Corporations Building Strong Defenses Against Payments Fraud

Fraud continues to be one of the most widespread and broad-based challenges corporations face in their payments operations, causing most organizations to institute policies and practices to protect themselves against check, ACH and credit card fraud. Increasingly corporations also must have strong internal controls in place and develop disaster recovery plans to mitigate vulnerabilities in their payment systems.

"Organizations today are engaged in a variety of initiatives to strengthen payments risk controls and protect the security, integrity and continuity of financial transactions," said Arlene S. Chapman, CTP, the Association for Financial Professionals' Senior Consultant, Technical Services. "They are building strong defenses against fraud, tightening internal controls over the payments process and testing disaster recovery plans."

Although many (68%) of the organizations responding to the survey were targets of payments fraud in 2005, only a minority actually lost money as a result of check and ACH debit fraud. An organization that was a victim of ACH debit fraud in 2005 was more likely to suffer a financial loss than an organization hit by check fraud. Twenty-seven percent (27%) of organizations that report an incident of ACH debit fraud lost money because of the fraud, as opposed to 19% of the victims of check fraud. Credit card fraud was more likely to result in a loss. The majority of organizations (54%) that experience fraud associated with accepting card payments suffer financial losses, primarily because they are a "card-not-present" merchant who assumes liability (e.g., online retailer).

The use of well established tools and services help corporations defend against payments fraud. Sixty-seven percent (67%) of organizations that successfully defended themselves from check fraud cite positive pay or reverse positive pay as the fraud control measure most responsible for the loss prevention. ACH debit blocks are most responsible for preventing losses by organizations who experienced debit fraud. Daily reconciliation or monitoring of balances and transactions was cited by almost as many respondents.

Corporations also must protect against internal fraud. As a result, most organizations have written payment controls plans. Most of these written payments policies provide for separation of duties and specifically identify the departments that are authorized to request and execute payments. While nearly nine out of ten organizations (88 percent) have a written payments policy, only 38 percent update their policies on an annual basis. Fifty-four percent (54%) of organizations made material changes to their payments controls as a result of Sarbanes-Oxley. Forty-six percent (46%) made no change; they are more likely to be organizations with annual revenues under $1 billion.

Organizations that strengthened payments controls as a result of Sarbanes- Oxley perform more frequent audits (28%), require additional approvals (26%), or require additional documentation related to payment requests (20%). To ensure compliance with payments control practices, 53% of organizations report that internal and/or external auditors perform surprise audits.

The Gulf Coast hurricanes last year highlighted vulnerabilities of many corporations' payments operations. Most organizations (75%) have written disaster recovery plans that would enable them to continue making and receiving payments in the event of a natural disaster or systems outage. However, more than one-third of them test their plans only infrequently and less than half (44%) have authorization and approval procedures specifically for employees working off-site or at home. Only 45% of organizations indicate that their banks have communicated their disaster recovery plans for processing payments in the event of a disaster at the bank.

The results are from an AFP survey conducted in February 2006 to highlight best practices for mitigating two categories of payments risk -- fraud risk and operating risk. The survey also was designed to increase awareness of actions that treasury and finance professionals can take within their organizations and in cooperation with service providers, to prepare for the unexpected. The 352 responses to the survey are the basis of the report. The typical respondent works for an organization with annual revenues slightly higher than $1 billion. A copy of the survey can be found at http://www.AFPonline.org/research.