BankTEL Compliance Journal

Compliance Journal, Fall 2018

Cybersecurity: Preventing Accounts Payable Fraud. A Guide for Financial Institutions

How To Create And Design a Company’s Expense Policy

Dark Web: What is it and how does it affect Financial Institutions

Client Case Studies: Cadence Bank, Seaside National Bank & Trust, University of Iowa Credit Union

Year-End Compliance: 1099s and Use Tax


TOPICS:

»» Cybersecurity: Preventing Accounts Payable Fraud. A Guide for Financial Institutions
»» Secure Payments: A Guide for Financial Service Providers
»» How To Create And Design a Company’s Expense Policy
»» What is a virtual card?
»» Strategic Vendor Management. Vendors play a crucial role in the productivity of businesses, especially those operating in the financial services sector.
»» Dark Web: What is it and how does it affect Financial Institutions
»» Case Study: How a $13B bank automated their entire accounting process
»» Use Tax: A Guide for Businesses & Financial Institutions

Letter from the CEO

Welcome to BankTEL’s Compliance Journal! We have put together relevant content from our broad customer base. Our new ASCEND platform provides us a modern stage to innovate our solutions. For instance, in 2018 we have rolled out several industry-leading expense report features that give you better control and experience with OCR receipt capture and business rules. We continue to work with our customers to deliver innovative solutions to your accounting challenges. I hope you find value in the materials! Thank you for your business.

Boyce Adams, CEO

Quick facts on BankTEL:
»» Serve only financial institutions
»» Industry leader in integrated, single-source AP automation solutions
»» Over 1,700 financial institutions utilize the products
»» Partnerships with most core vendors in the market
»» Client references in all 50 states and over 30 countries


CYBERSECURITY: PREVENTING ACCOUNTS PAYABLE FRAUD
A Guide for Financial Institutions

“We live in a digital world now. The boogeyman isn’t just in the van, he’s also in the computer and in your bedroom. ‘Stranger danger’ is in your pocket all day, because your phone is a computer. We have to, as a society, start training ourselves to protect ourselves.” — Dr. Sarah Lee, Assistant Professor, Computer Science & Engineering, Mississippi State University

ACCOUNTS PAYABLE FRAUD: AN OVERVIEW
1. What is AP fraud?
2. Profile of a Fraudster
3. Ways to Prevent AP Fraud
4. The Role of Software in Preventing AP Fraud

FRAUD & CYBERSECURITY
1. What are the risks?
2. What makes your institution vulnerable?
3. The Role of the IT Department in Preventing Fraud
4. The Role of the Inadvertent Actor in Allowing Access
5. The Employees’ Responsibility
6. Cybersecurity Recommendations


ACCOUNTS PAYABLE FRAUD: AN OVERVIEW

1. What is AP fraud?
BankTEL designs accounting software for Financial Institutions, which means we have to safeguard our clients’ accounts payable process. Many people think of accounts payable as a quiet, possibly even boring department, churning away behind the scenes to keep the lights on and the mileage checks coming. But when money goes out, a business is vulnerable, and accounts payable fraud can translate into big losses for the bottom line.

The Association of Certified Fraud Examiners 2016 Global Fraud Study found that organizations lose an average of 5% of revenue to fraud each year, and that check tampering alone resulted in a median loss of $158,000 per business. The 2017 Hiscox Embezzlement Study found that over half of check fraud was committed by managers. The Hiscox study also found that false billing accounted for only 14% of fraud cases but 42% of dollar losses.

The moral of this story is: don’t underestimate your accounts payable department, both its potential to initiate fraud and its potential to catch and prevent fraud. There are three general types of fraud: internal, external and collusion.
»» Internal fraud occurs when employees who have access to bank accounts, cash and company checks steal funds and cover the theft with false accounting entries. In 2012, Jessica Harper, a former head of digital fraud and security at Lloyds Banking Group, was convicted of pocketing £2.5 million by creating false invoices paid to a dummy IT firm.
»» External fraud is when someone outside the company accesses accounts or check stock. In 2015, Jae Ho Chung, of Los Angeles, was convicted for his role in defrauding area banks of $15 million through a counterfeit check scheme. Chung deposited fake checks and then promptly withdrew large amounts from the inflated account, before the banks realized the checks were counterfeit.
»» Collusion is when someone inside the organization works with someone outside the organization, usually a vendor, to falsify invoices and divert resources. Owners and managers should keep a close eye on vendors who have personal links to employees. In 2018, Mohinder Kumar Sharma, an internal auditor at Punjab National Bank, was charged in a conspiracy with external actors to defraud the lender of about $2 billion; Sharma is accused of deliberately ignoring transaction irregularities and allowing the fraud to occur. In 2013, two Army Corps of Engineers employees colluded with representatives from an external technology firm to inflate government invoices and funnel the excess funds to shell companies, defrauding the government of about $20 million.

2. Profile of a Fraudster
According to KPMG’s 2016 report, “Global Profiles of the Fraudster,” fraudsters are typically:
»» Male
»» Between 36 and 55
»» In a management or executive position
»» Employed by the company for at least six years

3. What are general ways to prevent AP Fraud?
A) Separation of Duties
Ideally, multiple employees should handle different parts of the accounts payable process. The person who approves purchases should not be the one receiving orders, and neither of these people should approve invoices or review records. Nor should the same person be approving invoices and reviewing records.
B) Investigate Bank Statement Red Flags
»» Checks that clear out of sequence, usually denoted on a bank statement with a # or *
»» Invoices that fall just below the expenditure threshold that would trigger further review. Many accounting programs will let you set a range of two amounts and search for checks that fall within that range, but it is also a good idea for senior management to look manually every once in a while.
»» Payments made for small amounts (fraudsters sometimes try a small invoice first, as a test) or in whole-dollar amounts.
C) Monitor Vendors & Invoices
»» An unexpected bump in the number of invoices could mean fraud.
»» Unusual vendors, addresses that appear to be residential, invoices missing key information (an address, phone number or service description) or invoices that seem “amateur” or photocopied are red flags.
»» Watch for stop-payment and refund patterns. If one vendor has a large number of canceled checks or incidents of overpayment, investigate the account.
»» If a vendor requests a change to their bank account number, make a follow-up call to a different point of contact at the vendor’s company, using a phone number already on file rather than one supplied in the request, to make sure the change is legitimate.
»» Compare invoices against original packing receipts to catch payments being misdirected to shell companies.
D) Monitor Mileage & Entertainment
Pay special attention to travel and entertainment expenses. If you find something alarming, check other places where the employee in question has dealt with money.

4. What is the Role of Software in Preventing AP Fraud?
With solid accounting software that provides a strong audit trail, it is much easier and quicker to follow a suspicious invoice and understand who dealt with it at each step along its journey. If an employee made multiple changes in a short period of time, or changes were made by an employee who doesn’t generally deal with that vendor, it is worth looking into. You may also be able to use your software to block all transactions except those that were pre-authorized. Financial institutions may use accounting software to run a retroactive audit and uncover fraud that was missed in the past; in some instances, institutions are then able to recover assets. Software also makes it possible to run a vendor scan, inputting risk factors and producing a report of the riskiest vendors. The institution can then keep a close watch on financial transactions with those vendors.

Here are some other ways banks and other institutions may use accounting software to prevent and detect fraud:
»» Set very specific permissions for particular employees. BankTEL’s ASCEND software offers 203 different permissions, so that certain employees are allowed to perform certain duties and others are not. This feature allows you to enforce, and essentially automate, the crucial step of separation of duties.
»» Cross-check your vendors against your employees, using your master vendor file. If an employee’s Social Security number matches a vendor’s tax ID number, or a vendor address matches an employee’s address, you have a problem.
»» Cross-check invoices against previous invoices from the same vendor. With today’s technology it is simple to duplicate checks or invoices, which makes check forgery and fake invoices a common form of accounts payable fraud. These invoices may appear to come from a legitimate vendor, but the final destination (the direct deposit account or mailing address) is different.
»» Run a scan for invoices from high-risk countries. According to Sift Science, the countries with high e-commerce fraud rates include Latvia, Egypt, Mexico and Ukraine. Cyberattacks often originate from China, the US, Turkey, Brazil and Russia. Unfortunately, the US also has the third-highest e-commerce fraud rate in the world.
»» Routinely review all accounts payable data for inconsistencies.
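The red-flag and cross-check rules described in the two sections above (amounts just under the approval threshold, whole-dollar amounts, duplicate invoices, a remit-to account that differs from the vendor master, and vendors whose TIN or address matches an employee) can be run mechanically over an AP extract. The script below is an example added here; it is not BankTEL or ASCEND code. The approval threshold, the 5% "near threshold" band, the field names and every vendor, employee and invoice record are constructed for the illustration.

```python
"""AP invoice anomaly scan. Example added to illustrate the checks above;
not BankTEL/ASCEND code. All policy values and records are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed policy: invoices at or above this amount need a second approver, and
# anything within 5% below it is treated as a possible threshold-dodging invoice.
APPROVAL_THRESHOLD_CENTS = 500_000          # $5,000.00
NEAR_THRESHOLD_CENTS = int(APPROVAL_THRESHOLD_CENTS * 0.95)


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    date: str            # ISO date YYYY-MM-DD
    amount_cents: int    # integer cents avoid float rounding surprises
    remit_account: str   # bank account the invoice asks to be paid into


def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so a vendor typed as
    '17 ELM ST., COLUMBUS MS' still matches an employee's '17 Elm St, Columbus MS'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def digits_only(s: str) -> str:
    """Compare TIN/SSN on digits only so hyphenation differences do not hide a match."""
    return re.sub(r"\D", "", s)


def scan_invoices(invoices, vendors, employees):
    """Return a list of {'subject': id, 'check': name} flags for follow-up."""
    flags = []

    def flag(subject, check):
        flags.append({"subject": subject, "check": check})

    # Duplicate rule: same vendor, date and amount.
    seen = Counter((i.vendor_id, i.date, i.amount_cents) for i in invoices)
    for inv in invoices:
        if seen[(inv.vendor_id, inv.date, inv.amount_cents)] > 1:
            flag(inv.invoice_id, "duplicate_invoice")
        if NEAR_THRESHOLD_CENTS <= inv.amount_cents < APPROVAL_THRESHOLD_CENTS:
            flag(inv.invoice_id, "near_threshold")
        if inv.amount_cents % 100 == 0:
            flag(inv.invoice_id, "whole_dollar_amount")
        # The remit-to account must match the vendor master file; a mismatch is
        # the signature of a redirected payment and needs a call-back to the vendor.
        master = vendors.get(inv.vendor_id)
        if master is None:
            flag(inv.invoice_id, "vendor_not_in_master_file")
        elif inv.remit_account != master["bank_account"]:
            flag(inv.invoice_id, "remit_account_mismatch")

    # Vendor master vs. employee master cross-check (TIN == SSN, same address).
    emp_by_tin = {digits_only(e["ssn"]): e["id"] for e in employees}
    emp_by_addr = {normalize_address(e["address"]): e["id"] for e in employees}
    for vid, v in vendors.items():
        if digits_only(v["tin"]) in emp_by_tin:
            flag(vid, "tin_matches_employee")
        if normalize_address(v["address"]) in emp_by_addr:
            flag(vid, "address_matches_employee")
    return flags


VENDORS = {  # constructed vendor master file
    "V100": {"name": "Acme Office Supply", "tin": "12-3456789",
             "address": "400 Main St, Starkville MS", "bank_account": "0011223344"},
    "V200": {"name": "Delta IT Services LLC", "tin": "98-7654321",
             "address": "88 Park Row, Jackson MS", "bank_account": "5566778899"},
    "V300": {"name": "JH Consulting", "tin": "555123456",
             "address": "17 ELM ST., COLUMBUS MS", "bank_account": "1234512345"},
}
EMPLOYEES = [  # constructed employee master file
    {"id": "E1", "ssn": "555-12-3456", "address": "17 Elm St, Columbus MS"},
    {"id": "E2", "ssn": "444-98-7654", "address": "9 Oak Ave, Tupelo MS"},
]
INVOICES = [  # constructed invoices for one month
    Invoice("INV-1001", "V100", "2018-09-03", 125_037, "0011223344"),
    Invoice("INV-1002", "V100", "2018-09-03", 125_037, "0011223344"),  # duplicate of 1001
    Invoice("INV-1003", "V200", "2018-09-10", 489_900, "5566778899"),  # $4,899 just under $5,000
    Invoice("INV-1004", "V200", "2018-09-12", 231_545, "9999000011"),  # remit account changed
    Invoice("INV-1005", "V300", "2018-09-15", 99_000, "1234512345"),   # vendor is an employee
]

if __name__ == "__main__":
    for f in scan_invoices(INVOICES, VENDORS, EMPLOYEES):
        print(f"{f['subject']:<9} {f['check']}")
```

Each flag is a lead, not a verdict: whole-dollar invoices and amounts near the threshold are common in legitimate business, so the value of the scan is in the combinations (a new vendor, a whole-dollar amount just under the threshold, and a changed remit account together) and in routing them to a reviewer who is not the person who entered the invoice.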


FRAUD AND CYBERSECURITY

Customers expect quick, seamless, cross-border financial transactions. This means financial institutions have to make fast decisions about the integrity of a transaction, which can lead to mistakes. The financial services sector moved from the third-most cyberattacked sector in 2015 (behind healthcare and manufacturing) to the most cyberattacked sector. In 2016, there were over 200 million records compromised, as opposed to fewer than 20 million in 2015.

1. What Are the Risks?
»» Account Fraud/Takeover - A criminal gains access to an account through an employee or customer, often through phishing or vishing schemes, and then adds their own credentials to keep access to the account. The FBI is currently investigating over 400 cases of reported account takeovers in which criminals have initiated ACH and wire transfers from the bank accounts of US businesses.
»» Social Engineering - A criminal researches a victim and approaches that victim by email or phone, pretending to be an individual they know and trust. The objective is to get credentials or other sensitive information from the victim.
»» Synthetic Identity Fraud - Criminals create fake identities to open accounts and obtain lines of credit.
»» Identity Fraud - Fraudulent use of a real person’s identity or sensitive personal information.
»» Botnet - A network of infected machines controlled by a criminal, sometimes used in tandem with stolen identity and payment information so that the machine’s location appears to match the credit card being used.
»» Data Breaches - Personal data is stolen, which may then be sold and/or used in identity fraud.
»» Real-time/Innovative Payments - Customers expect quick, seamless, cross-border transactions, so institutions must make fast decisions about the integrity of a transaction, which can lead to mistakes. Each new payment system will be an immediate target for fraud and should be designed with security at its core.
»» Mobile Threats - According to the Kaspersky Cybersecurity Index, 35% of people use phones for online banking and 29% for online payment systems, up from 22% and 19% in 2016. Malware is often used to steal credentials and gain access to accounts.
»» Clean Fraud - A transaction passes internal checks and appears entirely legitimate because the fraudster has managed to steal every validating piece of billing and account information. These are extremely difficult to catch.
»» Cyberwar - Hackers with political agendas, often operating from abroad, seek to disrupt and destroy American financial institutions.

2. What Makes Your Institution Vulnerable?
»» Using out-of-date systems and software
»» Lack of patching
»» Bad passwords
»» Lack of monitoring
»» The human factor. Inadvertent actors are people (usually employees) who unwittingly introduce threats to the target organization’s systems. 58% of cyberattacks originate inside an organization: 53% of all attacks are the consequence of decisions made by inadvertent actors, and only 5% are malicious insiders. The rest, about 43%, are external.

3. The Role of the IT Department
According to the Association of Certified Fraud Examiners, IT only detects 1% of fraud. Almost half of these losses are unrecoverable. Ways the IT team can help protect your institution include:
»» Network segmentation, which can limit an attack to a specific computer and to the systems that a specific employee has access to
»» Monitoring the network for security and for changes to configurations
»» Monitoring, investigating and reporting security incidents
»» Monitoring third parties that handle credentialed data
»» Monitoring the dark web for credentials for sale
»» Implementing an information security framework that includes an employee education plan, a crisis response plan and identification of key risks
»» Conducting information security audits
»» Providing a Virtual Private Network (VPN) for employees to use with public wifi

4. The Role of the Inadvertent Actor
As we already mentioned, only 5% of cyberattacks from within are malicious in nature. The other 53% come from inadvertent actors who play into an external malicious design. These cases often involve social engineering. “We can’t load a person with an anti-virus software, the way we can a computer,” says Dr. Sarah Lee. “No one is building layers of safety around their people, the way that the IT team does with their software and hardware. The only way to do that is through awareness and training.”
Fraudsters target employees through phishing: sending an email purporting to be from a reputable party, seeking sensitive information. This includes:
»» General phishing, such as a generic email informing the victim that their credit card has been compromised and asking them to click a link. The victim who clicks may be directed to a shell site that resembles a legitimate site and asked to log in with their credentials.
»» Spear phishing is a targeted form of phishing, where the sender has researched both the victim and the alias they are impersonating. The sender will collect information from social media accounts or from a hacked email, and may mention things like a recent work conference (perhaps insinuating you met there) or a project or topic of interest, to convince the victim that the sender is reputable. Another common scenario is the fraudster pretending to be from the IT Department and asking an employee to complete a task or hand over passwords.
»» Whaling is phishing aimed at a senior-level employee or other high-value target, sometimes approached through a lower-level employee who has access to the target’s credentials or personal information. The criminal may also impersonate the very person they are attempting to collect information on.
»» Clone phishing copies an email that the victim received before, with the perpetrator sometimes explaining why the victim is receiving the email again. This method is often used in accounts payable fraud, to “notify” a victim that payment of an invoice didn’t come through and needs to be re-issued. The clone may include an account number that differs from the first invoice, or a web address where the attacker can capture the employee’s login. If an employee receives this kind of email they should notify IT, since it means the original thread has been read by an attacker: either the employee’s mailbox or the counterparty’s has likely been compromised.
»» Vishing is when a fraudster uses a phone call to solicit personal information and gain access to an account. In the case of a bank, the fraudster would pretend to be an account’s true owner and would likely know enough details about that owner to sound convincing. The fraudster may request a change to a password or PIN, which would allow access to funds at a later date.
»» Smishing is when a fraudster uses SMS/text messages to solicit information that would help them gain access to an account.

5. The Employee’s Responsibility: Tips from Dr. Sarah Lee
»» Check a sender’s email address carefully, particularly if someone is asking you to move money or hand over credentials. A fraudulent address is usually close to the real one, but may have a spelling variation or a .net instead of a .com.
»» If an email includes a “click here” link, hover your mouse over it. If you see an IP address, it is not a valid link.
»» Look for bad spelling or grammar, such as a lowercase, self-referential “i.”
»» Don’t respond directly to suspicious emails. Instead, contact the sender in a new email, using the contact information in your address book, and ask whether they really sent the suspicious message.
»» Be careful on public wifi, such as in coffee shops and hotels. Use a VPN, even from your home network and even for non-work tasks such as checking social media. (A “sniffer”, a hacker listening on an unprotected network, can capture your logins and sell them on the dark web.)
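The first two tips above (compare the sender’s domain with the one in your address book, and hover over “click here” to see where it really goes) can be automated for an AP mailbox. The script below is an example added here, not BankTEL’s code; the trusted-domain list and the sample message are constructed, and the lookalike rule (same label with a swapped TLD, or an edit distance of two or less) is an assumption chosen for the illustration.

```python
"""Phishing triage for an inbound AP e-mail. Example added to illustrate the
checks in the tips above; not BankTEL's code. The trusted-domain list and
the sample message are constructed."""
import email
import ipaddress
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed "address book": domains of the institution and of vendors it pays.
TRUSTED_DOMAINS = {"acme-office.com", "examplebank.example"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the text is what the reader sees,
    the href is what hovering over the link would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None.
    Catches a swapped TLD (.net for .com) and small spelling changes."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.rsplit(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        if label == trusted.rsplit(".", 1)[0] or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def is_ip_host(url: str) -> bool:
    """True when the link points at a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(raw_message: str):
    """Return a list of (check, detail) findings for one inbound e-mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1]
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("sender_lookalike", f"{sender_domain} resembles {imitated}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if is_ip_host(href):
            findings.append(("ip_address_link", href))
        # Visible text that looks like a domain but differs from the real host
        # is exactly the mismatch that hovering over the link exposes.
        if "." in text and " " not in text and text.lower() != host:
            findings.append(("link_text_mismatch", f"text {text!r} -> host {host}"))
    return findings


SAMPLE_EMAIL = """\
From: "Acme Office Supply - Billing" <billing@acme-office.net>
To: ap@examplebank.example
Subject: RE: Invoice INV-1003 - payment not received
Content-Type: text/html

<html><body><p>Our remit-to bank account has changed. Please
<a href="http://203.0.113.45/ap/login">click here</a> to confirm the new
account, or sign in at
<a href="http://examplebank.example.evil-host.example/portal">examplebank.example</a>.
</p></body></html>
"""  # constructed sample; 203.0.113.0/24 is a documentation address range

if __name__ == "__main__":
    for check, detail in triage(SAMPLE_EMAIL):
        print(f"{check:<20} {detail}")
```

The edit-distance rule will also flag unrelated short domains that happen to be close to a trusted one, so in practice the trusted list should hold full registrable domains and findings should route the message to review rather than block it outright.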

6. Cybersecurity Recommendations
»» Better Employee Training and Awareness - This may be the most important step your financial institution is not taking. Your institution should have a cybersecurity policy in place, and employees should be thoroughly trained on what they are and are not allowed to access on devices they use for work. Simulate phishing, vishing and smishing scenarios during training and use repetition. Distribute cybersecurity tips daily. “Part of cybersecurity awareness training is helping employees understand what the IT team is doing to protect servers and network. If they can understand the IT team’s day-to-day, at a very basic level, that will help them understand things like why public wifi is not a great idea,” says Dr. Sarah Lee.
»» Provide employee mobile phones with biometrics, antivirus and security software. Provide a VPN for secure logins from all employee devices on non-office networks, and regularly remind employees to use it. Dr. Sarah Lee’s take: “It’s really just about training our brains to remember, similar to how we teach our children not to take candy from a stranger and look both ways before crossing the road. If some man stood in the parking lot and told you to get in the van with him, you don’t have to think to know you’re not getting in that van. But that’s because your brain has been trained. You weren’t born knowing not to get in the van.”
»» Make sure your IT department is vigilant.
»» Use the most up-to-date operating systems on all devices and the most reliable software for accounting and fraud prevention.
»» Have manual checks and an internal workflow process that not only screens for employee fraud but also screens for employee satisfaction, since fraud is often committed by disgruntled employees.

BankTEL’s ASCEND Accounting Suite Anti-Fraud Mechanisms
BankTEL’s ASCEND software has built-in flexibility and functionality to allow financial institutions to define processes that should reduce or eliminate errors and/or fraud.
»» Workflow Approvals Process. Allows automated tracking and auditing of invoices and lets users design approval processes at the vendor level. Allows an unlimited number of approval officers, and assigns an approval officer to each invoice as soon as it is scanned. Notifies approval officers of invoice links by text, so that they are aware of requests the moment they are submitted. Alerts officers to new and updated invoices and enforces system rules across all invoices, mandating compliance.
»» Permissions. Functionality throughout the application is protected by role-based permissions. For example, an institution could allow users to create and enter invoices but not process the payments. By limiting user access, an institution can set up multiple channels of control over payment processing.
»» Invoice Approval. Users can define rule-based processes applicable to all invoices entered into the system, setting certain approval standards before a payment is allowed to process. This gives managers or executives the ability to identify errors in data entry, as well as to detect fraudulent transactions.
»» Vendor Approval. Users can define rule-based processes applicable to all new vendors and to changes to existing vendor accounts, setting approval standards before a payment is allowed to process. This allows approvers to easily catch and identify changes to the payment setup or account number for a vendor.
»» Duplicate Invoice Detection. ASCEND will identify and notify users of duplicate invoices (same vendor, date, amount).
»» OFAC Name Scanning. All transactions are scanned against the US Department of the Treasury’s SDN (Specially Designated Nationals and Blocked Persons) list prior to payment processing, and users are notified of potential matches.

Sources/Resources
Dr. Sarah Lee, Assistant Dept. Head, Computer Science & Engineering, Mississippi State University, sblee@cse.msstate.edu
2017 IBM X-Force Threat Intelligence Index: Security Trends in the Financial Services Sector, https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03129USEN
Types of Phishing Attacks and How to Identify Them
Kaspersky Cybersecurity Index, https://index.kaspersky.com/
KPMG: Global Profiles of the Fraudster, May 2016, https://assets.kpmg.com/content/dam/kpmg/pdf/2016/05/profiles-of-the-fraudster.pdf
Association of Certified Fraud Examiners, Inc.: 2016 Global Fraud Study (Report to the Nations), https://www.acfe.com/rttn2016/docs/2016-report-to-the-nations.pdf
2017 Hiscox Embezzlement Study

SECURE PAYMENTS: A Guide for Financial Service Providers

1. What is a secure payment?
“Secure payment” means that when someone pays for something with anything other than cash, that person’s account details are protected (encrypted in transit and storage, or replaced by a token) so that they cannot be harvested for identity theft and fraud.

A. Payment Card Industry Compliance
The Payment Card Industry Data Security Standard (PCI DSS) was established to protect consumers and businesses by creating a single industry standard for how to process and store credit card information.

Compliance with PCI DSS is not a federal law, but certain tenets of PCI DSS are required by some state laws. Compliance is also required by the card brands (such as Mastercard and, in some cases, Visa) before they will agree to partner with you as a merchant or financial institution.


B. Steps to Ensure PCI Compliance
1. Host data on a secure network, protected by a firewall.
2. Do not use vendor-supplied default passwords or settings.
3. Protect stored card/account data.
4. Encrypt transmission of account data across open networks.
5. Secure your systems with antivirus and anti-malware software.
6. Develop and maintain secure systems and applications.
7. Restrict access to account data to a “need-to-know” basis.
8. Authenticate every attempt to access system components.
9. Restrict physical access to cardholder/account data.
10. Track and monitor access to account data.
11. Regularly test your network security for weak points or breaches.
12. Have an information security policy in place for your institution and employees.

2. What are the different types of secure payments?
A. EMV Chip Cards
EMV cards (chip cards) have been the credit card standard in the US since the 2015 liability shift, and they have been the European standard for over a decade. The chip generates a unique cryptogram for each transaction, so data captured from one transaction cannot be replayed for another, which fortifies it against armchair fraudsters. Chip data can in principle still be harvested, but it takes a sophisticated criminal with access to expensive technology to accomplish this, which means most criminals will go for easier targets (magnetic stripe cards).
B. Virtual Credit Cards
Virtual credit cards process transactions using randomly generated numbers assigned to a user’s actual credit card, in a process called “tokenization.” A transaction made with a virtual card proceeds in the same way as a regular transaction (the merchant gets paid, the charge appears on the consumer’s billing statement), but it shields the card owner’s actual account information from the merchant at the other end of the transaction. This service, which is provided by banks and other financial institutions, sometimes allows users to set a spending limit or an expiration date on the virtual card, further safeguarding against misuse.
C. Mobile Payments
Mobile payments replace a consumer’s primary account number with a series of randomly generated numbers (a token), just as a virtual credit card does. This token is used to process the payment, shielding the consumer’s actual bank data.

3. What are the different types of payment fraud?
A. Card Present Fraud
Card present fraud occurs when a physical credit or debit card is used to make an unauthorized face-to-face payment. The card may be stolen or illegally duplicated. Merchants can help prevent card present fraud by asking for consumer ID in face-to-face transactions, although identification documents may also be forged. Banks and merchants who have made the switch to chip cards help eliminate the duplicate-card issue, since the information on chip cards is much more difficult to access and duplicate than that on magnetic stripe cards.
B. Card Not Present Fraud
Card not present fraud is three times more common than card present fraud, and occurs when a credit or debit card number is used to make an unauthorized payment either online or by phone. Fraudsters may steal card information in a variety of ways.

When a website is protected by EV SSL, a consumer knows they are visiting a secure website because the company name in the browser bar turns green.

1. Skimmers & Shimmers
Card skimmers, essentially malicious card readers, are one of the fraudster’s favorite ways to get consumer card information. A fraudster installs a skimmer at the card terminal of a gas pump or ATM, and the skimmer records the data of every card used at that terminal. When the criminal returns, they remove the skimmer and plug it into a computer to access the information. Skimmers only read magnetic stripes, but for now most US-issued cards have both a chip and a stripe, which means most cards remain vulnerable. Chip-only cards aren’t immune either. Shimmers are basically internal skimmers: thin devices inserted inside the machine that read data from a chip card when it is inserted into the payment terminal.
Financial institutions must educate consumers. To prevent skimming and shimming fraud, consumers should check for signs of ATM tampering around the speakers and the keyboard, near the side of the screen, and most importantly at the card reader itself. This means tugging at the payment terminal at ATMs, self-checkout terminals and gas pumps to see if anything seems loose before inserting a card. Consumers should also compare their payment terminal or ATM to the one beside it, and if the terminals don’t match exactly, they should alert a manager. Additionally, consumers should always assume there is a camera and cover the keypad as they type their PIN. ATMs located inside banks are generally safer than those in other locations.
2. Data breaches
In 2017, identity fraud in the US affected 16.7 million victims, according to a Javelin Strategy & Research study. If a fraudster has a consumer’s identity information, there’s a good chance they also have that consumer’s payment


BankTEL Compliance Journal

information. Data breaches that occur when a financial institution or a merchant has been unable to protect consumer data allow fraudsters to access and sell valuable information. But consumers bear some of the blame for propagating fraud, due to their own irresponsible behavior. Even after a business notifies its clients of a data breach, most clients fail to cancel their affected cards, which means that fraudulent purchases can be made from those accounts even years after the information was stolen. This is where consumer education comes into play. Before issuing a credit or debit card, a financial institution should emphasize the responsibility consumers have to keep their own information save, as well as providing a consumer with best-practice guidelines. 3. Malware Fraudsters can install malware on

a personal or business computer, often through email attachments or embedded hyperlinks—which is why it’s so important to educate employees and consumers about cybersecurity and how to open emails intentionally, rather than distractedly. 4. Phishing Fraudsters target employees through phishing, or sending an email purported to be from a reputable party, seeking sensitive and/or account and payment information. »» General phishing is when a generic email informs the victim that their account information has been compromised and asks them to click on a link. The victim who clicks may be directed to a shell site that resembles a genuine site, and asked to log in with their credentials. »» Spear phishing is a targeted form of phishing, where the sender has researched both the victim

and the alias. The sender will collect personal information from social media accounts or from a hacked email and use this information to convince the victim that the sender is reputable. Another common scenario is the fraudster pretending to be from the IT Department and asking an employee to complete a task or hand over passwords.

»» Whaling is a type of phishing that attempts to go through a lower-level employee to collect the credentials or personal information of a senior-level employee or high-value target. The criminal may pretend to be the person s/he is attempting to collect information on.

»» Clone phishing clones an email that the victim received before, with the perpetrator sometimes explaining why the victim is receiving the email again. This method is often used in Accounts Payable fraud, to “notify” a victim that payment of an invoice didn’t come through and needs to be re-issued. The cloned email may include an account number that’s different from the one on the first invoice, or a web address where the fraudster can capture the employee’s login. If an employee receives this kind of email, they should notify IT, since it means the employee’s email is likely hacked.

»» Vishing is when a fraudster uses a phone call to solicit personal information and gain access to an account. In the case of a bank, the fraudster would pretend to be an account’s true owner and would likely know enough details about that owner to sound convincing. The fraudster may request to change a password or PIN, which would allow access to funds at a later date.

»» Smishing is when a fraudster uses SMS/text messages to solicit information that would help them gain access to an account.

C. Check Fraud

Check fraud is using an unauthorized check to pay for a product or service. Much check fraud is due to counterfeit or illegally duplicated checks. Often these counterfeit checks are created from a real check or some other financial document that is stolen from dumpsters, homes or cars—or sometimes, by an employee, from a business. There is also a newer way that fraudsters are getting check images for counterfeit checks—banking virtual deposit apps that require photos of actual checks. Fraudsters may access these apps by hacking into or stealing personal electronic devices. Other types of check fraud include forgery (when someone writes an unauthorized check from a personal or business account), alteration (removing written information from a check using chemicals such as acetone or bleach), paperhanging (writing or re-ordering checks on closed accounts) and check kiting (opening accounts at various institutions and withdrawing the funds—which actually don’t exist—before a check has time to clear).

Financial institutions and merchants should train their employees to recognize fraudulent checks. Some warning signs include:
1. A lack of a perforated edge
2. A missing or duplicate check number
3. Mismatched fonts
4. Missing addresses for the consumer or issuing bank
5. A low check number
6. A stained, discolored or visibly altered check
7. Missing or mismatched account or routing numbers

D. Mobile Payment Fraud

Mobile payments include point-of-sale purchases where consumers make payment in-store with their smartphones; carrier payments through a smartphone service provider, where the payment shows up on a consumer’s phone bill; mobile payment apps, such as Venmo, PayPal and Apple Pay; virtual wallets such as Google Wallet; and corporate payment apps for specific businesses, such as Starbucks and Walmart. According to Juniper Research, online and mobile payment fraud cost consumers, merchants and financial institutions $10.7 billion in 2015. That cost is projected to jump to $25.6 billion by 2020.

Here are some of the most common types of mobile payment fraud:
1. Identity theft—ranges from the theft of a physical mobile device, to make use of the virtual wallet data and pre-logged-in accounts, to intercepting data to use for fraudulent purchases.
2. Friendly fraud—occurs when a customer disputes an order that was placed and a merchant is forced to make a refund. Sometimes this is a genuine mistake, when a customer actually forgets that they authorized the purchase. Other times it is a ploy used by fraudsters to get a product or service for free.
3. Loyalty fraud—the selling or transferring of loyalty points or benefits.
4. Subscription fraud—gaining fraudulent access to a consumer’s information and using it to sign up for subscription services.
5. Cybersecurity attacks—gaining access to mobile apps and stealing consumers’ account information.
6. Phantom apps—convincing consumers to download fake apps in order to steal money or information from them.
7. Account takeover fraud—gaining access to an account; may result in changed permissions and credentials, stolen and sold information and fraudulent purchases.

4. What are the different methods of securing payments?

A. Tokenization

Tokenization substitutes a randomly generated series of numbers (called a “token”) for a genuine account number throughout a transaction. This limits the merchant’s access to actual account information.
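How a token vault realizes this substitution, as an added example that is not the journal’s or BankTEL’s code: the vault API, the lookup key, the role names and the sample card number are all constructed assumptions. The merchant keeps only the token and the last four digits; the mapping back to the real account number lives in the vault and is refused to merchant code.

```python
"""Token vault sketch for the tokenization described above.  Added example,
not BankTEL's code: the vault API, the lookup key and the sample PAN are
constructed assumptions."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps random 16-digit tokens to primary account numbers (PANs).

    The merchant stores and transmits only the token; only the vault can
    turn it back into a PAN, so a breach of merchant systems yields tokens
    that are useless outside this vault."""

    def __init__(self, lookup_key: bytes):
        self._token_to_pan: dict = {}
        self._index_to_token: dict = {}
        # Keyed hash used to find an existing mapping for a PAN without
        # keeping a plaintext PAN index (constructed key, not a real secret).
        self._lookup_key = lookup_key

    def _index(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a token that keeps only the last four PAN digits (what a
        receipt shows); the other twelve digits are random, not derived
        from the PAN, so nothing about the account leaks from the token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        idx = self._index(pan)
        if idx in self._index_to_token:          # same card -> same token
            return self._index_to_token[idx]
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processor role may recover the real PAN;
        merchant code is refused so the PAN never reaches its systems."""
        if caller_role != "processor":
            raise PermissionError("merchant systems may not detokenize")
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant keeps on file after checkout: token, last four
    digits for the receipt, and the amount; never the PAN itself."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}


def merchant_can_read_pan(vault: TokenVault, token: str) -> bool:
    """Shows the access control in action: the merchant role is refused."""
    try:
        vault.detokenize(token, "merchant")
        return True
    except PermissionError:
        return False


# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
```

Because the token is random rather than encrypted, there is no key a thief could recover to reverse it; the only way back to the account number is the vault’s own table, which is why the vault, and not the merchant, is the system that must be hardened and audited.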



B. Extended Validation Secure Sockets Layer (EV SSL) Protocol

EV SSL encrypts data while it is transmitted from one server to another. To use SSL, a financial institution or merchant must first obtain a Certificate issued through a Certificate Authority. (A Certificate Authority is like a digital Notary Public. To be accepted into a Certificate Authority “membership” program, a company or government entity must meet strict criteria.) The Certificate Authority validates the Certificate Requester’s details, making sure they are who they say they are. Then the Authority issues a Certificate with a private key. This private key is linked to a real account and a public key, and the public key is used to process the transaction. This means that throughout the transaction, the only information transmitted over open networks is the public key, which protects the real account information.

EV SSL has several built-in layers of security checks. When a browser connects to an SSL-protected website, it retrieves the SSL Certificate and ensures that the Certificate is being used for the site it was issued for, that it is not expired, and that it was issued by an authority the browser trusts. If any of these checks fail, the consumer is warned that they are entering an unsecured site. When a website is protected by EV SSL, a consumer knows they are visiting a secure website because the company name in the browser bar turns green.

C. Biometrics

Biometrics rely on biological identification measures that are unique to an individual, such as fingerprint scanning, eye scanning, facial imaging, vein patterns or voice recognition.

D. Address Verification System

Verifying the address of someone attempting to access an account is a simple additional layer of security, ensuring that the address given matches the one associated with the account. (This should be used with additional layers of security, since it is not strong enough to stand on its own.)
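The three certificate checks the EV SSL section attributes to the browser (right site, not expired, trusted issuer), worked as an added example that is not the journal’s code: the certificate record is a constructed dict standing in for a parsed X.509 certificate, the host names and the CA name are invented, and a real browser additionally verifies the signature chain and revocation status.

```python
"""The three browser checks named above (right host, still valid, trusted
issuer), run over a constructed certificate record.  Added example, not
the journal's code; the record is a plain dict standing in for a parsed
X.509 certificate, and the CA name is invented."""
from datetime import datetime, timezone


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a hostname against one subjectAltName DNS entry.  A wildcard
    is honoured only as the whole left-most label: *.example.test matches
    pay.example.test but not example.test or a.b.example.test."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    head, sep, tail = hostname.partition(".")
    return sep == "." and head != "" and "*" not in head and tail == suffix


def check_certificate(cert: dict, hostname: str, now: datetime,
                      trusted_issuers: set) -> list:
    """Return the names of the checks that failed (empty list = accept).
    A real browser also verifies the signature chain and revocation;
    this covers only the checks the text describes."""
    failures = []
    if not any(name_matches(n, hostname) for n in cert.get("subject_alt_names", [])):
        failures.append("hostname mismatch")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        failures.append("expired or not yet valid")
    if cert["issuer"] not in trusted_issuers:
        failures.append("untrusted issuer")
    return failures


# Constructed sample certificate, trust store and clock values.
TRUSTED_ISSUERS = {"Example Trust Root CA"}   # invented CA name
SAMPLE_CERT = {
    "subject_alt_names": ["pay.example-bank.test", "*.example-bank.test"],
    "not_before": datetime(2018, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2019, 1, 1, tzinfo=timezone.utc),
    "issuer": "Example Trust Root CA",
}
DURING_VALIDITY = datetime(2018, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2019, 6, 1, tzinfo=timezone.utc)


def demo() -> dict:
    """Run the checks for a few scenarios a browser would meet."""
    return {
        "exact name": check_certificate(SAMPLE_CERT, "pay.example-bank.test",
                                        DURING_VALIDITY, TRUSTED_ISSUERS),
        "wildcard name": check_certificate(SAMPLE_CERT, "login.example-bank.test",
                                           DURING_VALIDITY, TRUSTED_ISSUERS),
        "wrong host": check_certificate(SAMPLE_CERT, "pay.other-bank.test",
                                        DURING_VALIDITY, TRUSTED_ISSUERS),
        "expired": check_certificate(SAMPLE_CERT, "pay.example-bank.test",
                                     AFTER_EXPIRY, TRUSTED_ISSUERS),
        "unknown CA": check_certificate(SAMPLE_CERT, "pay.example-bank.test",
                                        DURING_VALIDITY, set()),
    }


if __name__ == "__main__":
    for scenario, failed in demo().items():
        print(f"{scenario:14} -> {'accept' if not failed else ', '.join(failed)}")
```

The wildcard rule is the one most often got wrong in home-grown checkers: `*.example-bank.test` must cover `login.example-bank.test` but neither the bare domain nor a deeper subdomain, otherwise a certificate issued for one host could be presented for many.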

5. What are some other tips to help prevent payment fraud? Financial institutions used to be charged with protecting their own networks. Now that so much information is stored and accessible on the cloud, financial institutions not only have to protect their own networks, they have to verify that people trying to access accounts are who they say they are. This requires a multi-layered approach that relies on customer data and automation, as well as careful human oversight. Here are some best-practice recommendations:


1. Use an algorithm to alert customers by text and email, as well as to alert security officers at the issuing institution, when a payment causes concern (e.g., it seems geographically impossible, is inconsistent with that consumer’s purchasing habits, or exceeds the currency amount set to trigger an alert).
2. Have current fraud-detection software and tools in place.
3. Use two-factor authentication (e.g., a password and a one-time PIN, biometrics and a preselected personal question, etc.).
4. Educate customers and employees about best-practice processes.
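Rule logic for recommendation 1 above, as an added example that is not the journal’s or BankTEL’s code: the three triggers named in the text (geographically impossible, inconsistent with purchasing habits, over a currency threshold) are implemented over constructed transaction records; the coordinates, thresholds and customer history are assumptions chosen for illustration, and a production system would tune them per portfolio.

```python
"""Rule-based payment alerts for recommendation 1 above: flag a card
payment that is geographically impossible given the previous one, far
outside the customer's usual spend, or above a fixed currency trigger.
Added example, not the journal's or BankTEL's code; the transaction
records, coordinates and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from statistics import median


@dataclass
class Txn:
    customer: str
    when: datetime
    amount: float      # in the customer's currency
    lat: float
    lon: float


MAX_SPEED_KMH = 900.0      # faster than a commercial flight between two swipes
HABIT_MULTIPLIER = 5.0     # amount vs. median of the customer's history
AMOUNT_TRIGGER = 5000.0    # fixed currency amount that always alerts
MIN_DISTANCE_KM = 1.0      # ignore location jitter within the same place


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(txn: Txn, history: list) -> list:
    """Return the alert reasons for `txn` given the customer's earlier
    transactions in chronological order; an empty list means no alert."""
    reasons = []
    if txn.amount > AMOUNT_TRIGGER:
        reasons.append("amount over trigger")
    if history:
        prev = history[-1]
        hours = (txn.when - prev.when).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
        if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
            reasons.append("geographically impossible")
        usual = median([t.amount for t in history])
        if txn.amount > HABIT_MULTIPLIER * usual:
            reasons.append("inconsistent with purchasing habits")
    return reasons


# Constructed history: four everyday purchases in Birmingham, AL
# (approximate coordinates), then three follow-on payments to judge.
BHM = (33.52, -86.81)
LONDON = (51.51, -0.13)


def _at(day, hour, amount, place):
    return Txn("cust-1", datetime(2018, 9, day, hour, tzinfo=timezone.utc), amount, *place)


HISTORY = [_at(1, 12, 40.0, BHM), _at(2, 12, 55.0, BHM),
           _at(3, 12, 62.0, BHM), _at(4, 12, 48.0, BHM)]


def demo() -> dict:
    """Three follow-on payments: normal, impossible travel, unusual amount."""
    return {
        "next-day coffee": evaluate(_at(5, 9, 45.0, BHM), HISTORY),
        "london one hour later": evaluate(_at(4, 13, 60.0, LONDON), HISTORY),
        "large in-town purchase": evaluate(_at(6, 15, 6000.0, BHM), HISTORY),
    }
```

The reasons list is what would be sent to the customer and the security officer; keeping each rule independent means an analyst can see which trigger fired, and a threshold can be tuned without disturbing the others.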



HOW TO CREATE AND DESIGN A COMPANY’S EXPENSE POLICY

Having proper guidelines in place is critical to maintaining control, especially when it comes to employee travel and expenses (the second largest controllable cost after salaries). So, the first logical step to finding a better way to manage costs is to create an expenses policy. A correctly implemented policy will save the organization valuable time and resources, as well as helping to protect against fraud and compliance breaches. This guide provides an overview of how to create, manage and maintain a robust expenses policy.


What Is an Expenses Policy? An expenses policy is a document which outlines how an organization handles business-related expenses. It guides employees on what they can and can’t claim. It provides a guide to the process of making claims, as well as what happens if there are disputes over expenses.

The principal objectives of the policy, therefore, are to be fair and transparent, control costs, prevent fraud and ensure compliance. If employees view the plan as being fundamentally fair, it prevents expenses from developing into a breeding ground for low morale, discontentment and exaggerated claims.

The primary aim is to provide a fair system of compensation for employees who incur personal expenses for business reasons. Without an effective policy, an organization leaves itself open to spiraling costs and legal risks.

Why an Expenses Policy is Important It helps the employees to know what the rules are – so they can comply, and be reimbursed more quickly. The company’s finance team will know which claims to accept or reject.


Senior management will be able to control costs better and calculate travel and expenses spend. Revenue agencies will know you have rules, and you can demonstrate that you’re acting in line with the letter and spirit of the law.

Best Practices for Effective Policy

The adoption and consistent application of a best-practice expenses process is proven to save time and money and also improve your employees’ experience. Moreover, having a best-practice solution that is available online and on mobile devices leverages the investment that companies have already made in existing technology. Lastly, a best-practice expenses process provides access to data for analysis and review that can continue to inform the policy and highlight opportunities for further cost savings. Some of these practices are discussed below.

a) Fairness

The most effective policies are those which employees view as being fundamentally fair. They may not agree with all of the rules and limits, but they accept them as being fair and transparent. The way the company presents an expenses policy to employees plays a large part in how it will be perceived. Allowing employees to have an input into the process of creating or revamping an expenses policy can help to engender acceptance. Meetings and presentations where the policy is communicated and employees can provide feedback will foster a sense of collective ownership, rather than the policy being something imposed from above, to be battled against.

b) Simplicity

No matter how fair, reasonable and robust a policy is, it’s of little use if nobody reads or understands it. When a process is kept straight and simple, people are more likely to comply. If your systems are bogged down with layers of administrative complexity such as triplicate forms and MI6 security clearance to spend a penny, it’ll have a demoralizing effect on the claimants and tie up precious work-hours. By making the process too complicated, companies also run the risk that people may exaggerate their expenses to compensate for the pain of claiming them in the first place. Therefore, the policy should avoid unnecessary jargon and corporate speak, be concise, provide only the information needed, and find a tone appropriate to your organization’s culture. It is vital, therefore, to present the policy in a concise, simple-to-understand and user-friendly manner. It should be viewed as a guide to help employees understand. One option used by many companies is to present the expenses policy in the form of a company ‘wiki’, allowing it to be easily searched and accessed via the company intranet.

c) Regular Updates

An effective policy should be thought of as a continual work in progress. It needs to be regularly updated and adapted to match changes to both the organization and the broader legislative world. A policy should be reviewed and revised every few months to take into account price inflation, legislation updates, and technological advances.

d) Collect the Right Amount of (Relevant) Information

Capturing relevant expenses information will help to ensure there are no delays in administration and help avoid potential problems with compliance later on. Having the right amount of information also means that you will reach the minimum requirement for revenue and customs agencies. Different expenses can require different information for tax or VAT purposes. For client entertainment claims, for example, it is a requirement to capture the company name and the name of all attendees for tax purposes. It’s also essential to capture business mileage data, because mileage is an expense type that’s easy for the claimant to get wrong.

e) Timely Submission and Approval of Expenses

Best practice means having a definite, published time frame for submitting expenses. It’s important to do right by your employees and pay them as quickly as you can, in line with your published payment timetable, but it works both ways – it’s also essential to ensure that claimants are submitting their expenses within a prescribed time frame. When employees delay claiming their expenses for months, not only does it hurt their pockets, it can also cause cash-flow challenges for the business and associated accounting nightmares. A delay in sign-off can also lead to increased credit card fees, which might incline employees to pad their expenses down the line. This is less of a problem if managers can approve expenditures as quickly as possible. It’s also good practice to make sure that managers are reviewing expenses claims too, rather than merely signing them off.

f) Check Expenses and Make Managers Accountable

While we advocate swift sign-off of expenses, it’s also crucial that managers dare to push back on inappropriate or non-compliant expense claims. Best practice means making the enforcers accountable for the application and enforcement of the company policy, but, often, approximately half of employees say they don’t understand their policy – and this goes for managers too. By engaging with the management team and explaining the rationale behind the procedure, it is possible to get their buy-in. Not only does this drive compliance, but it can also promote behavioral change, which leads to a long-term cultural shift, ongoing savings and sustained policy compliance.

g) Make it easy to submit and approve expenses away from the office

In these days of mobile and global workforces, trying to catch up with someone to sign off your expenditures is quite tedious. If people have to wait and continuously chase their management, it can lead to delays and frustration. Slow and cumbersome paper-based processes have recently been replaced by fast and efficient cloud-based systems as technology has advanced. Rather than being a static document, the policy can be built into tools that seamlessly integrate it into the day-to-day life of the organization. Best-practice processes, moreover, allow managers to check and sign off on expenses while they are out of the office. It helps if you can use a tool that will enable approvers to say ‘yes, this is okay to pay’ while they’re out and about, so they can sign off claims anytime, anywhere. The beauty of having access to a mobile tool is that it’s faster for people to submit expenses on the go and it’s faster for managers to authorize. They’re never too far away from being able to approve expenses, unless they’re on vacation.

h) Audit Your Processes and Receipts

i. Auditing your processes. How good is your end-to-end expenses process? Do you know? When was the last time you conducted an audit? Some see expenses reviewing as an unwelcome intrusion. On the contrary, regular auditing can make your expenses procedures work better. Auditing can help iron out the glitches in your operational procedures and help to maintain a fair system. Proper auditing makes for good practice – and a best-practice process should include receipt validation and auditing.

ii. Auditing your receipts. Are you checking that your employees are claiming what they say they are and that the receipts match and are valid? For example, are they submitting credit card slips or receipts, or both (and thereby claiming for the same expense twice)? Although expenses fraud is not common, it’s not unheard of. You need to have some guidelines within your processing functions around random audits. You might also choose to audit items that are particularly tax-sensitive or items over a particular value. If you can, you should check everything. But it’s not always possible. It is possible, however, to outsource this process.

i) Pay People on Time

Have you ever waited for someone to pay the money they owe you? It’s not fun. Once employees have gone through the processes, complied with policy, filled out the right claim forms and attached receipts, it’s only fair to pay them, and to pay them on time. If people know they’re going to be waiting for their money, they may think twice about making those expensive trips that build your business. Or, worse, they might consider fiddling their expenses to compensate.



DESIGNING AN EXPENSE POLICY

In developing a company’s expense policy, certain sections are essential to consider. These include an introduction to the policy; employees’ and managers’ responsibilities; fraud, bribery and corruption; suggested costs for expenses that would generally be reimbursed (including travel, accommodation, food and entertainment); and exclusions. Other areas not listed above can also be considered based on the organization’s goals and what it stands for. Some of these sections are discussed below.

Introduction / statement of purpose

This section should explain why there is an expenses policy and set some basic guidelines (it should be factual, not scary), and it should state who the policy applies to (managers and employees) and the date of policy implementation. For example: This policy applies to all employees of (insert company’s name here – e.g., Our Company) as of the Xth Day of Month, Year. It is a framework that covers how an employee can claim and be reimbursed for reasonable and authorized expenses incurred while doing business for Our Company. Please also refer to the following company documents: (e.g., HR policy, VAT/tax/benefit documentation).

Company expectations and policy compliance (employees’ and managers’ responsibilities)

This section should contain a brief note explaining what employees should do to comply with the policy, when managers should approve claims (or not), and what happens if they fail to comply with the policy. For example: As an employee, we expect you to behave honestly, responsibly and within the guidelines of this policy (e.g., keep costs low); submit expenses as soon as possible and with enough detail to explain why you’ve made the purchase; and keep all receipts and provide VAT receipts (not just credit card slips) so we can reclaim VAT and because the revenue and customs agencies require them. As a manager, we expect you to check that purchases comply with the policy, approve them promptly and ensure they are claimed on time. If employees do not adhere to the policy, we can delay reimbursement or reject claims. Persistent or deliberate non-compliance may result in disciplinary action.

Fraud, bribery & corruption

This section presents your company’s stance on fraud, bribery and corruption. E.g.: Our Company has a zero-tolerance approach to corruption – in compliance with relevant anti-bribery laws in all the regions in which we operate. Offering or accepting a bribe, or behaving corruptly in anticipation of a bribe or advantage, is not acceptable.

The nitty gritty: types of expenses—what’s allowable

This carries the main body of your expenses policy and should cover the standard expense categories – complete with rules about what is or isn’t permitted.

a) Travel-related expenses

This section should cover the basics such as: which suppliers and booking methods (if any) are preferred; what range of fares is acceptable – e.g., lowest logical fare vs. the cheapest; and what class of travel can be booked. It should also include a section on the use of company cars (if applicable), mileage reimbursement rates and insurance. You might also include answers to the following questions: Do you encourage sustainable transport use? Does public transport take precedence over taxis or personal cars? If so, when? How far in advance must a trip be booked? Is pre-approval needed before employees book travel (like flights/trains), or only if over a particular value? For example: The following travel-related expenses can be claimed:

»» Mobile phones and Internet connectivity: Use free Wi-Fi whenever possible. Reasonable Internet connectivity charges can be added to a hotel bill unless already part of the negotiated rate.
»» Air, rail and road travel: All bookings should be made in economy/standard class (unless you can beat the price by booking early, in which case higher classes are acceptable).
»» Taxis: Always try to use public transport instead of taxis (unless you are in an unsafe area). Always keep a receipt that includes the date. You can’t claim trips from work to home.
»» Car hire: You can rent cars overseas if it’s more cost-effective than taking public transport (or if public transportation isn’t practical or available).

b) Additional travel-related expenses

This section should be a list of travel-related expenses that are acceptable and in policy, e.g.: The following travel-related expenses are acceptable and will be reimbursed: baggage (no more than two bags) and advance seat bookings, parking, foreign currency charges, visas, tips (up to 15%, unless already included in the bill) and the hire/use of a GPS with hired cars in unfamiliar locations.

c) Accommodation

List preferred methods of booking and acceptable rates. This section should also include the per diem rate for each region, e.g.:
»» Hotels: Book hotels either through the booking system/travel management company (TMC) or by your own means. If booking outside of the system or TMC, costs must be lower than those available through the first two options. You are responsible for all hotel cancellations.
»» Per diems: These cover costs for meals when away from the office on business. Only claim these in countries where personal expenses are generally not reimbursable (e.g., Germany). Rates should be set in line with local legislation.


The duty of care: This is important. Always inform others of your overnight location so we can comply with Duty of Care requirements. Tell your line manager (or a team member if they’re away) or share your travel itinerary using TripIt®.

d) Food & entertainment

This section should set limits on meal prices, provide guidelines on when to claim meals and explain any other ambiguities surrounding food/entertainment, not forgetting that revenue and customs agencies and various other laws require the names and companies of all participants at entertainment events. Meals, e.g.: You can claim for meals while staying overnight, or if traveling for business before 7 am or after 8 pm and away from the office for more than half a day. The maximum spend limits are:
»» Hotel breakfast - $XX
»» Other breakfast - $XX
»» Lunch - $XX
»» Dinner (including one alcoholic drink) - up to $XX
Client meals/entertainment costs may be higher. All entertainment claims must include a business reason and the name and company of all attendees – even those who work for Our Company. Alcoholic drinks will only be reimbursed if consumed with a meal.

e) Other expense types

This section should be a list of other expenses that are acceptable and in policy. E.g.: The following expenses are acceptable, and Our Company employees will be reimbursed for them: professional membership fees (where relevant to your profession and agreed with your line manager), postage for business purposes, annual eye-testing fees, visas and agency booking fees.

f) Exceptions

A list of things that your expenses policy won’t cover – so people don’t try to claim for these. E.g.: The following travel-related expenses will not be reimbursed: credit, debit and charge card fees (including interest and annual costs), laundry service/dry cleaning (unless the trip is longer than 4 nights), mini-bar contents, movies/videos, newspapers, parking fines, the loss/theft of goods, childcare or pet care, any personal elements, damage to private vehicles, spa and health/fitness clubs, clothes, flowers, sweets, confectionery, birthday cakes or cards for employees, tourist attractions*, bar bills*. *You can claim these if the event is part of client entertainment. There might be other things that we won’t pay for, so make sure you explain the business reason for each claim.

Finally, more and more companies are looking to technology to help automate business processes, and employee expenses are no exception. Managing expenses is about more than just balancing your budget. It’s about efficiency and cost control: knowing where your money is going, what your employees are spending, and where you might be able to reduce costs. An automated process will ensure an end to long hours spent inputting receipts, faster and more productive processes overall, and better data visibility – which means better business decisions.


HOW $11B BANK AUTOMATED THEIR ENTIRE ACCOUNTING PROCESS

In late 2016, Cadence Bank embarked upon a company-wide mission to streamline invoice capture, expense reimbursement, and processing within the organization. An 11-billion, soon to grow to 16-billion dollar bank with 1,220 employees, Cadence has grown rapidly in the past eight years and needed a comprehensive, seamless approach to tackling these time-consuming tasks. The seven-person accounting department at Cadence’s Birmingham, Alabama headquarters was spending a lot of time keying in invoice data sent from their 65 branches in five states. Administration found it unacceptable to have an entry-level duty take up so much of its highly skilled employees’ work-week.

Cadence was already using BankTEL software to handle its company-wide accounting duties—in 2011, it made the switch from Flexi—but Administration decided to upgrade to BankTEL’s latest package, the cloud-based ASCEND. This allowed the bank to make several innovative changes. Because ASCEND has 203 different permissions, the first step was for Cadence to set up 1,100 different employee users, who were able to access vendor and invoice information to varying degrees. Now these employees are able to enter expense reports remotely, by phone, tablet, or PC, and management is able to approve reports the same way—even when they aren’t at their desk.

“At end of the year, most everybody takes vacation...but that’s also the time everybody puts in their end-of-year invoices to be paid. So you’ve got all these invoices from workers, and the managers are off, and we’re trying to get these invoices processed,” says Janice Mosely, Accounts Payable Supervisor. “With ASCEND, the managers can go in on their phone and approve these invoices, and they don’t have to be in the office.”

But the big time-saver for the accounting department is remote scanning. In the past, when non-HQ employees received branch invoices, they would manually fill out a form, and scan and email it or physically mail it to HQ, where the accountants entered the invoice data into the system. (This process began in 2014. Before then, Cadence was filing everything on paper.) Now the remote employees scan their invoices into the system, choose an approver from the preset list, and do their own data entry and coding. All the accountants need to do is check the data and coding, and make sure all the invoices are coded correctly. This means that rather than entering data, they spend their time checking for accuracy in vendor assignment, use tax, 1099 applicability, and other important information. Once the invoice is approved and/or modified by an accounting associate, the workflow process moves on to management. According to Mosely, this saves the accounting department about 12 hours of work a week. “It was a constant, daily process, keying invoices, because you were getting them all day long. Now it’s much more efficient, because our team can actually look at what’s been keyed in, but they don’t have to do the data-entry.” These days, the accountants are able to spend their time on other department responsibilities, but they also have more time to go back and check the work of their co-workers in the accounting department. This flexibility allows Cadence to implement an extra protective step in the process, to guard against human error and fraud.

Remote-scanning capability has also allowed Cadence to outsource some of its data entry to international employees, saving even more time and money. Additionally, ASCEND has made it easier and faster for the accounting department to find documents and information as requested by their in-house auditors. “We do audit reports daily, new vendors, updates to vendors, things like that,” says Mosely. She appreciates the flexibility that comes with ASCEND. “ASCEND stores everything and keeps a history of what you’ve done, so if you’ve missed something, you can always go back and recreate it.”

Before upgrading, “If there was something wrong, you’d have to call BankTEL, and they would have to re-run the report for you. Now, if there happens to be an error, you can correct your error in-office and go back and rerun your end-of-day. You have more independence and more control over the processing.” Mosely appreciates BankTEL’s part in the evolution of the role of Cadence’s accounting team, and she’s glad they made the switch—both to BankTEL and to ASCEND.


WHAT IS A VIRTUAL CARD? Virtual credit cards are online cards that are not physically issued by the credit card provider.

It is usually a service provided by the original card issuer to customers who want to make an online payment with their credit cards. Virtual credit cards include a one-time-use credit card number created by the respective credit card provider. This one-time-use card is issued for the specific amount of the bill/invoice it is presented for payment of. Typically, virtual credit card numbers can be used only once, and may expire within a short time period if not used. This helps protect the customer from becoming a victim of online credit card fraud.


A virtual credit card is, in fact, just a credit card number. The virtual card issuers generally work in tandem with a software application accessed on the customer’s PC or device. This software helps the customer generate an interim credit card number, linked to their permanent card or demand deposit account held at a financial institution. Customers can then use this interim number for making online purchases. This temporary number cannot be traced back to the original credit card or to the customer’s identity. This protects against online hackers or deceitful merchants who would look to steal sensitive data.

What would my company need in order to implement a Virtual Card program?

Credit cards, specifically virtual cards, can be a valuable tool in a business’s efforts to eliminate the antiquated process of issuing paper checks, offering lower processing costs, better security, and additional financial benefits. So why aren’t businesses paying more vendors by card? Companies that have implemented card programs realize that not all vendors will accept payment by card, for a variety of reasons: low margins, pre-negotiated early payment discounts, and other contractual obligations. However, for many vendors, there are strong reasons to accept card as a form of payment, so most businesses could be paying a lot more vendors by card than they are now. To do so, they need three things:
»» The right virtual card product
»» Support for vendor enablement
»» Integration into an automated payments system

Why virtual cards?

Since Diners Club introduced the first corporate card in 1975, there has been a slow but steady introduction of new card products to meet different business needs. The choices can be confusing, and part of the reason card adoption is low is that a lot of companies pay vendors with card products that were designed for another purpose. Corporate cards, first introduced in 1975 by Diners Club, offer convenience for employees that travel and entertain clients, and give companies the ability to put parameters and controls around where employees spend money and how much. Card issuers today offer corporate cards with a lot of different perks that companies can choose from to keep travelers happy—access to airport lounges, free internet in the air, and so forth. Smaller companies will often use their corporate cards for everything. But that’s not ideal.

The problem with plastic

Neither of these products was intended for paying invoices, but thanks to another program pioneered by Diners Club in 1984—Club Rewards, the industry’s first rewards program—AP seized on corporate cards, and later P-cards, to pay vendor invoices. There’s no reason they can’t be used that way, but there are a few problems with doing so. First, someone in AP has to have a piece of plastic. That’s a risk. Then, they call someone at the vendor and give them the card number over the phone. If they pay that vendor often, maybe the vendor keeps a card on file. That’s also a risk. The other problem is that paying with plastic doesn’t scale. Phoning in credit card payments is an exception to the traditional AP workflows for check, ACH, and wire payments. So, although you get points and rewards, it results in manual work for AP. If you consider the soft costs of paying someone to call in credit card payments or enter card numbers on websites and then do the manual reconciliation on the back end, those indirect costs start to eat into any reward you are receiving from your card provider.

The virtual card

Around 2009, we started to see virtual cards enter the industry. There are several types of these, but they all share one commonality: there is no plastic card. To use one, AP creates a randomized single-use 16-digit card number along with a CVV. That number can then be used only for a single transaction, to a specific vendor, for an exact amount.

If you send a remittance to a vendor for $100 through a virtual card, the vendor can’t charge the card for $101 or $99 for that transaction. And if the card number ever falls into the hands of someone other than the intended recipient, it can’t be charged at all. That dramatically reduces the possibility of payment fraud, and it opens the door to automation, since you can batch-process single-use card payments much the same way you would ACH or check payments. The recipient gets remittance advice along with the card information, and the payment can then be entered into their system like a regular card transaction. This makes the virtual card the most sensible card-based product for paying invoices.
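As an added illustration (not BankTEL’s or CSI’s code) of the control described above, the following Python models an issuer that generates a Luhn-valid, randomized 16-digit number bound to one vendor and one exact amount, and an authorization step that rejects a wrong amount, a wrong vendor, a wrong CVV or a second use. The issuer prefix, vendor ids and amounts are constructed for the example.

```python
"""Model of the single-use virtual card control described on this page.

Added example, not BankTEL's or CSI's implementation. The issuer prefix,
vendor ids and amounts below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Tuple

# Hypothetical 6-digit issuer prefix (constructed; not a real BIN).
ISSUER_PREFIX = "511111"


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes partial + digit valid."""
    total = 0
    # Walking from the right, the last digit of the partial number is the
    # one that gets doubled once the check digit is appended after it.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the card number carries a correct Luhn check digit."""
    return len(pan) > 1 and pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class VirtualCard:
    pan: str          # the 16-digit single-use card number
    cvv: str          # 3-digit CVV issued with it
    vendor_id: str    # the one payee allowed to charge this number
    amount: Decimal   # the exact amount it may be charged for
    used: bool = False


class VirtualCardIssuer:
    """Issues single-use numbers and authorizes at most one matching charge."""

    def __init__(self) -> None:
        self._cards: Dict[str, VirtualCard] = {}

    def issue(self, vendor_id: str, amount: str) -> VirtualCard:
        """Create a randomized, Luhn-valid number bound to one vendor and amount."""
        while True:
            body = ISSUER_PREFIX + "".join(str(secrets.randbelow(10)) for _ in range(9))
            pan = body + luhn_check_digit(body)
            if pan not in self._cards:  # never hand out the same number twice
                break
        cvv = "%03d" % secrets.randbelow(1000)
        card = VirtualCard(pan, cvv, vendor_id, Decimal(amount))
        self._cards[pan] = card
        return card

    def authorize(self, pan: str, cvv: str, vendor_id: str, amount: str) -> Tuple[bool, str]:
        """Approve a charge only if every bound attribute matches and the number is unused.

        Returns (approved, reason). A leaked number is useless to anyone else
        because it cannot be presented by another vendor, for another amount,
        or a second time.
        """
        card = self._cards.get(pan)
        if card is None:
            return False, "unknown card number"
        if not secrets.compare_digest(card.cvv, cvv):
            return False, "CVV mismatch"
        if card.used:
            return False, "number already used"
        if card.vendor_id != vendor_id:
            return False, "vendor mismatch"
        if Decimal(amount) != card.amount:
            return False, "amount mismatch"
        card.used = True
        return True, "approved"


if __name__ == "__main__":
    issuer = VirtualCardIssuer()
    # A $100 remittance to one (constructed) vendor, as in the text above.
    card = issuer.issue("VENDOR-ACME", "100.00")
    print(card.pan, luhn_valid(card.pan))
    print(issuer.authorize(card.pan, card.cvv, "VENDOR-ACME", "101.00"))  # amount mismatch
    print(issuer.authorize(card.pan, card.cvv, "VENDOR-OTHER", "100.00"))  # vendor mismatch
    print(issuer.authorize(card.pan, card.cvv, "VENDOR-ACME", "100.00"))  # approved
    print(issuer.authorize(card.pan, card.cvv, "VENDOR-ACME", "100.00"))  # number already used
```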

Beyond plastic and paper

That’s where a lot of companies are now—doing some card payments, along with ACH, wires, and a whole lot of checks. The irony is that if companies just stuck to checks, there would be only one process to contend with instead of four. But in today’s world, paper processing is not a viable long-term option. The ultimate solution is automating all payment types, including card payments, in a single workflow. When people in AP think of payment automation today, they still think of different types of electronic transaction processing, but that’s only partial automation. True automation is pushing a button and off goes the payment, and you never have to think about it again. Suppliers are continually enabled, with the payment automation company collecting, maintaining, and securing the data.

Attributes
• Virtual (no plastic)
• MasterCard
• 16-digit number, CVC code, expiration date
• Unique single-use number
• Issued for the exact amount

Virtual cards have an important role to play as the payment type of choice for all vendors that are enabled for card. Not every vendor will want to absorb the discount fee, and that’s okay. They can usually be enabled for ACH and paid that way, and vendors who can’t be enabled for either are paid by check as a last resort. That’s the best practice going forward: complete end-to-end automation. Paper checks will eventually go away. Corporate cards and P-cards may stay in people’s wallets for in-person transactions. But in AP, you receive an invoice electronically, it gets approved electronically, and it gets paid electronically. There are no more piles of checks to sign, and no more folders with checks paper-clipped to paper invoices. There are no plastic cards in AP and no more card numbers written down on slips of paper. That’s what the future of B2B card payments looks like.


HOW BANKS CAN BETTER MANAGE THEIR VENDOR RELATIONSHIPS

Vendors play a crucial role in the productivity of businesses, especially those operating in the financial services sector. Banks depend on these vendors, which act as third-party service providers, for a wide range of specialized services, including control implementation, cost reduction, transaction processing and consulting. To provide these services effectively, vendors need access to sensitive company information.

Why Vendor Management is Important for Banks

Over the years, cybercriminals have focused on attacking vendors instead of their clients (banks). Most security breaches target third-party service providers. It is up to businesses such as banks to have the right vendor management programs in place. These programs help them secure the availability, integrity and confidentiality of the data that they share with vendors.

Financial institutions will find it difficult to avoid third-party service providers. As they seek third-party services, they may expose themselves to strategic, liquidity, compliance, interest rate and reputation risks. With the right vendor management programs in place, they can mitigate such risks.

Considerations for an Ideal Vendor Management Program

Banks should always adopt an effective risk management program for their IT and non-IT vendors. The program should match the level of risk so that they can take the right steps to strengthen their relationships with vendors. Explained below are the key components of a vendor management program.

1. Risk Assessment. Financial institutions such as banks should first list all vendors that they conduct business with. They also need to rank them according to the potential risks those vendors pose, considering factors such as operational activities and access to critical data when making the list.

2. Due Diligence. Due diligence should take place after a bank conducts the risk assessment. The process focuses on resilience, the information security controls in place and the background of vendors. It also covers the vendors’ familiarity with banking regulations, their reputation, and their current condition.

3. Regular Monitoring. By reviewing service agreements against actual performance, financial institutions can monitor their relationships with vendors. The monitoring process should also include the review of audit reports and frequent on-site visits to the vendors’ facilities. These institutions need to assign such a task to qualified staff.

4. Nondisclosure Agreements (NDA). Banks should have a written confidentiality or nondisclosure agreement with their vendors. The agreements help prevent information leaks, especially when the vendors have access to critical data. The NDA can apply to third-party service providers such as contractors, cleaners and security guards.

5. Contracts. Contracts signed by both banks and their third-party service providers should address various factors. These include contingency plans, procedures for terminating the relationship, the right to audit, and the nature and scope of the services. Banks also need to keep relevant documentation for the services for accountability purposes.

Trends in Strategic Ways to Manage Relationships

As the financial services sector changes, key players in the sector are changing how they manage their relationships with service providers. The modern trends in managing relationships help companies develop strategies for supporting these entities. Explained below are the top trends that help companies maintain their bond with vendors.

‘Longer-Term for Better Prices’ Policy. The secret to surviving in the ever-changing financial services sector lies in the life-cycle of vendor-business relationships. Financial service companies are now opting for third-party services that are long term, because they want to secure better prices for the solutions they seek.

Channel Programs. Channel programs are helping companies in the financial services world to strengthen their bond with outside partners. The programs help them develop strategies they can use to react to partner requests, retain existing partners and attract more partners. Channel programs tend to put more emphasis on activities that lead to long-term relationships.

Pursuit of Subject Matter Knowledge. Executives of institutions such as banks pay more attention to vendor management talent these days. They are also recruiting top talent to boost their existing vendor management strategies, believing that knowledge of the vendors’ activities can help them maintain the agreements they have.

Automation and Cloud-enabled Platforms. Companies are increasingly upgrading their relationship management software solutions, seeking solutions that focus more on meeting modern relationship management challenges. Artificial intelligence and machine learning applications are also making it possible for them to monitor their activities with vendors.

Selective and Targeted Outsourcing. A company may choose to outsource relationship management if it lacks adequate resources to do so itself. In this case, it will seek the help of a company with several years of experience in managing relationships. Outsourcing helps companies save the thousands of dollars needed for hiring permanent staff or purchasing software solutions.

How to Build Relationships with Vendors to Your Advantage

Building a strong relationship with your vendor is key to the productivity and success of your business. Besides paying attention to customers’ needs, you also need to focus on how you can retain your existing vendors. The key strategies that strengthen this bond include focusing on the future, communication and regular service monitoring. Here are other strategies that will help you.

Frequent Communication with the Vendors. Sharing priorities and information with your active vendors should be part of your vendor management strategy. You should come up with an agenda and rhythm for the meetings you hold with the third-party service providers. Regular communication can help both of you agree on your priorities and learn from each other. It can also help you monitor performance and drive accountability.

Include them in Key Strategic Sessions. Companies use strategic sessions or meetings to broadly cover issues that affect their business activities. Vendors can also take part in the meetings, especially if they supply the products or services under discussion. When invited to the sessions, they can give their perspective on the issues under discussion. Always ask them to sign a nondisclosure agreement before participating in the sessions.

Balance Competition and Commitment. As you focus on getting competitive bids for third-party services, remember to gain the commitment of the providers. When supplying you with services, the providers expect some sort of commitment from your company in return. They can support your business priorities only when you meet your end of the bargain. At the end of it all, a working relationship will exist between them and your business.


Think of Long-term Partnerships. Short-term partnerships with service providers aim at achieving temporary gains and low-cost savings. Businesses should focus their vendor management strategies on long-term goals. This mindset will help them stay abreast of their vendors’ product updates and releases. It also helps to enhance long-term shared accountability, preferential treatment, and trust.

Pay the Vendors Promptly. Delaying your vendors’ payments can weaken the bond your business has with them. Just as you focus on paying your employees on time, do the same for your vendors. Ask your accounting staff to adopt or develop effective payment management systems to handle the payments. Avoid incurring arrears in the process and inform the vendors early if there will be any payment processing delays.

Build Good Relations with the Vendors’ Representatives. Third-party service providers use their representatives to conduct business with your company. You should always be courteous to these representatives, regardless of their job titles, when you meet them. Their role is to present the interests of the service providers to your company. The way you treat them will determine whether they’ll do business with you in the future.

Constantly Review and Renegotiate the Trade Terms. The terms of trade that your company and vendor used a few years ago may be obsolete today. You need to review and renegotiate these terms with the service provider regularly. Both of you should reach a consensus regarding the most important and least important terms. The goal of this activity is to improve accountability in your trades.

Have Effective Crisis Management Systems in Place. You should always refer damaged, faulty or ineffective solutions to your vendor with relevant documentation. This strategy should be part of your firm’s crisis management efforts. Your vendor will get back to you with working solutions if you use this strategy. Failing to provide supporting documentation in times of crisis may prevent you from getting the required help.

Avoid Rush Orders. Even though your business may be under pressure to vet certain third-party services, you shouldn’t rush to choose them. Your employees should combine efforts and critically choose the solutions that matter. Rush orders may put significant stress on your firm’s operations. They can also put a strain on the bond you share with the service providers.

Conclusion

One of the ways companies can consistently meet their business goals is by forming long-term relationships with their vendors. Companies should also acknowledge that third-party service providers play a crucial role in their growth and development. They need to have effective management programs in place to build and maintain this relationship. They also need to promptly address any arising issues that affect the relations between both parties.


Bank Takes Payment Processing Times From Weeks to Days with Virtual Credit Cards

SEASIDE NATIONAL BANK & TRUST

CASE STUDY

BACKGROUND

In October of 2006, Seaside National Bank & Trust made history when it opened its doors as the largest de novo, federally-chartered bank in the United States. Since then, they have provided their clients with private and commercial banking products and services as well as wealth management and insurance solutions that rival those of large, regional banks. As a testament to their dedicated approach to building client relationships, they also managed to maintain the same close-knit accounting department throughout those years of growth. Within their small team of four, the facilities director was handling most of the accounts payable (AP) and vendor management, all of which was 100 percent manual and dominated by paper check payments. With 14 offices across the state, the process for paper check approvals was incredibly labor intensive. First, invoices needed to be sent from regional offices to the branch office for approval, then the check was printed, circulated for signatures, and finally put in the mail for delivery. Vendors were waiting two to three weeks to get paid. “As a financial institution it’s really hard to explain how you can have money sitting right in front of you but you can’t pay your vendor right away,” said Nicole Hulbert, Senior Accountant with Seaside. In November 2015, the facilities director sadly passed away and suddenly the accounting department found themselves looking more closely at their AP processes, fixed assets, and prepaid systems. They knew they needed to make adjustments to how they managed things moving forward. They looked at a couple of different options and decided they wanted to go paperless; not only in AP with invoices and approvals, but also with payments.


In January 2016, Seaside found the solution they were looking for in the nation’s leading financial services accounts payable provider, BankTEL Systems. Through BankTEL’s ASCEND solution, Seaside was able to easily automate their workflow including integration of electronic invoicing and approvals. Within the first year they added ACH, and while it was much quicker than paper checks, it was still taking 3-5 days to process and pay vendors.

BankTEL had recently entered into a partnership with Corporate Spending Innovations (CSI), bringing virtual card payments to their ASCEND platform. Seaside was intrigued by this potential integration; their only concern was how their vendors and clients would be communicated with. Their highest priority was ensuring that their relationships were handled appropriately and that their reputation for quality client service was not compromised.

SOLUTION

In October 2017, Seaside made the leap. The BankTEL ASCEND Accounts Payable module is integrated with CSI’s platform, so the payment process was simple. Seaside processes payments as normal within BankTEL ASCEND, and the file is automatically sent to CSI for card distribution. Now Seaside is delivering payments in one business day with virtual credit cards. The only thing that Seaside needed to do in order to prepare for integration was review their vendor list to ensure only appropriate contacts were included. BankTEL ASCEND allows clients to create reports any way they want, which made it easy for Seaside to go through their vendor list and exclude groupings of vendors that they knew would not be candidates. “It’s not a time-intensive process. It’s not a new module integration. It’s seamless and painless.” Implementation included a kick-off call between Seaside, BankTEL, and CSI, and the entire training process took only 15 minutes. From the initial kick-off call to when Seaside was up and running was only a couple of hours. “It was awesome, and everything was exactly as promised. The website is extremely intuitive, and everything is exactly where I expected it to be. You’re never hunting for things.” Seaside played a large role in their own vendor enrollment process, beginning with an internal communications campaign. An initial email notification went out from Seaside explaining their intention of updating records and providing electronic payments. “We wanted to get ahead of it so that there were no surprises when CSI called our vendors. And it was a simple question. Do you want to get paid faster? Most vendors do.”

RESULTS

Vendor Enrollment. As of January 2018, Seaside has a 10% enrollment rate, which they consider to be very good considering it was introduced at the end of the 4th quarter, when many companies are typically focused on an end-of-year push. They also have a vendor enrollment initiative scheduled for March 2018 to contact vendors that have expressed interest or whom they know would benefit from CSI’s virtual credit card payments.

Increased Revenue. CSI offers a cash rebate on all virtual card spend, allowing Seaside to increase revenue just by paying their vendor invoices. “Anytime our CFO doesn’t have to worry about something in AP and sees additional revenues being made at the same time, we can expect his full support.”

Time and Money Saved. Not only did Seaside increase revenue by earning a cash rebate on payments, but they also eliminated costs associated with manual labor and time, as well as the materials needed for printing paper checks. “My advice to other financial institutions considering this program is to just do it. If you’re already using BankTEL ASCEND, it doesn’t make sense not to.”


UNIVERSITY OF IOWA CREDIT UNION CASE STUDY

Credit Union Makes Move Away from Paper Checks and Gets Immediate Benefit of Time and Money Saved

BACKGROUND

As part of University of Iowa Community Credit Union’s (UICCU) overall vision to be one of the top 10 financial institutions in the US, they knew they needed to move to an electronic payment platform, rather than processing 100% of their payments through paper checks. They had experienced some issues with their paper payment system, including checks getting lost in the mail. When this happened, staff resources had to be devoted to researching, tracking, stopping payment on and reissuing lost checks. Maintaining check stock and the time staff spent stuffing checks and invoices also added up. In 2016, UICCU saw an opportunity when they were introduced to the nation’s leading financial services Accounts Payable provider, BankTEL Systems. After the successful BankTEL implementation, BankTEL suggested an even more innovative approach to payment efficiency through CSI’s virtual card payment program. BankTEL began a partnership with CSI in early 2017, and BankTEL clients have continued to see success with the program. UICCU was ready to get started.


Their only concern was whether vendors would accept the new process.

SOLUTION

In making the transition, one of the biggest selling points for UICCU was the vendor enrollment support provided by CSI. This support included vendor engagement to accompany the UICCU payments, which introduced the program and informed the vendor of the enrollment steps. CSI also fielded all the outreach to vendors to secure enrollment.

Implementation was easy and didn’t take much of the UICCU team’s time. It included three initial calls between UICCU, BankTEL and CSI to get things up and running. The BankTEL ASCEND Accounts Payable module is integrated with CSI’s platform, so the payment process is simple. The institution processes payments as normal within BankTEL ASCEND, and the file is automatically sent to CSI for card distribution. “It really was a no-brainer for us, and the platform technology proved easy to navigate with reporting features that created smooth reconciliations,” said Jennifer Grecian, Accounting Specialist, UICCU. CSI also assigned a dedicated relationship manager, and additional training was made available upon request to support a seamless integration.

RESULTS

Time. For UICCU, the biggest benefit of integration with CSI’s payment platform has been the time saved, now that the staff is stuffing far fewer envelopes and mailing far fewer checks. Reconciliation time has also been drastically reduced, creating an overall time savings of approximately 4-5 hours per week.

Money. The rebate and potential revenue growth was another huge selling point for UICCU. As the company continues to grow and enroll more vendors, they are making plans to discuss how the additional rebate revenues can be invested back into their organization and/or other community initiatives.

There was an additional cost savings from eliminating postage and paper check stock. This, combined with the rebate, created measurable additions to the organization’s bottom line. “If it’s something that could work for your organization, then you really need to get onboard. It has been a great relationship and using CSI’s platform as a part of our BankTEL Accounts Payable system has made us more efficient in every way.” - Jennifer Grecian


THE DARK WEB

ITS RELATIONSHIP TO BANKING & FINANCE

The Dark Web is a collection of websites that keep their IP address and other identifying information hidden from the rest of the network. Their use of anonymization tools (most notably Tor and the Tor browser) ensures that their packets of information are scattered among random computers to remove encryption. This should not be confused with the Deep Web. The Deep Web makes up 90% of the internet, and includes internal networks and things protected by passwords, like paywalls.

In the 1990s, advances in computing and file storage incentivized online pirates to share easily transferable files. Any type of media could be stored in a digital repository scattered across thousands of computers, thanks to the decentralized nature of the network. In 2002, U.S. Naval researchers built Tor (The Onion Router) for undercover U.S. operatives. The 2000s saw an explosion of illegal websites (everything from copyright infringement to arms dealing and child pornography). By 2005, millions of movies were distributed illegally every day. Since then the Dark Web has grown in number of sites and capital exchanged. Terrorism flourishes beneath a shroud of anonymity.

Operations on the Dark Web

The Dark Web serves many functions, some more illicit in nature than others. As mysterious as users of the Dark Web are, the types of activities they engage in are well known. They sell drugs. They exchange bomb-making tips. They form terrorist cells. They buy weapons. They speak to each other away from voyeuristic intelligence agencies. In 2015, a single website alone facilitated $180 million in transactions. However, this same technology allows people to engage with others across borders for humanitarian reasons. The network of hidden websites and its anonymous user base is a safe haven for people in highly censored regions of the world. It gives them freedom of speech and a degree of economic enfranchisement that their governments prevent. Facebook has created a version of its service that is hosted on Tor, giving oppressed users around the world access to the world’s biggest social media site. Other sites operate within a grey area of the law: WikiLeaks is a website on the Dark Web that allows whistleblowers to leak documents, many of which result in high-profile consequences.

Unfortunately, it is also known as the gateway to a global, borderless, and ever-present black market. A study from King’s College London found that 57% of websites built for Tor are used to facilitate crimes. Notorious sites like the Silk Road facilitated the transaction of billions of dollars from buyer to seller. Top purchases included drugs, weapons, child pornography, identities, financial data, and counterfeit documents. Hackers can post instructions to forums, reducing the barrier to entry for committing sophisticated cyber attacks. This promotes the growth of the hacker community. Not only is the number of human hackers increasing, but improvements in automation and bot creation allow for outsized leverage in the cyber world.

Relevance to Banking and Finance

The financial markets control the flow of capital throughout the global economy. However complex financial markets and their foundations become, they will always resemble the pipes that carry water and gas throughout a region: they connect entities to an important resource. Like a pipe underground, financial institutions can be accessed by unauthorized agents and tapped for their resources. The Dark Web is a multifaceted tool advantageous to those seeking access to capital, allowing them to target any crack in the financial system.

Dark Web Crime: Financial & Other Sensitive Data

The Dark Web is a market for classified financial information about companies both big and small. Tech, media, healthcare, utilities, and financial/professional services industries are especially targeted due to the sensitive nature of their operations. Choice targets include health records, credit card and bank information (the number one target for financial firms), and access to power grids. Customer data is not the only asset that can be hijacked via the Dark Web. Hackers have taken over a bank’s entire operation for several hours, with smart database technology that records the user’s sensitive information. Recent research shows an increase in the frequency of attacks against Enterprise Resource Planning applications. These attacks allow hackers to gain access to the Business Intelligence tools that operate on top of the Data Warehouse Database Management System. Once hijacked, the operations supporting the firm’s value chain can be clandestinely controlled remotely, allowing attackers to create invoices, control the firm’s marketing and public relations unit, and extort both money and sensitive data. The Dark Web represents an alternative to the legal financial markets. It is important to be aware of the financial activity hosted on the Dark Web so that attacks can be prevented. It is also beneficial to be aware of its innovations, especially as they relate to decentralization and encryption of payments, for the industry’s own advantage. Bitcoin has substantially expanded user capability and the features of the Dark Web. Identity theft is a real threat to the integrity of financial transactions. Information that is bought and sold can be used to fake an entire population, sometimes discreetly. Fake accounts can be created using SSN and address information, and unfortunately there is no way to be 100% sure that your personal data hasn’t already been exchanged and utilized for nefarious purposes. Attacks are often coordinated by a team of hackers working together (remotely or physically). Their communication is protected by the anonymized nature of the Dark Web. Digital attacks are different from conventional warfare: the enemy can be anywhere in the world at once, disguising their location and leaving no trace. Instantaneous and silent transfer of information is made possible by the Dark Web, and is one reason that these groups can punch above their weight. Firms vary in their preparedness and response in the event of a cyber attack. However, they all share industry techniques with each other. Some are familiar at the consumer level: antivirus and antimalware protection, firewalls, cookies, and two-factor authentication. Others require a degree of technical knowledge to understand, like Secure Sockets Layer (SSL) and credential confidentiality.

The Threat Ahead

The Center for Strategic and International Studies released a report in October 2017 outlining the future of financial cyber crimes. Key areas of concern include the rising digitization of developing markets: early adopters of IT there have fewer security measures and are exposed to the international community of hackers. Attacks are getting more sophisticated as well. The saturation of digital devices among large segments of the population fuels an ever-expanding list of potential attack vectors. Traditional methods of wealth and data extortion relied on attacking point-of-sale systems; now mobile banking and tap-to-pay services are becoming more popular.

Geopolitical tensions have increased the number of attacks perpetrated by nation-states. Government competency in both offensive and defensive cyber warfare is necessary to engage in 21st century statesmanship. Nation-state actors target both government and private institutions/firms. In 2014, a group of hackers stole the personal information and private correspondence of hundreds of Sony employees. U.S. intelligence officials blamed North Korea for sponsoring the attackers, Guardians of Peace.

Your Counterattack

The Center for Strategic and International Studies argues that improving a firm’s own IT security alone is not sufficient to resolve its security dilemma. Customer info is transferred frequently along a data supply chain, and a threat to your supply-chain partners is a threat to you. The structure of the internet will change as more and more devices are connected, most rapidly those of the Internet of Things (IoT). A dynamic threat requires a dynamic defense and a talented team of engineers. This is reflected in the job market: unemployment for cyber security professionals is 0% as of March 2018, and the need for their skill set will increase by 6 million by 2019. Also important is the need for cooperation and collaboration within a firm and between a firm and its partners. Communicating with and advising smaller partners will strengthen the global supply chain, with every firm fighting together against hacks. Improving techno-literacy in emerging markets, among both businesses and individuals, will reduce the most preventable attacks. This will also give the generous firm a foothold in emerging markets that are just coming online (an extremely lucrative market being chased by internet giants like Facebook and Google).

Practical Guide

Recognize your firm’s attack surface: the array of entry points for an attack against your firm’s hardware and software. Analyze all of the types of data that are at risk, not necessarily individual records but the categories and their varying levels of sensitivity. Use this info to determine the consequences of losing that data, how much could be lost, and what that would entail logistically. Once you have this mapped out, you can state the estimated cost of a breach. Identify the data that is most sensitive and most expensive to lose and determine a risk appetite. Cyber security is extremely expensive, and determining how much risk the firm is willing to accept will drive budgeting. The amount of extra security measures needed is determined by the firm’s current state of security. A penetration test is commonly used to recognize gaps in defenses. Once gaps are recognized, a firm can take the steps specific to its situation to improve its security. Cyber security is not just about IT. Just as important is teaching employees about their security responsibilities. No matter the sophistication of the software, hackers will always try to target the human user’s own fallibility. Phishing links and contextual deceit capitalize on the employee’s haste and carelessness.

Sources/Resources

“Alert (TA16-132A).” Virus Basics | US-CERT, www.us-cert.gov/ncas/alerts/TA16-132A.
“Center for Strategic & International Studies.” The New Southbound Policy | Center for Strategic and International Studies, 2017, www.csis.org/programs/technology-policy-program/cybersecurity-and-governance/financial-sector-cybersecurity-0v.
Greenberg, Andy. “Hacker Lexicon: What Is the Dark Web?” Wired, Conde Nast, 20 July 2017, www.wired.com/2014/11/hacker-lexicon-whats-dark-web/.
Greenberg, Andy. “How an Unprecedented Heist Hijacked a Bank’s Entire Online Operation.” Wired, Conde Nast, 3 June 2017, www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/.
Guccione, Darren, and IDG Contributor Network. “What Is the Dark Web? How to Access It and What You’ll Find.” CSO Online, InfoWorld, 19 Jan. 2018, www.csoonline.com/article/3249765/data-breach/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html.
Jaslar, Stan. “Financial Information on the Dark Web.” Sqnbankingsystems.com, www.sqnbankingsystems.com/sqn-blog/financial-information-on-the-dark-web/.
Jeffries, Adrianne. “Researchers Are Trying to Map the Dark Web Economy to the Real World.” The Outline, 22 Feb. 2017, theoutline.com/post/1136/dark-web-mapping-project?zd=1.
McCormick, Ty. “The Darknet: A Short History.” Foreign Policy, 9 Dec. 2013, foreignpolicy.com/2013/12/09/the-darknet-a-short-history/.
“Serious Security: How Online Banks Keep Your Money Safe.” Do It Right, 12 Mar. 2018, www.ally.com/do-it-right/banking/online-banking-security/.
Sweet, Carson, and IDG Contributor Network. “State-Sponsored Cyberattacks Are Now the Preferred Method of Warfare.” CSO Online, InfoWorld, 30 Oct. 2017, www.csoonline.com/article/3235270/hacking/state-sponsored-cyberattacks-are-now-the-preferred-method-of-warfare.html.
“What Is the Dark Web?” Marketing Forward Blog, 18 Apr. 2018, www.experian.com/blogs/ask-experian/what-is-the-dark-web/.


USE TAX A Guide for Businesses & Financial Institutions

A. Sales Tax vs. Use Tax

Most of us understand sales tax as a tax imposed on retail transactions involving tangible goods and sometimes services. Sales tax can be imposed at a state and municipal level and varies from geography to geography.

Use tax is a tax customers/businesses must pay to their own state or city, following a purchase on which sales tax was not collected at the outset. Use tax must be paid to the jurisdiction where the product or service will be used, rather than the jurisdiction where the product or service was sold.

Customers will only have to pay sales tax or use tax. They will never have to pay both.

B. Sales Tax History Lesson

I. Contradicting Court Cases

In the 1991 Supreme Court case, Quill vs. North Dakota, the Court ruled that a state could not require a vendor to collect sales tax if that vendor didn’t have a physical presence in the state.

However, a 2018 Supreme Court ruling, South Dakota vs. Wayfair, Inc., superseded Quill, making it legal for state and local governments to collect sales tax from online retailers, despite those retailers having no physical presence in a jurisdiction.

The Court’s decision hinged upon the fact that the Quill verdict came prior to online retail and that forbidding the collection of sales tax gave online retailers—who already have considerable cost-cutting advantages—an unfair edge over brick-and-mortar retailers. Additionally, the Court was troubled by how e-commerce causes local governments to lose tax revenue that they depend on to sustain public services. (According to the Government Accountability Office, state and local governments could have collected an extra $13 billion in revenue in 2017 if they had been able to tax online retailers.)

The Wayfair case centered upon a South Dakota law requiring retailers with greater than $100,000 in annual sales in the state, or over 200 annual transactions, to collect and pass along a 4.5% sales tax per purchase. The Supreme Court’s decision affirmed that, to be subject to sales tax regulations, a business’s operations in a state must exceed a substantial threshold. The Supreme Court also stated that retroactive sales tax (for transactions made prior to this ruling) could not be collected.

II. What Does South Dakota vs. Wayfair Mean?

The Supreme Court’s verdict in this case means that online retailers can no longer assume sales-tax exemption if they have a “substantial nexus” in a state. Thus far, 16 states have e-commerce laws similar to South Dakota’s law, and this verdict solidifies the validity of those laws. The additional 29 states that collect sales tax will likely implement similar laws in the future. It also means that customers may be charged their local state and city sales tax on both e-commerce and face-to-face purchases from out-of-state vendors.

III. How Does SD vs. Wayfair Affect Use Tax?

It doesn’t. If a customer is charged sales tax on an item or service, whether the transaction occurred online or in person, they do not owe use tax. Use tax is only paid on a transaction that has not already incurred sales tax.

C. How To Determine If/Where Use Tax Is Owed

I. Purchases Subject to Use Tax

Use tax is almost always owed on any purchase of a tangible product, whether made online or face-to-face, if no sales tax was collected during the transaction. However, some products or services are nontaxable. These nontaxable items vary from state to state. You can contact your state tax agency to find out what items/services are tax-exempt in your state. Exempt items may include food staples (certain groceries), sales to government entities, prescription drugs, or medical devices. Legal and medical services may also be tax-exempt.

II. Use Tax For Businesses With Multiple Branches/Franchises

Use tax is paid in the geography where the goods or services will be used, regardless of where the goods or services were purchased or where the franchise is headquartered. This can be confusing for financial services providers, who may be headquartered in one state or municipality but have branches in other states or municipalities. If a bank is headquartered in one city but buys an ATM for a branch in a different city, and that ATM purchase did not incur a sales tax charge, the bank must pay use tax for the city where the ATM will be installed.

III. Transactions Involving States With No Sales Tax

Customers who purchase an item from a state that doesn’t charge sales tax must still pay the use tax for the location where the item will be used.

Additionally, states that don’t charge sales tax may still charge use tax on specific purchases made outside of the state and used within the state.

a. Alaska has no state sales or use tax, but it does allow municipalities to charge sales and use tax.
b. Oregon has no state or local sales tax, but use tax may be charged on specific items, such as vehicles purchased out of state.
c. Delaware has no state or local sales tax, but it does charge vendors a gross receipts tax (a percentage of total annual sales). It also allows a use tax on certain leased items, such as vehicles, furniture, and medical equipment. This means that many items leased for a limited-time use, rather than purchased outright, may be subject to use tax. (Other items, such as leased farm machinery, are exempt.)
d. Vermont has no state or local sales tax, but it does collect a use tax for items purchased outside the state and used in the state.
e. New Hampshire has no state or local sales tax, nor does it collect use tax.

D. Steps To Calculate/Pay Use Tax

The use tax a customer/business owes is based on the sales tax rate of the location where the product will be used. For example, if the state sales tax rate is 7%, businesses/customers need to set aside 7% of the total cost of the product(s) for use tax. Use tax is itemized on state tax forms and paid directly to state tax agencies.

I. Shipping Charges

If you use a common carrier, shipping charges are generally exempt from use tax. However, if shipping charges are higher than the actual cost to ship the item, they may be taxable.


II. Downloadable Software Purchases

Software purchases are sometimes subject to different regulations than “tangible” purchases. TaxFoundation.org has a map to help you determine how software is taxed in your state (https://taxfoundation.org/states-sales-taxes-software/).

E. What Happens If A Business Fails to Pay Use Tax?

I. Audit/Fees

It’s difficult for states to enforce use tax for individuals, but businesses—and particularly financial service providers—are much more likely to be audited. If the auditing agency finds that a business has failed to pay use tax, that business could be subject to late fees, penalties and interest, in addition to the amount originally owed. The “audit negligence” penalties vary from state to state and can range from 1-30% of the total amount owed. These penalties are levied because the government deems it the business’s responsibility to correctly assess and pay use tax. If your business is charged audit negligence fees, you should ask the auditor about the reason for the fees and whether you can take any steps, short of paying the fees, to remedy the matter. In some cases, penalties may be lessened if a business agrees to the audit’s findings and pledges to pay the amount of back taxes owed. Penalties may be even higher (50-100% of the amount overdue) if an auditor determines that the failure to pay was “an attempt to defraud the state” rather than an oversight.

II. Voluntary Disclosure/Late Fee Waivers

If a business fails to pay use tax for several years, about 10 states have voluntary disclosure programs that offer a degree of amnesty. A business can reduce penalties and interest by voluntarily coming forward to a state tax agency and paying the amount owed. Call your tax agency to find out if your state has a program like this. If a business isn’t going to pay its use tax on time, it generally has 30-60 days to file a request to waive the late-filing fee. This is a written appeal submitted to a state tax agency that explains why the business won’t be able to file on time. Often, situations beyond the business’s control, such as natural disasters, the sudden death of an accounting employee, or unexpected employee turnover, will result in a fee waiver, particularly if that business has a history of paying taxes correctly and on time.

F. Automating Use Tax: BankTEL’s ASCEND Can Help

Trying to manually configure the use tax your business owes can be a tedious and time-consuming process, but beyond that, it can leave a business vulnerable to human error and, ultimately, audit fees. Automating the process with software is a much more efficient way to calculate use tax, and it allows you to run an itemized report to file with your tax agency.

I. How It Works

BankTEL’s ASCEND is the premier accounting software for financial service providers, and as such, it has built-in components to help you track your use tax in every branch.

In ASCEND, you can specify the use tax rates by branch by entering the corresponding rate for every state/city where you provide financial services. When you input an invoice that is subject to use tax, ASCEND automatically calculates the tax and details it as a general ledger item. The user can also specify which line items to tax (e.g., deactivating tax on shipping or labor charges, as appropriate).

II. Reporting

In ASCEND, a user can run extensive, customizable, timestamped use tax reports by month, quarter, or year.

Summary

Use tax is owed on purchases of goods and some services which did not incur sales tax during the original transaction. Use tax rates are calculated using the sales tax rates for the location in which the product will be used, not the location in which the product was purchased. However, use tax may apply even if the location where the product will be used doesn’t have sales tax. Neglecting to pay use tax may result in large fees and tax penalties. The best way to safeguard against these fees is to automate your use tax calculation, pay your taxes in full and on time, and keep detailed use tax records. BankTEL’s ASCEND will handle all of these details for you and help your financial institution stay in compliance and avoid extra costs.

If you have questions about this information or about how BankTEL’s ASCEND can calculate the use tax owed by your institution, please contact Nathan Turner, Chief Customer Officer, at (662) 228-4535 or at nathan.turner@banktel.com.


BEST PRACTICES RELATED TO 1099 FILINGS IN THE US

1099 FILING BEST PRACTICES

Submitting tax compliance forms is among the taxation requirements any organization should prioritize. If your company is doing business with independent contractors, paying dividends to shareholders, acting as a broker for your corporate stock, or paying interest on deposits, you will be required to send and file the appropriate 1099 forms.

VARIANTS OF FORM 1099

The variants of Form 1099 depend on the nature or source of the payment or transaction. A notable use of the form entails reporting the total amount of cash paid by a business to independent contractors for their services. These payments are synonymous with non-employee compensation that the IRS considers reportable on a 1099-MISC. The independent contractors also may be referred to as “1099 Vendors” within your organization. The 1099 form is for reporting sales proceeds, dividends, interest income, rental property income and payments made to independent contractors. Its variants include 1099-MISC for miscellaneous income, 1099-B for sales proceeds, 1099-DIV for dividends and 1099-INT for interest. Business owners should always file these forms with the IRS by January 31st and remember to mail the recipient copy as well.

BEST ACCOUNTING PRACTICES FOR THE 1099S

The key to meeting the January 31st deadline and fulfilling other IRS requirements lies in good record keeping. Always categorize the payments made to 1099 Vendors in your Accounts Payable system as 1099 applicable, with the correct notation of the type of 1099-MISC that applies. Remember to request a Form W-9 from any vendor you do business with to obtain accurate information for reporting. The Form W-9 will give you the vendor’s federal tax ID number and let you know whether the IRS has excluded the vendor from 1099 requirements. Prior planning is the best way to get a handle on the filing and reporting of 1099s in your organization. In your planning, be sure to check with software providers for any resources or training they may offer for their products. BankTEL will begin to offer 1099 training for its ASCEND suite of accounting products on September 5th of this year. You can also go through the manual for the 1099s available on the IRS website to familiarize yourself with what the IRS requires you to do.

MISTAKES TO AVOID

Classifying employees as 1099 vendors when they are actually W-2 full-time employees (according to the IRS) is one of the mistakes to avoid. Obtaining inaccurate W-9 forms from your vendors can also be a costly mistake. Waiting until the last minute to order necessary forms, or to request and set up a transmission account with IRS F.I.R.E. (https://fire.irs.gov/), can also prove costly and in some cases will mean that your forms are filed after the 1/31/2019 deadline.

TAKE ACTION

Filing your 1099s with the IRS is part of your duties as a corporation operating in the United States. Waiting until the last minute can take a toll on your energy and time, and prove costly in potential fines incurred from late or incomplete filing. Be sure to keep your accounting systems up-to-date, and consider consulting with a competent accountant for any gray areas or concerns you may have during the process. Take full advantage of any resources offered by your software application vendors in these areas. Staying consistent and committed to filing the 1099s every year electronically will improve your credibility with the IRS and keep your organization in compliance.


ASCEND ACCOUNTING SUITE

CORE SOLUTIONS

WORKFLOW SOLUTIONS

COMPLIANT SOLUTIONS


Accounts Payable

Effortlessly schedule transactions and pay bills with a completely automated process.

Approval Workflow

Approve invoices and vendors via an electronic process with detailed audit trail.

Purchase Requisitions

Manage requisitions and purchase orders to vendors with approvals.

Shareholder Management

Automate management, reporting, and dividend payments to shareholders.



Fixed Assets

Track and maintain a complete book and tax asset schedule for your financial institution.

Prepaid & Accruals

Automate setup and tracking of monthly prepaid and accrual items.

Expense Report Reimbursement

Manage employee expenses, reimbursements, electronic receipts, and credit card transactions.

Remote Imaging

Scan and submit invoices at the receiving point anywhere within your organization.

Vendor Portal

Directly receive vendor invoices and documents in Accounts Payable for approval.

Vendor Management

Easily track and maintain risk assessments, contracts, and important dates of your institution’s vendor relationships.



www.banktel.com

