Valerio Trinchi | Senior Manager | Ernst & Young
Bob Stark | Vice President, Strategy | Kyriba
April 27th 2017
Reducing the Risk of Fraud through Treasury Technology
© 2017 Kyriba Corp. All rights reserved. PROPRIETARY & CONFIDENTIAL. 2
Today’s speakers
Valerio Trinchi
Senior Manager, Ernst & Young
[email protected]
www.ey.com/treasury

Bob Stark
VP, Strategy, Kyriba
[email protected]
@treasurybob
Agenda
Today’s Discussion
– Increasing importance of fraud prevention
– Protection from unauthorized use of systems
– Standardizing your workflows
– Detecting fraudulent activity
Fraud is a driving concern
74% of organizations have experienced attempted or actual payments fraud1
36% of treasury teams have seen fraud attempts increase in the past year2
63% of corporates report fraud attempts by external parties3
63% of executives report that majority of fraud goes undetected4
Average = 18 months before fraud detected5
Sources: (1, 2, 3) AFP, 2017; (4) ACL, 2017; (5) ACFE, 2016
Incidents of fraud are increasing
[Chart: Percent of organizations that experienced attempted and/or actual payments fraud. Source: AFP Payment Fraud Report 2017]
[Chart: Did number of fraud incidents increase since last year? Source: AFP Payment Fraud Report 2017]
[Chart: Source: Kroll Global Fraud and Risk Report 2016]
Fraud & Cybercrime in Treasury
CFOs and Treasurers need to ask…
– Payments: Do I have visibility into every payment? Are my controls consistent for every bank, every region, every person? Do I review my ACKs?
– Investments & Trading: How many bids before a trade? Can Settlement Instructions be modified?
– Access to Treasury Technology: How many layers of protection exist after your password?
– Supplier Account Verification: Are there controls to prevent unauthorized change to supplier payment info?
– Bank Account Mgmt: Do I know my account signatories? Who can change them? Does my bank have the same list?
– Fraud Detection: Do I use payment watchlists? Do I have a control center to view all transactions and modifications?
– Connectivity: Can connectivity be compromised?
Protection from unauthorized use
You need more than just UserID and Password
A UserID/password alone should not grant access to the system. Attacks prey on weak login/authentication: it is the easiest entry point for compromising a software solution and getting at its data.
Require a combination of password and access controls:
– Password timeouts, resets, history, alphanumeric requirements
– Virtual keypad
– Multi-factor authentication (hard or soft token)
– IP filtering
– Single sign-on with the internal IT environment
Of these, multi-factor authentication is the control that still holds when a password has been phished or stolen; password rules, virtual keypads and IP filtering raise the bar but do not replace it.
Data Security
IT thinks treasury data is safer hosted externally: cloud technology can offer more safeguards than internal hosting.
– Encryption of data, in transit and at rest
– Hosting within audited, certified data centers that feature 24/7 security and biometric access
– Separation of duties and other policy-driven protections to restrict access to hosting infrastructure and client data
– Firewalls to protect externally and between tiers
Data Security
Cloud technology can offer better protection against data loss and unauthorized access:
1) Data is encrypted at rest in both active and backup environments
2) Customer application encryption
– Encryption of the most sensitive database fields in the application itself
– Unique encryption key for each customer that only they have access to
Check with the vendor where that per-customer key is stored, who (including vendor staff) can use it, and how it is rotated: field-level encryption only protects against a database-level compromise if the key is not reachable from the same environment.
Evaluating Data Security
Audit Reporting
There is much confusion around SOC 1 vs. SOC 2. You must evaluate the details of the audit; there is no pass/fail.
– SOC 1: covers controls relevant to the customer’s financial reporting; it is only an assessment that those controls exist, not of the security behind them
– SOC 2: the AICPA’s recommended report for cloud service providers; assesses the security behind the controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy)
– Penetration testing: most vendors hire security firms (McAfee, Qualys, etc.) to test external vulnerability
For either SOC report, ask for the Type II version: a Type I only describes control design at a point in time, while a Type II tests operating effectiveness over a review period. For penetration tests, ask for the scope, the date, and the remediation status of the findings, and distinguish an automated external vulnerability scan from a manual test.
Standardized global workflows
Governance of payments
You should plan to have the following covered:
– Formalized/standardized protocols for managing both incoming and outgoing transactions involving corporate bank accounts, supported by technology (prevention/detection/forensic)
– Identified oversight responsibility
– An established and reliable control framework
– A readily accessible audit trail and log
Payment Controls
Ensure all exposure points are secure:
1) Secure access to software used for payment initiation, approval and transmission
2) Separation of duties and approval limits within payments software in all geographies, for all users, across all payments
3) Secure and monitored transmission to the bank connectivity channel
4) Real-time payment confirmations and acknowledgements
5) Full reconciliation of payment transactions
6) Monitored workflow changes within payments systems
Settlement Instructions
Standard settlement instructions (SSI)
Many organizations lack SSI automation; it is impossible to audit a disparate trading/payment workflow when it involves walking paper down the hall.
Automated SSI reduce the risk of funds being redirected to unauthorized accounts:
– The payment template should be automatically attached to the trade and require approval to edit or remove
– Ideally, an alert notification is raised when SSI are changed, with an audit workflow for the change
Receipts – when payments are coming to you
– Establish protocols for communicating payment instructions to your customers; standardize the communication of banking instructions internally
– Formalized process for set-up/change requests with your existing or new customers; identify oversight responsibility
– Establish and customize controls
– Document validation/confirmation and complete a test transaction before changes become effective
– Reconciliation process with a pre-identified escalation procedure, point of contact (Treasury) and trail log
Bank Account Management
Control of Bank Accounts
As organizations expand/decentralize, it is easy to lose control of accounts and signatories. Need to establish:
1) Central repository – visibility into accounts, tracking of authorized signers, and one source for documentation
2) Structured workflows – mandate approval processes to ensure no ‘under the radar’ bank accounts or signatories
3) Reconciliation procedures – with the bank(s)
Bank Connectivity
Is my bank connectivity safe?
[Diagram: Treasury Payments System connected to multiple banks. (1) Approved payments transmitted to banks; (4) ACKs/NACKs sent back to treasury; steps 2 and 3 unlabelled in the slide.]
From prevention… to detection
Reconciliation
Daily monitoring of bank activity will find suspicious/fraudulent transactions:
– Daily bank reporting will proactively surface suspicious transactions, especially via dashboards and automated reporting
– Daily cash positioning forces review of transaction variances
– In addition, review payment acknowledgements and match what you sent vs. what the bank received
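Matching what you sent against what the bank acknowledged is a mechanical check, and the interesting part is which buckets a mismatch falls into. The following is an added example written for this page, not Kyriba's reconciliation logic. It constructs in memory a set of released payments (standing in for a pain.001 file) and the bank's status report (standing in for a pain.002), using the ISO 20022 status codes ACCP/ACSP/ACSC for accepted, RJCT for rejected and PDNG for pending; the record field names and the sample IBANs are assumptions for the demo.

```python
"""Reconcile payments sent to the bank against the bank's ACK/NACK responses.

Added example, not from the original page. The two record sets are constructed
in-memory to stand in for the pain.001 instructions a treasury system sent and
the pain.002 status report the bank returned; field names and IBANs are
assumptions for the demo. Status codes are ISO 20022: ACCP/ACSP/ACSC accepted,
RJCT rejected, PDNG pending.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class SentPayment:
    end_to_end_id: str
    amount: Decimal
    currency: str
    beneficiary_iban: str


@dataclass(frozen=True)
class BankStatus:
    end_to_end_id: str
    status: str               # ISO 20022 transaction status code
    amount: Decimal
    currency: str
    beneficiary_iban: str
    reason: str = ""          # ISO 20022 reason code when rejected, e.g. AC01


ACCEPTED = {"ACCP", "ACSP", "ACSC"}
COMPARED_FIELDS = ("amount", "currency", "beneficiary_iban")


def reconcile(sent: List[SentPayment], statuses: List[BankStatus]) -> Dict[str, List[str]]:
    """Bucket every sent payment and every bank status.

    accepted     bank accepted exactly what we sent
    rejected     bank NACKed it; the reason code says why
    mismatch     bank echoed a different amount/currency/beneficiary than we sent,
                 so the instruction was altered between release and the bank
    no_response  bank never acknowledged it: stuck, dropped, or intercepted in transit
    pending      bank has it but has not given a final status yet
    unexpected   bank reports an instruction we have no record of sending
    """
    buckets = ("accepted", "rejected", "mismatch", "no_response", "pending", "unexpected")
    result: Dict[str, List[str]] = {b: [] for b in buckets}
    by_id = {s.end_to_end_id: s for s in statuses}
    sent_ids = {p.end_to_end_id for p in sent}

    for p in sent:
        s = by_id.get(p.end_to_end_id)
        if s is None:
            result["no_response"].append(p.end_to_end_id)
            continue
        # Compare content before looking at the status: an accepted payment whose
        # beneficiary differs from what treasury released is the worst case, not a success.
        diffs = [f for f in COMPARED_FIELDS if getattr(p, f) != getattr(s, f)]
        if diffs:
            result["mismatch"].append(f"{p.end_to_end_id}: bank echoed different {', '.join(diffs)}")
        elif s.status == "RJCT":
            result["rejected"].append(f"{p.end_to_end_id}: {s.reason or 'no reason given'}")
        elif s.status in ACCEPTED:
            result["accepted"].append(p.end_to_end_id)
        else:
            result["pending"].append(f"{p.end_to_end_id}: {s.status}")

    for eid in by_id:
        if eid not in sent_ids:
            result["unexpected"].append(eid)
    return result


# Constructed sample data: one clean acceptance, one rejection, one altered
# beneficiary, one payment the bank never answered, one the bank reports
# that treasury never released.
SENT = [
    SentPayment("E2E-001", Decimal("12500.00"), "EUR", "DE89370400440532013000"),
    SentPayment("E2E-002", Decimal("980.50"), "EUR", "FR1420041010050500013M02606"),
    SentPayment("E2E-003", Decimal("45000.00"), "USD", "GB29NWBK60161331926819"),
    SentPayment("E2E-004", Decimal("300.00"), "EUR", "NL91ABNA0417164300"),
]
STATUSES = [
    BankStatus("E2E-001", "ACSP", Decimal("12500.00"), "EUR", "DE89370400440532013000"),
    BankStatus("E2E-002", "RJCT", Decimal("980.50"), "EUR", "FR1420041010050500013M02606", reason="AC01"),
    BankStatus("E2E-003", "ACSP", Decimal("45000.00"), "USD", "GB33BUKB20201555555555"),
    BankStatus("E2E-009", "ACSP", Decimal("7800.00"), "EUR", "ES9121000418450200051332"),
]

if __name__ == "__main__":
    for bucket, items in reconcile(SENT, STATUSES).items():
        print(f"{bucket:12s} {items}")
```

Only the accepted bucket closes an item; everything else is an exception for a named person to work that day. The mismatch and unexpected buckets are the ones that indicate tampering or an unauthorized channel rather than an ordinary processing error, and they deserve an escalation path that does not run through the same team that releases payments.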
Identifying Unauthorized Transactions
Review of audit trails will identify specific actions. Audit trails should be:
1) At transaction level
2) A centralized log tracking system-wide activity
• Filtered by any variable: activity, user, etc.
• Sufficient detail and descriptions to determine what happened
• Available directly in the system (not a report you have to request)
Fraud Monitoring
A visual dashboard or daily summary report is critical to monitoring suspicious activity. Examples of monitoring:
– Number of payments and payment files transmitted to bank(s)
– Internal workflow changes (e.g. limits and approvals)
– Bank accounts & signatories
– Daily monitoring & reconciliation of all transactions
Fraud Monitoring (continued)
Setting up detection rules in your payments system will flag transactions that meet predetermined conditions, requiring further attention, e.g. payments to North Korea or payments to a bank account that was just changed in the system.
Fraud Monitoring (continued)
Also set up rules that search for deviations in payment patterns. Proactive alerts can often be viewed in dashboards, making it easy to decide what activity merits further action.
Potential actions:
• Change the status
• Change assignees
• Block user
• Change password
• Attach documentation
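The two kinds of rule on the preceding slides, fixed conditions (a watchlisted destination, a beneficiary whose bank details were just changed) and deviations from a beneficiary's payment pattern, can be run over a release batch before anything goes to the bank. The following is an added example written for this page, not Kyriba's rule engine. The payments, beneficiaries and reviewed history are constructed in memory; the watchlist holds only KP (North Korea) because that is the page's example, and a real one is loaded from the sanctions lists the business is subject to; the seven-day change window, the 3× median threshold and the minimum history length are assumptions to tune.

```python
"""Detection rules over a payment batch: watchlist country, recently changed
beneficiary bank details, first payment to a beneficiary, and deviation from
the beneficiary's historical amounts.

Added example, not Kyriba's rule engine. All records are constructed in-memory.
The watchlist holds only "KP" because that is the page's example; load it from
the sanctions sources you are subject to. Thresholds are assumptions to tune.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Payment:
    payment_id: str
    beneficiary_id: str
    beneficiary_country: str        # ISO 3166-1 alpha-2 of the beneficiary bank
    amount: Decimal
    value_date: date


@dataclass(frozen=True)
class Beneficiary:
    beneficiary_id: str
    bank_details_changed_on: Optional[date]   # last change to account/bank data, if any


WATCHLIST_COUNTRIES = {"KP"}      # constructed; sanctions lists in practice
RECENT_CHANGE_DAYS = 7            # assumption: flag payments this soon after a detail change
DEVIATION_FACTOR = Decimal("3")   # assumption: flag amounts above 3x the historical median
MIN_HISTORY = 3                   # assumption: past payments needed before judging a pattern


def screen(batch: List[Payment], history: List[Payment],
           beneficiaries: List[Beneficiary]) -> Dict[str, List[str]]:
    """Return, for every payment in the batch, the sorted list of rules it trips.

    Only already-reviewed history feeds the pattern rule: an unreviewed large
    payment in the same batch must not be allowed to inflate the median it is
    judged against.
    """
    bens = {b.beneficiary_id: b for b in beneficiaries}
    past: Dict[str, List[Decimal]] = {}
    for h in history:
        past.setdefault(h.beneficiary_id, []).append(h.amount)

    flags: Dict[str, List[str]] = {}
    for p in batch:
        hits: List[str] = []
        if p.beneficiary_country in WATCHLIST_COUNTRIES:
            hits.append("WATCHLIST_COUNTRY")
        ben = bens.get(p.beneficiary_id)
        if ben is not None and ben.bank_details_changed_on is not None:
            age = (p.value_date - ben.bank_details_changed_on).days
            if 0 <= age <= RECENT_CHANGE_DAYS:
                hits.append("RECENT_BANK_DETAIL_CHANGE")
        amounts = past.get(p.beneficiary_id, [])
        if not amounts:
            hits.append("NEW_BENEFICIARY")
        elif len(amounts) >= MIN_HISTORY and p.amount > DEVIATION_FACTOR * median(amounts):
            hits.append("AMOUNT_DEVIATION")
        flags[p.payment_id] = sorted(hits)
    return flags


# Constructed sample data.
BENEFICIARIES = [
    Beneficiary("SUP-ACME", bank_details_changed_on=date(2017, 4, 24)),
    Beneficiary("SUP-GLOBEX", bank_details_changed_on=None),
    Beneficiary("SUP-NEW", bank_details_changed_on=None),
]
HISTORY = [   # payments already reviewed and released in earlier weeks
    Payment("H1", "SUP-ACME", "DE", Decimal("5000.00"), date(2017, 4, 5)),
    Payment("H2", "SUP-GLOBEX", "FR", Decimal("1000.00"), date(2017, 4, 3)),
    Payment("H3", "SUP-GLOBEX", "FR", Decimal("1100.00"), date(2017, 4, 10)),
    Payment("H4", "SUP-GLOBEX", "FR", Decimal("1050.00"), date(2017, 4, 17)),
]
BATCH = [     # today's release, screened before transmission
    Payment("P101", "SUP-ACME", "DE", Decimal("5000.00"), date(2017, 4, 27)),
    Payment("P102", "SUP-GLOBEX", "FR", Decimal("9000.00"), date(2017, 4, 27)),
    Payment("P103", "SUP-NEW", "KP", Decimal("250.00"), date(2017, 4, 27)),
    Payment("P104", "SUP-GLOBEX", "FR", Decimal("1075.00"), date(2017, 4, 27)),
]

if __name__ == "__main__":
    for pid, rules in screen(BATCH, HISTORY, BENEFICIARIES).items():
        print(pid, rules or "ok")
```

A flagged payment is held, not rejected: the rules are there to route it to a reviewer who is not the person who keyed it, with the reason attached, which is exactly the "change status, change assignee, attach documentation" set of actions the slide lists.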
Conclusion
CFOs and Treasurers need to ask… (the same questions as on the Fraud & Cybercrime in Treasury slide above)
Fraud & Cybercrime in Treasury
CFOs and Treasurers have answers
– Payments: separation of duties and multi-approvals; standardized controls and processes; digital signatures
– Investments & Trading: recorded multiple bids; Standard Settlement Instructions
– Access to Treasury Technology: multi-factor authentication! + IP filtering, VPN, SSO, virtual keyboard; applied for business continuity
– Supplier Account Verification: standardized review/approval of changes to supplier bank instructions
– Bank Account Mgmt: single system of record; controls for changes to bank data
– Fraud Detection: full visibility to monitor activity; watchlist filtering for payments; overall visibility into audit, controls, activity
– Connectivity: encrypted communications; IT evaluation of connectivity-as-a-service provider
Additional Resources
eBook: Reducing the Risk of Fraud with Kyriba
Get PDF at: info.kyriba.com/reduce-fraud-with-kyriba-ebook
eBook: Six Ways to Prevent Financial Fraud
Get PDF at: info.kyriba.com/Fraud_eBook_LP
Thank You for Attending
facebook.com/kyribacorp
twitter.com/kyribacorp
linkedin.com/company/kyriba-corporation
youtube.com/kyribacorp
slideshare.com/kyriba
kyriba.com/blog