David Stebbings, Head of Treasury Advisory, PwC UK
A high level perspective on the payment fraud environment
© 2016 Kyriba Corporation. All rights reserved. PROPRIETARY & CONFIDENTIAL.
The payment fraud challenge - it’s big news!
PwC Global State of Information Security survey 2016
38% increase in cyber security incidents in 2015
PwC Global Economic Crime Survey 2016: 20% of UK companies had a significant fraud event in the past two years
Recent high profile incidents: Bangladesh Bank lost USD 81m in early 2016; recent reported incidents at Ecuadorian and Vietnamese banks
But the effect is not just financial! Regulatory, reputational and also potential criminal consequences
Treasurer and team control cash and are often responsible for treasury and commercial payments - so this is an area of increasing focus
What is payment fraud and how might it happen?
Your money is paid into a bank account of a fraudster. The fraudster launders the money so it is not recoverable.
It can happen on all types of payment mechanisms - cheques, credit / purchasing (P) cards and electronic payments.
Focus on electronic payments - the fraudster needs to create a fraudulent payment or change the details of a genuine payment.
Within the control of the company (systems may be externally hosted) | Third parties - banks, SWIFT etc.
Payment initiation → Payment approval and release → Payment execution to final destination
Cyber heist - external
Phone / Business Email Compromise (BEC) - e.g. UBIQUITI
Hacking into internal systems
Hacking into internal or external systems, or the connectivity between systems - e.g. BANGLADESH CENTRAL BANK
Internal - process
More traditional source - either from internal IT, finance etc. Up to 50% of payment fraud is from internal sources (18% management). False invoices, changing details/data etc., bypassing internal controls
Fraud is more likely when:
More decentralised payment processes, many different systems, no defined standards in place, more countries, more banks, more bank accounts. Treasury, finance, legal, IT not aligned. Fraud not taken seriously by executives. People not a focus.
How might you prevent it - you cannot rely on others!
Payment initiation → Payment approval and release → Payment execution to final destination
Systems involved: your finance system(s); TMS (may be hosted); SWIFT/Bacs/ACH bureau; your bank(s); SWIFT; receipt bank(s)
Risks: Undertake a payment process review to confirm the key risks for your organisation and the regulations you must comply with. Then agree what are acceptable and unacceptable risks given your business, your geographies, your culture and your IT landscape.
Your payment process: Global standards and policies; segregation of duties within key systems; particular care over settlement instructions and vendor details; approval limits and regular updating of approvers; checking of system audit logs; regular audit / fraud reviews; regular reconciliations and checking of bank accounts (daily or even intra-day). Not just Treasury but also finance, legal, IT etc.
Be suspicious of emails and calls asking for payments that are outside the normal process (BEC). Make use of technology solutions for the whole business - agreed design and set-up of key controls within them; a payment factory? Focus on people - hiring, training, make sure people take holidays, make sure finance / legal / HR are linked on this.
IT solutions: cyber controls, surveillance procedures, monitoring of traffic, up-to-date versions of software, investigation of failures or odd traffic; encryption of data going between systems, secure interfaces, use of authentication to validate payments and payment failures.
Use of third parties - TMS, SWIFT bureau, banks:
When choosing - thorough selection process, including IT security. Make sure they comply with your IT / cyber security requirements. Check regularly. Consider your own penetration testing of their environment (with their written authorisation); and
Check the liability of third parties within the payment process if they are compromised and money is taken from your account via a cyber heist or their negligence (banks, SWIFT, TMS, SWIFT/ACH/BACS bureau). Consider cyber / payment fraud insurance.
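The "checking of system audit logs" control above is most useful when it looks for a specific pattern: a change to a vendor's bank details followed shortly by a payment to that vendor, and especially when the same person did both (segregation of duties bypassed). The following is an added example written for this page, not PwC's or Kyriba's code; the pipe-separated log format, the event names and the 7-day window are constructed assumptions to be adapted to your TMS/ERP audit export.

```python
"""Audit-log check for the vendor-detail-change-then-pay pattern.

Added example; not PwC's or Kyriba's code. The log format, event names
and window are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample audit log lines: timestamp|user|event|vendor|detail
SAMPLE_LOG = """\
2016-03-01T09:12:00|alice|VENDOR_BANK_CHANGE|ACME|IBAN=GB29NWBK60161331926819
2016-03-01T09:40:00|alice|PAYMENT_APPROVE|ACME|amount=250000.00
2016-03-02T10:00:00|bob|VENDOR_BANK_CHANGE|GLOBEX|IBAN=DE89370400440532013000
2016-03-20T11:00:00|carol|PAYMENT_APPROVE|GLOBEX|amount=12000.00
2016-03-03T08:00:00|dave|PAYMENT_APPROVE|INITECH|amount=5000.00
"""


def parse_log(text):
    """Turn the pipe-separated export into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, vendor, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "vendor": vendor, "detail": detail})
    return events


def find_change_then_pay(events, window_days=7):
    """Flag every payment approval that follows a bank-detail change for the
    same vendor within the window. `same_user` is True when the approver is
    also the person who changed the details, i.e. segregation of duties was
    bypassed; that is the highest-priority case to investigate."""
    window = timedelta(days=window_days)
    changes = [e for e in events if e["event"] == "VENDOR_BANK_CHANGE"]
    findings = []
    for pay in events:
        if pay["event"] != "PAYMENT_APPROVE":
            continue
        for ch in changes:
            gap = pay["ts"] - ch["ts"]
            if ch["vendor"] == pay["vendor"] and timedelta(0) <= gap <= window:
                findings.append({
                    "vendor": pay["vendor"],
                    "changed_by": ch["user"],
                    "approved_by": pay["user"],
                    "same_user": ch["user"] == pay["user"],
                    "hours_between": round(gap.total_seconds() / 3600, 1),
                    "new_details": ch["detail"],
                    "payment": pay["detail"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_change_then_pay(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log only the ACME case is flagged with the default window (alice changed the IBAN and approved a GBP 250,000 payment 28 minutes later); widening the window to 30 days also surfaces GLOBEX, where two different people were involved and the finding is lower priority.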
It's not if but when it will happen, so you need a clear incident response plan
Who tells who and who gets involved - particularly internal (HR, senior management, finance, IT etc.)
In what cases should payments be blocked - easier if before release?
If released - how can your banks block a payment?
If the payment cannot be blocked from going out - how can it be recovered?
Who liaises with your banks - treasury / legal etc.?
Whilst this is going on how do you make other payments safely?
What are the differences in incident response between jurisdictions?
Identify the cause to learn for next time
Make sure the plan is known by all
A clear incident response plan - tested!
Payment initiation → Payment approval and release → Payment execution to final destination
Systems involved: your finance system(s); TMS provider (may be hosted); SWIFT bureau; your bank(s); SWIFT; receipt bank(s)
Summary of thoughts
It is "when" not "if"
Process and cyber heist risk
Not just your systems and process - third parties are important
Centralised process, policies and use of systems generally reduces risk
People are key
Have a response plan
Fraud is a current and growing concern
62% of organizations have experienced attempted or actual payments fraud [1]
20% year-on-year increase in the number of companies which recorded an actual fraud [2]
20% of corporates report fraud committed by employees [3], with a maximum loss of $2.5m [4]
61% of business leaders recognized cyber attacks as a threat to growth [5]
Cyber attacks are as likely as natural catastrophes and more likely than large-scale involuntary migration [6]
Sources: (1, 2, 4) ACT 2015-16; (3) AFP 2015; (5, 6) PwC Insurance 2020 & beyond, 2015
Five technology areas with preventative measures
Architecture
User Administration
Business Workflow
Information Exchange
Reporting
Rely on a secure architecture for your payments
Be aware of building and physical security
• Building access, CCTV, Intrusion alarm, Visitor security escort
• Environmental hazard protection, Uninterruptible Power Supply
Be trained on network anti-intrusion measures
• Firewalls, anti-virus, network zoning, daily intrusion testing
• Distributed Denial of Service (DDoS) protection, Intrusion Detection System, log analysis
Demand a resilient hardware architecture
• Password policy, removable and hand-held device management
• Encryption of data at rest & in transit, Resiliency, Latency
Ensure personnel and functions segregation
• IT and System Design Roles & Responsibilities
• “Chinese walls” multi-tenant database, Application Penetration Testing
26% of declared fraud activities are internal*
Open safe passages to computers and applications:
IP filtering
Date and time of access per user
One-time password
Dual-factor authentication, incl. 3SKey and USB tokens
Workstation timeout
Segregation of duties
Segregation of data
Password policy setup
Single sign-on
*2015 AFP Payments Fraud and Control Survey
Design collusion-free workflows
Reference data:
• Dual admin
• Templates lockdown
Import:
• "Robot" user
• Consistency checks
Signature:
• n-eye
• ABC panels
• Settlement limits
Release:
• Token(s)
• Automated reminders
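The signature and reference-data controls above combine into one rule set: a payment can only go to a beneficiary template that was locked down by dual admin, the initiator never signs, each person counts once, and the number of distinct signers grows with the amount (settlement limits). The following is an added example written for this page, not Kyriba's product logic; the limit tiers, template names and user names are constructed assumptions.

```python
"""n-eye approval workflow with settlement limits and locked templates.

Added example; not Kyriba's code. Tiers, templates and users are constructed.
"""
from dataclasses import dataclass

# Constructed settlement-limit tiers: (ceiling, distinct approvers required).
# Amounts above the last ceiling cannot be released from this workflow at all.
LIMIT_TIERS = [(10_000.00, 1), (100_000.00, 2), (1_000_000.00, 3)]

# Reference data locked down by dual admin: payments may only target these
# templates, so a free-typed IBAN in a payment is rejected at initiation.
LOCKED_TEMPLATES = {
    "ACME-GBP-MAIN": "GB29NWBK60161331926819",
    "GLOBEX-EUR-OPS": "DE89370400440532013000",
}


@dataclass(frozen=True)
class Payment:
    pid: str
    amount: float
    template: str      # must be a key of LOCKED_TEMPLATES
    initiator: str


def approvers_required(amount):
    """Distinct approvers needed for this amount, or None if above the top tier."""
    for ceiling, n in LIMIT_TIERS:
        if amount <= ceiling:
            return n
    return None


class ApprovalWorkflow:
    def __init__(self):
        self._pending = {}   # pid -> (Payment, set of approver names)

    def initiate(self, payment):
        if payment.template not in LOCKED_TEMPLATES:
            raise ValueError(f"{payment.pid}: beneficiary is not a locked template")
        if approvers_required(payment.amount) is None:
            raise ValueError(f"{payment.pid}: amount exceeds the highest settlement limit")
        self._pending[payment.pid] = (payment, set())

    def approve(self, pid, user):
        payment, approvers = self._pending[pid]
        # n-eye: the initiator never approves, and one person counts once.
        if user == payment.initiator:
            raise PermissionError(f"{user} initiated {pid} and cannot approve it")
        if user in approvers:
            raise PermissionError(f"{user} has already approved {pid}")
        approvers.add(user)

    def releasable(self, pid):
        """True once enough distinct approvers have signed for the amount."""
        payment, approvers = self._pending[pid]
        return len(approvers) >= approvers_required(payment.amount)

    def release(self, pid):
        """Returns the IBAN from the locked template, never from the payment itself."""
        if not self.releasable(pid):
            raise PermissionError(f"{pid} does not have enough approvals")
        payment, _ = self._pending.pop(pid)
        return LOCKED_TEMPLATES[payment.template], payment.amount
```

Note that `release` takes the account details from the template library rather than from the payment record, which is what "templates lockdown" buys you: changing where the money goes requires the dual-admin reference-data change, not an edit to a single payment.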
Enter a maximum file security space
File exchange controls along the chain From ERP → To bank → From bank:
• Encryption of files sent to the bank; decryption of files received from the bank
• Pattern analysis
• Sanction filtering
• Handshake (XML)
• Checksum (MD4) - note that MD4 is cryptographically broken, and any unkeyed checksum only detects accidental corruption: an attacker who can alter the file can recompute it. Detecting tampering needs a keyed MAC or a digital signature over the file.
• ACKs (MT, camt) returned by the bank
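The difference between a checksum and a keyed integrity check is the point that matters for a payment file in transit, so here it is worked through. This is an added example written for this page, not Kyriba's file-exchange code; the single payment record, the shared key and the attacker's substitute IBAN are constructed. The hash algorithm is irrelevant to the argument (SHA-256 is used here instead of MD4): anyone who can rewrite the file can rewrite an unkeyed digest, whatever it is, whereas recomputing the HMAC requires the key, which in practice is provisioned out of band or replaced by a signature such as a 3SKey-signed file.

```python
"""Unkeyed checksum versus keyed MAC on a payment file in transit.

Added example; not Kyriba's code. File content, key and substitute IBAN
are constructed; SHA-256 stands in for whatever digest the bureau uses.
"""
import hashlib
import hmac

# Constructed single-record payment file (CSV-style, not a real pain.001).
PAYMENT_FILE = b"PMT-0001;ACME;GB29NWBK60161331926819;250000.00\n"
# Assumption: a key shared with the bank and provisioned out of band.
SHARED_KEY = b"example-key-shared-with-bank"


def unkeyed_checksum(data):
    """Integrity against accidental corruption only: anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_mac(key, data):
    """Integrity against tampering: recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key, data, tag):
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(keyed_mac(key, data), tag)


def attacker_swaps_iban(data):
    """Mimics an attacker on the ERP-to-bank path who redirects the payment
    and recomputes the unkeyed checksum so that it still matches."""
    tampered = data.replace(b"GB29NWBK60161331926819", b"GB94BARC10201530093459")
    return tampered, unkeyed_checksum(tampered)


def bank_side_check(data, checksum, tag, key=SHARED_KEY):
    """What the receiving side can conclude from each control."""
    return {
        "checksum_ok": unkeyed_checksum(data) == checksum,
        "mac_ok": verify_mac(key, data, tag),
    }


if __name__ == "__main__":
    checksum = unkeyed_checksum(PAYMENT_FILE)
    tag = keyed_mac(SHARED_KEY, PAYMENT_FILE)
    print("genuine :", bank_side_check(PAYMENT_FILE, checksum, tag))
    tampered, new_checksum = attacker_swaps_iban(PAYMENT_FILE)
    print("tampered:", bank_side_check(tampered, new_checksum, tag))
```

The genuine file passes both checks; the redirected file still passes the checksum (the attacker regenerated it) and fails only the MAC. Encryption of the file in transit is a separate control: it hides the content, but without a MAC or signature it does not by itself prove the content was not changed.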
Craft control reports to close the fraud loop
• Next-day recon
• Next-day statement
• Same-day reports
• Same-day ACKs
• Export & report
• Listing & audit trail
• Daily recon
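Closing the loop means the daily recon compares three things that should agree: what treasury released, what the bank acknowledged the same day, and what actually left the account on the next-day statement. Anything unexpected in any of the three (a rejected or unacknowledged payment, a debit with the wrong amount or counterparty, or a debit nobody released) is a fraud signal or a process failure. The following is an added example written for this page, not Kyriba's reporting logic; all three data sets are constructed. ACCP and RJCT are the ISO 20022 pain.002 status codes for accepted and rejected, used here only for realism.

```python
"""Daily reconciliation: released payments vs bank ACKs vs bank statement.

Added example; not Kyriba's code. All three data sets are constructed.
"""

# Constructed: what treasury released yesterday (pid -> (beneficiary, amount))
RELEASED = {
    "PMT-0001": ("ACME", 250_000.00),
    "PMT-0002": ("GLOBEX", 12_000.00),
    "PMT-0003": ("INITECH", 5_000.00),
}

# Constructed: same-day ACKs from the bank (pain.002-style status per pid)
ACKS = {"PMT-0001": "ACCP", "PMT-0002": "RJCT", "PMT-0003": "ACCP"}

# Constructed: next-day statement debits (end-to-end reference, counterparty, amount)
STATEMENT = [
    ("PMT-0001", "ACME", 250_000.00),
    ("PMT-0003", "INITECH", 5_000.00),
    ("UNKNOWN-77", "OFFSHORE LTD", 48_000.00),
]


def reconcile(released, acks, statement):
    """Return sorted (category, reference, note) rows; an empty list is a clean day."""
    debits = {ref: (bene, amt) for ref, bene, amt in statement}
    rows = []
    for pid, (bene, amt) in released.items():
        status = acks.get(pid)
        if status is None:
            rows.append(("no_ack", pid, "bank never acknowledged the payment"))
            continue
        if status != "ACCP":
            rows.append(("rejected", pid, f"bank status {status}"))
            continue
        if pid not in debits:
            rows.append(("no_debit", pid, "accepted by the bank but not on the statement"))
        elif debits[pid] != (bene, amt):
            rows.append(("mismatch", pid, f"statement shows {debits[pid]}, released {(bene, amt)}"))
    # The other direction is the cyber-heist signal: money left that nobody released.
    for ref, (bene, amt) in debits.items():
        if ref not in released:
            rows.append(("unexpected_debit", ref, f"{bene} {amt:.2f} was never released"))
    return sorted(rows)


if __name__ == "__main__":
    for row in reconcile(RELEASED, ACKS, STATEMENT):
        print(*row, sep=" | ")
```

On the constructed data the report shows two lines: PMT-0002 was rejected by the bank and needs re-processing through the normal approval path, and UNKNOWN-77 is a debit to "OFFSHORE LTD" that treasury never released, which is exactly the case the incident response plan has to cover.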
Where to start?
Be trained
Be demanding
Be smart
Rule in
Inquire
Check
Strengthen
Negotiate
Be aware
Contact Us
facebook.com/kyribacorp
twitter.com/kyribacorp
linkedin.com/company/kyriba-corporation
youtube.com/kyribacorp
slideshare.com/kyriba
kyriba.com/blog
020 7268 3499