Ask the Experts: Best Practices for Preventing Payments Fraud
- By AFP Staff
- Published: 8/8/2024
We asked the AFP community to submit their questions on payments fraud.
At an AFP Member Meet-Up, Tom Hunt, CTP, Director of Treasury Services and Payments, discussed a wide range of payments fraud questions with a panel of payments experts:
- Doug Knebel, Sr. Treasury and Risk Director, Proterra Powered LLC
- Sassan Parandeh, Treasurer, ChildFund International
- Chris Ward, Head of Enterprise Payments, Truist
What should be the policy for manual checks and check stock?
Knebel: At the companies I’ve worked for, the policy on check stock has always been very clear. It doesn't have to be complicated. It's really just a matter of where your check stock is stored and who has access to the keys, whether you're naming names or just naming roles or titles.
Your policy should also assign a dedicated printer for checks. Your system shouldn't be able to just print checks from any printer in the office.
Parandeh: If you are issuing a manual check, make sure you log into the bank and add it to positive pay. Otherwise, the check will bounce because the bank is doing the right thing and saying you didn't report it in positive pay. Also, make sure your positive pay does not default to automatic pay; instead, make sure they have to receive a response from your company to okay or decline the check.
Banks are pushing positive pay and payee positive pay, but the positive pay and payee positive pay products and processes are old, cumbersome, complex and expensive. Is there a Positive Pay 2.0 on the test track or on the drawing board?
Ward: I think there’s still value in positive pay. Your bank can validate and compare the posted checks to your issued check data. Any checks that do not match your data file are flagged as exceptions. You can even go one step further and add payee verification to your positive pay solution.
Parandeh: We use positive pay at my company. We have reduced the number of check issuances and have gone fully electronic as much as possible. So right now, we only have one check run probably every other week, and it comes to only about 150 checks.
Positive pay has been around for a long time, and I'm a little bit surprised by the insinuation that positive pay is cumbersome. Maybe for us it isn't because we don't issue our checks directly and aren't doing anything manually. We actually prepare a check file that is uploaded directly to the bank, and our settings for positive pay are already in there, so they mail the checks out for us with positive pay.
If you are someone who has a process that is truly cumbersome, keep in mind that it is a lot more cumbersome when you lose checks that you have to pursue and hope to recover. The bank is going to have to do you a favor because you chose not to have positive pay. So, I think positive pay is something that is critically important to adopt and implement.
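The positive pay mechanics the panel describes (the bank matching presented checks against the company's issue file, payee verification as an extra step, and a manual check that was never added to the file being flagged rather than paid by default) as an added worked example; this is illustrative code written for this article, not AFP's, the panelists', or any bank's software, and the check numbers, amounts and payee names are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    payee: str

def normalize_payee(name: str) -> str:
    """Case- and whitespace-insensitive payee comparison for payee positive pay."""
    return " ".join(name.upper().split())

def positive_pay_exceptions(issued, presented, payee_match=True):
    """Compare checks presented for payment against the company's issue file.
    Returns (check, reason) pairs for everything that does not match; with
    payee_match=True the payee name is verified as well (payee positive pay)."""
    issued_by_number = {c.number: c for c in issued}
    exceptions = []
    for p in presented:
        i = issued_by_number.get(p.number)
        if i is None:
            exceptions.append((p, "not in issue file"))   # e.g. an unreported manual check
        elif i.amount != p.amount:
            exceptions.append((p, "amount mismatch"))     # altered or counterfeit check
        elif payee_match and normalize_payee(i.payee) != normalize_payee(p.payee):
            exceptions.append((p, "payee mismatch"))
    return exceptions

def decide(exceptions, responses, default="return"):
    """Apply the company's pay/return answers to each exception. Anything the
    company did not explicitly answer gets the default, which should be
    'return', never automatic pay."""
    return {check.number: responses.get(check.number, default) for check, _ in exceptions}

# Constructed sample data: the issue file uploaded to the bank for one check run.
ISSUED = [Check("1001", Decimal("250.00"), "Acme Supply Co"),
          Check("1003", Decimal("1200.00"), "Beta Services LLC"),
          Check("1004", Decimal("75.50"), "Gamma Print")]
# Constructed sample data: checks the bank received for payment.
PRESENTED = [Check("1001", Decimal("250.00"), "ACME SUPPLY CO"),    # clean match
             Check("1002", Decimal("500.00"), "Delta Consulting"),  # manual check, never added
             Check("1003", Decimal("12000.00"), "Beta Services LLC"),  # amount altered
             Check("1004", Decimal("75.50"), "Gamma Printz")]       # payee altered
COMPANY_RESPONSES = {"1002": "pay"}  # treasury confirmed the manual check; others unanswered

def run_example():
    """Flag exceptions and apply responses; unanswered items default to return."""
    return decide(positive_pay_exceptions(ISSUED, PRESENTED), COMPANY_RESPONSES)

if __name__ == "__main__":
    print(run_example())
```

Running it shows the confirmed manual check paid and the two altered checks returned because nobody responded; turning payee matching off lets the payee-altered check through unflagged, which is why Ward calls payee verification the extra step.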
If check payments were an option in the past, how do you convert the more headstrong vendors or payees?
Knebel: It's a delicate situation. A lot of it depends on how crucial that vendor is to your operation. You also need to be aware that your actions could have consequences elsewhere within your company.
But if there are no restraints on you, I would suggest that you just play hardball with the vendor and tell them, “We don't write checks. If you're not willing to accept another form of payment, we're going to go elsewhere. We're going to buy your product or service from one of your competitors.”
Hunt: When procurement is sourcing vendors, early on in that conversation, have the payment format be written into the contract or the agreement. Be part of the solution ahead of time so treasury is thought of as a business partner.
What should the process be for an ACH payment that cannot be validated through account validation because the bank does not participate in GIACT or Early Warning?
Ward: No technology provider in this space has a hundred percent coverage. For the ones you can’t validate through the solution you’re using, you’re going to have to have a rock-solid other compensating control. It can't just be responding to an email or calling somebody. You have to actually know who you're doing business with and who you're interacting with on the other end.
The primary vector of fraud with business email compromise is asking to change banking information. So, for the handful of items you can't validate through a service, you might actually have to see the vendor in person.
Parandeh: At my company, regardless of what the system of verification is, we still demand that you call someone of record who you know and ask for a second verification. It's just part of our process.
I am a huge supporter of putting an interruption in one hundred percent electronic systems because fraudsters are counting on everything you do being electronic. This means every tool and every step within the process has to be a hundred percent correct. In other words, they have to be right once; you have to be right always.
When it comes to payment systems, the last thing in the world you want is to act in haste. In our policies, we have provisions in place that our staff are fully authorized to stop a payment and make it late. If you have questions, there is no consequence. This is in our written policy, and even our president and the chairman of the board of directors have to follow the internal control process. You have to go on the rail, and that rail has multifactor authentication and is only available through our VPN. That's verification, verification, verification, confirmation. It is inconvenient, but it is much better than losing millions.
Why are U.S. banks not confirming the match between the bank account and beneficiary?
Ward: In the U.S., it is not the practice, because of the regulatory framework, to do this in line with when the transaction is actually processing live. The irony is that fraudsters are actually good about not using the wrong name. So, in some regards, it doesn't feel as though it's a great protection relative to others.
How often do you recommend having your auditors, either internal or external, conduct a review of your internal controls?
Parandeh: Treasury uses itself as the eyes of the company. We report things all the time for our internal auditors to look into, and we ask them to review us. We want to know what is broken so we can fix it. Never take an audit as an attack against your department; it’s an opportunity for improvement.
We had a full review about three years ago, and on the cyber side, we’re going through a review of our electronic controls — both internal and external — which is being done by an external auditor.
There are aspects of this that happen every year when we go through our financial year. When external auditors come, we cooperate; they are our friends, not our enemies. I always say to give as much information as possible because even when it's reported to the board that there is a vulnerability, that's an opportunity for you to become better and stronger.
Ward: Money movement is probably one of the highest-risk things that occur in any company, so I would say, at a minimum, you should be audited for the high-risk portion of what's going on in the treasury function annually.
AFP Payments Fraud and Control Survey Report
The 2024 AFP Payments Fraud and Control Survey Report, underwritten by Truist, found that 80% of organizations were victims of attempted or actual payments fraud activity in 2023.
Copyright © 2024 Association for Financial Professionals, Inc.
All rights reserved.