Payment Security Webinar Series: Principles of Payment Assessment


Date: Friday, June 16, 2023

Time: 12:00 PM – 12:30 PM EDT

Where: This is an online event

Speakers: Craig Jeffery, Strategic Treasurer

Hosted by: Strategic Treasurer

Description:

A formal assessment of a company’s payment processes typically reveals 50-100% more payment processes than they believed they had. Every payment flow is a point of security exposure, and it is difficult to protect what you don’t know exists. This webinar will discuss the principles of a payment assessment, offering practical insights and leading practices for completing a thorough inventory, formally documenting it for institutional knowledge, assessing controls and types of payment flows, and examining your organization’s overall situation with regards to payments.

For more on payment security visit securetreasury.com

For a free security snapshot: strategictreasurer.com/snapshot


Transcript

Announcer 00:41

Okay, well, welcome everyone to today’s webinar titled Principles of Payment Assessment, the second in a series of webinars on payment security. This is Brian from Strategic Treasurer, and we’re pleased you could join us as we take a look at practical insights and leading practices for completing a thorough inventory and examining your organization’s overall situation with regard to payments. But before I introduce today’s speaker, I have just a few quick announcements. Zoom offers several different ways for us to interact today. If you would like to post comments or questions viewable by all attendees, please use the chat icon in the toolbar. If you would like to ask your question to just the presenters, please use the Q&A icon in the toolbar. You can ask your questions at any time during the presentation, and we’ll try to get to as many as we can. But if we don’t get to your question, someone from our team will gladly follow up with you. There will also be a few polling questions throughout today’s webinar, where you’ll be able to select your response from a list of multiple choices; you will need to click the submit button on the polling questions to have your response recorded. And last, please ensure that your Zoom display name includes both your first and last name, so we’ll know to whom we should send the credits. Our speaker for today is Craig Jeffery, Founder and Managing Partner of Strategic Treasurer. Welcome, Craig. I’ll now turn the presentation over to you.

Craig Jeffery 02:19

Thanks, Brian. Good day, everyone. It is good to present on this topic, to have a conversation. I know it’s mostly one sided, other than responses through the chat box and the Q&A panel. So I appreciate you taking some of your time to cover this important topic about principles of payment assessments. This may not be a topic or a title that you’ve heard about much or thought about too much. Maybe the description helps you. But let me begin by going through our agenda for today. So we’ll start off with the situation, the fraud threat and trend. What are we seeing? Why is this important? It’s probably why you’re on this particular webinar, because you know the threat level, and you’re trying to do the best you can to make sure your company is protected for existing threats, as well as prepared for new ones. Then we’ll look at the topic of an inventory, an inventory of your payment flows. It’s really hard, in other words impossible, to protect what you can’t see or what you don’t know about. There’s an element of magnitude if we look at all of a company’s payment flows. Oftentimes, that’s not what’s in treasury’s mind; they think about the main payment flows, the main systems that generate payments, but it’s not comprehensive. And so things are left off. And this is particularly common. The larger the organization is, the more complex it is; as you’ve added and acquired companies, new payment flows, payment streams come on board. And so we’ll talk about what it means to have an inventory of those and the importance of that. Then we’ll look at banking structure. We think about the common phrases people use about people, processes and technology. And those are really good ways to look at how an organization runs and fits when we think about payment security. Those thoughts should also include the structures we use, the organizational structures, but we’re going to be talking today about the banking structure.
How does your banking structure support good security as your payments flow, to help detect a problem, to help prevent problems from occurring, to provide a type of discipline and to support the services and security features that banks offer, as well as the information tools and methods of securing payments, payment processes and accounts used for payments in an organization? So this is quite, quite important. And then finally we’ll look at improving standards, this idea of your standards of secure payments. What was acceptable five years ago is probably below standard today; what you’re doing today, if it’s not continued to improve, will fall short in the future. We see these changing standards, or changing minimum standards, in many different areas of life and in the business world. And so we’ll talk about that continuing standard and how we can stay current with what’s going on and what we need to be doing to protect our organizations. So we’ll begin, as with many types of things with security and fraud, by scaring people. It’s kind of like a requirement to say, you know, what’s the threat? The four types of attack methods: criminals want to take your money directly. If they can control an account, they can move it themselves, they’ll do it, and they’ll do it right before a long weekend, like some of you have a long weekend with Juneteenth on Monday when the banks are closed. They’re going to do that, take it directly at the time that suits them. If they can’t take it directly, they will look at how they can convince you to send money. So we’re familiar with business email compromise. Still important is locking up data for ransom, or locking up data and selling parts of data for ransom. Or they’ll steal your data and sell it. So those are some of the different methods and protocols that the criminals use to lift money out of organizations or steal data and convert that to funds for them. What’s going on with fraud?
You’re on a webinar about fraud; you know it’s a significant issue. Here’s a couple of data points from the Treasury Fraud and Controls survey done with Bottomline in the last year: to three quarters experienced or had suspected fraud happen. I guess it depends on how broadly you define it, because there’s some definitions that would make that 100%. But had experienced or suspected fraud, not necessarily just gotten emails that were phishing emails, of course. And nearly all, 85% of your peers, plan to spend more or significantly more than last year on treasury fraud prevention, payment fraud detection, or different types of controls. And this is multiple years, year over year, stacking up plans to spend more or significantly more. So your peers are spending more because of the threat level. So with that, dispersing or dispensing with the standard issues of fear and concerns that are real, that’s a good reminder. But let’s go to our first poll question, a single choice. Have you had a payment security assessment? If you have, when was the last time? Was it within six months, within a year (six to 12 months ago), within two years (12 to 24 months), more than two years, or we’ve never had one that I’m aware of. Now, what I’m saying is it’s not just that there was some audit, but something that looked at the different payment processes and the payment security that existed in your organization. So I’m really interested to see, in this group of people who are attuned to payment security, how many have had this type of assessment, and my hypothesis would be it’d be even lower with those that aren’t on today’s webinar, who may not have as much interest in payment security. We’ll give everybody a moment to enter that and hit the submit button. There are some instructions on the side. And today’s Friday, so we’ll be nice. We’ll just say if we get 75 people typing the word poll in the chat box, we’ll send out all the responses to the poll question.
So 75. I don’t want to mention it again, so just type that in, and then you get it. For those who are new, the first time, it’s just something we ask. All right. This is highly encouraging to me. 30% did it within six months, another 22%, so just over half have done some type of payment security assessment in the last year. This is a truly, I’ll call it, enlightened crowd on payment security. I really like that. Another 7% had done it more than a year, maybe more than two years, ago. And then 41%. That 41% would be a lot larger in another organization. This is a significant issue for many, many, many organizations. So kudos to those who have had one. We’ll go through some more detail, so maybe you can be patting yourself on the back, maybe there’s some other ways to pick up things to learn from, or just consider incorporating into your assessment. We’ll go ahead and close that down and we’ll move on to security needs. So when we think about the security needs, the subtitle here is “Treasury’s Role as Superintendent of Payment Security.” So we believe, and make arguments, that treasury is the superintendent of payments. And by default, they’re the superintendent of payment security, necessarily, because they’re the superintendent of the broader category. What do we mean by superintendent? If you went to school, or you had schools where there were superintendents, they were responsible for overseeing the overall operation of the school. They didn’t serve in the cafeteria, they didn’t teach all the classes, they didn’t mow the lawn, they weren’t the janitors. But they had a responsibility overall for the school. And in the superintendency, or as superintendents of payments, treasury is responsible for protecting cash; treasury owns cash. That is pretty easy to understand. And as part of owning cash, they’re responsible for protecting it.
And they manage payments. Payments run through banks; they’re in the best position to manage and oversee payments, while not necessarily doing everything related to payments, and not necessarily doing everything necessary for payment security. You would certainly use your CISO, your chief information security officer, or data security; there’d be AP, there would be other areas that have key and vital needs as a company to be responsible for protecting it. But this idea of treasury as the superintendent of payments: treasury’s also the superintendent of payment security, relying on other areas. That’s so vital. So with that, we think about what this includes. And there’s a lot more I could say than on just this one slide. But we have another 18 minutes in today’s short webinar. So I’ll try to be brief, as hard as it is to control how much they say. So treasury’s responsibility. We just put a gray box around process and structure here. There’s much more. Treasury at the top on the human element side, or the human firewall, would be making sure people are trained and tested not just on cybersecurity, but on payment security, about payment processes, about the criminal playbook, which we talked about with four examples of what they’re trying to do. But from treasury’s responsibility on the process and on the structure, a few things to consider and evaluate. One is on the payment flows. The first step is those need to be identified and inventoried. And a complete inventory of those payment flows is vital. How do payments flow through your organization? What’s the starting point? How does the data or the information, or even checks, if you have them, how are they created? How do they move forward all the way until it lands in someone else’s bank account, you get confirmation that it’s come out of yours, and everything’s reconciled? So a full inventory is an essential first part, right? Just knowing what all of those flows are.
Payment types, payment system, bank, all the way back through returns and exceptions. And then assessing those payment flows, calibrating what level of security exists, where there are issues or gaps, as well as identifying some compensating controls that may need to be put in place to provide a minimum level of security. And those processes should be documented in a way that’s useful for treasury or for leaders to say, here’s what’s going on, here’s what makes sense. Four pages of swim lane flowcharts oftentimes doesn’t provide that level of information that’s useful or is used. But making sure that it’s documented. From a structural standpoint, we’ll talk about this for a moment, but how you set up your banking structure allows you to spot anomalies, to gain access to information, to use and leverage the services that your banks provide for security. These are some of the key areas that treasury plays a part in. And technology: you know, your IT group is going to have a lot of really significant things to say and help in protecting the organization; they do their part of the IT from there. So we’ll move on to the payment process. What do we mean by a full inventory of all payment flows? One thing is interesting. We do assessments with companies on their payment security. One of the first things we do is we come up with a full inventory of all payment flows. One thing that’s really, really consistent is that most companies have 50% more to double the number of payment flows than they initially think in the beginning. And I’m not saying this is the case for a tiny company that has one or two payment flows. But for multinational companies, you know, 500 million or more to 50 billion and more in revenue, there’s a significant number of those. So what do we mean by all the payment flows? So it would be what systems these payments are being originated from, out of what entities, running through which bank accounts.
So as you look across these four domains, the different entity structure on the far left, to types of payments, to payment methods, right, we didn’t even put payment methods like low value payments, high value payments. In the US, you might think of ACH or wire, maybe running through some different channels, real time payments, and as you cross the globe, there’s a range of different payments. So there’s different flows, different cycles that need to be looked at. At the same time, they are hitting and going through different bank accounts. And so the inventory is: look at all the different entities, examine the different payment types. Where can you find that information? You might look in your chart of accounts on the GL, on the cash side, for a full inventory there. Sometimes one GL cash account touches a significant number of payment flows, or it’s all rolled up. And so you have to have some detail within those areas. Account analysis statements from your banks will show payment volume and types of payments to give you some additional insight into where they may be. And same thing with bank statements; bank statements are usually pretty comprehensive if you have a full inventory. And then I’ll leave the right side: from ERP, accounting platform, the treasury platform, foreign exchange platform, HR, like payroll, there’s a lot of systems. Some companies have more than 30 different systems that generate payments, and usually generate more than one type of payment. So these are areas where you need a full inventory that needs to be reviewed across the organization, formally documenting the complete inventory. Now I think about a payment process, when I think about a payment process, I think about it from start to finish. And people can pick things up earlier on in the payment process, maybe they put it down to procurement. And you can perhaps go farther than reconciliation, like close of books, for example.
But just a couple of things along the way, when we think about the handoffs for making payments. And you’re probably familiar with business email compromise, the situation where someone gains control of someone’s email, says we’re changing our payment information. So that payment information has changed in, let’s say, accounts payable from this account to another account. It’s changed to an account that the criminal controls or has access to. A regular payment gets approved. Now it’s sent to this new account. And the criminal transfers that offshore somewhere, removes the money from the banking system, and the fraud has occurred. That’s just one example, near the beginning of the process. Or if someone gains access to the payment files: an internal user, or someone who’s gained access to someone’s credentials, and now can alter a file. So as you look at the start to finish, how are these things set up? How are payment records changed? How is the batching process working for today’s AP run, for treasury payments? How are we getting that information to the bank, sending it along, and eventually reconciling it so that we know that all the payments are accounted for from an accounting perspective, which can sometimes identify missed items, fraudulent items or a problem with the process? But as we look at the bottom, below the start and finish line, you can see validating information, controlling the handoffs, making sure nothing is captured, controlling the files, file controls and other types of reconciliation. Does it keep track of the number of individual records, and is there a control total? So you know there’s 705 transactions there? Are there amount totals? Are there some types of hash totals, so a mathematical calculation that shows the file couldn’t have been altered? And limiting access? You know, I can give a number of examples. I’ll give just one today: a file is placed on a server.
And then someone takes that file, sticks it on their desktop, and then loads it, maybe even changes it, loads it into a bank portal, and then maybe they have the secondary control, someone releases it and sends it to the bank then. That payment file now can be altered with any kind of editor, editing the file and sending it on. And that’s just one example. There are also different methods of accessing files. Even when you have a schedule of looking every three minutes to find a file and send it on into a more secure environment, someone can turn off the scheduler, especially if there’s not the limiting of access to the principle of least privilege, and documenting that and alerting, alerting people to those types of changes. So this is a quick run through of what exists here when we think about the start to finish of payment processes. What controls need to be put in place? How do you store and protect this valuable information? Those are all parts the assessment needs to consider: the handoffs, the data, how that’s controlled, how that could be compromised, and what methods stop that from being compromised. We’ll move over to reviewing the banking structures. So you know, these are just two hyper simplified models. The one on the left is a small company; they may have a single operating bank account where everything flows into that one bank account and everything flows out of it. This is a common way that organizations start, and then as they grow, they add collection accounts, disbursement accounts, maybe payroll accounts. The fact that the complexity changes over time is reflective of the size of the organization, the flow of information, and volumes of transactions. How intensive is the company with regards to payments, for example. The header or concentration account structure here is all the collection accounts feed into the concentration account. And the disbursement accounts on the right hand side are funded by the header or concentration account.
Again, this is a simplified picture, for maybe one bank where there’s seven accounts. But this type of model says now I can have standardized controls. In an operating account, maybe I couldn’t do as much debit filtering or debit blocking, because I have everything going in and out; I have to be very careful. But I can still use what the banks offer at the account level, or at the individual transaction level. There’s different services that block everything, or allow for certain transactions for certain counterparties to go through. And so when you have a header, a concentration account, this structure helps you see at the macro level: I only see summary information going through my concentration account. I only expect deposits going into my collection accounts, or NSFs on the collection side. On the disbursement side it would be similar: I expect disbursements coming out from individual accounts. Maybe I’ll have some of the debits in an account, and we’re monitoring that. And then leverage and use the services the banks provide to protect those particular accounts. And that brings us naturally to our next stacked poll question. And so we still need 18 people to type the word poll, but payment flows. First question is regarding payment flow inventory: do you have an inventory? We have a formal list of all flows, a partial list of all flows or most flows, maybe it’s a little bit informal, and we have no central list. That’s the first one. The second one is check all that apply. The first one, most of these should be, I think, select one, right. Regarding payment flow documentation: we have documentation of each payment flow and the handoffs and controls, documentation of some, and limited or no documentation of payment flows. I’m really interested to see where this elite group sits, especially since over 50% had identified that activity. All right. We’ll leave that up. I’m going to move to the next slide while you answer that.
Just because these 30 minute webinars are quick. So, you know, what are the organizational standards for assessing and improving your status? These are four different levels that we could refer to: world class, leading practice or strong, standards of good corporate conduct, and below standards. And below standards is, this is not something that’s commercially reasonable. You’re saying, well, the bank is going to protect me if there’s an issue as long as I do reconciliation every once in a while. You’re not using any of the standard offerings that the bank provides, despite them asking you numerous times, because you haven’t had a fraud. And standards of good corporate conduct is the minimum side, and you can improve those with compensating controls or overall process changes. World class: some organizations, if you’re a payment-heavy company, like a health company that makes lots of claim payments, or an insurance company, anybody else who generates, you know, hundreds of thousands, millions, tens of millions of payments a month, probably wants to be world class. But there’s different levels. What does each level mean? And so those are some things. Where are you, and where do you want to be? Not everybody needs to be world class. But it’s very important to know, in your inventory, where each payment flow sits and how you evaluate it. Going back to the poll responses, I’ll just make a few comments on those. And you’ll get a list of those; I see we’ve exceeded our poll, we’ll type the word poll there. Payment flow inventory: just about 50% have a formal list of all flows, that’s very, very good. Partial list and no central list, you can see those numbers, 38 and 15%. The documentation of each flow at 51%, that’s the handoffs, the control points. That’s, again, quite excellent. Documentation of some payment flows, this is really common with what we see.
And I suspect that this is a generally more aware audience on the fraud side attending the webinars. So we’ve selected down a little bit that way. And that’s only a hypothesis, I don’t know. But limited or no documentation of payment flows, about one in nine companies. So yeah, a very, very big mix of the haves and the have nots. And so those that have it, what’s the next step to make your standards better? Those that don’t have it, let’s get the inventory going and move on to the next section. Just really quickly, you know, as you look and you have the inventory, so here are the entities, the different areas and payment flows, what system is being used, what bank, and then the ability to score. What’s the current status? So you can use the A to F range, you can use your own standard. Do you have compensating controls to help make that better? If you put in compensating controls, does that move it up to something that’s considered acceptable, if you have a C? It’s not not adequate, but compensating control gets you. And now you’re making some changes. Maybe you’re putting in a payment hub offered directly from a vendor, from a TMS that is a payment hub. This provides some opportunities there. So scoring and seeing what these are, with the compensating controls and the list of actions, is vital. Now, as we continue our sprint through today’s topic, what are the takeaways? It’s really important to have a complete inventory and evaluate and assess your payment flows. If you’re treasury, this is required. Every bank account’s a point of exposure; it’s a point of cost. If you don’t have an inventory, you can’t protect it. If it’s not evaluated, you don’t know how to improve it. So those are foundational concepts. I know they’re not hard. But it just helps talking through those. And this is how we protect against criminals. Be thorough, that idea that 50 to 100% or more payment flows are found than previously thought.
This is, it’s really interesting to see how this comes about. On an outsourcing basis, do you use someone to help you with this inventory and documentation? Do you pass that on to a third party, maybe your audit company, maybe a consulting firm like Strategic Treasurer? We find it’s really helpful to have a separate set of eyes go through it quickly, document things, and get your list of actions, which you may or may not need help implementing changes for. But it provides you with that base. So quite a few takeaways. Thank you for your time today, for responding to the polling questions, and engaging us on this. I’ll turn it back over to Brian for the final announcement.

Announcer 29:28

Thank you, Craig. And thank you, everyone, for joining us today. The CTP credits, today’s webinar slides, and a recording of today’s webinar will be sent to you within five business days. And consider getting your free security assessment snapshot by clicking the link in the chat box. Thank you and we hope you have a good rest of the day.
