The Treasury Update Podcast by Strategic Treasurer

Episode 138

2021 Treasury Fraud & Controls Survey Implications

On this episode of the podcast, Host Craig Jeffery joins Omri Kletter, Vice President of Fraud and Financial Crime at Bottomline, to discuss the results from the 2021 Treasury Fraud & Controls survey. This annual survey evaluates the current and projected impact of fraud on the finance and treasury environment. Practitioners from a broad range of industries are polled on their experiences with fraud and on the range of controls, safeguards and security practices employed to protect their financial assets and information. Listen in to this insightful conversation to learn about the results.

Host:

Craig Jeffery, Strategic Treasurer


Speaker:

Omri Kletter, Bottomline Technologies

Episode Transcription - Episode 138 - 2021 Treasury Fraud and Controls Survey Implications

Craig Jeffery:

Welcome to the podcast, Omri. 

 

Omri Kletter:

Good to be here. 

 

Craig Jeffery: 

So, in 2021 we completed the Treasury Fraud and Controls survey; this was the sixth annual survey underwritten by Bottomline. We had over 330 respondents across the globe and there’s quite a bit of information, quite a few assets that are available in the show notes, where you can download reports, infographics, and get webinar replays, so feel free to use those resources. Omri, to provide a little bit more context for our audience, could you give us a brief overview of your background in security and what you do in your role as global VP of CFRM at Bottomline?

 

Omri Kletter:

Sure, Craig, and thank you to everyone who’s listening to this. It’s again a great opportunity to engage in such an important topic, and to reflect on where we are, what we’ve achieved so far, but also at the walk ahead of us. So, as you mentioned, I am the global VP for our fraud and financial crime business within Bottomline. I started my career, interestingly enough, in global counterterrorism on the intelligence side in the Israeli NSA. And I can tell you that once you start your career with chasing the bad guys it’s very hard and difficult to change drastically, and I’m glad that to a certain degree I’m still focused on helping organizations and financial institutions to fight financial crime and fraud. I joined Bottomline a year and a half ago, after a long career in this field and with some of the market players, and in my current role I’m really focused on building the right strategy and products and solutions to protect business payments. If you think about Bottomline, we’re all about business payments as a company, right? We are helping organizations to pay and get paid and we’re helping banks to facilitate these services for payers and payees.

 

Omri Kletter:

And what we’re doing, you know, in the fraud and financial crime business within Bottomline is really extending the business payment subject matter into the protection from fraud and financial crime which is different to on the rise. I think generally, and that’s one of the themes that we’re seeing in the statistics, the combination of payments and the concept of how we protect these payments is becoming much more embedded and hence I think here at Bottomline we have a unique point of view, to combine or to address the problem of payments from this important angle, too.

 

Craig Jeffery:

So, we’ll have to do another podcast on counterterrorism that sounds like it’d be interesting, it might be a bit of a stretch from the Treasury side, but we’ll focus on… 

 

Omri Kletter:

I can tell you one thing, Craig, when you think about global counterterrorism and obviously the after-9/11 era and everything, I can tell you what we’ve seen very clearly. Follow the money, right, follow the money is critical. That’s why I think in the last 20 years or so we’re seeing great focus on understanding the funding sources of these activities and, obviously, for them, financial crime for them and money laundering, are played for these activities which we obviously want to find.

 

Craig Jeffery:

Have you read Zarate’s book Treasury War? I’m not sure if I have the title right.

 

Omri Kletter:

I think I heard about the book; I didn’t read it, nope.

 

Craig Jeffery:

Okay yeah, that’s a lot about following the money and tracking it down so, well, with that little discursive, you know, we’ll begin, you know and just for those that are listening, Omri and I are going to be discussing several different themes that were highlighted through the survey. And we’ll use this pattern of we’ll share some of the key findings from the survey and then expand that out to a discussion about some of the implications and get into some prescriptive advice as well, in many cases, so with that we’ll begin on the escalation of fraud. Now any discussion of fraud is always this idea we want to scare people. But if you’re listening to a podcast on fraud, you know that the fraud has continued to increase, the perpetrators of it are more sophisticated, they’re automated. There’s enough to be scared without being unduly dramatic, but I just want to share two things, two survey points, and then I’ll invite you to weigh in on this Omri from an escalation standpoint, year over year over year, I mentioned this with a sixth annual survey. Going back a few years 84%, 73%, 76%, and 87% are the percentages of year over year view that the threat level of fraud has increased or significantly increased. So, we have multiple year over year heavy increase in the threat level, that’s the reality, that’s the recognition of, if you’re listening to this, that’s the recognition of your peers of the situation on the ground.

Craig Jeffery:

I’ll tie one other element in here, this idea that criminals are both thoughtful, tricky and opportunistic and they took advantage of whatever’s on the ground. But in the COVID environment, fraud that had a tie into the pandemic, so leveraging information from emails or whether it’s PPE or identifying that the office is closed, please redirect payments over here, in this concept of tying in some truth with lies. 21% of fraud that occurred through the survey respondents had some tie in to COVID. So, in terms of the threat level it’s increased, it’s escalated. So, criminals are improving, Omri, they’re far more automated and more effective at getting information and cash out of organizations, so you know feel free to start with what you think is necessary to comment here but also any other thoughts in this area.

 

Omri Kletter:

So, you know Craig you’re framing perfectly, we’re seeing a constant rising in fraud across all segments, by the way, which is another interesting thing. Well, you know, it’s very hard to take one segment of size of organization or location of organization that’s actually going to rise compared to others, so I think you know the notion that this is actually across platform across segments problem is definitely one of the interesting takeaways from your annual survey. You mentioned automation and I will touch about that in a second, but I think what I would like our audience to think about when we think, to try to answer the question “why we’re seeing this rise?” and my response to that would be, “wait a minute, why not?”

 

Omri Kletter:

Why not numbers will go up, is there a) super connected to the growing number of digital transactions, right? So, generally, as fraud is tied to, you know, how much traffic, how many signals we’re producing. I met with one of the heads of fraud in a global bank with headquarters in NY. You know we are producing as human beings more signals than ever, and it was kind of interesting point of view to realize that, just thinking about how many signals we are producing, and to a certain degree fraud can ride on the signals. So again, the question is, “why not?” to a certain degree, and I don’t think that we provided yet a strong stop to it, to change the trend or to change the direction. I will give some data to a certain degree.

 

Omri Kletter:

Are we seeing new controls or new methods that are completely solving the problem of business email compromise? The answer is no. Do we have, you know, we’ve chatted with many of the Treasury representatives after the great webinar we had and asked, you know, “Do you have a head of fraud in your organization?” Answer: “Well, not yet, we think to have it.” And also from the other side, think about from the tax side if they’re not being stopped enough their motivation is also becoming bigger and again, maybe a bit connected to how we opened the discussion around Homeland Security in relation to that to set them the view we’re also seeing a rise in the magnitude of attacks, because of the nature of the attack. And it’s becoming an issue of state level type of attacks and that’s exactly connected to automation. So, the level of sophistication from the technology side on the outside, the ability to create longtail attacks, really go into the small organization tells us that the level of automation of a IP that is being invested can have invested in these type of attack is higher than before. So, I think you know when we think about the escalation of fraud and we ask why, I suggest to start with the question, “Why not?”, and then realize that we need to do something different.

 

Craig Jeffery: 

Yeah I like that, wishful thinking won’t stop it, and this idea of their payoff is higher, they’re making substantial pay on all of this activity, they’re able to be more efficient with automation and, like you said, the long tail catching smaller organizations, that’s creating this whole new fertile ground where it wouldn’t be efficient enough to go after many smaller organizations and I’m sure you’ve heard people say, it’s like well, “Who would go after us? We’re too small.” Well, you’re too small for maybe a very targeted attack, but if you get someone responding to emails and they can compromise the system well now you– low cost of acquisition.

 

Omri Kletter:

And by the way, I’ll give you a few anecdotes about an organization that they try to figure it out so, for example, one of the things we’re seeing as a response to the escalation of fraud is to, you know, to change how incoming phone inquiries from customers, from treasuries, but also from consumers, are being routed into the call center. So, to have much more analytics, like around new, quote, unquote, case management or disputes, and we’re involved in several projects where actually the focus is not the detection, but, actually, what are we doing that something is coming in, so maybe we have enough time, especially on non-real time payments, to stop the fraud from happening, or at least to recover some of it, because the funds haven’t been moved yet. So when we think about the escalation down there it doesn’t mean obviously, they’ll know me these outer and some interesting cases where banks and corporates are working more together to, you know, to build, for example, these types of processes.

 

Craig Jeffery: 

This idea of the fraud is escalated, we are exposed, is achieving a much greater level of understanding across organizations, and in this year’s study, I think there was a bit of a reality check for smaller organizations, they were feeling the pain and the more dramatic fashionable. Larger organizations have been attacked more heavily, more consistently, and smaller organizations are seeing and feeling that. There’s a lot of information in the survey from that and, you know, in response to that, over time, we’ve seen an increase in spending, a growth in controls. It stepped up on the year over year basis, multiple year basis of people spending, and so this has the spending it’s helped tech and controls in different areas. I’ll share a few items there, a few stats, so spending significantly more, 28% of organizations are spending significantly more this year over last year.

 

Craig Jeffery:

21% prior year over the year before that and also 21% the year before that, and so, in keeping with this escalating threat there’s significantly more spend, a solid three-year trend of a significant minority of companies spending more, and I’ll mention one other aspect on that. The focus on business email compromise or the spoofing activities where banks perceived business email compromise, authorized fraud, is their most identified, select up to three, as one of the biggest issues over the next one to two years–86% identify that. Account takeover showed up 40% of the time. And we look at the corporate side because we took, you know, we branched the survey, so we looked at what banks are seeing and they’re looking at all of their customers, then we’d look at what corporates are seeing: business email compromise, imposter fraud, that was the top issue of what corporations were seeing. And there’s other issues too that show up but there’s an element of banks see a lot of this, so I guess the question I want to explore, that’s the stats from respondents, but is the spending that corporations are doing, is this focused? Are they spending enough, is something missing, I suspect, you probably have some stories here too, Omri?

 

Omri Kletter:

So, few thoughts on that, first of all, the numbers you’ve shared are definitely in line with what we’re seeing in our networks and you know, we are not just I think you know, one of the most unique positions we have is the fact that we are using our protection tools to protect also our own network. So, as you know, Bottomline will also provide a payment networks, and we have the ability to monitor it and the numbers that you’re saying around kind of again the number of organizations being attacked and also different focus around business email compromise and account takeover differently at the survey is aligned with numbers that we’re seeing in the field, which I think is interesting. When you think about spending in the question, obviously, if it’s well spent, I think few things to think about, and I mentioned before, and talked about it on the webinar, we can almost imagine you know from a best practice perspective, a triangle. Once, when we could still meet people in person, I traveled to one of our customers in the Nordics and kind of took like a panel on the whiteboard and created a triangle, which is, I think perfect. Personnel, processes, and technology. And so I think if we put ourselves for a second from a treasurer perspective to make sure that we have people that can have their baseball cap with fraud, “I’m the head of fraud”, “I’m dealing with fraud, I’m accountable for that” is critical. And from expertise perspective we’re seeing more and more organizations spending and investing in hiring data scientists and people that are focused on the data, because you know as I’m sure to talk also about later, data is king and data is key for protection.

 

Omri Kletter: 

So, on one hand, no question about it, to bring people with relevant expertise and maybe with relevant background if it’s come from banking or from other industries like insurance. And the second part is processes, which definitely is the bread and butter of every control right to make sure that the controls are out there. It’s also a cultural thing you talk about business email compromise. I tell you a story, we have one for customers are serving a big health kind of health organization or hospital and they had a few cases of business email compromise where it looked like few physicians are asking them to change their destination of salary, but practically it was fraud and emails were not genuine. You can definitely see differences between cultures. I’m talking about like a company culture or organizational culture between organizations that are saying sure something wrong, even if it comes from you know, it looks like from very senior person in the organization feel free to challenge it.  

 

Omri Kletter: 

We have a process around whistleblowing, you know we have a process around finding, you know, reporting, something that looks bad on the payment, we have four eyes or six eyes review when it goes into certain amount. Processes, and, I would say, culture, are key as part of this triangle. The third part, and definitely related when we talk about spending, is technology, and I think what I’ve seen, the organizations that took a successful approach are definitely investing in securing different junctions in the journey, right. So, we’ve seen, I think, too many organizations putting so much resources invested, for example, on the phone game or the portal, right, on the customer to bank interaction or something like that, but forgotten the other junction that could be risky. So, for example, intelligent monitoring, and I think we’ve seen in other places in the survey actually higher concern from telefraud than ever before, I would say, also connected to COVID. And you want to have different connections when it actually connects to the gateway, so it’s like maybe bank to gateway connection or different, again, different junction, so spending is critical, on hiring the right people and obviously always updating the technology, but making sure that you have different controls in different junctions and you’re not over investing in one part of the life cycle of a payment.

 

Craig Jeffery: 

I liked how you talked about processes and then gave the example of all these handoffs and you can’t just protect the front door, the side door, you have to protect the entire payment process, and is that an area where you see that people may not be looking at the entire process? 

 

Omri Kletter:

So, I would say, you know I would say that one of the best practices around that, and we’re doing it with many of our customers, the first is just to create a map of the process and map of the life cycle. You’ll be surprised how many heads of compliance or heads of fraud, even heads of payment all are not necessarily 100% clear on how the different processes of payments are taking place in the organization. So, taking the time to really map the process and then identifying maybe the points that are more vulnerable is key too, and so, like many other things in life planning is critical and building maps of different places where you want to inject technology. I strongly believe that we are as an industry move to situation that more and more transactions will get analytical score in real-time and will then the score these type of risk that will be based on advanced analytics and will impact how this transaction will be handled moving forward. So, I’m quite sure that we didn’t yet unleash the full potential of analytics and AI. We talked about the bad guys before, they are releasing this full potential, that’s part of the ability to do automation, and I don’t feel that the sophistication yet arrived to how we handle business payments is the good news and the technology is there, so you know, in a perfect storm situation where we can actually utilize it. But for that we need to have much more engagement between the different entities in the industry, regulators, banks, corporates, and vendors like us.

 

Craig Jeffery: 

Yeah, your point about this real-time monitoring their scoring is useful, we’ve seen that, on the network front, you know vulnerability scanning. I know we’re not a particularly large researching consulting firm but we run vulnerability scans, detailed vulnerability scans, every single month and it’s amazing what you find and you keep shutting stuff, you shut the stuff down, you put things in place, but it gives you a lot of really useful information, then you obviously have to have the more detailed pen test on your network and it’s the same thing with the payment process. How do you monitor the strength through the process, how do you identify issues real time? And then there’s the design front, making sure it’s tight. And you talked about processes, technology, and people, we tend to fit in this idea of structure and so that might be your banking structure, how your group is structured, because structures don’t always fit into those three categories well and we see you know people set up their banking stuff wrong, yeah great process and people, but you created an environment where there’s a greater opportunity for exposure and I know we’ve covered some of those topics before, but I wanted to bring that up for the audience to think about too. I don’t know if you have any comments on that before we shift.

 

Omri Kletter: 

First, I strongly agree with the observation here, and I know that you’re also very focused on helping organizations to benchmarking, I think is also key, to understand, will you out to measure it generally, I would say, and you start talking about what you’re seeing on kind of when you’re doing network analysis and generally many of the best practices that we learned that are critical in network protection, cyber protection and cyber analysis are absolutely 100% relevant on payments fraud and on financial crime generally. One of the critical things is to assume data and to assume the data that you think is secured is already out of the organization and can be used, for example, to facilitate that business email compromise. I think that once you are under the assumption that bad participants, bad entities, we know information that will facilitate you know they will know the password or whatever, then say: “Okay, if I knew all that if I know that sorry. Maybe that’s time for me to use unbiased analytics and to score payments to look for abnormalities”. So, it’s unusual amount and unusual things, again methods that are heavily used in cyber today should come more and more available for treasuries and when they’re scrolling and monitoring payments.

 

Craig Jeffery: 

Yeah, just a few things on that before we move to accountability, you know this idea of you know, “Hey how do I protect payment information?” Well, I can encrypt it. I can tokenize it so that if people steal it, they have a token, they don’t have the data, or, in some cases, and you know Bottomline being a payment hub provider of many sorts, well I don’t even have to keep it, I can have someone else take care of protecting that, managing the changes, so I’ve shifted it from making it, you know masking it, covering it, moving it, to outsourcing components of it. That’s really just the beginning of some of those controls that we’re talking about, but I wanted to shift our conversation over to, you know organizationally, and personnel-wise this concept of accountability and accountability with fraud, we have a number of questions and responses in the survey on this, one thing we found really interesting, and you and I’ve had conversations about this.

 

Craig Jeffery: 

We asked areas of specific accountability for people to do different tasks or to track things and one of the areas of the best level at the highest level of accountability had to do with specific accountability to track and manage fraud and this direct accountability has grown 50% with the respondents from about 24% in 2019, to 36% in 2021. I think that’s fantastic where there’s specific delegated authority to track this type of fraud and have accountability, that’s one area that I want to set up on the verbal whiteboard, if you will. The second thing that we found was encouraging about accountability was that employee training has really stepped up heavily with corporations. Banks have been really good at this for multiple years, corporations were horrible at it. There’s still a tremendous way to go, but it’s moved over to the majority are doing, you know, some payment specific fraud training. We think this is really good movements in the right direction, but there’s a lot of room, you know, 64% don’t have specific accountability. Many organizations aren’t doing training on payment security, but they might do it on you know phishing, watching your emails. When we think about this accountability and requirements for compliance, Omri, what is this meaning and what’s next in this area?

 

Omri Kletter:

Right, I started with quoting one of my best friends, Spider-Man, “With great power comes great responsibility” and the power entities have today with you know the payments going in and out is greater than before and I think what we as a society and definitely the regulators are expecting us to do is to make sure that we understand the responsibility related to that. So, you know that’s true for fraud and money laundering too, I can tell you that on one of our main focus areas and is actually not just on the traditional for but also to make sure that payments are not going to sanctions entities, right, so sanction is also a very big story around accountability and how we make sure we also have a cooperate, we are doing better to scrutinize payments and with that regards.

 

Omri Kletter:

I think, you know, the market was long waiting some disruption on this front and we’re seeing at least great interest in engaging with this front and obviously I would say that everyone who is listening so whenever I have a problem with this issue with sanctions, I have a problem with making sure that I’m scrutinizing these payments, give us a shout out because I think we’re definitely seeing a very clear trend around more and more corporates, especially the big ones, to be honest, on this front. So, that’s kind of in order to around sanctions, and that is super related to accountability, you talked about education, I think it’s critical. Few anecdotes here around a few organizations, I know that stopped use gamification in order to do it, so there is something to just break the ice, but really leave something that it stays. If you want to find business email compromise it’s not enough just to compulsory send something that all employees need to sign off, but really, for example I know a new bank in the UK that sat through a game with you know some challenging emails and you need to detect them will have or detect them first get the prize so there’s something around modernizing education on this front, which is, I think, quite interesting. And I mentioned before the concept of finding the right stakeholders in the organization, making sure that, there with the relevant background. So no question about it, and we will, as a society expect corporates and banks to do more and to be more accountable and I’ve mentioned, I think, through the webinar what’s happening in the UK, which is super interesting with Confirmation of Payee and in the notion that victims for victims of business email compromise or one of the UK terms, for that is authorized push payment, but practically the same scams. It can be compensated if it will be proven that day, the bank or the corporate whatever didn’t do enough in order to protect the consumer.
So, there is an assumption here that smarter entities or bigger entities and, unlike consumers should be more accountable for facilitating wrongdoing and unfold. 

 

Craig Jeffery:

Interesting data on the UK front, you know, on this compliance and sanction filtering so there’s these organizations that are either you know, on a fraud or terrorist or crime list, and the accountability to make sure that those payments aren’t made no longer falls solely on the banks, there’s a responsibility and liability, depending on the jurisdiction, depending on the type of situation that’s falling on organizations. I don’t know if you have any thoughts about that, is the threat of the penalty bigger, or is the issue of the potential bad headline, you know you made a payment to a terrorist organization or to someone who’s on a sanction list, is the reputational risk a bigger driver or the financial?

 

Omri Kletter:

I think both are acting hard and I think even that you know I wouldn’t forget the personal liability, so you know, in addition to the fines, in addition to obviously to the reputational concern, and I think it was right to ask a senior people within the organization to see themselves responsible and hence take like kind of level, the actions against. By the way, this is no I admired the many a fraud and enable leaders in in banks and corporates really working so hard to protect the organizations and are super committed to do it, we need, obviously, to make sure that they have the relevant tools and relevant processes and be ready for that for this fight. But you know, to answer your question I think it’s the combination of the reputational concern and actual fines we are seeing differently growing and a personal liability and there is also notion that it can be done right. So, we know that, with the right investment and focus our tools out there that can properly help you to scrutinize payments for sanction all tools out there to fight business email compromise and with the right investment and right engagement you can please be better than the competition, which is a good start. 

 

Craig Jeffery:

And let someone else get the headline. Omri, we’ve only scratched the surface on some of the data and the discussions that exist from the Treasury Fraud and Controls 2021 Report. Any final thoughts that you want to leave us with?

 

Omri Kletter: 

So, I would say so, first of all thank you that’s the first thing is saying, and I think that this you know, thank you obviously should be said to all the people who took part in the survey. We are stronger together, I think, as an industry working between banks and corporates and I get regulators and solution providers, like us. I would recommend all of us to take this opportunity, not just to reflect on where the data is, but really to think what are the calls for action. And I think between the different statistics, between the different graphs, there are many things that can drive us to do more and we are welcoming any further engagement to translate the need into programmatic approach. 

 

Craig Jeffery:

For those listening, in the notes for the podcast just see links to the survey report, additional information on the assets, like the infographics, and a link to Bottomline’s website as well. Thanks for listening. Again, Omri, we thank you so much for both underwriting the survey and for your comments today.

 

OUTRO: 

This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information visit and bookmark StrategicTreasurer.com.

 

 
