“Woman Who Embezzled $10.2 Million Sentenced to More Than Six Years in Prison.”
According to court documents, the woman electronically transferred $10.2 million from payroll bank accounts to her personal bank accounts on more than 800 occasions. Could your organization be next?
When it comes to fraud detection, earlier is always better. Financial institutions offer a multitude of beneficial services that can strengthen fraud prevention controls and assist in detecting abnormal activity. Following are a few of the most commonly offered services.
- Positive Pay. Positive pay can be one of the most effective antifraud tools available today for check disbursements. Here’s how it works: when a check is written, a file is transmitted to your financial institution. This file contains important information about the disbursements, such as check number and amount. When checks are presented for payment at the institution, they’re compared against the transmitted file. If a check is presented that doesn’t match any of the checks in the file, it’s flagged as an exception item. You’re notified of all exceptions and given the opportunity to determine whether those exceptions should be paid.
There are two other services similar to positive pay: Automated Clearing House (ACH) positive pay and reverse positive pay. The difference with ACH positive pay is that it’s solely for ACH disbursements versus check disbursements. With reverse positive pay, the institution sends the transmittal list to you, and you must determine if there are any exceptions.
Generally, any form of positive pay will reduce the risk of unauthorized, altered, or forged checks — unless you don’t have the proper segregation of duties. If the same individual who creates the checks is also the individual responsible for authorizing the checks, he/she can easily include a fraudulent check in the transmittal list provided to the institution. Two individuals should be involved to realize the benefits provided.
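The exception matching that positive pay performs, together with the segregation-of-duties gate the paragraph above calls for, as an added example that is not part of the original article (the issue file, presented checks and approval log are constructed sample data):

```python
from decimal import Decimal

# Constructed sample issue file, as transmitted to the bank: {check number: amount}.
ISSUED_FILE = {1001: Decimal("250.00"), 1002: Decimal("1200.00"), 1003: Decimal("75.50")}

# Constructed sample of checks presented for payment: (check number, amount).
PRESENTED = [
    (1001, Decimal("250.00")),    # matches the issue file
    (1002, Decimal("12000.00")),  # amount altered after issue
    (1009, Decimal("500.00")),    # check number never issued
    (1003, Decimal("75.50")),     # matches
    (1001, Decimal("250.00")),    # same check presented a second time
]

def positive_pay_exceptions(issued, presented):
    """Return [(check number, amount, reason)] for every presented item the bank
    should hold for the customer's pay/return decision. An item is an exception
    when its number is not in the issue file, its amount differs from the issued
    amount, or that check number has already been paid once."""
    paid = set()
    exceptions = []
    for number, amount in presented:
        if number not in issued:
            exceptions.append((number, amount, "not in issue file"))
        elif amount != issued[number]:
            exceptions.append((number, amount, "amount mismatch"))
        elif number in paid:
            exceptions.append((number, amount, "duplicate presentment"))
        else:
            paid.add(number)  # clean match: pay it and remember that it was paid
    return exceptions

# Constructed approval log for the issue file: {check number: (created_by, approved_by)}.
APPROVALS = {1001: ("alice", "bob"), 1002: ("alice", "bob"), 1003: ("alice", "alice")}

def unapproved_issues(issued, approvals):
    """Segregation-of-duties gate run before the file is transmitted: a check that
    its creator also approved, or that has no approval record, must not be sent,
    because the bank trusts whatever is in the issue file."""
    return [n for n in issued
            if n not in approvals or approvals[n][0] == approvals[n][1]]
```

Running `unapproved_issues` on the sample flags check 1003, which alice both created and approved, before `positive_pay_exceptions` ever sees it at the bank.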
- ACH Debit Block. All electronic debits (drafts) against your account are held until you either accept or reject them. Every morning, your organization is provided with a list of pending ACH debits from the day before. You have a predetermined amount of time to identify which drafts to approve or deny. While it’s recommended that you review all pending drafts, a “default” decision can be set, allowing you to either automatically accept any drafts not specifically rejected or vice versa.
This service will generally prevent an unrelated third party from generating unauthorized electronic withdrawals from your account, even if the list is reviewed by only one individual. However, if you don’t have at least two individuals reviewing the list provided by the institution, this service will not prevent unauthorized debits from a scheming employee.
- Dual-Control Security. You can establish dual-control security for multiple banking activities, including the authorization of wire transfers and acceptance of changes to account information. With dual control, requests submitted by a predetermined administrator will require approval by a second predetermined individual within your organization before the request is performed.
While this will reduce the risk of a rogue employee initiating wires to personal accounts, the control is rendered entirely ineffective if employees collude. However, even when collusion overrides the control, a subsequent review of activities by a third employee will reduce the risk of this activity going undetected.
- Security Tokens. These are small electronic devices that generate authorization codes. Many devices generate a new code frequently, as often as every minute. The code is required in order to release your funds. All employees with wire transfer authorization receive their own tokens, and the codes generated are exclusively theirs.
The use of these tokens prevents unauthorized users from issuing wires. Additionally, the exclusivity of the codes allows your organization to identify who authorized individual wire transfers. However, if transfer activity isn’t reviewed by an individual separate from this process, the control will not mitigate the risk of fraudulent activity by an authorized user.
- IP Restrictions. You can provide your financial institution with a list of IP addresses that are authorized to log in and conduct banking operations. Users will be denied access if they try to log in from an IP address not on the list you provided.
This will reduce the risk of non-employees obtaining online banking access and deceitful employees gaining unauthorized access to your accounts should they obtain your login information. However, if activity isn’t reviewed by an individual separate from this process, the control won’t mitigate the risk of malicious activity performed by a user logging in from an authorized IP address.
As you evaluate whether to begin using these tools, keep the following considerations in mind:
- Not all tools are appropriate for all organizations, so be sure that the tool you select is relevant to your operation prior to investing in it.
- These tools may involve an additional fee from your financial institution. What’s the cost of the tool versus the benefit?
- These tools work best as an additional layer of protection on top of a strong foundation of internal controls. The Association of Certified Fraud Examiners 2012 Report to the Nations stated that the majority of reported frauds are due to a lack of internal controls. Do you have adequate internal controls to help ensure the effectiveness of the tool?