Strategy for Reducing Payment Risks
Payment is defined as the transfer of value from the payor to the payee in exchange for a product or service. As simple as it sounds, payment data risks for companies continue to increase due to the complexity and sophistication driven by technology and the various options now available to make payments. Evolving regulation and compliance requirements also expose companies to greater financial losses, which can impact their reputation as well.
The payment process normally involves five steps: creating an obligation, approving that obligation for payment, initiating and executing that payment, funding and settling that transaction, and lastly reconciling that transaction.
Businesses are inherently in danger of the risks associated with these five steps in the payment process. Losses can occur regardless of the payment method used (i.e., checks, electronic or credit cards). To minimize and mitigate payment risks, a business must implement proper governance policies and procedures to identify and describe risks, which will involve setting up guidelines and risk management practices that are best suited for their business.
When a business initiates and executes a payment, the payee’s (beneficiary) banking data is needed, which is typically collected in advance and stored in a system. Having a controlled process for collecting, storing and maintaining accurate and complete payee (beneficiary) master data is essential in managing the risks associated with beneficiary master data management. Having a good understanding of the drivers and the risks associated with beneficiary master data is critical when setting up guidelines to manage them.
Top Payment Risks & Reasons
A couple of areas that require careful focus and consideration are the process of collecting the beneficiary’s banking data and regulatory requirements. Businesses often don’t have a formal and automated process in place for payee onboarding and collecting beneficiary master data.
Emails and phone calls are still widely used, which can be inefficient, prone to error, and expose a business to the risk of fraud. Incomplete and inaccurate beneficiary master data will cause the payment to fail, which will require rework and may incur a financial loss with interest and penalties because of non-payment on its due date.
Companies must also use caution while navigating the regulatory requirements for validating the payee in real time. For a business that operates under United States jurisdiction, the company, its subsidiaries, and affiliates must comply with the Office of Foreign Assets Control (OFAC) rule globally. Before entering into a contract during the payee onboarding and payment execution processes, it is critical to check the Specially Designated Nationals (SDN) list for the name of the person or entity with which the business is dealing. Some companies rely on third parties such as banks to perform payee validation, and don’t have their own process in place to take on this task internally, exposing them to a risk of non-compliance. The company may end up making a payment to an SDN-listed payee in violation of OFAC requirements, and face sanctions and penalties as a consequence.
Additional risks related to beneficiary master data include the lack of a secure and automated process, using multiple methods to collect master data, storing that data in multiple systems, and having a lack of ownership (data stewardship). These may result in erroneous, incomplete, and duplicate data. The risk of outdated data and the potential for someone to commit fraud heighten when there is no master data governance process in place within the overall payment process.
Taking a proactive approach to managing beneficiary master data is crucial, and companies must implement measures to mitigate risks to prevent financial losses due to not having an effective data governance process.
Governance & Mitigation Strategies
The first step in creating a payment risk management strategy involves understanding risks that businesses are exposed to throughout the payment process steps. The next task is designing solid payment governance principles with policies and procedures to manage payments effectively across the company.
In relation to beneficiary master data, businesses must implement a formal process and have a platform for payee onboarding and collecting the payee’s banking data. The established policies and procedures should ideally require all beneficiaries to submit their master data via the company’s designated secure online portal. The company will receive data directly submitted by beneficiaries in an automated fashion and there will be less reliance on emails and phone calls, minimizing the chances of errors and risk of fraud.
Having the capability to periodically acquire and maintain the SDN list within the system where beneficiary data is stored will help to check a payee’s status when needed to comply with OFAC regulations. Before the company enters into dealings with a third party, it is critical to check the SDN list for the name of the person or entity with which the company is dealing.
A workflow process within the payment system should be set up for payee validation during onboarding and when processing the payment, to ensure that a payee is screened against the government list before they are set up for payments in the system. The search tool should be maintained in the system where the payee records are entered and maintained for payments. Any form of payment to a party listed on the SDN list should be strictly barred.
Teams where payment obligations originate normally submit requests to the payment processing team. Teams that are obligated to pay should be responsible for ensuring accuracy of data and approval by authorized individuals, and the requests should be submitted through a centralized platform. Each team responsible for processing payments (i.e., Accounts Payable, Payroll, and Treasury) should be accountable for performing transactional due diligence that complies with company protocols via the payment data governance process.
The company staff who are responsible for managing payee data should not be involved in the payment initiation and execution processes. The data governance process should also have a change management procedure in place to update and maintain master data, in which a periodic review of the data is performed to remove outdated, duplicate, and ghost payees. All changes to payee data where updates are not made directly by the payee should be validated with a payee callback. Changes to payee banking data should require dual approval.
Clearly designed policies and procedures to manage payments must incorporate payee data management guidelines that define preventive and detective controls to prevent fraud and make the payee onboarding and data maintenance processes more efficient. Company processes focused on using a single source system, with controls regarding the integrity of payee data, segregated duties, and data security protocols, should be able to combat fraud more effectively.
About the Expert:
Treasury Advisory Practice Lead
Sudeep Sharma is a seasoned treasury professional with over 22 years of experience in both corporate treasury and treasury advisory practice. He is a Certified Treasury Professional (CTP) and brings strong project management, technical, and consulting skills with solid experience in treasury business and process modeling and process improvements advisory.