Securing Your Receipts


Date

Tuesday, June 20, 2023

Time

11:00 AM – 12:00 PM EDT

Where

This is an online event

Speakers

Sarah Mille, Deluxe
Jim Woods, Deluxe
Craig Jeffery, Strategic Treasurer

Sponsored By

Deluxe Corporation

Hosted By

Strategic Treasurer

Description:

Securing inbound payments and outbound payments continues to be top of mind for many companies. The risks of fraud and data breaches are at elevated levels and continue to rise. In 2022, 65% of financial professionals reported they were victims of either attempted or actual fraud. Fraud considerations on the receivables side are too often ignored or minimized. Securing inbound payments is vital.

This session will explore how you can assess the security processes and standards for payments flowing in through your lockboxes (paper and electronic). What are the common issues that create problems? How can these issues be controlled or mitigated? New security standards are needed to provide reasonable care and control over your inbound payments.

In this webinar, you’ll learn:

  • Top considerations to keep in mind when designing an inbound payment process and evaluating services.
  • Security questions to know and answers that are required.
Transcript

Announcer  00:35

Welcome everyone to today’s webinar titled Securing Your Receipts. This is Brian from Strategic Treasurer and we’re pleased you could join us as we discuss how you can assess and improve the security processes and standards for payments flowing in through your lockboxes. But before I introduce today’s speakers, I have just a few quick announcements. Zoom offers several different ways for us to interact today. If you would like to post comments or questions viewable by all attendees, please use the chat icon in the toolbar. If you’d like to ask your question to just the presenters, please use the Q&A icon in the toolbar. You can ask your questions at any time during the presentation and we’ll try to get to as many as we can. But if we don’t get to your question, someone from our team will gladly follow up with you. There will also be a few polling questions throughout today’s webinar, where you’ll be able to select your response from a list of multiple choices. You will need to click the submit button on the polling questions to have your response recorded. If you are here for CPE credits, you will need to answer at least three polls today. And last, please ensure that your Zoom display name includes both your first and last name, so we’ll know to whom we should send the credits. Our speakers for today are Sarah Mille, Senior Lockbox Manager at Deluxe, Jim Woods, Director of Outsource Services at Deluxe, and Craig Jeffery, Founder and Managing Partner of Strategic Treasurer. Welcome Sarah, Jim, and Craig. And I’ll now turn the presentation over to you.

 

Craig Jeffery  02:19

Thanks so much, Brian. And it’s good to be speaking with you two folks today from Deluxe. Thanks for spending time with us going over today’s topic. There’s an agenda; you can see the rough outline of the agenda on the screen in front of you. I’ll just talk you through it for a moment, and then we’ll get into the content. So we’re going to be going through fraud: what is the situation with fraud? Fraud is increasing, many companies have experienced it, almost all of you recognize that the threat is increasing on a year over year basis, either increasing or significantly increasing. And this brings about a required response. On the receivable side, there are a number of complicating factors, complexities and problems that need to be addressed in light of a growing fraud environment. Then we’ll talk about the role of the lockbox, and as many of you know, Deluxe not only makes checks, but does a significant amount of lockbox activity with a number of innovations there. So we’ll look at the role of a lockbox from a micro and a macro view, paper, electronic, how that fits into a company’s plan for efficiency, scalability, as well as control. We’ll touch on payment security: how do we improve the process? And you’ve probably heard the quote many times, improving part of the process suboptimizes the whole. And so this comprehensive look at payment security is really part of looking at the entire process from an end-to-end perspective that’s essential for managing the control. And then how do you evaluate lockbox services? What are some of the key pointers for looking at lockbox services? So we’ll cover some of that. And then finally, we’ll end with some of the key takeaways: what’s a summary of what we learned? What are some of the items that, if you forget most of what’s said, what should you take away from today’s webinar? And with that, I’ll bring it. We’ll start with fraud and I’ll turn it over to Sarah.

 

Sarah Mille  04:23

Hey, good morning. So, payment fraud is a complex and ever-changing issue. Fraudsters continually adapt their tactics to exploit vulnerabilities in the payment system. Payment fraud has been a significant concern for corporates for many years, not the whole corporation; 73% have experienced fraud, or have suspected fraud, in the last 12 months. 78% of the respondents believe the threat level has increased in the last year. Tactics that have been used, such as phishing, social engineering, malware, hacking, and spoofing, are online fraud techniques that continue to become more and more prominent in the industry. So obviously having fraud on the top of the mind is important. And having the right controls in place is key.

 

Craig Jeffery  05:14

Yeah, that’s really good, Sarah. You know, the idea that the threat level is elevated, it’s increased, and it continues to increase year over year, despite a lot of activity, is the warning sign, right? Anytime you have a topic on fraud, it’s like, how do we get everybody scared? Because the threat level has increased. And so with that, we manage that properly. So some great points. So we’ll jump over to payment fraud controls. And Jim, you know, I know, I’ll probably let you jump in with. I know you have some stories about this. If you want me to do a little bit of overview about outbound and inbound, I could do that before or after, but I wanted to get you talking as well.

 

Jim Woods  05:58

Sure, good morning, Craig. Yeah, if you want to just give a general outline, we can do that. And then I can jump in about some specifics within these categories. And, you know, a story that I feel, especially on the inbound side, touches just about all of the four things that are listed there below. So if you want to go ahead and take it away, and then I’ll jump in, that’d be great.

 

Craig Jeffery  06:18

Yeah, great. So you know, on the outbound, so that we have time to think about payment fraud, as when we’re making payments, our companies are making payments, we’re sending things out, and we’re concerned about AP, we’re concerned about someone altering payment files we have, creating fictitious invoices that get approved, or changing address information. There’s a real heavy focus on the outbound side. Many companies aren’t thinking on the inbound side, when payments are received by a company, someone who stands in the middle and perhaps redirects payments to the criminal site, or to a site or an account that the criminal can control. And sometimes that’s the case because, only 10. Maybe we don’t think about that as much because the paying company tends to be responsible if they were spoofed, and they still have responsibility to pay. But we think about some of these different areas. On the inbound side, it’s not something we think about as much. So things like postal fraud, internal fraud, you know, in an era of COVID, where people moved home and are remote, or you use a lockbox provider, we may not think about some things like internal fraud or postal fraud as much. But to provide protection, and to think about controls, requires both sides, both the AP side and the AR side, if you want to think about it that way. These are some of the vital areas that Treasury, as the owner of payments security, needs to be thinking about, and whether you’re in AR or AP, you have vital activities to undergo and to take on to protect inbound and outbound payments.

 

Jim Woods  08:01

Sure. And Craig, I feel like a lot of where you say the heavy focus on the outbound is because those are the very high-tech levels of, say, fraud and scamming and hackers and, you know, business email compromise, you know, the BEC, the redirects, things like that. You’re thinking they have this group of hackers sitting in a room and taking over your computer in this high-level, you know, tech that goes into those types of frauds. But in reality, a lot of the frauds, especially that we experienced in the lockbox world, are on the inbound side. And it’s things as simple as postal fraud. It’s, you know, things from, you know, you go and you put your payment in the mailbox. And believe it or not, the US Postal Service a couple of years ago began to redesign all mailboxes. You may notice this, people, when you go to a mailbox, it’s not the open wide, and it’s now a curve, because what they were finding was people were taking fishing line, and putting gum on the end of fishing line and going down into mailboxes and pulling out checks. I had that in one of my past jobs where a whole mailbox of payments was stolen. And that, you know, simple of a method. Other times, I remember seeing a story in The New York Post about a mailbox that was ripped up off of the street and stolen, with payments in it, you know, things like that too. Now, you know, there’s been a lot of stories recently in the city of Chicago, where gangs are taking family members of theirs who have clean backgrounds and whatnot, and actually having them apply for jobs within the Postal Service. And this isn’t to throw, you know, a negative light on the postal system. But payments are touched in a lot of places along the way from where you go and you put your envelope in the mailbox until it’s actually received at its final destination. There’s a lot of places along that route that aren’t as complicated as trying to get your email and compromise your email.
It’s a very simple, you know, see a piece of mail, steal a piece of mail, see that there’s a money order inside it, what they call check washing, which is our item at the bottom, wash out the money order and make it out to wherever you want. In a previous role that I had, I actually had the experience of having to go testify in front of the grand jury in New York City, because a client of mine, one of their employees, and this goes to internal controls, she’d worked at the company for 32 years, the owner of the company had sent her kids to college, paid for their college tuitions. And while she was working for this company, because that was like, oh, everybody trusted, you know, Sally, you know, to use a fictitious name, she was great. But what they didn’t know was, she was very calculated about it. She would reject money orders that needed to be decisioned in an online decisioning portal so that the money orders would then be mailed back to the office, she would get them back in her office. And she would sometimes just white out over it and pay her Con Edison bill, pay her Optimum bill, just with somebody else’s money order that was meant to pay their rent that the management company, and she would do all of those things. She did it to the tune of about $250,000 over numerous years and went to jail for it eventually. But I wouldn’t say it was because of great internal controls at where she was working. It was actually on the other end that it was caught, by the place that she was making the payments, because she got so brazen at the end that she was just crossing things out and writing, like, she wasn’t even washing it or doing anything like that. It just got so, you know, over the top that then it got caught, and you know, but that kind of touches everything in there. That’s postal fraud. That’s check washing, that’s internal fraud and not having good internal control.
So it doesn’t have to be a complicated send-money-to-Nigeria scam; it can be as simple as stealing a check, or stealing a piece of mail could trigger something like this.

 

Craig Jeffery  11:58

So I’m not sure if I should be, like, as excited about the stories that you tell me. I just hope it doesn’t turn me to crime. But if your teenage son or daughter, if their name is Sally fictitiously, says I’m going fishing, where you’re going fishing near the post office, that may be a warning sign, especially if they have gum for bait, that they’re trying to pull checks out of there, or envelopes. That’s amazing. I know our post office has issued warnings and removed some of the giant boxes there to prevent what, uh, however they’re stealing stuff out of there. Very, very good. Yeah, now. So that brings us right to our first polling question. So this is a select all that apply. These are organizational characteristics that show elements of complexity. We have over 100 bank accounts, that’s, you know, click it if you haven’t; we have over 10 banks, yes, click it or not; we have over 2 billion in sales; we’re in over 10 countries; or none of the above. So let’s just figure out, it’s some or all of the first four or the last one. And so we appreciate those who take a poll question. If you can’t see the poll questions showing up on your screen or on any of your screens, look in the webinar chat box. Brian has posted some things that are about finance. We’ll give everybody a moment to complete that. And we will ask people to type the word Deluxe in the chat box. If we get we just see, see where I say we get? Let’s go with 150 people typing the word Deluxe or poll, if you type poll. As long as you don’t type words like Deluxe cubed, we’re okay. Right, just to see that you’re paying attention. We’ll share the results of the poll questions. We’ll embed them in the deck when we send them out. So you’ll get those results now. Yeah, so Sarah and Jim, the results are in. Just about half are probably highly complex with over 100 bank accounts. Over 10 banks, another 35 have complexity in that area.
Over a third are 2 billion in sales and 30% are in more than 10 countries. And if you guys had any comments on that, I guess I’ll see some things at the end. Anyone want to comment? Well, I’ll make a few comments on that. You know, it’s like you think about complexity, complexity comes in different sizes, volume of activity, number of countries. You know, all of these can add to complexity. We could add some other items on there, like number of systems on the billing side, number of systems on the payment side; those all add to complexity and make the control process more challenging. We could have asked, too, how many different ways you receive payments. You know, in the US it might be we get checks in house, we get checks through a lockbox, we get ACH, we get virtual card, we get wires, et cetera. These are complexity elements. Very interesting to see how complex the group is here. All right. So you’re gonna be up again, talking about theory versus reality. You know, in theory, reality is just like theory. In reality, theory is nothing like reality. That’ll be the setup.

 

Sarah Mille  15:33

So true. Yeah. So I’m sure that a lot of you, based on your answers to the first poll question, that a lot of you are very understanding of this particular slide. So receivables theory versus reality: in theory, a simple receivables workflow reflects how a company manages and collects their payments. So invoices go out, payments come in, seems very simple, right? But it’s not. In reality, payments may come in and money may flow out to various different receivables workflows, various payment types will flow into multiple accounts, multiple banks even. Monies are concentrated and then swept into payables accounts, investment accounts, line of credit pay downs. So although in theory it’s just collecting the funds, those funds may come in in a variety of different payment methods, check, ACH, wire, card, real-time payments, but they may come into multiple different accounts, multiple banks, and then be concentrated. And then, like I said, swept out into a payables environment.

 

Craig Jeffery  16:48

Yeah, for sure. Appreciate that explanation. And yeah, reality has a lot more complexity. That complexity can be added, you know, companies acquiring other companies that have their own structures; they get layered one on top of another, and the complexity grows. And so the need for simplification and a clean process comes into being, into focus.

 

Sarah Mille  17:16

Yeah, definitely. You know, as you look at fraud and securities, it’s definitely a situation where if you don’t have the right controls in place, you are opening yourself up for fraud, especially with complexities of the account structure. So you know that this causes reconciliation issues. There are several different variables that contribute to reconciliation issues. Differences in timing, such as cut-off times or delays; differences in the ledger balances versus collected balances. Differences in the amounts, the net vs. gross; the ledger balance and collected balance are impacted by those as well. There’s differences in the level of detail that come in as far as remittance information that is received. It can come in via paper-based remittance, such as what accompanies a check or a money order on a check skirt. There’s electronic remittance advice, or ERA, that accompanies the electronic funds transfers, or ACHs. There’s online payment portals that may or may not capture all the right fields and all the remittance information necessary to reconcile a payment. And then of course, you could get email details sometimes as well. So the payment comes in in one form or fashion, and then the payee follows up with an email with all of that corresponding information. So the difference in timing, the banks differ in the availability schedules at times, as well. So you may have one bank that may give 100% next-day availability, whereas other banks follow two or fote. Schedule. So the timing of those payments definitely plays in as a reconciliation issue as well.

 

Craig Jeffery  19:03

You know, Sarah, one of the things, some people may say, why are we talking about reconciliation if we’re talking about fraud and control? I don’t know if you wanted to start on that. I know sometimes that’s an obvious answer. Sometimes it’s a little more nuanced.

 

Sarah Mille  19:20

Yeah. You know, the ability to reconcile a payment is your first line of defense in identifying potential fraud. So not only is the timing of reconciliation important, but the amount of information received with the payment, or as a follow-up to that payment, is what’s going to help you understand if there is potential for fraud with that payment.

 

Craig Jeffery  19:47

Yeah, that’s good. You know, when we’ve only looked at companies only see reconciliations behind and it’s very complex. Things get buried in there. They’re not found. Like you said, it’s the first line of defense. When the process is designed too poorly, there’s gross and net amounts mixed in. So you’re trying to compare items that don’t match. It’s one-to-many, multiple-to-many, spanning different timeframes and groups. And I always said, if you have six CPAs doing bank reconciliation, you know the process is designed wrong. And that creates an environment for hiding, having problems be hidden. Not that this is done intentionally, but it’s not going to be discovered. And whether it’s, you know, sometimes people are the target accounts, you know, oftentimes with, let’s say, ACH, for example, they’ll debit an account, and then take money out and send money back in for a small amount to see if the account is open. And if nobody’s reconciling, someone or with doesn’t have a discipline of reconciling, they’re just marking these two things off and say, oh, you know, banks are crazy, there’s a 25 cent in and 25 cent out, we’ll just close it out, not recognizing that. So I just discovered that this bank account is open, and you can debit the account. That’s a good point.

 

Sarah Mille  21:10

I’d also say when it comes to the difference in the timing, you know, by the time a payment comes in, if your remittance information comes in days later, by the time you identify what that payment was supposed to be, it could already have been identified as a fraudulent payment, and the funds may already have gone out the door.

 

Craig Jeffery  21:32

You know that one of the 12 security principles that we outline is that speed matters. Even if fraud has occurred, the faster you can detect it, you’re able to stop additional fraud from occurring. And you may be able to stop the loss of funds or restrict the level of loss that you have. So these things matter. Reconciliation matters. It’s not just an accounting concern. It’s about payables and receivables, Treasury, and overall security. That’s awesome. Great job, Sarah. We’re going to bring Jim back into the discussion on payment control. We’ve got a conversation going on here, Jim.

 

Jim Woods  22:15

Yeah, and this is a conversation you typically hear on the support side of lockbox, or if you know, if you would be at a bank, or in this case, you know, we’re providing, as a lockbox, reporting to our customers on a daily basis of who paid. So let’s just use the example of a credit card company. The problem a lot of times doesn’t get, like, this phone call doesn’t happen a lot of times till two weeks, three weeks after the situation has happened. Because nobody knows there’s a problem until they get their next bill and see now they have a balance that’s higher than they anticipated. There’s no last payment date on the date that they thought they made the payment. So they call up their credit card company, or their electric company, or their school where they were supposed to pay their tuition to, whatever it may be, or their rent, and say, you know, why did I get my bill for this much? I paid this month. And then, you know, the company comes back and looks in the records and says, you know, I don’t see it. The person may come back and say, hey, let me go back, I’ll check my banking. They go back, check the bank, and say, nope, it was cashed. And now all of a sudden, you start to think there’s a problem, because you as the lockbox are saying, we don’t have a record of this payment being cashed. This person is showing me that this check number for this amount, or this money order, they get a receipt of their money order, and they track it and that it was cashed. Well, now, red flags go up. Okay, well, how did you send it? I sent it through the Postal Service. I sent it FedEx. Well, it’s great if they sent it in a trackable way; that speeds up the investigation, because now you can say, okay, well, the package wasn’t signed for here. It was signed for somewhere, somebody intercepted the package, signed for it. And now we know there’s a problem. If it came Postal Service, though, you don’t know. I mean, you don’t know that.
Because it’s not trackable. It’s just a regular piece of mail. Now, you know, it’s not lost, because it was cashed. The important thing is, was it cashed or was it not cashed? If it wasn’t cashed, it can be lost in the mail. If it was cashed, okay, the next question becomes, as a lockbox provider, or probably the support departments at your various clients have been trained to: show us a picture of the back of the check so we can see how it was endorsed. And then that endorsement will start to really tell the story. And you know, as a processor, we know, like, our endorsements always look like this. Well, now we see an endorsement on the back of that check that wasn’t us. Then that’s the situation where you’re able to identify, okay, this was a bad actor somewhere along the way, got a hold of this and, you know, took it into a branch or remote captured it somehow, into an ATM, whatever it is, and the funds are credited to the wrong place. So that, you know, that starts a series of, you know, now maybe, you know, you got the best thing in those cases is what it’s generally the check writer who needs to open up an investigation. Okay, so us as a third party, we’re not the aggrieved party; the person whose payment was stolen is the aggrieved party. So we can open up, like, I can’t call the postal service if I think something was stolen and open up the investigation; the check writer needs to. So now you’re inconveniencing the person twice. And they’re not happy, your customer’s not happy, because you’re asking them to do additional work for a payment of theirs that was stolen. Not a popular thing, but they are the ones whose money was stolen. So they are the ones who need to do that. So this is just an example of the conversation that will come into place. It’s oftentimes, if you’re, you know, you can have the controls in place, but if you’re a large-scale lockbox provider, like, oh, like, we don’t know the amount that’s supposed to be coming in.
And you also don’t know somebody may have a $500 credit card bill due, but they might only send $100. So if you look at the end of the month, and say, well, there’s a difference, and, you know, what was invoiced versus what was paid? It’s not 100 was a fraud? Or was it, you know, or was it just somebody, you know, didn’t pay as much as they were going to? So it’s important to keep this line of communication. It’s important for the, you know, you said previously, Craig, it’s honorable mention about speed and, you know, getting on things quickly, you know, your support departments knowing what to look for, knowing the correct questions to ask when red flags start to go up, and to get that information as quickly as possible. Like, if somebody is a dentist, the copy of the back of the check right away? What is the check number? What is, you know, any of the, when did you mail it, all that type of information? That’s what these investigations along. And then if it becomes a situation where you believe it was, you know, in the postal system, they’re gonna ask you something like, you know, what mailbox did you put it in, on the corner of 57th and Madison, and you know what, now all of a sudden, their database, they see they have nine investigations open in a two-month period from people that mail from the same place. That’s going to, you know, trigger their internal controls that we have a problem here, or things coming into one central processing station, or whatever it may be. They’re going to connect dots, but they can only connect dots if they have that data.

 

Craig Jeffery  27:39

Alright, so that brings us to our second poll question. So this one will pop up again; it’s multiple choice. And this is asking about what are the security controls you have in place at your organization: account payment validation, validating payment information, let’s say the banking information; you have general employee training with testing. Later on, there’s payment-specific employee training with testing at least annually. And you can see how the different options are there. So go ahead and fill those out. And we were 40, 45 “Deluxe” or “poll” in the chat box to be able to send these out. So get that closed out. That would be awesome. And just go ahead and fill out the poll question, hit the submit button. And then Sarah, I’m going to go ahead and ask you to comment when it comes up, when the poll’s showing. See if you have any responses, then we’ll go over to you. Sounds great. Right, yeah, there we go. So yeah, go ahead and make any comments that you have here. Yeah.

 

Sarah Mille  29:09

Yeah. So it looks like the majority of you do have the account payment validation, which is fantastic. General employee training. Okay. Very good. So these are all really important areas for security control, to help to combat fraud. You know, we don’t like to think about our internal employees, you know, possibly being a part of a fraud for a corporation. But it is a reality, and having this payment-specific employee training and testing, and also just auditing the privileges of each, the principle of least privilege, you know, only giving people access to what they absolutely must have. These are all really good ways to identify or to help to combat internal fraud from employees. So this is good. I’m trying to think if there’s anything additional that I would have added to this list other than, you know, dual controls and such, and just the overall, like I said, auditing and monitoring and logging what our employees are doing and how our payments are being sent.

 

Craig Jeffery  30:30

Jim, any comments from you on this?

 

Jim Woods  30:32

The dual control is something that I noticed as well. And a lot of times, you will be shocked, and I, you know, I’m actually going to comment on it in one of the future slides, but the amount of cash that’s still received at a lockbox, more so than you can believe, that people actually do put cash in envelopes and send it in the mail. And when you have, you know, that’s the easy, I shouldn’t say easiest kind of fraud. But that’s a very risky situation, when somebody is putting cash in an envelope and putting it in, you know, the regular mail, and it’s not traceable and not trackable. So that’s where the concept, you know, in our facilities, where dual control comes in: all cash has to be handled by more than one person. So we have that checks and balances against each other.

 

Craig Jeffery  31:20

No control and maybe some cameras. Yeah, those are the payment, the payment assessment and the payment security assessment in the past year; just about a quarter, just under a quarter of the population on today’s webinar have done that. That’s a very good number. I mean, sure, it should be well over 50%. Right, we would recommend people do a payment security assessment at least every two years. I think this reflects an audience that’s pretty well trained, pretty attentive on payments security, outbound and inbound payments. So really good information there. I’ll draw your eye to the webinar chat section; you can pull that up in the Zoom screen and see what the chat box looks like. There is the ability to follow Deluxe on LinkedIn, Strategic Treasurer on LinkedIn, as well as our media channel CTM file, for cash and treasury management file. Go ahead and follow those on LinkedIn; that helps us just communicate, all of us communicate with each other, follow what’s going on in our different organizations. So really appreciate your information. And we just need 14 more “Deluxe” or “poll”s in the box. I prefer not to say anything again, instead of belaboring the point, but really appreciate you guys paying attention to that. And liking data. I mean, this data is great. We’d love to see what’s going on. It’s great getting a few hundred responses really rather quickly. Well, this is what I need to talk to. And so I’ll introduce it. And what’s the role of the lockbox? How do we think of it as moving from simple to complex? Sarah had outlined and showed a chart moving from left to right, on the horizontal axis of, you know, check, ACH and wires for the US going to a bank and then being sent to some different systems.
Well, if we look on the complex side, what do we typically see? We have check, maybe real-time payments, ACH, wire, maybe going into a number of accounts for a number of different entities, that’s feeding through to the banking concentration system, as well as to the back end. And here on this chart, we’re just showing, we’re showing the payment types that are sent to a banking structure in the middle tier. And then at the lower tier is the receivable system. And so you can see and think and reflect upon how many payment channels are in play. And we asked a question earlier about complexities, how many banks, bank accounts; we could also ask about payment types, underlying back-end systems. All of those add to complexity. How do we get our arms and our minds around the payment process? And how do we protect or put a fence around the security for these items, since there are so many different touch points or entry points? So the left side is a complex view; on the right side is a conceptual simplification where those different payment types, again, in the US here, for example, coming into a lockbox, maybe an e-lockbox, it takes paper and digital items together, combines those, so payments coming in from different channels get combined to a single lockbox. And then there’s a file, a digital update file, that goes to the back-end system. Simplifying how many accounts or how many payment type payment types of payment flows are that isolates most of that activity into a single stream into the back office. So the role of the lockbox is to collect funds efficiently and securely. And the more money is a contact methods of making payments that works against some of the overall objectives. And the reason you offer so many different methods is you’re trying to collect however you can from your different customers in a way that benefits them, and not forcing them down a single channel.
And so, from complex to simple, there’s ways to simplify the variety of options that your company probably needs to make and make it an easier process for your, for your clients. And for those that are doing accounting, those that are doing forecasting, cash positioning, I’ll pause there. I don’t know if Sarah, you wanted to jump in or Jim, if you have anything else to add on the role of the lockbox?

 

Sarah Mille  35:51

Yeah, I actually don’t have anything to add to this one.

 

Craig Jeffery  35:55

Yeah. So it’s a it’s a key thing that people have been been doing and pushing and moving towards it, you know, simplification is, is on most people’s minds like rationalizing, how many accounts, how many activities, how many payment types are made, and balancing that with the customer needs?

 

Jim Woods  36:18

Oh, sorry, Craig, not to interrupt, the only thing I would jump in there, if you pull it back up, is, you know, not only is it simplifying, you know, reconciliation, or things like that, but, you know, in the different channels to bring it into one place. Lockbox is a very manual process, as we know, and very prone to human interaction, human error, things like that. The more electronic channels that can feed in, it’s also helping your business and it’s helping your speed and your productivity, if you can get more things converted to ACH, get converted to wire, you know, online bill pay checks that don’t come in as paper checks, but instead come in as a, you know, as an ACH payment. You’re eliminating thousands and thousands of paper checks that need to be opened, touched, keyed, things like that, that put the risk for error into place as well, not just a risk for fraud. So all in all, these systems, as we go towards more e-lockbox, are really, really efficient and helpful.

 

Sarah Mille  37:14

Yeah, I think another thing is, by flowing things through a lockbox, you have the opportunity to use exceptions modules to decision something that falls outside of what you’re expecting, or using account validation files to populate correct account information. Which leads to the data coming out of the lockbox being more accurate, meaning you can feed that into your ERP system and reconcile much quicker and identify fraudulent transactions much quicker.

 

Craig Jeffery  37:49

Excellent, thank you. Thank you both. A lot of people are saying I want my third poll question. I want it now. So here, here is your third poll question. What is your company’s greatest fraud risk or security concern around inbound payment processing, everything come in, coming in. So missing checks, stolen checks, lockbox employee fraud, employee fraud. So the last two would be concerns about the employees of a lockbox company, like a company or bank that’s providing that service. And the last one would be you process payments internally, and you’re worried about employee fraud. Give everybody a chance to look at that. And I know we’ve exceeded our number on the Deluxe poll in the chat box. Thank you, no additional items are needed there. So thanks for responding and loving data as much as we do. Even more than we do, look at that. Bank these for the next webinar. All right, Jim, I’ll ask you, it’s a pretty close heat with the stolen, missing checks. And there’s definitely more concern on the employee fraud side. If you want to comment on those, then Sarah, you can jump into it.

 

Jim Woods  39:15

Well, just a couple things I’d comment on. But like, I think it’s important to remember not all, you know, the missing check is 91 of the 167 replies, not every missing check is a fraudulent item. A lot of missing checks get found without any incidents of fraud, it’s just that delay of some sort of getting processed. So I think that that’s important for, you know, to make that distinction. Stolen checks, obviously, because of the ramifications down the line that could be, you know, that could be more than just a one-time event: a check can be stolen and cashed, and then that person’s account information can also be drawn from that check for multiple other transactions down the line. So I think it makes sense that that’s the number one. And then, you know, just to kind of, you know, fly the flag for lockbox employees and outsourcing your lockbox service. Lockbox facilities like ours do have the best controls in place and the best technology and things: cameras, card swipes, logging of information. We have the best tools as outsource lockbox providers to monitor our employees. So it makes sense to me to be more concerned about your own employees than somebody that you may outsource the work out to. Because maybe, you know, at, you know, let’s just use a property management office of nine people or something like that, that isn’t outsourcing their lockbox, they may not have cameras, they may not have card swipes, they may not have all those institutional controls that we do have. So I could see being concerned about it, you know, at that level more than the outsource provider.

 

Craig Jeffery  40:50

Sarah, anything that you wanted to add?

 

Sarah Mille  40:53

Yeah, I would, I would agree with that assessment, Jim. I’d also add that obviously, although these are more paper-based fraud concerns, I would add that if you are sending out invoices via email, and if for some reason we had the business email compromise, and someone hacked in or spoofed, I believe, is the correct term, or one of the other terms, spoofed those invoice emails, changed the remittance to address. That may be a payment concern where you were anticipating that payment coming in, but it was redirected to the fraudster. So that’s another area that I think we need to, you know, make sure that we have a focus on and have a plan around.

 

Craig Jeffery  41:40

You know, one of the issues on the mail side was, it was maybe a month ago, we received a check we sent out and about it was two months before we’d sent it down. And they hadn’t received it. So we ended up reissuing payment. And then it was like it was almost exactly two months later, we get the envelope back and the address information was right. But it came back into our mailbox. And I was like, how does that happen? In a world of paper? But I guess those are some of the challenges. Well, thanks, everybody, for answering the third poll question. We appreciate it. And we’ve reached our number or count, which is great. So onto payment security. And, Jim, I’ll turn this over to you. You know, as we think about assessing the payment processes and standards, there’s a lot of areas to look at. And well, I’ve got a number of things to say too, so I don’t.

 

Jim Woods  42:39

Great. So yeah, a couple of things that I’ve touched on before, and I just mentioned some of them when we looked at the poll question about, you know, the state-of-the-art things that are in place at outsource lockbox facilities, but a lot of the things aren’t as fancy as card swipes and great cameras. It’s having documented, detailed processes, tracking mail the entire journey that it takes when it enters your facility. You can only control it from the moment that it gets to your courier and gets into the facility. Beyond, you know, prior to that you really don’t have much control over it. So the two words, I would say, if you don’t hear me say anything else today, it would be audit trail. Just have an audit trail on all of your payments that are coming in. And that starts with, you know, if the outsource lockbox provider uses a courier, a fully bonded and insured licensed courier service to pick up the mail, which most of them do, when that courier gets to the post office, there should be a log saying, you know, first of all, he should need to show a photo ID when he gets there, they should have a list of the, you know, the acceptable people from that courier company with their photo. So the post office can match that up to who’s receiving that mail, they should be signing a log. The post office should be saying I’m giving you 42 trays, they should be counting, we’re getting 42 trays, that should be signed off. When the courier brings it into the facility that you’re using for your lockbox, they should be now, you know, they would know the courier from coming every day, but know if something, somebody’s not the normal courier, whatever, you’d be checking those types of things against IDs and whatnot, and then you’d be doing your count: okay, post office said 42 trays, the courier said 42 trays, I’m now counting, do we have 42 trays? Sign off on that.
It starts at that basic of a level when you’re talking about lockbox. Then, you know, I can speak for office so every piece of mail is counted when it comes in, and so we know these mail counts on a day-to-day basis. You know, we can use that not only for fraud but also forecasting, but if a year from now we see there’s drastically less at a certain time, that may raise a red flag as to what’s going on. Everything’s then assigned a batch header based on when it needs to be processed by; that batch header remains with that payment all the way through the cycle. You know, so the payment maintains its batch integrity throughout. You know, when payments are scanned, and they go to data entry, you mentioned earlier, like, is that data entry being done in a white room environment, especially if it’s offshore, like that people don’t have phones on their desk, they don’t have post-it notes, like it should be a clean environment where it shows them in the keyboard to do data entry. And there was a fancier term for what I have, I would say, that you guys had up on the slide before, but about only show people what they need to see. I don’t remember exactly what the term was in the poll. But, you know, principle of least privilege, least privilege, exactly. So your data entry operators, they don’t need to see the MICR information on the bottom of a check, necessarily, they should just be seeing a block that has the amount and the legal written amount so they can key from that, you know, so it’s things like that.
And then it goes to, you know, further on, like, out on the floor of the lockbox, no phones. Again, you know, people should be coming and putting their stuff in lockers, each employee should have a locker to put their phone in so that they’re not, you know, there’s no ability to snap a picture of a check. You shouldn’t be able at a data entry, especially offshore, they shouldn’t be able to screenshot anything that’s on, you know, so want to check is for if for some reason the MICR wasn’t blocked, maybe a supervisor can see the MICR, or a customer support person who a lot of times will need to see that MICR information to do one of the traces that we talked about before, well, then they shouldn’t have the ability to take a screenshot, you know, things of that nature. But the most important thing is the audit trail. Shredding, you know, use Iron Mountain, you shred it, you know, and so when you get rid of your checks, maybe you only retain them on site for five to seven days, whatever it may be, you know, logs of all your shredding and your secure destruction, that that’s all monitored. So that something doesn’t happen on the back end, you know, with the payment. Also, a lot of times in lockbox, and I know I’m saying a lot right now, and I’m kind of just spewing some things. But in lockbox, it’s not just the incoming mail. At a lockbox facility, you’re responsible for outgoing mail, also not every payment that comes in. So it needs to get processed. And, you know, going back to my story before about the grand jury, those were payments that were dispatched back to a company. Okay, so it was very easy. The first question, because what was it, somebody in your lockbox who committed the fraud? And we were able to say, no, because those payments were archived, they were imaged, they were rejected, they were sent out your dispatch. I can’t stress this enough, this dispatch, it really should be going back in a trackable format, either a FedEx or UPS.
So you could say, no, we sent that check out on this date, it was signed for by Sally at your office on this date. That’s where you need to be looking in your fraud investigation. So not only with lockbox on the incoming side, but also the dispatch on the outgoing side is really, really important to have controls in place. And then, you know, the last thing I would just touch on would be the cash. As I said before, especially in the nonprofit world, if you’re working in not with nonprofit lockbox, doing things for churches, doing things for schools, if somebody may just said, you know, they give what you can give, and they send in, you know, $1, they send in $5, you know, we process hundreds and hundreds of thousands of dollars in cash a month in our facilities, all under dual control. To get that money out of the safe, it has to be two people, five of them have keys to one lock, it’s two locks on the safe, five have keys to one lock, five keys, nobody has a key to both locks. So you need to do it with somebody else to get that cash and then to write checks out for all that cash. It’s a very controlled process, like everything else that we do, because the temptation of cash, you know, it is a temptation.

 

Craig Jeffery  49:03

Now, some great points, Jim. You know, when you think about the common phrases, people, processes and technology, you can see these here, but there’s services, there’s also structures, how we structure our banking system. And for those that are on from the treasury perspective, designing your banking structure should be designed for optimal cash management purposes, to also support the accounting function, not to be designed for the accounting function, but to support that and to allow for that growth, scalability, isolation so that any type of fraud will be discovered. So some good points there, Jim, so thanks. Thanks for that. As we continue on, Sarah, I didn’t know if you wanted to go first on this one. Or if you’d like me to go first. I think we had a couple points you wanted to talk about and perhaps a story or two. What’s your preference?

 

Sarah Mille  50:02

Why don’t you go ahead and kick it off and we’ll take over.

 

Craig Jeffery  50:04

Yeah, sure.  The fourth item down there, employee security training, this idea of training, I think we’re pretty used to it. Payment security training is not as common as general cybersecurity training. I want to emphasize the point of having employee security training on payment security is often overlooked. There’s a couple of standards that are out there. The SWIFT Customer Security Programme, or SWIFT CSP, has a bunch of security standards, including training on a number of topics that are required. I feel like at PCI DSS, the Payment Card Industry Data Security Standard, they have annual requirements for protecting data, technology updates, as well as have five different channels or paths for having training. And so you can see how some of these payment processes have made payment security training vital and essential and recognize that. I guess the last thing I’d say is, when we’ve done surveys on those who are doing payment security training, cybersecurity training against those who do not know, the last time that we were able to get a substantial number of those who don’t do any training, the losses for those that don’t have training were anywhere from two, two and a half times to five times greater than those who had security training. And that’s just, those are awesome correlations, you can understand why there’s a correlation there, it’s like those that are more alert and on top of things do better. So we’ve seen the growth that people having security training and payment security training, and the frequency of that training increase. And the reason that it increases is because it’s paying dividends, it’s protecting organizations. Those are some of the really important items, training the human factor, just like you update your firewall.  Go ahead, Sarah.

 

Sarah Mille  52:09

So, you know, when you look at the employee security training, you must have a plan for keeping your employees up to date on the most recent compliance and industry standards. The industry experience specifically as lockbox provider, you want to know that your lockbox provider follows all of the industry standards, the access controls and authentication. Incident response plans are very, very important. And then segregation, segregation of duties. This is one that’s kind of near and dear to my heart. Similar to Jim’s situation where he had to testify to the grand jury, I had a situation several years ago, where the person who was writing the checks was also the person reconciling the checks. And over the course of about 10 years, this individual stole over $2 million from their employer. She was very, very well trusted. She was the go-to person, she handled the cash and the checks and the money orders and everything that was incoming. But what she was doing is she was periodically writing checks that seemed legitimate to family and friends who would then get a kickback, and then give her the true bulk of the funds. Had there been dual control and separations of duties, that would have been caught a long time ago. The principle of least privilege, making sure that each person only has access to the tasks required to do their job. And then also one that I don’t have on here, but is a security background check, because in this situation, had they done a security background check on her as a new employee, they would have found out that this individual was released from her last two positions for embezzling.

 

Craig Jeffery  54:15

That’s a significant story in itself. Thanks. Thanks so much, Sarah. And, Jim, to get you back into the conversation, there’s a bunch of security questions here that many people would want to ask themselves and their team.

 

Jim Woods  54:31

Yeah, and, you know, for purposes of time, we don’t have to go through every single one of them. But one that I hit on right away is, do you offer third-party attestation? So what that is, it’s basically, you know, certifying, if you hire an outsource provider, say, to provide your lockbox, or you’re sending out an audit team to certify that proper procedures are being followed, the documented procedures of that company, are they being followed. So, you know, like I said, it was about a month ago I was on at one of our facilities for one of our largest clients came in to do an audit. And I just watched them go through that whole process of third-party attestation. It was very detailed, they wanted to see documented procedures, and then they would walk the floor and make sure those procedures were being followed. Touched on the offshore resources, data entry, before, about the white room, knowing your data entry provider, knowing how to structure is the business continuity plan. You know, I can recall right before COVID, getting a phone call from one of our clients saying, this is in like the end of February, and then saying, you know, what do you plan on doing if you have to shut your offices down? I’m like, at this point, I was just starting to hear, kind of was like middle of February, is just starting to hear this COVID thing. And, you know, that was at my previous place and said, you know, we’re, you know, we’re going to be just operating businesses, you didn’t think it was gonna be a big thing. And all of a sudden business continuity came to the forefront for every single person in March of 2020. And it’s, you know, it’s so critical to have documented BCP, to have redundant processes. One of the things that’s nice about our Deluxe footprint is we’re in multiple sites which all can feed into the same place, a hub-and-spoke model where mail can be opened in one place and keyed somewhere else. So we back each other up, and we’re redundant.
So and then one other thing with the employee background checks just talked about, if we did in the other story, if the background check had been done correctly, something like that might have been identified. Well, you know, it’s not, it’s not just when you hire somebody, like every five years our background checks are redone on everybody. You never know, somebody could be on their perfect behavior and get a job. And you know, two years later, they could have a situation in their life that turns them towards a crime or something like that. And, you know, all of a sudden, you know, if you never recheck anybody you don’t know, you may have a bad actor on your hand. So it’s critical to do that throughout the process of their employment.

 

Craig Jeffery  57:01

Yeah, excellent. So as we come to the takeaways, I’ll start, then Sarah, and Jim, if you can wrap us up. So what are some of the key points to leave with you, when you think about control processes and services? There’s services from your bank that protect accounts services from third party vendors. There’s what you do, however you interface with the payment process from an internal control perspective. But finally, there’s a standard of what’s commercially reasonable for the protection of your payments inbound or outbound. That changes over time because criminals are more efficient. So think about how do I continue to update those standards? And over to you, Sarah.

 

Sarah Mille  57:42

Yeah, so when you look at the takeaways for security and banking security standards, you know, compliant with industry standards, I mentioned that a couple times: NIST Cybersecurity Framework. COBIT, the Control Objectives for Information and Related Technologies, to help establish those controls and align the IT activities. PCI compliance, ISO 27002, that helps to identify that framework for identifying and managing and mitigating risks. SWIFT, the Basel Committee on Banking Supervision, AML regulations, knowing your customer, all very, very important. Access controls, MFA, multi-factor authentication, dual controls, role-based access controls, single sign-on, physical address control, our access controls, regular audits and reviews already mentioned. And then incident response and recovery, make sure that your incident response plan, first, you have one, then identification and reporting, incident response teams important, containment and mitigation, communicating and reporting, remediation and recovery, and business continuity and disaster recovery, all very, very important.

 

Jim Woods  58:54

And that kind of leads right into my first point, which, you know, a takeaway from today would be, how prepared are you for disaster recovery and business continuity? Do you have multiple sites set up, do you do testing to see if that plan needs to be enacted and how quickly it needs to be enacted? Make sure that if you’re choosing a lockbox that’s using state-of-the-art technology from a cybersecurity standpoint with servers, but also just as simply as, you know, making sure it’s card swipe access to every room, that cameras monitor the entire facility. And then you hear the term in banking KYC, know your customer. I would say in lockbox you want a KYV, know your vendor. Know your courier company, know your offshore data entry provider. Know your shredding company. Just know all the vendors that you’re using are critical.

 

Craig Jeffery  59:47

Great.  Sarah and Jim, thank you so much. We’re going to turn it back over to Brian, with our thanks for everyone for listening. Brian.

 

Announcer  59:56

Indeed, thank you to everyone for listening today, and your CTP credits, today’s webinar slides, and the recording of today’s webinar will be sent to you within five business days. And to explore next-generation payment trends with Deluxe and Strategic Treasurer, be sure to listen to the Treasury Update Podcast episode 255, that’s episode 255, by clicking the link in the chat box.  Thank you, and we hope you have a good rest of the day.

 

Jim Woods  1:00:29

Thank you all.

 

Sarah Mille  1:00:31

Thank you
