Internal fraud is a growing concern for companies, as cited by 38% of respondents in Bottomline Technologies’ report UK Business Payments Barometer 2017.
The figure is a sharp increase on the 13% of respondents who considered it an issue in the 2016 survey by the business payment technology company.
The survey also found that 56% of companies are unaware if they have been the victim of payment fraud, and the need for greater security was found to be the biggest driver for change in the payments industry for the second year running.
With a number of high-profile cases involving internal fraud in recent years, it is a legitimate concern.
In 2015, an employee at BMW in the UK was found guilty of stealing £5.9 million from the company over a four-year period. The money was taken in 59 separate transactions listing the employee’s own bank account details under that of a supplier. The true recipient of the funds was only discovered after an audit.
More recently, the South Korean subsidiary of Swiss company ABB fell victim to a treasurer taking $31 million, spread over 73 transactions. The sum is believed to be around 4% of the company’s 2016 net profits. The employee is thought to have forged documents and worked with third parties to complete the payments.
While insider fraud is a growing concern, companies are not always taking adequate steps to challenge the risks.
James Richardson, head of market development, risk and fraud, at Bottomline Technologies, says: “To tackle insider fraud, companies need to identify the flaws in their present processes, ensure systems are continually updated and that staff are regularly educated.”
Understanding the pattern of transaction flows will flag up problems when payments are made for unusual sums or at different times of the month. Internal checks can highlight issues in payroll, such as duplicate bank details or ghost employees, where an account has been created for an individual who does not work at the company.
Under accounts payable, the same checks can identify payments made at weekends, or those to unauthorized vendors.
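The internal checks described above, sketched as rules over payroll and accounts-payable records. This is an added example, not code from the article or from Bottomline; the record layout, the account values and the five-times-median threshold for an "unusual sum" are assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample data (placeholder identifiers, not real accounts).
APPROVED_VENDORS = {"V001": "GB00TEST0001", "V002": "GB00TEST0002"}
PAYROLL = {"E100": "GB00TEST0900", "E101": "GB00TEST0901", "E102": "GB00TEST0901"}
PAYMENTS = [  # (payment id, vendor id, account paid, amount, payment date)
    ("P1", "V001", "GB00TEST0001", 1200.0, date(2017, 3, 6)),
    ("P2", "V001", "GB00TEST0001", 1150.0, date(2017, 4, 5)),
    ("P3", "V001", "GB00TEST0001", 1250.0, date(2017, 5, 4)),
    ("P4", "V001", "GB00TEST0900", 98000.0, date(2017, 5, 13)),
    ("P5", "V999", "GB00TEST0777", 500.0, date(2017, 5, 16)),
    ("P6", "V002", "GB00TEST0002", 300.0, date(2017, 5, 17)),
]

def duplicate_payroll_accounts(payroll):
    """Payroll check: one bank account shared by several employee records."""
    by_account = defaultdict(list)
    for employee, account in payroll.items():
        by_account[account].append(employee)
    return {a: sorted(e) for a, e in by_account.items() if len(e) > 1}

def review_payments(payments, vendors, payroll, ratio=5.0):
    """Accounts-payable checks; returns {payment id: [reasons]}."""
    history = defaultdict(list)
    for _, vendor, _, amount, _ in payments:
        history[vendor].append(amount)
    staff_accounts = set(payroll.values())
    flags = {}
    for pid, vendor, account, amount, day in payments:
        reasons = []
        if day.weekday() >= 5:                  # Saturday or Sunday
            reasons.append("weekend")
        if vendor not in vendors:
            reasons.append("unauthorized_vendor")
        elif account != vendors[vendor]:        # paid to a different account
            reasons.append("account_mismatch")
        if account in staff_accounts:           # supplier paid into staff account
            reasons.append("employee_account")
        if amount > ratio * median(history[vendor]):
            reasons.append("unusual_amount")
        if reasons:
            flags[pid] = reasons
    return flags

if __name__ == "__main__":
    print(duplicate_payroll_accounts(PAYROLL))
    print(review_payments(PAYMENTS, APPROVED_VENDORS, PAYROLL))
```

Payment P4 trips four rules at once, which is the kind of corroboration that helps separate a real case from a false positive.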
Knowing what a typical transaction looks like requires monitoring daily business flows.
Richardson explains: “To understand how the payment flows work, first we need to set up the rules and anomalies. We need to understand what normal payments and suspicious payments look like to a company.”
Monitoring payments does not require in-depth interception that might interfere with the data privacy requirements outlined by the General Data Protection Regulation.
Andrew Davies, vice-president, global market strategy, financial crime risk management, at Fiserv, says: “Understanding what arises in transactions can prevent financial crime. It is not intercepting transactions, but informing the patterns needed for anti-money laundering. It helps to increase understanding of the transaction lifecycle.”
The outcome of falling victim to fraud extends further than loss of funds.
Bottomline’s Richardson says: “Companies are very aware of the reputational risk they face now. The more they know about a transaction, the more they can be sure of who it is they are paying.”
Keeping pace with changing payments might mean companies asking themselves some difficult questions about their own processes. Applying two-step authentication on making changes to account details or before a payment is sent might prevent some internal frauds.
The accuracy of detection is another vital component in ensuring that when an issue is flagged it is taken seriously.
Fiserv’s Davies says: “There is a greater need for accurate detection, as there are often too many false positives. These mistaken fraudulent transactions feed into the idea of fraud not being a serious issue.
“But falling into complacency about what is a false positive will not negate the likelihood of financial crime.”
The arrival of real-time payments will make these scenarios more difficult to detect.
The Bottomline Technologies survey found the move to real-time was the second biggest driver for change.
Further to the instant nature of the transactions, Faster Payments are irrevocable. Whether the money is sent to the wrong account through fraud or a simple mistake, the outcome is the same.
“With companies moving towards using Faster Payments, they have to be sure of the security of the transactions and the certainty of where the money is going,” cautions Richardson.
Davies adds: “To combat crime there needs to be a set of capabilities drawn up around payments processing. As the global payment initiative moves towards real-time payments, there is a need to maintain the standards.”
Hamish Thomas, partner, EMEIA financial services advisory at EY, says the current methods of fraud monitoring cannot continue as the risks increase.
“The costs of managing financial crime compliance are becoming unsustainable,” he says. “Managing down the cost base whilst maintaining the necessary controls and risk management is very challenging and requires new approaches to be taken.”
Richardson says the methods used to tackle fraud work best if it is seen as one overall issue, whether the threat is external or internal.
“It would be a better approach not to think of protections in siloes,” he says. “Applying standards across the board will help in keeping the protection of all payments processes to the same level.”
The solution lies in the move towards embracing technology, even if it requires short-term investment.
EY’s Thomas says: “Understanding and use of emerging tech, such as advanced analytics and AI [artificial intelligence], enables new and improved ways of understanding and managing risk that can also be more efficient.”
AI is, for example, already being used for predictive modelling to reduce false positives.
Having real-time analytics on future payments can enable transactions to be stopped in real time, avoiding the problems that can be created by Faster Payments. And having a body of easily accessible data can assist if and when investigations into suspected fraud are needed.