The growing risk of payment transaction fraud

Business payment transactions are massive. In 2020, business transactions in the US alone were $23 trillion. By 2028, the value of business transactions worldwide is expected to increase to $200 trillion[1]. Such growth should make increasing the security of business payment transactions a priority.

The objectives of this research, conducted by Ponemon Institute and sponsored by Creednz, are to understand the vulnerabilities in organizations’ current payment transaction processes and if controls in place are effective in mitigating the risk. We surveyed 659 professionals in finance, accounting, treasury and risk and compliance. All respondents are familiar with their organizations’ approach to managing payment transaction fraud.

A key takeaway from this research is organizations’ lack of confidence in their existing controls and the ability to keep enough staff to address the risk of payment transaction fraud. Eighty-eight percent of respondents say their organizations had at least one payment transaction fraud in the past two years. The average cost of these incidents was $149,225. Seventy-six percent of respondents say it took more than a month to more than a year to discover and remediate these incidents.

As payment transactions grow, fraud is expected to increase. Fifty-four percent of respondents say fraud will increase significantly (23 percent) or increase (31 percent). The primary reasons are the increasing sophistication of fraudsters (59 percent), lack of resources and technology systems to proactively identify accounts payable/receivable fraud (56 percent), and vulnerabilities in business processes (53 percent).

“A manual process leads to fraud, and those that get blamed are the ones who literally clicked the ‘send’ button,” said Creednz Co-founder and CEO Johnny Deutsch. “It makes no sense in today’s world that technology isn’t being utilized and applied to prevent this in the first place. Creednz was built from the ground up to give finance teams the tools to fight back and protect against payment fraud and safeguarding corporate finances.”

The following findings indicate why payment transaction fraud is a growing risk.

Finance and Treasury may be considered most responsible for preventing fraud, but IT security/SecOps is in the accountability hot seat. Finance and Treasury are considered most responsible by 17 percent and 13 percent of respondents, respectively. The function considered most accountable for reducing payment transaction fraud is IT security/SecOps (34 percent of respondents).

Confidence in banks and current controls to prevent payment transaction fraud is low. Only 32 percent of respondents are confident or very confident that their banks would verify and stop a suspicious transaction and only 30 percent of respondents have confidence in their current controls.

IT security/SecOps and IT operations are most likely to get fraud-related alerts from their banks. IT security/SecOps (67 percent of respondents) and IT operations (55 percent of respondents) are most often notified about payment transaction fraud. Fifty-two percent of respondents say Finance and 37 percent of respondents say Treasury are likely to get fraud alerts. As discussed, IT security/SecOps is the function considered most accountable for preventing fraud.

Most organizations have experienced at least one payment transaction fraud incident in the past two years. Eighty-eight percent of respondents say their organizations had at least one payment transaction fraud incident in the past two years. More than half (51 percent) of respondents say their organizations had at least four incidents.

The average cost of these incidents (not including internal investigations, legal fees and fines and loss of shareholder confidence) was $149,225. Seventy-six percent of respondents say it took more than a month to more than one year to discover and mitigate these incidents.

Following the fraud, the primary step taken was to invest in technologies. Sixty-five percent of respondents say their organizations purchased technologies to reduce the time it takes to detect the fraud and technologies that would prevent business transaction fraud (63 percent of respondents). Only 44 percent of respondents say the fraud was immediately reported to senior management.

Concerns about the organization’s ability to be good custodians can damage reputations. The number one negative consequence following the fraud incident was damage to the organization’s reputation with business partners and consumers (60 percent of respondents). This is followed by non-compliance with regulations (51 percent of respondents) and loss of shareholders’ confidence (46 percent of respondents).

Keeping staff is the number one challenge to mitigating payment transaction fraud. Staff shortages (56 percent of respondents), the inability to systematically control risks created by third parties or vendors (54 percent of respondents) and the worry that staff would leave in the event of payment transaction fraud (51 percent of respondents) are the top challenges.

Organizations (69 percent of respondents) are most likely to use bank account access privileges to minimize payment transaction fraud. User entitlements determine the level of access to the banking application: a user must be entitled to an account before performing any task on it, and unless a user is granted full entitlements, the accounts each user can reach and the level of access to each are defined at the time the entitlements are granted.

Sixty-four percent of respondents say their organizations conduct a daily review and approval of all outgoing payment transactions, 61 percent of respondents say their organizations have added ACH blocks or ACH filters and 60 percent of respondents use multi-factor authentication.

Perceptions about the security of banking relationships, from the 46 percent of respondents who are in Corporate Finance and Treasury.

Almost half (48 percent) of corporate finance and treasury respondents say their organizations have bank accounts outside the US and Canada. Seventy-five percent of these respondents have a minimum of 21 to more than 50 bank accounts and 48 percent say these accounts are located outside of North America. Seventy-seven percent of respondents say bank accounts are located in EMEA, 69 percent of respondents say LATAM and 64 percent of respondents say Asia-Pac.

Review of user entitlements is not frequent. Sixty-one percent of respondents say their organizations review user entitlements. However, almost half (47 percent) of respondents say these reviews occur annually (23 percent) or as needed (24 percent). In addition, organizations are not auditing bank accounts as often as they should. Fifty-five percent of respondents say their organizations are auditing bank accounts to verify such factors as permissions, stale users and signatory rights policies. However, 68 percent of these respondents say they only conduct the audits quarterly (28 percent), annually (19 percent) or as needed (21 percent).

The inability to know all users with entitlement privileges is the most significant challenge to managing user entitlement privileges, according to 40 percent of respondents. Forty-one percent of respondents say there is no formal process to monitor changes to their user bank account entitlement process and 36 percent of respondents say monitoring is only done as needed. Only 23 percent of respondents say IT security is relied upon to monitor changes. Other challenges not as significant are the lack of information related to signatory rights (28 percent of respondents) or the inability to conduct regular reviews (27 percent of respondents).
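The entitlement model described above (users granted a defined level of access per account, with audits meant to verify permissions, stale users and signatory rights, and with an inventory of every user holding privileges) is easy to turn into a repeatable check. The following is an added example written for this summary, not code from the report or from Creednz; the entitlement export format, the 90-day thresholds and the sample users are all constructed assumptions.

```python
# Added example (not from the Ponemon/Creednz report): a bank-user entitlement
# audit over a constructed entitlement export. It flags the factors the report
# says audits should verify (full permissions, stale users, signatory rights)
# and whether each entitlement was reviewed within an assumed 90-day cadence.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Entitlement:
    user: str
    account: str
    level: str                     # "view", "initiate", "approve" or "full"
    signatory: bool                # user holds signatory rights on the account
    last_login: date
    last_reviewed: Optional[date]  # None means the entitlement was never reviewed

def audit_entitlements(entitlements, today, stale_days=90, review_days=90):
    """Return (user, account, finding) tuples for a reviewer to act on."""
    findings = []
    for e in entitlements:
        stale = (today - e.last_login).days > stale_days
        unreviewed = e.last_reviewed is None or (today - e.last_reviewed).days > review_days
        if stale:
            findings.append((e.user, e.account, "stale user"))
        if e.level == "full":  # can both initiate and approve: no dual control
            findings.append((e.user, e.account, "full entitlements"))
        if unreviewed:
            findings.append((e.user, e.account, "entitlement review overdue"))
        if e.signatory and (stale or unreviewed):
            findings.append((e.user, e.account, "signatory rights held by stale or unreviewed user"))
    return findings

def users_by_account(entitlements):
    """Inventory of every user holding any privilege on each account."""
    inventory = {}
    for e in entitlements:
        inventory.setdefault(e.account, set()).add(e.user)
    return inventory

# Constructed sample export (hypothetical users and accounts, not real data).
TODAY = date(2024, 6, 30)
SAMPLE = [
    Entitlement("alice", "ACC-001", "approve", True, date(2024, 6, 28), date(2024, 5, 1)),
    Entitlement("bob", "ACC-001", "full", False, date(2024, 6, 29), date(2024, 6, 1)),
    Entitlement("carol", "ACC-002", "initiate", True, date(2024, 1, 15), None),
    Entitlement("dave", "ACC-002", "view", False, date(2024, 6, 30), date(2023, 6, 1)),
]

if __name__ == "__main__":
    for user, account, finding in audit_entitlements(SAMPLE, TODAY):
        print(f"{account} {user}: {finding}")
```

Running the sample lists findings for bob (full entitlements), carol (stale, never reviewed, signatory) and dave (review overdue), and nothing for alice.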

The findings from all respondents are shown below.

Most organizations are concerned about potential fraud when making payments to third parties and vendors outside the US and Canada. Fifty-nine percent of respondents say payments are made to overseas organizations and 76 percent of respondents say they are concerned or very concerned about the potential of fraud when making payments to these regions. Of the 59 percent of respondents making payments overseas, 70 percent of respondents say payments are made to third parties in EMEA, 65 percent of respondents say LATAM and 55 percent of respondents say Asia-Pac.

The results of risk assessments determine how many payment policies are applied. Sixty-one percent of respondents say payment policies are applied consistently without consideration of risk, location and the length of time the relationship has lasted. However, 39 percent of respondents say payment policies are not applied consistently. Where payment policies are not applied consistently, 58 percent of respondents say the policies differ based on risk assessments. This is followed by 45 percent of respondents who say the policies applied are based on the location of the vendor/third party/contractor.

Most organizations are using a third-party service to validate bank account details. Only 36 percent of respondents say their organizations validate bank account details all the time. If they do validate, 64 percent of respondents say they use a third-party service. This may be due to the challenge of not having enough staff dedicated to mitigating payment transaction fraud. Forty-nine percent of respondents say a phone call is made to validate vendor bank account details.

Sixty-two percent of respondents say email is used to exchange account details with vendors/third parties/contractors and 59 percent of respondents use a more secure exchange through a vendor portal.

Concern about the corruption of the payment file is the reason many respondents are not confident in their vendor management vetting process. Fifty-two percent of respondents cite possible corruption of the payment file and 48 percent cite human error as the reasons the third-party vetting process is not reducing the risk of payment transaction fraud.

To read the full report, visit the Creednz.com website.
