Remote working: security & efficiency for corporate finance teams
Large sections of the Australian economy are now working from home or in remote locations. Corporate Australia has had to quickly shift operational processes and adjust to new work from home arrangements, many for the first time.
Employees who normally sit next to each other at the office are now widely distributed geographically and time-shifting their work hours.
Rapid operational and process changes can expose new areas of risk for corporates in relation to payment security and authorisation processes. This can mean our customers are more vulnerable to fraud, giving fraudsters potential weak links to exploit.
Internally, organisations across Australia should be taking steps to ensure that controls and governance over individuals' access rights for key IT platforms and systems are rigorous and remain appropriate for the needs of the business today.
From a banking perspective, centralisation and standardisation of banking services is an important factor both to drive efficiency and to ensure appropriate risk controls and oversight of the day-to-day financial function of the business.
But what does that mean for our customers and corporates trying to rapidly adjust to new practices during the current crisis?
Review banking platform setups
All major banks today offer hosted platforms, accessible by up-to-date web browsers from any modern PC or from a mobile banking app. For NAB, the three most basic risk controls include login rights, payment authorisation and administration rights. Put simply, anyone who can release value (payments) or make configuration changes to the platform (administration) needs to enter a one-time-use token number (created from either a physical device or a mobile app).
Given the current crisis, corporate finance teams need to review the access and authorisation models in place for their banking and payments functions.
Some initial questions to consider include:
- Are there enough authorisers available for timely review and payment release?
- Are there enough platform administrators available?
- For the number of approved authorised users, are there enough available to cover business needs during the crisis if some become unavailable?
- Have they each tested that they can access and navigate the banking platform from their new location?
- Are authorisers made aware of the need to review and authorise in a timely fashion?
- Do any need physical (or software) tokens arranged? Can they be quickly provisioned with a mobile token via a smart phone app offered by their transactional banking provider?
- Are there any payment processes that are concentrated in a few key individuals (e.g. high-value payments)? What is the back-up plan for making such payments if those individuals are unavailable?
- Is the payment authorisation review model appropriate? (e.g. if a business has been relying on other physical review mechanisms (perhaps a pile of printed approved invoices), then this potentially will not do under a remote working scenario).
- Is it appropriate to introduce another authorisation step to ensure appropriate review? Or is there a digital summary that can be provisioned from the originating payment system to match the loaded payments against? In any case, this type of process review is appropriate.
For payment files, it’s important for customers to consider also how these will be loaded into the platform.
For instance, if these files are being saved and moved via a personal computer in a remote working situation, it presents an operational risk for fraud. A flat text payments file is very easy to manipulate before being loaded into the banking platform and the small change of a BSB and account number can pass undetected through authorisers.
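The check below is an added example, not NAB's or any platform's own code: it matches the payee details in a flat payment file against a summary exported by the originating payment system, so an edited BSB or account number is flagged before authorisation. The function names are hypothetical, the sample records are constructed, the field offsets assume the commonly published ABA detail-record layout, and the summary is assumed to reach the reviewer through a channel separate from the file.

```python
from collections import Counter

def detail_line(bsb, account, cents, name, ref):
    """Build one constructed 120-character type-1 (detail) record."""
    line = ("1" + bsb + account.rjust(9) + " " + "53" + f"{cents:010d}"
            + name.ljust(32) + ref.ljust(18) + "000-000" + "0".rjust(9)
            + "EXAMPLE PTY LTD".ljust(16) + "0" * 8)
    assert len(line) == 120
    return line

def parse_details(file_text):
    """Return (bsb, account, cents) for every detail record in the file."""
    payments = []
    for number, line in enumerate(file_text.splitlines(), start=1):
        if not line.startswith("1"):
            continue  # header (0) and trailer (7) records carry no payee
        if len(line) != 120 or not line[20:30].isdigit():
            raise ValueError(f"malformed detail record on line {number}")
        # Assumed offsets: BSB 2-8, account 9-17, amount in cents 21-30.
        payments.append((line[1:8], line[8:17].strip(), int(line[20:30])))
    return payments

def reconcile(expected, file_text):
    """Compare the file against the originating system's payment summary."""
    want, got = Counter(expected), Counter(parse_details(file_text))
    return {"missing": sorted((want - got).elements()),
            "unexpected": sorted((got - want).elements())}

# Constructed summary, as exported by the originating payment system.
EXPECTED = [("083-004", "123456789", 150000), ("062-000", "98765432", 25000)]

CLEAN = "\n".join([
    detail_line("083-004", "123456789", 150000, "SUPPLIER ONE", "INV-1001"),
    detail_line("062-000", "98765432", 25000, "SUPPLIER TWO", "INV-1002"),
])
# Same file after one payee account number was edited; the amounts are
# unchanged, so a total-only check would still balance.
TAMPERED = CLEAN.replace("98765432", "98765433")

if __name__ == "__main__":
    print(reconcile(EXPECTED, CLEAN))
    print(reconcile(EXPECTED, TAMPERED))
```

Because the comparison is on BSB, account number and amount together, it catches a redirected payment that leaves the file total untouched.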
A review of the number of payments being created manually in the banking platform by your employees could also be useful. Modern banking platforms today can integrate directly with your ERP and accounting platforms to automate payment instructions using host-to-host connectivity. This type of process uses the industry standard *.ABA file format for domestic payments and would be available as standard functionality within most core finance platforms today.
Direct connectivity between the business systems creating the payment file and the bank reduces the manual effort for payment creation and acts as a risk mitigation against manual manipulation of files. Further, any return reporting (e.g. for reconciliation) can be automated back into business systems as required, further reducing work effort for staff.
Longer term, other solutions that can reduce manual work effort for your employees could be considered. As an example, your business may be regularly manually reconciling the operational bank account for EFT payments received against open invoices. Our experience is that there is typically inconsistent data quality on the payments received and, subsequently, manual effort for bank reconciliation. A virtual account reporting solution would potentially reduce this effort, with no change to customer payment type.
Working remotely presents a range of operational issues that need to be dealt with in a short space of time. Australia is already seeing fraudsters targeting businesses and exploiting the crisis.
Put simply, a payables team member who is used to in-person contact with their team may suddenly be dealing primarily with internal email requests for payment creation. A malicious actor in this new arrangement can potentially go undetected, risking large financial losses for the business. An appropriate review of the current access and governance controls for key systems and banking platforms is therefore critically important.
It is important to remember that system-based controls are typically only access control measures. Under rapidly changing working practices, our customers need to be hyper-vigilant for the broader threats that exist for payables fraud.
To discuss potential opportunities for further automation or efficiency measures for your organisation both now and into the future, please contact your local NAB Transaction Solutions Specialist.
- The NAB Connect help page contains a range of guides, step by step instructions and any required forms for amendment requests.
- A new Self Help section within the help section contains tips and timesavers for some of the most common questions the NAB Connect helpdesk receives.
This material has been prepared by personnel in the Corporate and Institutional Bank division of National Australia Bank. It has not been reviewed, endorsed or otherwise approved by, and is not a work product of, any research department of National Australia Bank and/or its affiliates (“NAB”). Any views or opinions expressed herein are solely those of the individuals and may differ from the views and opinions expressed by other departments or divisions of NAB.
Any advice contained in this material is general and does not take into account your objectives, financial situation or needs. You should consider whether the advice is suitable for you and your personal circumstances.
This material is intended merely to highlight market developments and is not intended to be comprehensive and does not constitute investment, legal, accounting, hedge accounting or tax advice, nor does it constitute an offer or solicitation for the purchase or sale of any financial instrument or a recommendation of such product or strategy.
©2020 National Australia Bank Limited ABN 12 004 044 937