The Treasury Update Podcast by Strategic Treasurer

Episode 168

Payment Fraud: Rules for Security

Host Craig Jeffery joins Rajiv Ramachandran, Senior Vice President of Product Strategy & Management, and Ahmad Sadeddin, Director of Product Management at Coupa, to discuss concepts featured in their eBook on Payment Fraud: Assessing & Responding to an Escalating Threat. Topics of discussion center around the current situation of payment fraud, the threat levels of various types of fraud, common areas of vulnerability, and rules for compliance. Listen to this episode to learn how to protect yourself and your organization against the rise of payment fraud.

Host:

Craig Jeffery, Strategic Treasurer


Speaker:

Ahmad Sadeddin, Coupa


Speaker:

Rajiv Ramachandran, Coupa


Episode Transcription - Episode #168: Payment Fraud Rules for Security

INTRO  0:07   

Welcome to The Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in. On this episode of the podcast, host Craig Jeffery sits down with Rajiv Ramachandran, Product Executive, and Ahmad Sadeddin, Director of Product Management at Coupa, to discuss concepts showcased in their ebook on payment fraud, Assessing and Responding to an Escalating Threat. Topics of discussion centered around the current situation of payment fraud, the threat levels of various types of fraud, common areas of vulnerability, and rules for compliance. Listen in to learn how to protect yourself and your organization against the rise of payment fraud. 


Craig Jeffery  0:44   

Welcome to The Treasury Update Podcast. 


Rajiv Ramachandran  0:46   

Hey Craig, nice to talk to you today. 


Ahmad Sadeddin  0:50   

Hey, Craig, nice to talk to you. 


Craig Jeffery  0:52   

Thanks for joining in. Yeah, our topic, as was said in the intro, is a discussion about payment fraud and this is, for those that are listening, an extension of some of the concepts that we covered in a payment fraud ebook which you can find in the show notes and download to see what’s there, and there’s a few areas we want to cover in our discussion today: first the situation of payment fraud. So, what’s in scope and what are some exposures to fraud? And we want to explore, want to ask Rajiv and Ahmad about the manual and automated situation, what’s the difference between a manual payment process and the exposure there, but also how attackers are being more automated and how those that are defending their payment systems can leverage automated systems and support. So, this will touch on the tech, as well as the automation and centralization of data from a protection standpoint. We’ll have a shortlist, and explanation, of a few payment fraud types, maybe some examples. And then they have five rules for compliance which are great and we’ll try to get through as many of the five as we can, but let’s start our discussion talking about the external situation of payment fraud. I know, of course, when you talk about fraud, we try to scare people, but maybe Rajiv you could start us off and give us a headline, maybe the first paragraph or comments on what’s going on with payment. 


Rajiv Ramachandran  2:21   

Definitely to break. It was interesting. So just before this podcast, just for the sake of fun I just Googled payment fraud. And I saw 400 million search results. Right, so it’s interesting to see this topic so prevalent now as an individual, right, or as a business, or as a government entity. Everyone is impacted by it, you could be an individual thing and other individual, you could be an individual being a business, you could be an individual thing, the government, like I mean, how many of us have heard about scams from the IRS or people calling you asking you about your social security number for your tax return checks and so on. So, individuals, are impacted. Same goes with the businesses, when a business wants to pay an individual or a business has to pay another business or business with government. I think this topic has become so prevalent now that everyone’s life is affected by it one way or the other. We will all have some form of exposure to the other, we live in a highly connected world today highly digital world today, we cannot think of our lives without being connected, right? As an individual, I cannot go through my daily life if I cannot buy things online, as a business, you cannot survive if you cannot sell things online or buy from other businesses online. And same goes to government entities as well. Now, acknowledge the ability for us to control access to what our data is, how we are paying with the data that we have, technology is improved so much. Right? You know, you’ll have so much more control, encryption, the protection, your privacy. So much more controls available, but so have the hackers who kind of trick you to give that data, they have become sophisticated as well. And that’s the reality. That’s the reality, that’s the world we live and now everything is not bad, right I mean, this is, this is a simple example or relationship that I like to draw. We’re living in the pandemic, right, we talk about COVID. 
You know it’s a pandemic that affected all of us it’s affected everybody globally, but to control it, what’s the first thing that they tell you they tell you wash your hands with soap, basic hygiene, and the same thing applies for payment fraud right? If you can follow a basic set of core principles when it comes to your data, when it comes to your infrastructure, when it comes to your roles and responsibilities and permissions, when it comes to educating your community, your users, when it comes to testing and validating what you have set up in the systems. You can control payment fraud and the most important thing is, when it happens, you also need to know how to recover from it, how quickly to detect it, how to understand what are the steps you need to take? And that’s what we can talk about today because this is the reality of the world that we live in. And this is how do those basic principles of controls around your infrastructure, your application, your users, your testing and validation, you will be able to bring in so much more control as an individual, as a business, as a government, to overcome this topic of payment fraud. 


Craig Jeffery  5:32   

Yeah, Rajiv you made a lot of good points there and, you know, your, your point about every company being rolled up in this 400 million search results is, I think is indicative of the automated threat, and as we think about defenses that requires both structure, human defense, as well as system organization, data organization as well and I appreciate you setting the stage there. I want to bring Ahmad into the conversation too. Ahmad, if attackers represent the external threat of external situation, there’s also some exposures within the organization itself, it can be weak processes, structure, and structure of data banking systems, as well as controls those factor into the situation, they either support security or allows for fraud and creates exposures. What do we need to be thinking about with this in terms of these dimensions? 


Ahmad Sadeddin  6:33   

I think one of the things that we’ve seen with a lot of our customers and people we talk to is the insider threat is really a big one that a lot of folks are talking about. And I think you’ve seen a lot of laws being passed over the last couple of decades around insider threats, as you know accounting fraud has happened, payment fraud has happened inside, you know security threats. You see a lot of laws and I am sure everyone on your podcast is pretty familiar with them. It’s a really big concern right more so probably, statistically, a concern, than an external threat. We see that in a lot of numbers being thrown out in the field about how important it is to protect from the folks within your own company. When it comes to how do you trust folks, you know, there’s that great thing trust but verify, right? Is making sure that you have a lot of good controls, knowledge, and awareness like Rajiv spoke about, and a certain level of systems and processes to govern what’s happening. At the end of the day, we’d all like to trust each other internally in our own organizations and as much as Rajiv and I trust each other, but sometimes when it comes to money and payments, you really have to have the necessary controls in place to alleviate the insider threat. I’m sure a lot of people have seen in the news a lot of insider stories that are happening where people act fraudulent and wire money across the board, pretending to be a supplier, sending things to the wrong location, corroborating with a supplier, and paying them. I think that’s a really big component. I also think what is often not spoken about is also the insider threat of the beneficiary. Oftentimes when you’re paying someone, although that might be an outsider threat to the organization itself, you’re a beneficiary who’s your partner, a supplier that you probably work with more so than some of your other internal folks might have someone inside that’s malicious as well. 
So, working together, you know, in partnership as a payer and as a beneficiary to protect against the holistic insider fraud I think is a really, really important thing that a lot of companies need to put on top of mind. 


Craig Jeffery  8:42   

Just a follow up on part of what you said, I mean you talked about suppliers, internal, and a few other components there, but the thing that stuck out is, you’ve talked about I think segregation of duties and insider fraud. How much of is the problem with the segregation of duties isn’t there and the internal people farm the company the most, and how much of a concern is it that if you give too many rights, you know you don’t employ the principle of least privilege that if someone gets their credentials from outside, they also expose the organization is that, is that just the other side of the coin or do you have any way of calibrating that? 


Ahmad Sadeddin  9:25   

I think a lot of things come up from, from the question that you asked, right? I think, when you think about it is, there is what is mandated by law and what companies need to follow as just now even table stakes right, this is like zero, you have to do that. Otherwise, you’re in non-compliance–like let’s not even talk about risk, yet. We’re talking about compliance on a very basic compliance level, everyone should be thinking about this holistically view about to be governed. That minimum standard. That’s the minimum, right, and that’s not even a debatable thing. If you’re struggling with that, I think most companies should seek help, right, that shouldn’t be maintained that shouldn’t even be spoken about as something that is nice to have. On top of that is what is best practice and what you see as well, a lot of companies implement best practice when it comes to separation of duties, separation of concerns, having the right, you know token rotation or two factor authentication, having the right rotation of user, you know, security and passwords and all of that stuff, making sure your infrastructure and not many people can access it, and who can support it. All of these things are really important things that companies need to think about. I look at this topic as really an enterprise risk management topic. Every company has to understand the vectors of fraud, and where risk lies, come up with appropriate mitigation plans for it, and most importantly and where I see failure, and my backgrounds in the risk management field where I see failure is enforcement and making sure that they’re maintained. Because, risk management, and fraud prevention isn’t a snapshot that you just do this exercise once and you know Bob’s your uncle, you’re done. It’s a continuous cycle that you need to stay on top of it because fraudsters are becoming more sophisticated, they’re changing their approach your infrastructure is changing. You’re becoming a bigger attack vector, right? 
So, all of these things need to be properly done in a way that there’s a strong level of enforcement that there’s accountability being held over enforcement, and that the processes, maintain, and evolve, if it doesn’t fit the business needs anymore.  


Rajiv Ramachandran  11:37   

And I think there’s a very important thing here Craig is that if you put those internal controls right, you’re solving for both scenarios you’re solving for external threats, and internal, let’s give a very simple example, right? You know, typical example that we see where fraud happens, it’s not the sophisticated hacker trying to do some encrypted algorithm breaking and trying to do fraud, right, that’s simply somebody trying to say, “Hey, I’m a supplier I work with your enterprise payment this account”. Now, think of that scenario, that same scenario could happen if there’s somebody within your company who is saying, “Hey, I know this entity that we need to do business with just pay to this account”, in both those scenarios that data could come from an external source or from an internal source. If you have the same kind of structure in place to say look, anytime we have payment data that comes to us, we have a rule which says that there is a person who will review and approval, and there’ll be a second person who has to go and do it too. It doesn’t matter whether that sources internal, that Ahmad knows that person in the company who gave him that data versus somebody external who was giving them data. So, my point is the pitfalls that you need to put in place as a business, right, the roles and responsibilities, the processes, simple things like, if you create a payment batch to release a payment you cannot release that payment. You cannot be a creator and releaser of the payment at the same time, these are compliance rules like SOX enforces this. They want to make sure that not only do you have those, even if you have those roles, you did not do it if you are the creator right that permission level granularity is required. Even if you do a single sign on, you need a two-factor authentication before you go and release the payment. 
So, these are all good hygiene, good principles that you can enforce within an organization that can help you both against external threats, as well as insider threats and like Ahmad says that you know people always think about payment fraud, they think about it as external threats, but the impact of insider, insider fraud, is huge, and these kinds of principles bring one set of controls that allow you to prevent both and that’s what enterprises need to call. 


Craig Jeffery  13:47   

Payment fraud oftentimes is well it can be cyber fraud related or not, like you said it could be internally based, but maybe it could describe some of these payment fraud types in a way that, you know, we can think about them either from cyber fraud or from the human element or the internal threat that exists. What’s happening and why are the issues? I know we started some of that already, but maybe you could expand on it. 


Rajiv Ramachandran  14:13   

Yeah, I think we started some of that already, I agree with you. I think this is a great, I mean, Ahmad and I were discussing this. It’s an AFP report on payment fraud and controls, and you will be surprised, right? I think they quoted like 12% of threat, this is a 2020-2021 report, 12% of the threat, was related, like I said, to sophisticated cybercrime, but 60% of payment fraud, 60% happens because of phishing emails, simple phishing emails that are sent and people make the mistake. You could be an individual, you could be working for a business, these are simple mistakes that people make in sharing information that should not be shared. It could be credentials that allow you to release a payment data, it could be bank account information from which you’re making a payment, it could be even just User ID and Password into systems that you’re not supposed to give. And this is where I feel it is important for people to understand this topic and the latest something right, this, this doesn’t have to be some, you know, sophisticated hackers sitting in some part of the world trying to hack your systems. This is a simple phishing email and 60% of payment fraud starts there. Right? And another 30 to 40% of fraud happens in just data collection, right? Data collection around who to pay, where to pay, and how to pay. Right? So, this is just pure data collection. This is where 30 to 40% of fraud happens. Craig, we should discuss this. This is a good topic to discuss. I talked to a lot of customers they told me, “Hey, I want to do a penny test, and I want to validate this account”. I’m like great, but you know what, if Ahmad or I, let’s say I represent a supplier to your business. Let me just log in and say, “Yes, I’m Ahmad, I represent ABC Corp”. But I give my bank account, and you do a penny test, to my bank account and I know exactly how much came in. I have just put that number out there, and then they’re paying my bank account, not my business bank account. 
Just that fallacy, so many customers even today that simple things like, I want to do a penny test, and that gives me confidence that, there’s no fraud. No, it’s not. You’re not validating identity with a penny test. Truly, what you need to do is validate identity. Is Ahmad’s bank account in the name of Ahmad, or is it in the name of the business that you represent? And it’s a tough thing to do because there are no universal standards, you ever talk to a bank and ask them how they manage that identity data, it’s different. Every bank talks about it differently, every country captures a different, right? We have done some really interesting ways in our platform by which you can still collect information about identity as part of your payment data collection process and use that duality. We use patterns, AI, and fingerprinting patterns that we use with data that we collect across our community of customers and suppliers that helps us uniquely identify and tell every customer we provide insights to every customer around the validity of this payment data. So, you know, as you look at this, it’s important to understand that payment fraud is not something that has to be just a sophisticated cyber hacking crime. It happens in these basic principles, right, phishing emails, collecting of payment data, right, and like the example that I gave you your systems where you can, Craig, you can create a payment batch and you can use that payment. Just imagine what you can do you have the full power to create a payment, and release the payment, and the system allows you to do that. That should not be possible. If you’re the creator of a payment request you cannot release the bill, even if you have all the privileges, the system should have an override control, right? So, these are simple things and don’t let us get started on, you know, manual processes where people have all these key fobs floating around, it’s right on their desk. 
Now people are sitting and, you know keying in user IDs and passwords to upload a file, to make a payment, just imagine how many people have access to that data, right? You just walk into an office, and there you go you open a cabinet and you see key fobs, simple things, simple things. These are the, these are more reasons why payment fraud happens than anything else. I just wanted to give those examples, Craig, so that the listeners can understand around day-to-day real examples of how fraud happens in the business. 


Ahmad Sadeddin  18:50   

I think what Rajiv mentioned, is it’s super important for companies to really distinguish between a sense of false sense of security, and actual appropriate risk management. The joke I always like to make as a sophisticated hacker with a penny test, you made them a penny richer. Right, so they’ll probably get away within you get that false sense of security that I’ve done my due diligence. 


Craig Jeffery  19:13   

Yeah, let me go back to you, Ahmad, you know, the idea that there’s also a bunch of rules that you have, you’ve created, or you have a list of five key rules for ensuring compliance and good governance on the payment side. You know, this idea of we don’t want to get defrauded generally, of course, but that’s easy to say we want to make sure that the layers of security are there, segregation of duties, the principles of least privilege. But how can we do that, and I think these, these rules you have help us think about those there’s five of them, hopefully we can get through all of them, but maybe you could start with one of the rules, tell us what it is, why does it matter. And we’ll get through as many as we can. So, why don’t you want to start us off? 


Ahmad Sadeddin  19:59   

Rule number one is Central Master Data Change Management Process. And what are the things that we often see is around setting up you know, payment destination, whether that’s a remit to address for vendors, whether that’s a remit to address or where to mail a check, whether that’s an email to send a virtual card or a PayPal transfer or a bank transfer of bank accounts, what often happens with a sophisticated fraudster whether internal or external, what they’ll do is they’ll try and route what is actual, an actual transaction into the wrong account. Right? And so, what often happens is securing that and not securing it can make or break the entire fraud management system of a company. And so, what we try and do and what we try and advocate is best practices, anytime you’re setting up a beneficiary’s payment account data, it requires a few things. It requires that data is valid from both your name and content and what it’s structured as so that you don’t try and pay the wrong person or it bounces back right you’d have issues with it, that it’s created by someone, you can try and trust, and even if you don’t trust them, you have the necessary documentation, supporting evidence, and it goes through an approval process. So, we try to enforce the simple separation of duties, we try and enforce that whoever creates an account cannot be the approver of the account, and anytime approvals do happen, we create a little bit of noise around it, we notify people we tell them, “Hey by the way, something was created here”, so that you’re aware that something new is done here. On top of that, we ask suppliers, and we try and get them to provide supporting documentation. What are the things that I think is super cool, is from our vantage point, because we see the same supplier payment account or where as far as getting paid to multiple different customers. We’re trying to surface how other people use them. So we want to provide some social proof, as well. 
So, one of the things we’ve noticed some of our customers doing is they call each other and say, “Hey, what do you know about this supplier, are they trustworthy”. I’m sure a lot of folks, you know when they go buy something or try and pay for something, they look online is this trustworthy. Is their entire company’s built on trustworthiness, so what we want to try and do is also bring that into that experience. So, you know, really controlling master data, really having the right data points to be able to check things, being able to approve them and being able to deactivate them when something goes wrong, I think those are really important things that most companies need to consider, just a small one is payment again.  


Craig Jeffery  22:43   

Excellent. Yeah, so, Master Data Change Management across the board. Rajiv, number two, that you have in your list is Centralized Monitoring of Group Wide Payments. Maybe you could tell us what they mean by group wide payments? 


Rajiv Ramachandran  22:57   

Yeah, so, I think Ahmad kind of touched on, two and three as well, I’ll kind of give you a little bit… 


Craig Jeffery  23:01   

So, he cheated, he took some of your stuff. 


Rajiv Ramachandran  23:03   

And that’s why we said he will play ping-pong with each other… 


Ahmad Sadeddin  23:08   

That shows you, it’s an intense process, right? 


Rajiv Ramachandran  23:13   

I mean, these, these rules and this is what is important about these rules, right, if you look at these rules, they kind of they kind of flow with each other. When Ahmad was talking about that centralized system, with the right kind of master data set up, whether it’s your user data, whether it’s your counterparty data like your supplier data, whether it’s your account data, we talked about the controls that need to be put in place. When we talk about monitoring, think about it this way, businesses are global. You have teams in different parts of the organization, you have let’s say a business that is in a worldwide business with operations especially operations in the US, Treasury operations in Europe, Treasury operations in Asia Pacific, it’s a global organization, and what you want to make sure is some of your core processes are identical while you are truly, truly, making sure that you’re also meeting the local compliance rules in the region. Now, in that model, we try to make sure that, you know, ensuring that visibility and access to these kinds of payment instruments, actual payments and data, is controlled for a legal entity based on their roles and permissions, but at the same time within that legal structure, we also want to make sure that we do the right amount of noise. So, that we know that if there is a fraud happens, I give you a very simple example, when we release a payment, there are users who are given the role of a payment releasers, and these are a small subset of very trusted users who are actually set up with two levels of authentication before they are given that permission, but even in this kind of a group setup where you’re in global you have multiple teams that do that. 
But it’s a good hygienic practice that then one person is releasing it, two other counterparts in that same group get a notification that somebody has to release the payment, especially if it is greater than, let’s say X million euros or X million dollars, because now you’re creating a little bit of noise so that even if one of them, who is a trusted representative of the treasury organization wants to commit something, they cannot do that because that level of noise has created that education and that noise is around how smaller groups and bigger groups can start monitoring, some of these critical things, right? Large value payment, especially when you’re making a wire payment for an acquisition or something like that’s a huge payment going out. You want to make sure that there are multiple people who not only just approve and release but once the payment is released, are also getting that kind of notification so think of it as your third level of controller. Your first level of control is your setup, your roles, and permissions, second level of control is all your approval, and your third level of control is now, you still cannot get away, right, because immediately there are two other people who are kind of your peers, you may be like the VP of Finance, there are a couple of people otherwise, who are also getting notified that you will release this, right? So, even if you want to do something. Yes, you might have done something immediately there’s a notification going up, and why this is important Craig is like I said at the very beginning. 


All of us want to completely eliminate fraud. 100%. None of us want to ever, but that might not happen right? There may be still cases where this happens right, you’re not completely. So, what is more important is how quickly you detect it, and how quickly you respond to it. If you can detect it within seconds, within minutes, the amount of control you have, and how you can recover from it, it’s so much more powerful. And in that same report in AFP, we were laughing when we read that there are companies who couldn’t detect fraud for six to 12 months. Just imagine that versus you being able to recover from this within hours. Right? It’s a very very different scenario. So, that’s why we talk about, you know, monitoring of payments, you know a little bit of chattiness and notification in a very controlled way, because we don’t want this information to go to a lot of people but that trusted group of people, even within that trusted group you’re putting that control in place so that Craig can be a treasurer, but even Craig knows that when he releases something, you know there are his assistant treasurer or his controller, he’s getting a notification if it’s a high value asset that you’re purchasing and you’re making a payment for. So, those are some of the rules and I think it’s in the interest of time, the fourth rule, and this is extremely, extremely important when the Treasury teams don’t think just about payment fraud prevention, also think about recovery. Very important. You asked a lot of finance team and treasury teams, okay, what would you do if it happens, and I don’t know. How you communicate, who do you communicate with, what are your obligations to communicate internally with your board with your, with your counterparties? That plan needs to be in place as well. So, some of this is system oriented some of this is you know process oriented as well because a lot of times, problems happen because you don’t have that recovery plan in place, right? 
If you had a good solid recovery plan in place, you know how to communicate this you have obligations and you have industry standards which say, “Okay, it’s a credit card base PCI base,” you know, a component that you’re using. You have to notify certain authorities about what has happened, if the amount of fraud is over a certain threshold. So, these kinds of things need to be thought about and planning for by these treasury teams and that’s a very important principle. And it’s not just about you know people saying that, like I said I believe honestly that we will have to live with, you know, an element of fraud that can happen. We can reduce it, a lot but there could still be a potential to happen and how you come out of it also is equally important, but I think it’s more important because that tells the majority of your organization that shows the financial majority of your process. 


Craig Jeffery  28:59   

Ahmad if you could, I think you wanted to talk about raising awareness with everyone who makes payment. So, let us know about that role. 


Ahmad Sadeddin  29:06   

No, of course, I think we did touch on this a little bit but a good way to think about it is, you know, the movies romanticize the hacker that’s sitting in a room with a hoodie on and trying to break into some systems like you know I hacked the Pentagon and goes and does some crazy stuff. But I think you know the reality is far from it. I think what is being hacked, are people. I think, you know you can hack systems, but you can also hack people. And I think what Rajiv talked about is you know phishing emails 60%, that shows there’s a certain level of success with the human gullibility and I don’t mean that in a negative way. I mean, people are, you know, think about things in the best intention and if they see an email from their boss, saying “Hey, could you make a payment to the following account” or from the CEO of a company, they believe it. Right? And so, at the end of the day, what we have seen what makes a huge difference, on top of everything that you do, and I think it’s table stakes on a lot of people forget that is educate everyone, truly educate everyone about where this fraud come from, what’s the impact of fraud, why these processes are in place, or what processes need to be in place. I think a lot of people in this process their eyes roll, and they sigh a little bit, why am I doing processes, there’s a reason for that, and I think when people understand the context, they’re in, and why it’s so important, it makes them feel much more relatable to why they’re enforcing a certain level of process. And so, education I think is probably one of the biggest components that companies need to invest in, and it’s not a one time, you know, you do an online course on payment fraud and that’s and you get your little nice certificate after 15 minutes of participation. 
This is one of those things that I think needs to be a constant reminder that there’s a risk because the risk doesn’t diminish when you just educated people once, it constantly evolves changes, and people need reminding, right? So, I think it’s a really important function. 

 

Craig Jeffery  31:09   

Yeah, especially with the threat level increasing and the attack methods changing. Just like you update your regular firewall, one of our good friends always says the human firewall may be updated too. Thanks, thanks so much for your comments, Ahmad. Now Rajiv, the last rule is Find Suitable Security Measures and Technologies. What are the top things to think about? 

 

Rajiv Ramachandran  31:32   

Yeah, so Craig, this is great, right? So look, we've talked about these. We've talked about, you know, like Ahmad said, and you said, the human firewall; we've talked about people, we have talked about master data, we have talked about processes. At the end of it, let's also say this, right? The right platform, with the right kind of controls, with the right kind of infrastructure, is your solution to have in place to overcome this. Again, I'll quote that same AFP report: 66% of fraud happened on paper-based check payments. The fraud percentage when it came to electronic payments, when it came to, you know, virtual cards, was much, much lower; one was like 3% and … was like 15 or 20%. There's a reason for that, right? And what we also understand is that a lot of businesses are a little backward when it comes to digitizing their back office. They have a lot of manual processes, paper processes, and they struggle when it comes to really getting a control process in place. So what we definitely guide your listeners and businesses toward, while they're listening, is thinking about the right platform to have, and today there are very modern cloud-based platforms that are really, really efficient when it comes to putting in place the infrastructure security and the application security controls that are required. And these platform providers are doing this for their own business, in the sense that they're doing it, you know, day in, day out; they're putting teams, they're putting people in place to do this kind of sophisticated control so that they can give a holistic solution to their customers. And my recommendation to businesses is that this is where they can easily think, in today's modern world, about a platform to buy rather than a platform to build. Many of these businesses think that they have to solve all these problems by themselves. 
So when we talk about these things, like how do I solve it, how do I build all this into my component, they don't have to. And that's why I keep saying, as an example, our own document that we talk about, right? I mean, Ahmad and I own our Coupa payments area of our overall business and management platform, and this is day in, day out, this is exactly what we think about every day. How do we put the right controls in place, how do we bring the compliance, how do we show the visibility of a transaction, how do we make sure that every data point that comes into us is audited? That's what we do for a living, and that's what we want to bring to our customers. We want to give them the right tools, the right technologies, with the right foundation to help them overcome some of the challenges that can happen in a purchasing process, in an invoicing process, in a payments process. And I think that's what businesses can now think about using, because there was a point in time when they didn't have access to these kinds of modern platforms; they had to build a lot of this themselves, and it's very difficult for them. And I think that part of the education, which has begun, and what we can do with your listeners, is help them understand that there are platforms that provide this today, out of the box, and these are platforms that can lay the foundation for a good digital transformation, and a secure digital transformation, for businesses. 

 

Ahmad Sadeddin  34:59   

I want to add as well that I think a lot of folks think, you know, we can just bolt a solution onto something existing that we have, and rarely does that work. When it comes to risk management, and especially when it comes to fraud, there are so many vectors, and the surface area is so big, that you have to protect all of it. I mean, what we haven't even spoken about is whether the invoice is even fraudulent, right, to begin with. We have spoken about payments, but what are you paying? Has that been verified? Has that been trusted? And so when we talk about fraud and risk, and talk about how you protect against these things in systems, I think what a lot of people think is, okay, well, let me go find that point solution to try and bolt on top of what I do, and now it affords me the protection I need. And that's rarely the case. I find that the best way to protect against fraud is, if you take the fabric of what is a business process, your risk management controls are a thread that weaves into every single part of that fabric. And if you don't weave it through the entire fabric, you will have a weak part of the fabric, and it will rip at that seam. And so it's a really important principle to think about how we instill all of these controls in business processes and systems throughout the entire journey of a dollar going out of the company. 

 

Craig Jeffery  36:23   

This last rule about technologies: certainly the platforms can help, and I think one of the things that was discussed earlier was the power of networks, where you can leverage the inventory, or the universe, of what's going on. These are a great set of rules. I guess as we wrap up the podcast, I'd like to hear just a final point, closing points, from each of you, beginning with Rajiv and then Ahmad. Thank you. So, Rajiv, what should we be thinking about at a summary level? 

 

Rajiv Ramachandran  36:54   

Great. First and foremost, thank you for the opportunity to come and speak to you and your listeners about this topic. I think it's a great conversation to have because it's an important conversation to have, right? This is a topic that people need to be educated about; people need to understand what the threats out there are. People need to understand how they can protect themselves. Education is very important, and the last part, like I said, is, you know, people need to also be aware that this is going to be with us. It's not something that's just going to go away one day, but what you can do, the basic steps you can take to control, to protect, the hygiene that you need to put in place, it's not difficult. And if you do that right, you know, you are looking at a very mature finance organization, a financial maturity model in which you will be at the top. Putting the right platform in place, defining the right processes, looking at your control structure, using the rules and principles that we're talking about, is really a way to help you overcome this, right? And most important, like I always say, it's very important to prevent it from happening, but it's also equally important that if it does happen, you know how to recover from it, because the faster you recover from it, the smaller the impact is. And with that, I'd like to wrap up my thoughts, and thank you again, Craig, for giving us the opportunity to talk to you. 

 

Craig Jeffery  38:18   

Thank you Rajiv. Ahmad, your closing thoughts. 

 

Ahmad Sadeddin  38:21   

Craig, thank you so much for having us. This is a topic you can tell Rajiv and I are pretty passionate about; it's one of the things that we think about day in and day out. And I just want to say, you know, as we're talking there is probably someone listening on the other side, and I'm trying to imagine what this person is thinking about, and most likely they're thinking, what do I do next? So, I've listened to this podcast, what are some next steps I need to take? Do I share this with some folks? Do I think about reading and knowledge? And all of those are valid, right? I think one of the most important things as a next step, and I would encourage your listeners to look into it, is how to now have a conversation in your organization about leveling up all of these, you know, principles and processes, systems, and education. Because, like Rajiv said, it needs to be a holistic thing, and you as a listener can't do it alone. It's a multi-stakeholder journey. It's one of those things where you need to involve your IT admins; it's a lot of people in the controlling and accounting field; it's the treasury field, right? And so it's a multidisciplinary effort. I think it's not going to be the easiest journey, but it's a journey that a lot of people need to take. And, you know, I think all of the points that we mentioned today probably, at the surface level, make a lot of sense, but every organization is different as well, and you should really spend some time investigating what makes sense for you as a company. 

 

OUTRO  39:49   

You've reached the end of another episode of The Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn; just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark strategictreasurer.com. 

 

Related Resources

Payment Fraud: Assessing and Responding to an Escalating Threat

This eBook is intended to help treasury understand and fill that role most effectively by covering the current situation, the threat levels of various types of fraud, common areas of vulnerability, and frameworks and tactics for constructing a solid defense.

Episode 129 - Treasury Update Podcast

2020 AFP Technology Panel Discussion

On this special episode of the Treasury Update Podcast, Strategic Treasurer features its panel discussion on technology from the 2020 AFP Virtual Conference. Moderator Tom Gregory of TD Bank interviews Todd Yoder of Fluor Corporation, James Lock of J.P. Morgan Chase, Dr. Wolfgang Kalthoff of Coupa, and Craig Jeffery of Strategic Treasurer on the value of new technology and its potential future place in treasury management.