Head2Head: A United Approach to Tackling Fraud and Cybercrime
by Bruce Meuli, Global Business Solutions executive, and Jonathon Traer-Clark, Head of Strategy, Global Transaction Services, Bank of America Merrill Lynch
BM Accuracy, confidentiality and security are fundamental to every financial transaction. Over time, these conditions haven’t changed but the methods of executing transactions have been transformed into a complex collection of global electronic payment networks with myriad participants and flavours. However, just as the means of transacting payments have evolved, so too have the risks: for example, cybercrime is now widely cited as a primary risk to the global economy. Has digitisation really changed everything?
JTC Well, not quite. Yes, we have been forced to adapt to a world where technology is often the foundation of fraudulent enterprise risk, but the risk to a corporate treasurer is the same today as it always has been – humans doing bad things. Cybercrime is simply a digital version of human (mis)behaviour.
BM I agree that the human element of any process can be ‘the weakest link’. Automation is a significant part of any financial transaction but often the core processes don’t change dramatically – and the human aspects are now just performed by technology. A safe and secure business must be founded on ethical human behaviour and robust technology-enabled processes. With automation there has been a big shift towards creating standard operating practices. Controls that manage the transaction flow have been embedded as business rules in treasury and payment systems. These rules must be carefully applied and audited. In addition, controls over human interaction are needed. These may take the form of multiple levels of authentication, segregation of duties between those executing and approving transactions, and expanding the often limited number of people who are authorised to validate transactions.
JTC Ultimately, treasurers need to maintain control and be responsive to human behaviour, especially when a payments instruction breaks the norm. For instance, when a CEO instructs the treasury department via email to immediately wire $100,000 for a confidential legal disclosure settlement, the treasury analyst is inclined to oblige. Yet the treasurer should never authorise $100,000 to an unknown recipient without proving the authority and testing the instruction. This is also why you need strong, visible C-suite and board support for processes that strengthen security and reduce fraud. After all – how do you know the email isn’t a phishing attempt? Encouraging treasurers to feel comfortable challenging and verifying instructions, no matter what level of apparent seniority the initiator of the transaction has, should override our natural propensity to trust, and this is only possible at the human-to-machine interface.
BM Let’s not underestimate the importance of applying technology to enhance cybersecurity. After all, with every threat, there is an opportunity. Optimising the use of learned behaviour is central to effective risk management. Through the application of standard processes and expected transaction flows, and the interrogation of data, systems can identify unusual behaviour patterns and transactions. This can be within the process on a real-time basis or as part of an ‘after the event’ control.
JTC A learned process does not rule out cyber risk – and data can be mined for the wrong reasons. Crucially, the abuse of real information, which is increasingly available through cloud-based data management, is cybercrime at its most unpredictable. When technology is penetrated, then trust is eroded. With hackers spending an average of 205 days in compromised systems before being discovered, the treasurer must look to the strength of internal systems and the knowledge of their partners to safeguard against intrusion. Letting your IT vendor, shared service centre and bank share the control of risk helps analyse the weakest link, building KYC into everything you do. For the treasurer, fraud will always be a threat to a corporate’s security, whether cyber or human. It’s a combination of both that will help defeat it.
The TMI Verdict - by Helen Sanders, Editor
At a recent meeting of senior European treasurers, fraud and cybersecurity were identified as the most significant concerns. Cybersecurity, i.e., the risk that an external party can take control of systems or data and misuse them, is a serious concern, but as recent events have shown, these attacks often take advantage of weaknesses in human behaviour rather than flaws in the systems themselves, e.g., the use of simple or default passwords, and falling foul of IT or bank security scams where users unwittingly give control of the system to criminals who are posing as a bank, system vendor or internal IT department.
Security risks do not need to involve the misuse of technology, however, as the ‘CEO fraud’ described by Jonathon illustrates. More than one treasurer has been tricked by this sort of fraud, including those of very large multinational corporations. One treasurer of a large MNC mentioned recently that her department receives tens, and sometimes hundreds of these attempts a day. Similarly, internal fraud remains a major challenge, and the people statistically most likely to commit crime are often those in senior positions responsible for defining or enforcing controls: as the cover story in TMI edition 238 (November 2015) discussed, according to a KPMG report in 2011, the typical fraudster is not a teenager holed up in a garage, but a middle-aged male in a senior finance position who has worked for the company for 10 years or more.
As Jonathon rightly indicates, a combination of human and technology factors is required to tackle fraud and cybersecurity, whether internally or externally initiated. Training of both senior management and finance employees is essential: CEOs and other senior executives must be aware of processes, and communicate clearly to the business that payments will never be requested outside the normal controls. Systems too must not physically permit payments to be made without the mandated level of authorisation, with auditability of user actions and alerts on attempted irregular behaviour. Everyone has a role to play in minimising risk and increasing transparency over activities, so it is important to develop a business culture that enables individuals to challenge controls and procedures, whether those individuals are employed by the company, bank or technology vendor.
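The controls that run through the discussion above and the verdict (vetted beneficiaries, instructions keyed into the payment system rather than acted on from email, segregation of duties between initiator and approver, tiered approval by amount, a learned baseline per beneficiary, and an audit trail with alerts) can be expressed as business rules in a payment-release workflow. The following is an added illustration written for this page, not code from Bank of America Merrill Lynch, TMI or any treasury product; every user name, beneficiary reference, threshold and sample payment in it is constructed, including the $100,000 "CEO email" case, and a real system would of course take these from master data rather than literals.

```python
# Added example: a minimal payment-release control of the kind the
# discussion describes (vetted beneficiaries, in-system instruction,
# segregation of duties, tiered approval, learned baseline, audit trail).
# Illustration only; all names, thresholds and sample data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from statistics import mean


@dataclass
class Payment:
    payment_id: str
    beneficiary: str            # beneficiary account reference (constructed)
    amount: float
    channel: str                # where the instruction came from: "tms" or "email"
    initiator: str              # user who keyed the payment
    approvers: list = field(default_factory=list)


@dataclass
class ReleasePolicy:
    """Business rules embedded in the payment workflow (hypothetical values)."""
    vetted_beneficiaries: set
    dual_approval_over: float = 10_000.0      # two approvers above this amount
    senior_approval_over: float = 50_000.0    # plus a senior approver above this
    senior_approvers: set = field(default_factory=set)
    history: dict = field(default_factory=dict)  # beneficiary -> past amounts
    deviation_factor: float = 3.0             # alert if > 3x the learned average

    def evaluate(self, p: Payment):
        """Return (release, reasons). Any reason blocks release."""
        reasons = []
        # Instructions must be keyed into the controlled system, never acted on
        # directly from email: this is the 'CEO fraud' control.
        if p.channel != "tms":
            reasons.append("OUT_OF_BAND_INSTRUCTION")
        # Only beneficiaries that passed vetting (KYC of the counterparty).
        if p.beneficiary not in self.vetted_beneficiaries:
            reasons.append("UNKNOWN_BENEFICIARY")
        # Segregation of duties: the initiator cannot approve their own payment.
        approvers = set(p.approvers)
        if p.initiator in approvers:
            reasons.append("SOD_VIOLATION")
            approvers.discard(p.initiator)  # their own approval does not count
        # Tiered approval: the larger the payment, the more (and more senior) eyes.
        required = 2 if p.amount > self.dual_approval_over else 1
        if len(approvers) < required:
            reasons.append(f"INSUFFICIENT_APPROVALS:{len(approvers)}/{required}")
        if p.amount > self.senior_approval_over and not (approvers & self.senior_approvers):
            reasons.append("NO_SENIOR_APPROVAL")
        # Learned behaviour: compare against what this beneficiary usually receives.
        past = self.history.get(p.beneficiary, [])
        if past and p.amount > self.deviation_factor * mean(past):
            reasons.append("AMOUNT_DEVIATES_FROM_BASELINE")
        return (not reasons, reasons)


class AuditTrail:
    """Append-only record of every decision, for after-the-event review."""

    def __init__(self):
        self.entries = []

    def record(self, p: Payment, released: bool, reasons):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "payment_id": p.payment_id,
            "initiator": p.initiator,
            "approvers": sorted(set(p.approvers)),
            "released": released,
            "reasons": list(reasons),
        })

    def alerts(self):
        """Blocked decisions, i.e. the ones a human should look at."""
        return [e for e in self.entries if not e["released"]]


def run_sample():
    """Run the rules over constructed payments and return the audit trail."""
    policy = ReleasePolicy(
        vetted_beneficiaries={"ACME-SUPPLY-01", "PAYROLL-TRUST"},
        senior_approvers={"treasurer"},
        history={"ACME-SUPPLY-01": [4_800.0, 5_100.0, 5_000.0]},
    )
    trail = AuditTrail()
    samples = [
        # Routine supplier payment, keyed in the TMS, one approver: releases.
        Payment("P-1", "ACME-SUPPLY-01", 5_000.0, "tms", "analyst", ["manager"]),
        # The 'CEO email' case: out of band, unknown recipient, self-approved.
        Payment("P-2", "LEGAL-SETTLEMENT-X", 100_000.0, "email", "analyst", ["analyst"]),
        # Large but properly instructed and approved: releases.
        Payment("P-3", "PAYROLL-TRUST", 75_000.0, "tms", "analyst", ["manager", "treasurer"]),
        # Vetted beneficiary, but ten times its normal amount: held for review.
        Payment("P-4", "ACME-SUPPLY-01", 50_000.0, "tms", "analyst", ["manager", "treasurer"]),
    ]
    for p in samples:
        released, reasons = policy.evaluate(p)
        trail.record(p, released, reasons)
    return trail


if __name__ == "__main__":
    for entry in run_sample().entries:
        state = "RELEASED" if entry["released"] else "BLOCKED"
        print(entry["payment_id"], state, entry["reasons"])
```

Two design points worth noting. The rules only ever add reasons and never override each other, so a payment that is out of band, to an unknown recipient and self-approved produces all three findings in the audit entry rather than just the first, which is what an investigator wants to see. And the baseline check deliberately blocks rather than warns: a payment to a known supplier for ten times its usual amount is exactly the case where a human should be challenging the instruction before release, not reading an alert afterwards.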
CYBER SECURITY WORKSHOP
Concerned about cyber threats to your treasury?
Join TMI and 8com for an intensive 1-day workshop designed to give treasury professionals the skills to protect their company and their department from the dangers of modern cyber crime and fraud.
Leave the session armed with a cybersecurity action plan - able to immediately implement progressive security measures in your business.