There are bad days. And then, for corporate treasury professionals, there are really bad days.
The kind of days when systems go dark, cyberattacks run rampant and managing cash flow is akin to flying a plane without instrumentation.
In the latest Treasurer’s Need to Know series, Mark McNulty, who serves as managing director, head of clearing and FI payments at Citi, told Karen Webster that security must always be top of mind. After all, he said, “the risks of running a corporation, and specifically of executing a number of financial functions, are greater than they ever have been before.”
The Two Categories of Risk
Those risks fall into two broad categories, he told Webster.
“First, there’s good old-fashioned fraud,” he said, “which is alive and well, is not going away and continues to increase.”
Alongside that risk, he said, exists the danger of cyberattacks, where attacks are also growing in number and scope — and where motives and objectives can be diverse, ranging from stealing customer data to stealing money to simply causing disruption.
And yet even with those heightened dual risks, corporations across the banking ecosystem cannot afford to trade off convenience for the sake of security, or vice versa. As he told Webster, a balancing act materializes.
As payments professionals seek to remove friction from the payments experience, they must also be mindful of the impact security has on the process.
“We need to implement the right controls based on the innovations, and the enhancements that are happening in the markets,” McNulty said.
Such concerns about external threats — and balancing acts focused on minimal friction — are especially urgent when it comes to faster payments, he said.
In a world that is increasingly moving toward real-time and instant flow of funds, faster settlement of transactions means that a fraudster or cyberattacker has a greater chance of getting away with ill-gotten gains. As funds move across banks, from account to account, they can be hard to track.
Thus, treasurers need to beef up controls at transaction endpoints, he said. There’s also a heightened importance, in a world where payments are getting faster and faster, on establishing recovery protocols at banks and corporates for when payments do go awry.
The earlier a fraudulent payment is identified, the greater the chance to recover funds, he said, especially with robust communications and documentation flowing between banks and corporates. Constant, real-time intelligence in essence creates a positive domino effect of fraud prevention.
Lines of Defense
McNulty noted that the focus on increasing security and controls across the financial ecosystem has become more collaborative, with positive results.
He cited the example of the U.S. body dedicated to information sharing among financial institutions, with a cyber focus — the Financial Services Information Sharing and Analysis Center. Through that center, institutions are able to give each other “heads ups” about attacks and concerns as they occur.
He cited other risk-reduction programs that cut across the banking ecosystem, including SWIFT’s customer security program, which mandates that every institution, including corporates, connected to the payment messaging system have a minimum set of controls — and participants need to attest to the controls that are in place.
In addition, SWIFT gpi represents a significant upgrade in transparency and how banks communicate with one another, he said. SWIFT gpi has digitized the inter-bank processes for stopping and recalling payments that have been sent in error and standardizes how messages are routed and delivered. As a result, he said, recall messages are delivered to the right banks in the shortest amount of time, which can increase the chance of successfully recovering fraudulent payments.
There’s also value to be found through enhanced messaging capabilities with the ISO 20022 standard. McNulty said the standard is the norm among instant payment schemes taking shape around the world — and beginning in 2021, the migration of major RTGS systems to that same standard will foster greater interoperability.
Gearing Up for the Worst Days
All of these trends — toward information sharing, digitization of processes and interoperability — will help treasurers and payments executives grapple with the “worst day” scenarios that lie ahead.
Those are the dark days — literally, where entire operating systems go dark. Past experiences have taught corporate payments professionals to institutionalize processes, said McNulty, including documentation that directs various professionals within a firm who to contact, when to contact them and who has decision-making authority across a multitude of urgent situations.
Back to Basics
The best non-technological defense mechanisms can often be traced to what might be thought of as housekeeping, said McNulty, but it’s housekeeping that needs to be prioritized and constantly kept up to date. Centralization of treasury functions can be a powerful enabler to ensure that the right controls and contingency processes are applied consistently.
For treasurers, that means making sure that, if systems are down, they know how to instruct transactions that need to move with their bank through alternative means, and ensuring clarity exists on where the chain of command lies in a crisis.
That mindset goes well beyond firewalls and other technological defenses against threats, and in the case of fraud prevention, proactivity includes such measures as ensuring there is robust validation of customers at the onboarding stage and before payments are made, said McNulty.
In prepping to prevent and prepare for those bad days, he said, treasurers need to embrace the mantra “protect, detect and respond” continuously through their operational processes and procedures as they seek to improve security.