matches the amount issued for payment with the amount presented for payment, also serves as a safeguard to ensure the check amount or payee has not been altered.
ACH Transfers Are Attractive Targets
While more organizations are using the automated clearing house (ACH) for payment transfers, many don’t necessarily have the right security controls or processes in place for these transfers.
Fraudsters have shifted away from targeting checks and wires, according to the AFP Payments Fraud report, and are now targeting ACH and other payment methods that are not considered high risk. In 2019, 37 percent of organizations were the target of ACH credit fraud.
Treasury managers who access systems from their homes or over their own connections could put systems at risk of breach, but there are ways to identify fraud and safeguard operations. One way is to reconcile accounts regularly and increase oversight and security of ACH. Another is to adopt their bank’s positive pay service for ACH payments to ensure the amounts and recipients have not been altered. ACH blocks and filters can also eliminate unauthorized payments.
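The positive pay matching described above for checks, and here for ACH payments, can be sketched as a comparison of each presented item against the issue file the company sent its bank. This is an added example, not a bank's implementation: the field names, the sample records, and the exception wording are assumptions, and the duplicate and never-issued checks go beyond the amount and payee matching the article describes.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data: the issue file the company sends its bank.
ISSUED = {
    "1001": {"payee": "Acme Supply LLC", "amount": Decimal("1250.00")},
    "1002": {"payee": "Northside Freight", "amount": Decimal("980.50")},
    "1003": {"payee": "Delta Office Co", "amount": Decimal("75.25")},
}

# Constructed sample data: items presented to the bank for payment.
PRESENTED = [
    {"ref": "1001", "payee": "Acme Supply LLC", "amount": Decimal("1250.00")},
    {"ref": "1002", "payee": "Northside Freight", "amount": Decimal("9980.50")},  # amount altered
    {"ref": "1003", "payee": "D. Smith", "amount": Decimal("75.25")},  # payee altered
    {"ref": "1001", "payee": "Acme Supply LLC", "amount": Decimal("1250.00")},  # presented twice
    {"ref": "2044", "payee": "Unknown Vendor", "amount": Decimal("400.00")},  # never issued
]

def normalize(name):
    """Compare payee names case-insensitively, ignoring spacing and punctuation."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def positive_pay(issued, presented):
    """Return (ref, reason) exceptions; items not listed matched the issue file."""
    exceptions = []
    seen = Counter()
    for item in presented:
        ref = item["ref"]
        seen[ref] += 1
        record = issued.get(ref)
        if record is None:
            exceptions.append((ref, "not in issue file"))
            continue
        if seen[ref] > 1:
            exceptions.append((ref, "duplicate presentment"))
            continue
        if item["amount"] != record["amount"]:
            exceptions.append((ref, "amount mismatch"))
        if normalize(item["payee"]) != normalize(record["payee"]):
            exceptions.append((ref, "payee mismatch"))
    return exceptions

if __name__ == "__main__":
    for ref, reason in positive_pay(ISSUED, PRESENTED):
        print(f"HOLD {ref}: {reason}")
```

Each exception is an item to hold for a pay-or-return decision rather than pay automatically.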
Managing Risk in the New Normal
The new digital tools and remote working arrangements adopted during the pandemic represent a permanent change in treasury operations. Organizations now need a stronger emphasis on security and reducing systemic risk, and they can do so by instituting security enhancements that would make the organization a difficult target for fraudsters. This includes limiting exposure of account information, securing sensitive documents, and eliminating paper statements.
Validation controls, such as third-party check printing and positive pay services, help prevent fraud attempts as well, and paying with single-use virtual card numbers (VCNs) reduces credit card fraud. A dual approval process to authorize transactions serves as an additional backstop while fraud monitoring services analyze banking information for suspicious activity.
There’s always a chance that even the most secure systems can be penetrated, but cost controls can help minimize losses by detecting various types of financial fraud early. In addition to monitoring and reconciling accounts daily, organizations can also set transaction limits and email alerts.
Separating accounts by purpose, payment type, or department can isolate losses when an account is breached. Adding fraud-related riders to your business insurance policy also reduces out-of-pocket costs in an attack.
With strong controls and secure cash management portals, banks can be trusted advisors and partners in the path to digitization.
“Companies are interested in the risks that exist as they continue to digitize processes and headlines about fraud and cyber-attacks become more prevalent,” Konkel says. “It’s become much more apparent and much more immediate than it ever was before.”