Episode 312
Learning from Financial Fraud Series Episode 12: Payment Flows – Understanding the Risk
Welcome to another episode of our Learning from Financial Fraud Series. In this twelfth episode, we’ll explore what can be learned from a recent payment flows assessment that led to discovering a fraudulent loss in another area. Craig Jeffery walks us through the attack method, the loss, and the key takeaways. Listen in to learn more.
Host:
Jonathan Jeffery, Strategic Treasurer
Speaker:
Craig Jeffery, Strategic Treasurer
Episode Transcription - Episode # 312: Learning from Financial Fraud Series Episode 12: Payment Flows - Understanding the Risk
Announcer 00:04
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.
Jonathan Jeffery 00:18
Welcome back to the Learning from Financial Fraud Series on the Treasury Update Podcast. In this series, we explore multiple major financial fraud cases. We discuss how each one occurred and was kept hidden for a period of time, and we dissect how it was eventually discovered and get insight and guidance on how to prevent this type of situation from happening to you and your organization. I'm Jonathan, media production specialist here at Strategic Treasurer. I'm here again with Craig Jeffery, managing partner. Welcome back to not only the Treasury Update Podcast, but this series, Craig.
Craig Jeffery 00:50
This is one of my top two series that I enjoy the most. I think there's so much value for people to be thinking about fraud. The other one, of course, is the Becoming a Treasurer series, but thanks for having me.
Jonathan Jeffery 01:03
Yeah, of course. So today we’re talking about a payment flow scam. Do you want to walk us through what the situation was?
Craig Jeffery 01:11
Yeah, we call it a payment flow scam. This is a situation where the question is: do we know what all our payment flows are? Our recommendation in working with companies is to assess your payment processes. One of those items is to have a full inventory of all your payment flows, because they're exposed. Other areas would include people, your banking structure, processes, and some of the controls that would both prevent or detect fraud quickly. So from a payment flow perspective, we were talking about a very large publicly traded company. We asked them how many payment flows they have, and they had identified 27. Then, through the process, it became pretty clear that there were a lot more payment flows. We discovered the total number was over 55. I've shared that before, certainly. As we work with companies, there are oftentimes 50% to 100% more payment flows than Treasury thinks there are. Just doing that inventory, you discover more; that exercise is useful. People can minimize that by saying, well, those aren't big payment flows. Some of them are smaller. Most of them are going through these other items, and therefore we don't have to have as much focus on it. But the fact that you have payment flows that you don't know about should be a concern. So there should be a full inventory of all those payment flows and then an assessment of each of those payment flows. How do you protect something you're not aware of? That question sort of answers itself. You can't. You can limit things by having limits on accounts or limits just on disbursements. But are you sure you have the right limits on there? If you don't have those tracked, you should at least have them tracked. You should put limits in place. There should be a way of calibrating what that exposure is and identifying how you fix that.
Jonathan Jeffery 03:07
What qualifies a payment flow to be tracked?
Craig Jeffery 03:10
Yeah, that's a good question. How we look at it is, some may think of it by category of department, like accounts payable or treasury or payroll or an admin area that makes payments. You could always think about those. You can also expand that to include inbound payments, if you're debiting people's accounts or flows are coming in, because those can be redirected. So depending on whether you look at it as we're initiating payments out or we're initiating payments in, those are two different categories, and so I'll leave that for the listener to decide how they want to look at it. But if you're trying to protect all of your payment flows in your organization, you need to map all the outbound ones out for sure. That's an initial process. The other area would be understanding the flow of funds throughout your organization, external and internal. Every area needs to be looked at and monitored, and your banking structure needs to support a good control framework. And that's an issue. If you only look at one area, where do you think you're going to get an attack? So in the case of this one company, they have not suffered a loss on the outbound payment side, where their payment process was attacked or compromised. There were certainly areas where there were weaknesses, but they could put in compensating controls, and did put in compensating controls on some of the areas where files were created and uploaded to a portal. But they have had fraud. They have had fraud that's been fairly extensive. The criminals were able to debit accounts for smaller amounts, but lots of debits over a long period of time, and the total loss reached between 10 million and 100 million. How did it go so long without being detected? Well, if you don't look at your banking structure as well and monitor those flows and have good accounting controls and process, you can face this real, significant issue.
This happened over many months, and instead of reconciling the account, identifying an issue, finding out that there's no place for it, and then rejecting or blocking those items, they allowed this to continue. They booked and recorded these things to a suspense account. So basically, they kept booking things into the suspense account while looking for the book side of the transaction. We've got the bank side, and some area hasn't booked what should have been recorded. Well, there was no area that should have booked it. And so they just kept asking, is this yours? Is this yours? Asking multiple areas. The fact that it was originated by an outside party, where there was no internal booking, exposed a gap in terms of how you monitor the accounts and how things are reconciled, and that created a significant issue. A loss of quite a bit more than ten million ensued from a failure to establish those controls on the overall banking structure and methods of reconciling, reporting, and treasury proof activities.
Jonathan Jeffery 06:10
Why wasn’t this flagged by accounting? Why didn’t they catch it?
Craig Jeffery 06:13
Well, I would say two things. One is every account should have a purpose: your depository accounts receive money; in your disbursement accounts, you're originating the disbursements; or you're isolating external debits. So that should be a flag, and treasury's treasury proof, the daily process of looking at all the transactions to see if anything is out of alignment, and having a structure that enforces that discipline. Okay, here's a debit to an account. It's only happening on these accounts that we have set aside. It's not mixed in with a lot of other transactions. So there's a treasury proof we're looking at that should say this is anomalous, even though it's small. On the accounting side, on the reconciliation side, true reconciliation is not being performed. You can have transactions where somebody didn't create the book entry to support them. And so there's naturally an issue of, hey, let's go ask, is this yours? We don't know whose this is. There are several areas that may share an account. That file process needs to be rapid. It shouldn't extend. It shouldn't roll over the month end. In our view, you can't say an account is reconciled unless it's resolved within a certain period of time. And so saying, I booked this to a clearing account or a suspense account or a waiting-to-be-reconciled account, however that's classified, means you're not reconciling the account. You're just putting it into this bucket. We've seen that in different types of organizations, in different ways. Sometimes they even put these items by year, by quarter. And so they keep dumping items into this category. They record the entry, but to a suspense account, so it looks like it's reconciled, but it's not. And I think the discipline of defining what reconciliation is, and reviewing it, is an essential action for any type of accounting role, for the reconciliation process.
So the treasury proof should detect things pretty early and identify any major anomalies. But when it's going through accounts where things can happen, other people can debit that account, and that's normally known. The treasurer may not know that; the accounting function, the reconciliation function, should find that out. That should never go on for very long. It should certainly not roll over month over month.
Jonathan Jeffery 08:31
Makes sense. So it’s a shared blame between multiple different parties.
Craig Jeffery 08:35
Yeah. Well, in this case in particular, debits were allowed from other parties. And so I would say that the core focus was on the accounting role and what a reconciliation is. But there is some shared responsibility as well: is the banking structure designed in such a way that only third party debits are coming out of designated accounts? Are you routing that through accounts with lots of activity, so it's buried? If you want to hide something, hide it amongst a lot of noise, a lot of transaction activity. So a well designed treasury system, banking system, isolates activity by type, by kind, and should spike these items out so they're easier to discover.
Jonathan Jeffery 09:20
So what can we learn about this? What’s some best practices that were missed and that we need to keep in mind?
Craig Jeffery 09:27
The payment process assessment, or your overall treasury assessment on your structure, your systems, your processes, controls, and your payment flows, is essential. That needs to be done at least every other year, at least every two years. You should go through that to identify 100% of your payment flows. You should also be able to define, here's what our banking structure looks like; here are the types of activity that can run through each account. And then, do you have controls in place where reconciliation is done? Putting a plug figure, just because you call it suspense or clearing, when that's not a one or two day timing difference but having that plug figure hide things, is a breakdown of the controls. So look at controls from end to end, from when payments are originated or when debits are authorized or allowing another party to debit your account. All that needs to be documented, end to end, all the way through to reconciliation. So treasury proof, where files are, access to banking information: that assessment and that view, the schematics, the overall flows need to be documented, evaluated, compensating controls put in place, and making sure that the human element as well is trained. We're all familiar with the phrase people, process, and technology. Well, it's people, process, technology, controls, structure. Those are some of the elements, right: having a full inventory, understanding what people are doing, making it so it's easier to discover things by the structure, having full information reporting to see it and identify things quickly, and then having a plan for addressing those. That's all a big list to what you asked, but you need to have a full assessment on how you are protecting your cash. The payment process is a significant part of it. Your banking structure is another. The human element is a third area that needs to be done.
Jonathan Jeffery 11:31
So from an accounting perspective, if you’re having trouble locating or categorizing these transactions, what’s the downside of being extremely conservative and blocking things, if you can’t get an answer from different departments?
Craig Jeffery 11:47
What's the danger of blocking it? Having a false positive or a false negative. You block something that shouldn't have gone through, versus you let something go through that you shouldn't have, or you block a utility debit or perhaps a tax payment that you didn't see or didn't recognize. You might have some fines or fees with that, or have some damage with your counterparty. You can certainly block more items than you should, and you can certainly let items go through that you shouldn't. And so what's the danger of a type one or type two error? Right? So there's a pretty big risk if it's a large amount and you don't block it and it was illegitimate; that's a very negative consequence. One of the things that we've seen, and I probably would have answered this differently, John, if we go back about six years, it would be like, if you think it's right, make sure you pursue it. You have a certain period of time that people can get back, and then decide whether you reject it within the window or not. It would have been a little bit more flexible, some judgment on that. Hey, this really looks like it's a payroll item, or it's a utility, or this says GA state tax; the tax department didn't get back. Maybe let it go through, maybe not. Now I'd be much more rigorous on blocking anything that you weren't aware of and rejecting it. You give the different areas whatever limited time they have, two hours, four hours, to respond or it gets returned. So criminals are quite good at sending messages through that. You know, they identify the ACH type, and it might say tax payment, merchant card fees, MasterCard fees, Visa fees, bank fees. They put different codes in there that look like, oh, this is the bank charging this, this is our card company, this is a taxing authority. They put those in there so it's like, oh, I don't want to reject that. You know, criminals have their own podcast.
I'm sure they're going, you know, how do you make it so that people don't reject the stuff out of hand? Make it look like it's a real payment to the king. It's, I don't want to reject that, because the king is going to get me. Some way of just creating it so it's harder. The other thing that they do, that they're doing more, and we saw this really start around five years ago and it has extended, is removing security layers. I know we talked about some of that before, but if you have electronic pre-authorization, a method of blocking all payments other than authorized ones, the criminals will go around trying to remove those pre-authorization blocks or debit filters or other blocks, or they'll try to add rules that allow certain payments to go through. They've done that for a long time in different areas, but now we see it going after banking systems. I want to remove that. Oh, I want to change where you're remitting payment. Oh, you do a callback confirmation. That's a control. How do I get past that control? Well, I'll work on getting you to change what the contact information is, or who the authorization person is. So-and-so's left; this person will be handling banking, AP, any changes that exist. And so that person is there. They're communicating over time. Then when a change is put through, you go back to your record and say, we need to confirm this. They go and call. Now they're calling the changed person, who's like, oh yeah, send it to the account I control. That's fraudulent. And so they'll change that. And so they keep going: how do I remove that? Or how do I get around the controls that you have in place? So just think like a criminal. How do I do it directly? If they blocked it, how do I remove it or work around the controls that they have? And then you'll do better on your controls if you just think how a criminal would think.
Jonathan Jeffery 15:39
Think like a criminal, I like it. Any other final thoughts before we close out this episode?
Craig Jeffery 15:45
I would say everyone should inventory all their payment flows and look at their banking structure to ensure that it’s designed to support not only good cash management, but effective controls, both from accounting standpoint and a treasury proof standpoint.
Jonathan Jeffery 16:01
Cool. Well, thank you for sharing. There's a link in the description if this is the first episode you've heard from this series. We've got 11 other episodes so far. Head down there and check them out. Thanks.
Craig Jeffery 16:11
Thank you.
Announcer 16:15
You've reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.