Payment Fraud what are potential risks and how can they · 07/01/2020 · Blend cyber with fraud,...
Treasury Webinar Payment Fraud – what are potential risks and how can they be mitigated
2nd July 2020
Introduction to speaker
Webinar speaker
Peter Nobs, Head Treasury Advisory Services, Deloitte Switzerland
Tel: +41 79 296 5797
Klaus Julisch, Cyber Lead & Partner Risk Advisory, Deloitte Switzerland
Tel: +41 77 438 9207
Alexander Hänsel, Manager Solution Architect, Serrala
Tel: +49 172 454 09 87
Agenda
09.00h | Welcome & Introduction
Peter Nobs, Head Treasury Advisory Services, Deloitte Switzerland
09.05h | Cyber Security
Klaus Julisch, Partner Risk Advisory, Deloitte Switzerland
C-Level introduction to cyber security, covering how cyber threats affect organizations and how senior executives can think strategically about cyber security. The objective is to enable them to better oversee and manage cyber risks in their organizations.
09.30h | How to achieve more protection with state-of-the-art technology
Alexander Hänsel, Manager Solution Specialist, Serrala
The world of payments has become more complex than ever. It is therefore increasingly important to use state-of-the-art technology to support a company's payment processes safely and on time; topics such as "cloud" and "managed services" play a vital role. Companies face sophisticated challenges from increasing fraud mechanisms and attempts.
10.00h | Q&A Session
10.15h | End of the webcast
© 2020 Deloitte AG. All rights reserved.
Introduction to Zoom
How can you interact?
Optimizing your view
• To optimize your view, you can toggle between speakers and slides by clicking on the button in the right top corner
Ask questions
• You can use the “Q&A box” to ask your questions during the first part, please do so using your name (not “anonymous”)
On sound
• Everyone is on mute by default in the beginning of the webinar
• During the second part of the webinar, you can click on the microphone icon on the bottom left to unmute yourself to comment / ask questions
Chat for technical difficulties
• If you have any technical difficulties or require assistance with Zoom, please write to Eleonora Zelger in the Chat box and she will try to help you as soon as possible.
Webinar support
Kristina Gjini, Facilitator
Eleonora Zelger, Zoom Master
Cyber Risks
What questions must the C-Suite ask itself
Dr. Klaus Julisch, Managing Partner, Risk Advisory
Threats are Intensifying
• 78%: Increase in supply chain attacks in 2018
• 14 seconds: How often a business falls victim to ransomware
• 90%: Portion of attacks that begin via phishing or other social engineering tactics
• $1 Trillion: Estimated annual cost of cyber crime to the economy
So, what is Holding us Back?
• Denial / being naive (“not me”, “not now”, “just media hype”)
• Underestimating the critical dependence on IT & Digital
• Hope that IT will do it
• Long delays between today’s inaction and tomorrow's damage
• Technical complexity and difficulty of understanding / leading cyber
Technical Complexity
Setting Priorities
Being clear on the business impact we seek to avoid
• Destroy Value Permanently: Services without sufficient resilience can be destroyed without hope of recovery
• Erode Reputation & Trust: Clients: loss of sensitive data; Regulators: market confidence; Suppliers: collateral damage
• Deplete Assets: Recovery time and costs; lost sales, penalties, regulatory / legal fines; stolen assets (cash, IP, etc)
• Disrupt Operations: Direct loss of productivity (employees, platforms unable to function) and indirect loss due to effort of incident response
• Extinguish Presence: Attacks* with sufficient ferocity and speed can overwhelm organisations to a point where recovery is not possible, causing business collapse
Setting Ambition
Being clear on the calibre of attacker capabilities we want to withstand
• Contagion: Like third-party risk, on a larger scale. Where the attack doesn’t stop at the target; it spreads indiscriminately between organisations, with no direct link between the origin and ultimate victims.
• Nation States: Sophisticated, dedicated cyber teams. Focus on defensive and increasingly offensive campaigns. Some states engage in industrial espionage for strategic goals, and cyber crime to raise funds.
• Employees: Constantly targeted as a weak spot. Being inside the business often means fewer protective measures apply and impacts are greater. Also includes disgruntled employees, or accidents by employees.
• Third-Parties
• Org. Crime: Sophisticated capabilities, ongoing investment and advancement. Blend cyber with fraud, money laundering, identity theft, drugs and human trafficking to maximise profits. Evade prosecution by leveraging trans-jurisdictional operations.
• Terrorists
Choosing a Defense Paradigm
Trading off security vs. cost
[Diagram: threats lead to an incident, which leads to consequences]
• Prevention: Stop the incident
• Detection & recovery: Stop the consequences
Balancing Control Types
Avoiding the fallacy of “overdoing” technical defenses
• Technical, static: Preventative technical controls
• Technical, dynamic: Technical IR (SOC, Hunting, IOC, dynamic architecture, etc.)
• Organizational, dynamic: Crisis management
• Organizational, static: GRC, risk mgmt., risk acceptance, etc.
Doing the Work
Now that priorities are clear, work can start
Current (red) & target state (green)
Cyber capability catalogue
Plan and deliver change
Outlook: The Changing Threat Landscape
Collateral damage – you don’t have to be a target to become a victim
Disruption rather than monetary gain as a motive, and changing diplomatic norms
Supply chain attacks
Proliferation of nation-state cyber weaponry & changing diplomatic norms
Convergence of crimes: Cyber, fraud, AML, physical, and social
Thank you!
Cyber is about starting things. Not stopping them.
Sparking the confidence that builds the freedom to create.
How to achieve more protection with state-of-the-art technology
Smart & Secure Payment Management with Serrala FS² solution
FS² Payments Solutions – Universal, SAP Integrated
1. Payments challenges & needs
2. SAP integrated solution approach
Payments Challenges & Needs
• Fragmented, manual processes: Streamline & digitize “paper based” flows on a central platform.
• Risks of late payments: Reduce the risk of late payments with automation & real-time status monitor.
• Formats & bank connectivity: Outsource all format & connectivity needs to our experts.
• Visibility: Monitor the full payment lifecycle & all bank account activity.
• Fraud & Compliance: Proactively control risks with fraud & compliance screening.
Solution Approach
FS² Payments – Universal Payments at a Glance
Standardize and Centralize
• Integrates in SAP, leveraging your master data and procedures.
• Allows inclusion of all ERPs for centralized visibility and control.
• Delivers end-to-end payments workflow with true straight-through processing.
• Provides SAP drill-down to original journal postings.
• Unifies all payment processing on one platform: payment runs, manual payments, approval workflows, status monitoring….
• SAP FIORI ready, delivers full dashboard transparency.
Be future-proof
• Combines on premise advantages with cloud agility.
• Outsource formats and bank connectivity to our experts for fast expansion to group-wide coverage.
• Choose between SWIFT, H2H, EBICS. Easily adopt API for instant payments and other bank information.
• Build out your payment factory with payment optimization functionalities.
• Extend in-house banking services with POBO (payments on behalf).
• S/4HANA ready when you want to upgrade.
Protect and prevent
• Ensures end-to-end security, through tight integration and encryption.
• Automated real-time fraud checks on every single payment.
• Stops illegal payments through compliance screening.
• Customized separation of duty and approvals.
• 2 factor authentication via tokens or mobile app.
• Provides full audit and payment lifecycle tracking.
Fraud & Compliance integrated within FS² Payments
Compliance screening
Our definition
• Establish a single point of information / source for all payment files from multiple sources (e.g. SAP FI, TRM, IHC, FS² modules, external sources)
• Standard connectivity to external compliance providers (e.g. ID.prove, DNB, Bisnote, etc.)
Our solution
• Extract required information from payment files and send it to the compliance provider
• Real-time processing of provider feedback
• Integration into payment approval workflow
Fraud screening
Our definition
• Establish a single point of information / source for all payment files from multiple sources (e.g. SAP FI, TRM, IHC, FS² modules, external sources)
• Screening process based on pre-defined rules (patterns) to identify suspicious payments
Our solution
• One single solution integrated in the central SAP environment
• Preset of Fraud detection rules
• Engine to design customer specific Fraud detection rules
• Fully integrated within payment approval workflow
Scoring & Fraud Monitoring Processes
Based on the calculated total score of a payment, the possible follow-up processes are defined.
• Fraud Alarm 1: The entire file is passed to the Fraud Monitor for checking
• Fraud Alarm 2: Identified single payments are transferred to the check
• Fraud Alarm 3: Fraud suspicious payments are placed in the fraud report
• Fraud Alarm 4: No fraud, normal process will persist
Fraud Monitor
Fraud suspicious payments are fetched from the usual release process and require an additional check. Separate approvers check the payments and decide whether or not the payment may be executed.
Fraud Report
All fraud-identified payments are displayed in a report.
Exception Lists
Certain regular payments can be identified by the fraud check. These payments can be defined in exception lists in order to exclude these payments from the regular fraud review.
Flexible integration in overall process
It is possible to flexibly decide at which point of the process the fraud check and follow-up processes are carried out.
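Added example (not part of the original slides and not Serrala's code): a small rule-based scorer that sums rule weights per payment, honours an exception list, and routes the result to the four Fraud Alarm levels described above. The rules, weights, thresholds, the file-level share for Fraud Alarm 1 and all payee and account values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    payee: str
    iban: str
    amount: float

# Constructed sample data: accounts already on file per payee (stand-in for master data).
MASTER_DATA = {"Acme GmbH": {"DE-CONSTRUCTED-0001"}, "Landlord AG": {"CH-CONSTRUCTED-0001"}}
# Exception list: regular payments excluded from the fraud review.
EXCEPTION_LIST = {("Landlord AG", "CH-CONSTRUCTED-0001")}

# Hypothetical pre-defined rules: (name, weight, predicate). Weights are assumptions.
RULES = [
    ("bank_account_not_in_master_data", 50, lambda p: p.iban not in MASTER_DATA.get(p.payee, set())),
    ("high_amount", 30, lambda p: p.amount >= 50_000),
    ("round_amount", 10, lambda p: p.amount >= 1_000 and p.amount % 1_000 == 0),
]

def score(p):
    """Return (total score, names of the rules that hit) for one payment."""
    if (p.payee, p.iban) in EXCEPTION_LIST:
        return 0, []
    hits = [(name, weight) for name, weight, test in RULES if test(p)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def payment_alarm(total):
    """Map a total score to Fraud Alarm 2, 3 or 4 (thresholds are assumptions)."""
    if total >= 60:
        return 2   # pulled from the release process, separate approver decides
    if total >= 30:
        return 3   # listed in the fraud report
    return 4       # no fraud, normal process

def screen_file(payments, file_share=0.5):
    """Return (file-level alarm, per-payment alarms) for one payment file."""
    alarms = [payment_alarm(score(p)[0]) for p in payments]
    # Fraud Alarm 1: enough payments need a check that the whole file is held.
    if alarms and alarms.count(2) / len(alarms) >= file_share:
        return 1, alarms
    return min(alarms, default=4), alarms

if __name__ == "__main__":
    batch = [Payment("Landlord AG", "CH-CONSTRUCTED-0001", 60_000.0),
             Payment("Acme GmbH", "XX-CONSTRUCTED-9999", 75_000.0),
             Payment("Acme GmbH", "DE-CONSTRUCTED-0001", 52_300.5),
             Payment("Acme GmbH", "DE-CONSTRUCTED-0001", 120.4)]
    for p, a in zip(batch, screen_file(batch)[1]):
        print(p.payee, p.amount, score(p), "-> Fraud Alarm", a)
```

Note that the exception-listed payment scores zero even though it exceeds the amount threshold, which is why changes to an exception list deserve the same separation of duties as payment approval.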
Integration of the Fraud functionality within FS² Payments
[Process diagram. Lanes: Customer, FI, FS² Payments, Bank. Steps shown: Invoice Processing; Generate Payment file (F110 / F111); Payment file import; Fraud Check; Fraud Monitor; Fraud investigation; Payment approval process; Transmission. Branch labels: Hit; No hit or no sufficient score; check: OK; Suspicious to Fraud “Compliance”; Rejection & Reversal.]
Target Operating Model
Flexibly implement all functions needed to centralize payment processing
The Serrala Cloud provides out of the box connectivity and collects all important files
• Global Payment Factory: Central control, optimization & POBO
• Payments Processing: All payment types using any method
• Workflows: Customizable payment workflows
• Hybrid Cloud: Combines cloud with on premise
• Real-Time Analytics: Achieve full transparency
• Fraud & Compliance: Stops and reviews all suspicious payments
[Architecture diagram. Source systems: Other SAPs, Other ERPs, HR systems, TMS, HR. SAP Environment with FS² Payments (Leverage all SAP set-up). Serrala Cloud, Payment as a Service. Banks: Bank A, Bank B, Bank C, Bank n. Flows: Payments (Send SAP iDOC, Bank-Ready, Payment Data, Confidential); Account statements; Payment Statements.]
Features & Key Take Away
Monitoring
• Monitor all cash flows (inbound and outbound) at a glance
Workflow Standardization
• Centralize and standardize process flows, while still maintaining decentralized operations.
Security & Auditability
• End manual file handling and segregated systems for payment processing. All information is collected and processed in one trusted system (SAP)
Direct Postings
• Standardized SAP FI connect
• Automatic posting of intercompany payments without any required interface
Central Payment Hub
• Eliminate existing bank portals and/or software, and centralize bank format creation and connectivity.
Fraud & Compliance
• Screen and secure external payments to the maximum. Ensure that payments comply with sanction and embargo rules and regulations.
Automation
• Reduce manual processes to a minimum
Flexible Scalability
• Scalable from domestic usage up to International Payment Factory
Contact us to find out more!
Alexander Hänsel, Manager Solution Architect
+49 (172) 454 098 7
serrala.com
This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte AG accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
Deloitte AG is an affiliate of Deloitte NSE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NSE LLP do not provide services to clients. Please see www.deloitte.com/ch/about to learn more about our global network of member firms.
Deloitte AG is an audit firm recognised and supervised by the Federal Audit Oversight Authority (FAOA) and the Swiss Financial Market Supervisory Authority (FINMA).