The risk of fraud is never far from a treasurer’s mind, with ever more sophisticated cyber risks emerging alongside longstanding causes of fraud.
Although banks do (or at least should) have their own fraud prevention and detection checks, these checks do vary significantly in utility and effectiveness. As a consequence, companies should assume as much responsibility as possible for fraud prevention and reduction by adopting a series of actions as part of their payment processes.
These measures should start with account verification and checks on changes to settlement instructions:
- Beneficiary/payer account verification. Prior to the first credit (or debit), the beneficiary (or payer)’s account information should be verified, i.e., to confirm the account is valid and is held in the name of the correct counterparty. There are different tools available: Some may only indicate that an account exists (e.g., prenotes and micro-entries), whereas more in-depth account verification services will also provide an account name. Verification may involve the use of a combination of standalone services, bank-supplied solutions and internal controls. Understanding the limitations of any particular check will help to target the company’s own internal checks on the remaining unknowns.
- Review any request to change settlement instructions, as such a request also represents a major risk of fraud. For example, seeking to change settlement instructions is a major component of business email compromise (BEC) fraud.
As well as checking settlement instructions, the following will also help to protect against fraud, especially for electronic payments, and ACH payments specifically:
- ACH positive pay, which is a protection against unauthorized ACH credits and debits. At its simplest, a company will be sent a list of ACH debits on each account, and the company will then need to determine whether to authorize each debit. When authorizing the first payment, the company can set rules within ACH positive pay for the future, so any payments outside those rules will be flagged as exceptions and require a decision from the company on whether to authorize.
- Strong internal controls, including appropriate segregation of duties between the initiator of a transaction and the person responsible for reconciling accounts or determining whether to approve a transaction highlighted via positive pay.
- Separate accounts for collections and disbursements, with debit blocks on collection accounts. Companies that use checks may also decide to have separate accounts for check disbursements and ACH disbursements to reduce the risk that account information supplied on the check can be used for unauthorized debits.
- A daily ACH reconciliation, which will help to identify any potential fraudulent activity as soon as possible.
- A regular training program for all employees with responsibility for payments (from initiation through to reconciliation).
- Adherence to proper procedures at all times, especially following a request for quick action to effect a payment.
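The ACH positive pay flow described in the list above, sketched as an added Python example that is not part of the original article or any bank's actual service. The rule fields (originator ID and a per-debit ceiling), the class and function names, and the sample debits are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed rule shape: the article says only that rules are set when the first
# payment is authorized; originator ID plus an amount ceiling is illustrative.
@dataclass(frozen=True)
class Rule:
    originator_id: str
    max_amount: Decimal

@dataclass(frozen=True)
class Debit:
    trace: str
    originator_id: str
    amount: Decimal

class PositivePay:
    def __init__(self):
        self.rules = {}  # originator_id -> Rule

    def screen(self, debits):
        """Split presented debits into (within rules, exceptions with reason)."""
        cleared, exceptions = [], []
        for d in debits:
            rule = self.rules.get(d.originator_id)
            if rule is None:
                exceptions.append((d, "no rule for originator"))
            elif d.amount > rule.max_amount:
                exceptions.append((d, "amount above rule ceiling"))
            else:
                cleared.append(d)
        return cleared, exceptions

    def authorize(self, debit, max_amount):
        """Approve an exception and set the rule that governs future debits."""
        self.rules[debit.originator_id] = Rule(debit.originator_id, Decimal(max_amount))

def run_example():
    pp = PositivePay()
    # Constructed sample data. Day 1: a first debit is always an exception.
    _, day1_exc = pp.screen([Debit("T001", "UTILITY01", Decimal("480.00"))])
    pp.authorize(day1_exc[0][0], max_amount="600.00")
    # Day 2: one debit inside the rule, one above it, one from an unknown originator.
    cleared, day2_exc = pp.screen([
        Debit("T002", "UTILITY01", Decimal("512.35")),
        Debit("T003", "UTILITY01", Decimal("9500.00")),
        Debit("T004", "UNKNOWN99", Decimal("75.00")),
    ])
    return ([d.trace for d, _ in day1_exc], [d.trace for d in cleared],
            [(d.trace, why) for d, why in day2_exc])
```

Every item returned as an exception still needs a decision from someone other than the payment initiator, in line with the segregation of duties point above.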
Payments fraud continues to represent a significant operational and financial risk, so a multi-layered approach is likely to be the best way to reduce the company’s exposure.