Combating Payment Fraud
Understanding How Payments Work and Revisiting Sensible Internal Controls
As the lifeblood of our consumer-driven economy, payments are fundamental to the business-as-usual fuel that propels us from day to day, one reporting quarter at a time. And as technologies have evolved, so too have the ways in which businesses, consumers, and financial institutions exchange money. While there are multiple payment channels, many organizations do not appreciate how these different payment networks actually work.
For businesses, this lack of understanding can lead to a failure to deploy simple business process and technical controls that could dramatically mitigate the risk of payment fraud.
Automated Clearing House (ACH) Transfer
In the 1970s, the United States had a growing volume of paper checks with corresponding ever-growing concerns that technology could not keep pace with the demand of processing all of that paper. The Automated Clearing House (ACH) was created to solve this issue and became an electronic payment network for payments transfer. Administered by the not-for-profit National Automated Clearing House Association (Nacha), ACH transaction requests are processed in batches that settle within a one- to two-day timeframe. The most typical uses of the ACH network are recurring payments, such as bill pay and payroll. ACH is also often used for one-time payments because fees are lower than credit cards, wire transfers and other payment types. Because settlement is not immediate, ACH payments are revocable.
Wire Transfer
In the United States, wire transfers are electronic payments between financial institutions, using the FedWire (domestic payments), SWIFT (international payments), and CHIPS (domestic/international payments) networks. FedWire and CHIPS are considered clearing and settlement networks, meaning they handle both the message (instructions for the transfer) and the actual transfer of funds. By contrast, the SWIFT network handles only messages, and the actual transfer of funds ultimately uses FedWire or CHIPS. Wires are most often used for international or domestic payments that require same-day processing. They are not revocable, and fees range from $10 to $35 per wire.
Credit and Debit Cards
Credit and debit card payments are the most used form of consumer payments in the United States. Because of their convenience, many businesses also use credit and debit cards for such non-recurring purchases as office supplies or travel. Each credit or debit card brand (e.g. Visa, Mastercard, Amex, Discover) maintains its own networks for authorizing, authenticating, clearing, and settling transactions. Cardholders typically see a debit almost immediately on their payment card, but the merchant usually does not receive the funds for 24 to 48 hours, because transactions are processed in batches. Credit and debit card transactions come with an interchange, assessment, and payment processor fee, typically ranging from 1-3%. This is also known as a merchant discount rate that is paid by the merchant. Credit and debit cards come with built-in fraud liability protection that varies depending on the card brand and issuer.
Real-Time or Instant Payments
Real-time or instant payments through peer-to-peer (P2P) apps, such as Venmo or CashApp, have revolutionized the way people exchange money. Much like the payment evolution that took place for consumers, businesses are beginning to access real-time or instant payments through The Clearing House Real-Time Payments (RTP®) network and the upcoming FedNow service of the Federal Reserve Banks. Unlike wire or ACH transfers, these services clear and settle funds in real time, allowing organizations to use the funds immediately after they are sent. Due to the design of these payment solutions, the fees are only a few cents, and the payments are irrevocable.
Checks
While electronic payments have soared as a result of advances in technology, checks continue to be an everyday form of payment for businesses within the United States. In the past, check processing was done by mail, but with the advancement of electronic payments, physical checks are often converted or digitally scanned and transferred using the ACH network or the Check 21 (Check Clearing for the 21st Century Act) process. When the ACH network is used, the financial institution receiving the check for deposit converts the check to an ACH transaction that is sent to the check-issuing bank to transfer the funds. When the Check 21 process is used, the depositor’s financial institution sends a scanned image of the check to the check-issuing bank to transfer the funds. Banks generally will cover fraudulent check payments, assuming there was a good-faith effort by the business to protect the checks.
Simple but Necessary Steps to Mitigate Payment Fraud
These channels are being exploited to extract funds from businesses at a faster pace than ever before. To combat fraud in today’s digital payment world, businesses must take a defense-in-depth approach, pairing legacy business process controls with baseline but effective IT controls. In tandem, these controls can effectively mitigate the risk of criminals successfully extracting funds from the business.
| Business Process Controls | IT Controls |
|---|---|
| Dual control and segregation of duties. Split the duties of personnel initiating and approving transactions. | Require multi-factor authentication with at least two different factors for all authentication attempts into banking and payment tooling, as well as into the networks and email platforms supporting the business. Factors can include something you know (password), something you have (physical/e-token generator), and something you are (fingerprint). |
| Call-back verification process. Call back vendors on pre-determined or publicly available numbers to confirm payment instructions prior to setting up a new vendor or making changes to an existing one. | Limit logical access to payment data and process documentation. Limit logical and physical access to accounts payable/receivable files, payment instructions, and other process documentation. |
| ACH positive pay. Set up alerts to make real-time decisions before funds leave your account. This can include creating vendor lists with expiration dates and caps on the amount submitted for any single payment. | Perform regular user access reviews. For online banking and check printing software, access should be limited to specific individuals, based on job function. |
| Regularly review bank and credit/debit card account activity. Have independent personnel (that is, not the cardholder) perform regular reviews of account activity. | Endpoint protection. Deploy technical solutions across systems to detect and remediate suspected or known malicious activity and system processes. |
| Documented accounts payable and cash disbursement processes. Formally document accounts payable and cash disbursement processes. Define and track approval requirements for all transaction types and values. | Develop a vulnerability management program for the identification, mitigation, and remediation of vulnerabilities across systems and networks. Vulnerabilities should be risk-rated and remediated on defined timelines established by a risk assessment. |
| Dedicated bank account for wire transfers. Set up a separate bank account to use only for wire transfers. Maintain a zero balance and block all other activity on the account. | Protect checks like you would cash. Physically secure checkbooks to authorized users. Limit physical and logical access to check printing software and supplies. |
| International wire transfer blocks. If your business does not regularly perform international wires, place an international wire block on your bank accounts. | Automated fraud/risk monitoring. Deploy third-party fraud/risk monitoring tooling that compares banking activity to baseline or “normal” activity to identify and/or prevent anomalous transactions. |
| Job rotations. Periodically rotate employee job responsibilities for key disbursement and review roles. | Conduct periodic training. Develop a cybersecurity awareness program that includes periodic training on identifying common social engineering techniques and other malicious activity. |
| Conduct social engineering tests. Perform periodic tests of accounts payable and cash disbursement processes through independent social engineering assessments. | |
| Check your cyber insurance policy. If you have cyber insurance, confirm that the policy covers fraudulent payment instructions. | |
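The table's ACH positive pay control (an approved-vendor list with expiration dates and per-payment caps) and its automated fraud/risk monitoring control (comparing activity to a baseline) can be combined into one screening step that runs over an outbound batch before funds leave the account. The following Python sketch is an added example, not code from the original article or from Weaver; the vendor names, account ids, amounts, reason codes, the five-payment minimum history, and the mean-plus-three-standard-deviations baseline rule are all constructed assumptions chosen to illustrate the idea.

```python
"""Constructed example: ACH positive-pay style screening of outbound payments.

Each outbound payment is checked against (1) an approved-vendor list carrying
verified account details, a per-payment cap and an expiration date, and
(2) the vendor's own payment history, so that an unusually large amount is
held for review even when it is under the cap. All vendor names, accounts
and amounts below are constructed sample data (hypothetical).
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev

MIN_HISTORY = 5    # assumption: need this many past payments before trusting a baseline
Z_THRESHOLD = 3.0  # assumption: hold amounts more than 3 std devs above the vendor's mean


@dataclass(frozen=True)
class VendorRule:
    """Approved payment instructions for one vendor (hypothetical schema)."""
    account: str   # receiving account confirmed through call-back verification
    cap: float     # maximum amount allowed for any single payment
    expires: date  # date after which the vendor must be re-verified


@dataclass(frozen=True)
class Payment:
    vendor: str
    account: str
    amount: float
    on: date


def baseline_limit(past_amounts):
    """Upper bound of a 'normal' amount (mean + Z_THRESHOLD * stddev), or None
    when there is too little history to form a baseline."""
    if len(past_amounts) < MIN_HISTORY:
        return None
    return mean(past_amounts) + Z_THRESHOLD * pstdev(past_amounts)


def positive_pay_decision(payment, rules, history):
    """Return ("pay", []) or ("hold", [reason codes]) for one payment.
    Every failed check is reported, so a reviewer sees all reasons at once."""
    reasons = []
    rule = rules.get(payment.vendor)
    if rule is None:
        reasons.append("UNKNOWN_VENDOR")        # not on the approved list
    else:
        if payment.account != rule.account:
            reasons.append("ACCOUNT_MISMATCH")  # differs from verified instructions
        if payment.on > rule.expires:
            reasons.append("RULE_EXPIRED")      # vendor authorization lapsed
        if payment.amount > rule.cap:
            reasons.append("OVER_CAP")          # exceeds single-payment cap
    limit = baseline_limit(history.get(payment.vendor, []))
    if limit is not None and payment.amount > limit:
        reasons.append("ANOMALOUS_AMOUNT")      # far above this vendor's usual amount
    return ("hold" if reasons else "pay", reasons)


def screen_batch(payments, rules, history):
    """Screen a whole ACH batch; returns a list of (vendor, decision, reasons)."""
    return [(p.vendor, *positive_pay_decision(p, rules, history)) for p in payments]


# Constructed sample data: two approved vendors and one vendor with enough history.
VENDOR_RULES = {
    "Acme Supplies": VendorRule("ACCT-1001", 5000.0, date(2024, 12, 31)),
    "Blue Ridge Printing": VendorRule("ACCT-2002", 2000.0, date(2023, 6, 30)),
}
PAYMENT_HISTORY = {
    "Acme Supplies": [1200.0, 1250.0, 1180.0, 1300.0, 1220.0, 1275.0],
}
SAMPLE_BATCH = [
    Payment("Acme Supplies", "ACCT-1001", 1240.0, date(2024, 3, 1)),      # normal
    Payment("Acme Supplies", "ACCT-1001", 4900.0, date(2024, 3, 1)),      # under cap, far above baseline
    Payment("Acme Supplies", "ACCT-9999", 1240.0, date(2024, 3, 1)),      # account differs from verified one
    Payment("Acme Supplies", "ACCT-1001", 6000.0, date(2024, 3, 1)),      # over cap and anomalous
    Payment("Blue Ridge Printing", "ACCT-2002", 500.0, date(2024, 3, 1)),  # authorization expired
    Payment("Nobody Vendor LLC", "ACCT-3003", 750.0, date(2024, 3, 1)),   # not on approved list
]

if __name__ == "__main__":
    for vendor, decision, reasons in screen_batch(SAMPLE_BATCH, VENDOR_RULES, PAYMENT_HISTORY):
        print(f"{decision.upper():4} {vendor:22} {', '.join(reasons) or 'ok'}")
```

Two design points matter for the controls in the table. First, a held payment is routed to an independent approver rather than silently dropped, which is how the screening step dovetails with dual control. Second, the baseline check deliberately fires even when a payment is under cap: a cap protects against one large loss, while the baseline catches a quiet change in a vendor's usual pattern, which is the anomaly the monitoring control is meant to surface.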
You don’t need to go it alone as your organization tackles these problems. Payment fraud is a big business for criminals, and it will continue to be a key risk facing every organization for the foreseeable future. Weaver has a diverse group of cybersecurity, banking, finance, and accounting professionals with the prowess to help organizations comply with standards and regulations, improve cybersecurity processes to protect payment data, and identify sensible methods for reducing fraud. Contact us today.
© 2023