Financial departments are the prime targets of fraudsters and must constantly strengthen their protection measures. But what if the key to preventing fraud was better management of third-party data, with that data both enriched and continuously updated? Although companies are aware of these risks, they still struggle to apply an appropriate data management model. By managing third-party controls dynamically, financial departments can thwart the multiple facets of these risks, including identity theft, the number one threat to companies today. Ensuring control of third-party data is now an essential step. Find out in this article how optimizing your data management strategy can help your company fight wire transfer fraud.
Third-party Data Management: a priority issue
The security of third-party data requires a dynamic approach and real-time updating. Indeed, a third party’s information may change over time. In this context, there are two levels of information:
- The information created: orders, credit notes, flows, etc.
- Information the company is subject to: information relating to the third parties with whom the company works
In order to properly process these two types of data, the following methodology, recommended by Altares, has four distinct phases:
- Creation: ensure that the information does not already exist in the database to prevent data inconsistencies
- Data enrichment: fill in all the necessary information, particularly when adding a third party: company name, address, VAT number, activity code, capital links
- Updating data: a company may change its address, manager, company registration number/SIRET, etc. These changes are made outside the company’s field of vision and may lead to payment errors or increased delays.
- Reliability of existing data: standardising data throughout the business relationship, according to various standards, to ensure that it is always correct and does not lose quality.
Given the high prevalence of identity theft over other techniques used by fraudsters, it is imperative to ensure that:
- The company is in business
- The third-party partner does belong to this company
- The bank details are correct and not erroneous or falsified
Financial departments under attack
Supplier Identity Theft: The Number One Threat to Business
According to Altares, the following four profiles of fraudsters must be taken into account:
- Reptilians: These are real cheaters. They pretend to be good suppliers and deliver the service on time, only to get a higher price and use it to defraud. Despite all the processes, this type of fraudster profile remains unpredictable.
- Impersonators: they create a fictitious persona or fictitious documents, which amounts to document fraud or impersonation, as in the case of CEO fraud (“president fraud”), fake supplier fraud or phishing.
- Opportunists: the people involved work well and do not plan to commit fraud. But they take action when they see a flaw in the purchasing manager’s system or in the company’s system in general.
- The unsatisfied: found more at the customer level, these dissatisfied fraudsters complain a lot and disguise the fraud through litigation. Their objective is to avoid paying or, at the very least, to pay as late as possible.
“By analysing consumption, common fraud patterns can be deduced. Beyond supplier onboarding and as long as the reference data is well defined, we can trust the data and carry out behavioural analyses to define and anticipate possible fraud attempts.” – Michael Lisch, Altares
Attacks that do not spare Information Systems
The urgency of the situation can be seen in the fact that the cost of cybercrime to businesses is estimated to be $1 trillion worldwide each year. This exorbitant cost is generated by service disruptions, lost time and efficiency, and damage to the brand image of companies that are victims of cyber attacks.
“Data security is a key issue. As proof of this, recent ransomware attacks, which consist of stealing a company’s data and returning it on condition that a ransom is paid, have become a threat of great concern.” – Fanny Rabouille, Grenoble Management School
“Financial departments are aware of the risk linked to cyber security. But they are only consumers of cyber protection, and not in charge of it. Synergies must be created between those who manage cybersecurity and the Financial department.” – Laurent Morel, PwC
The TO-DO list to prevent cyber attacks
To combat the main cyber threats, companies need to implement a number of measures which, in addition to deploying cybersecurity solutions, also involve defining broader governance. The main actions to implement are the following:
- Secure data and the information system (IS) with a VPN, anti-virus and anti-spam solutions, and data encryption
- Regularly update passwords and access conditions to digital tools
- Measure the company’s “cyber” maturity by carrying out an audit (either internally or by calling in a specialist company)
- Continuously analyse your IS to monitor any intrusion over time (make sure there is no latency)
- Regularly test your systems (via penetration tests)
- Make regulatory issues (e.g., GDPR) a priority and an opportunity to improve the company’s level of maturity
- Work on your defence strategy (action plan in case of fraud)
- Get support in case of a crisis
“Cybersecurity is a matter of use and training. We need to raise awareness and give employees the means to secure their Internet access, even when they are working outside. Most cybersecurity problems are caused by human error” – Fanny Rabouille, Grenoble Management School
Controlling third-party data to protect against wire transfer fraud
Just like the “Know Your Customer” (KYC) regulation within banks, the KYS (“Know Your Supplier”) procedure is essential in all companies, whatever their sector of activity.
In this respect, the ‘Sapin II’ law – which applies to companies with a turnover of more than 100 million euros – reinforces the fight against corruption by obliging them to set up procedures for evaluating their suppliers (“Know Your Supplier”).
To comply with KYS procedures, it is essential to follow these steps:
- Carry out checks at the beginning of the business relationship
- Ensure communication between the Purchasing and Financial departments
- Systematise checks when adding or modifying a third party in the company’s database
- Regularly update the third-party repository: audit and internal control
- Check bank details at the time of payment
- Include the IT department in the data control project to ensure the cybersecurity of databases (supplier portal, ERP, TMS) to prevent any intrusion into the systems, data theft or the spread of ransomware
To protect against fraud and to ensure quality data, the aim is to systematise and automate controls throughout the payment chain. It is also very important to ensure that the reference data and characteristics of the third party come from secure, reliable and verifiable data providers and registers. This reference data should also be kept separate from context, relationship and compliance data, which remain company-specific.
Want to know more about Data Management and fighting fraud?
Get the latest white paper, “Data Management: the cure for wire transfer fraud”, co-branded by Trustpair and Altares!