Payment Security 101
Learn about payment fraud and how to prevent it
The Vendor Master File (VMF) can be identified as the bible of any accounts payable (AP) department. With so much incorrect data resigning in several VMFs, how can your AP team act with confidence?
We explore the importance of an accurate vendor master file in stopping error and fraud.
A healthy vendor master file, or supplier database, is critical because the data is used to generate electronic payments and is also used in a huge range of business activities.
It’s fundamental to everything from business-to-business transactions to tax and GST reporting. And it touches on management reports, compliance, purchasing, sales, contracts, sourcing, performance and risk management.
So it’s vital to keep your VMF clean – and to protect it with sensible data management processes and policy. Inaccurate VMFs are the norm, keeping a VMF up to date manually is a time and labour-intensive task, and many businesses fall short.
A recent KPMG study discovered that 20% of vendor records may be inaccurate in a typical VMF, and Eftsure’s analysis reveals the number may be as high as 25%. For small to medium enterprises, a cyber attack can be ruinous, putting them out of business for good.
The good news? A well-maintained and automated VMF can be your secret weapon in combating fraud and error. Used wisely, it can improve governance and compliance reporting and protect your business from risk.
With fraud rising relentlessly in Australia and cybercriminals casting a wider net, business risks are accelerating. A 2014 PwC survey found that in just two years, 57% of Australian organisations experienced economic crime, 36% of them losing more than $1m.
Today’s fraudsters are determined and sophisticated, and even the world’s most tech-savvy companies, like Facebook and Google, aren’t immune to their schemes. Using fake email addresses and supplier credentials, they lay the groundwork for payment scams, waiting patiently to whisk funds away.
They also operate from within: in recent years fake invoicing schemes hatched by employees cost Channel Seven $8m and NSW’s Botany Bay Council more than $4m. KPMG says that while frauds by professional criminals rose an astonishing 300% from April to September 2016 in Australia, most were carried out by company insiders, with technology playing an increasing role.
Some suppliers quote fraudulent GST and ABN details to avoid tax, as tradespeople did in the recent Bunnings scam, exposing businesses to compliance risk. The black economy is now a $25b per annum problem, costing taxpayers and the economy. Many scams go undetected.
More mundanely, people make mistakes. Human error, pure and simple, can lead to significant financial loss through inaccurate or duplicate payments.
The simple answer is better controls. But what’s the best way to implement them without slowing your business down? In this eBook, we explore how you can improve digital payments controls and compliance while achieving best practice vendor master file (VMF) management. By validating payees and payments in real time, you can stay ahead of criminals and reduce errors that lead to financial losses.
US$100m lost by Facebook and Google in an email phishing and payment scam in 2013. Posing as genuine supplier, the swindler coaxed accounting departments into making wire transfers to a fake supplier account.
Duncan Steward from Breakthru People Solutions:
“Eftsure’s [adds] extra strength to our internal control environment.”
Your VMF reaches into every part of your business.
A healthy VMF, or supplier database, is critical because the data is used to generate electronic payments and also used in a huge range of business activities. It’s fundamental to everything from business-to-business transactions to tax and GTS reporting. And it touches management reports, compliance, purchasing, sales, contracts, sourcing, performance and risk management. So it’s vital to keep your VMF clean – and to protect it with sensible data management processes and policy.
Keeping a VMF up to date manually is a time – and labour-intensive task, and many businesses fall short. A recent KPMG study discovered that 20% of vendor details may be inacurrate in a typical VMF, and eftsure’s own analysis reveals the number may be as high as 25%.
The same study showed that a VMF anomaly rate of 20% results in a payments error rate of 1%. For corporations or government organisations making multi-million-dollar payments, this represents a significant and largely avoidable loss. For small to medium enterprises, a cyberattack can be ruinous, putting them out of business for good.
Well-maintained and automated, your VMF can be your secret weapon in combatting fraud and error. Used wisely, it can improve governance and compliance reporting and protect your business from risk.
Gary Gill from the Head of Forensic at KPMG Australia –
“Fraud continues to rise relentlessly in Australia”
Your VMF probably started out clean enough. But it degenerates over time.
There are many reasons why VMFs degenerate. The biggest is human error. It’s compounded by many factors – multiple owners, decentralised business operations, shoddy controls and the fast pace of business putting time pressure on workers. The sheer volume of vendors can make it difficult to keep up with changing address or banking details. Fraudsters expertly find and exploit these weaknesses.
Inaccurate VMFs are implicated in a swathe of payment problems – everything from duplicate or misdirected payments to overpayments and fraud. They can also cause your business to run foul of regulation.
It’s hard to guard completely against human error but, as we’ll explain later, eliminating manual processes and automating checks on VMF additions and changes can have a big impact. This is particularly important when onboarding new vendors. Fortunately automation solutions are now available to help you.
Large supplier ecosystems with frequently changing details make VMFs notoriously difficult to maintain.
Analysis of a wide range of VMFs reveals up to 25% of vendor details are incorrect, incomplete or duplicated, escalating risk exposure.
Managing your VMF should be ongoing and in real time – not something you do once in a while.
The best managed VMFs feature both internal and external controls and processes that are continuously applied to keep VMF data accurate. Where possible, they’re automated. This removes the risk of human error and partial checking.
External controls can deliver rich data verification capabilities, providing automated checks and balances that stop fraudsters from exploiting trust. By enabling third-party credentialing, you can catch many frauds and errors before a vendor’s details are even entered into your systems and before money leaves your company account.
There are many validation points you can use. For example, matching account names with account numbers and BSBs is a simple way to catch fraud and error. Banks don’t do this for you – software like Eftsure’s can handle it automatically. Validating ABNs and GST registration verifies that your vendor is legitimate business and genuinely remitting the GST they’re charging you. Matching addresses provides certainty that vendor details are accurate.
Where possible, allow your vendors to easily maintain their own data by using a third-party verification service, such as Eftsure, before entering their data into your systems. By giving vendors ownership, you can improve efficiency and reduce inaccuracies.
In the real world, keeping things clean requires ongoing effort. So while cleansing your VMF is an important first step, it’s only a stopgap measure unless you also commit to keeping it clean.
As a first step, you’ll need to validate all vendor data before it enters your systems. Then you’ll need to check, verify and correct your data continuously – plus protect it from human error and cyberattacks, such as malware, as records are updated and added.
From a compliance perspective, it’s also vital to evaluate how you manage your VMF against key metrics to make sure your approach is the most efficient and low risk.
Your objective: To transform a reactive VMF with poor controls into one that’s clean (for now).
First, scrub your VMF to ensure all vendor data is accurate and comprehensive, removing any duplicate and inactive records.
Your objective: To make your VMF more automated so it stays clean and consistent and becomes a tactical tool.
Keeping your VMF clean requires housekeeping. Establish processes to keep existing data tidy and complete and to minimise human error, preventing inaccurate data from creeping in.
Your objective: To make your VMF more self-maintaining so it becomes a powerful strategic asset that helps you comply with regulation, manage risk and protect against fraud
Are you getting it right? Use automation to improve compliance and governance. Plus review, evaluate and improve how you manage your VMF to ensure compliance down the track.
Defrauded, phished and scammed, these companies turned to Eftsure to help detect fraud and prevent future losses. Now their VMF management is best practice.
All payments are verified to make sure they’re going to the correct accounts. Real-time checks preserve the integrity of the VMF over time. And a full audit trial of alerts and reporting helps managers to stay vigilant to stay vigilant against future attacks.
37 cases of fraud over two years resulted in losses of $1.2m –
Eftsure verified all accounts payable transactions and the VMF against our database to revel phantom vendors, fake invoices, duplicate invoices and fake credit notes. All exploited flaws in confirming payee account information at the point of payment.
A phishing scam cost the company 457,288 in fake invoices –
A fake hotspot on free airport WiFi directed a finance manager to a spoofed web page that captured his email login credentials. The fraudster replaced emailed invoices from new vendors with fraudulent invoices from a false email address and sent them to Accounts Department with a request to update bank details.
Employees colluded to steal $128,706 over nine months –
The fraud used false invoices from an approved supplier. The gang changed the supplier’s account number and BSB, leaving the payee name, and colluded to authorise the payments. Later, they changed the supplier details back to the correct information to allow legitimate payments and audit.
Eftsure’s report uncovered almost 5,000 anomalies in vendor data in Company C’s master file.
Eftsure helps minimise business risk with three user-friendly products collectively known as the ‘Known your Payee’ (KYP) solution.
We’re a software company that helps organisations know their payees and achieve best practice vendor onboarding, payment controls and VMF management. Our crowd-sourced cloud solution helps you bring your internal control enviornment into the digital age we now transact in.
We save you time and money, and make you more efficient by helping you authenticate vendor’s details as you onboard them. We also verify your payees, clean your VMF and keep it clean by providing real-time continuous prevention and detection of fraud and errors in the payment process.
We have three products that work together to tighten your digital payment controls. Our three products – VENDORsure, PAYsure amd COMPLIsure – work together and make your Accounts Department more efficient, compliant and alert to fraud and error. Their key capabilities are outlined in the diagram.
Oliver Lefevre from Veolia –
“Eftsure’s third-party validation of bank account details mitigates the risk of collusion that could result in fraud.”
Your suppliers are onboarded through our portal for independent verification. Once that’s done, we verify your payment data against an independently maintaines single source of truth built from multiple reference points. When we find anomalies, we alert you so you can investigate and correct them – before erroneous or fraudulent payments are made.
In 2017, we raised $2m in venture capital to develop our products further. We also partnered with PwC, one of accounting’s biggest names, to take our innovation to more customers.
We validate the integrity of your online transactions and vendor data in real time and flag any problems so your accounts team can follow up. We also monitor for duplicate payments and other common errors and flag them before payments are made.
Shannon Davids from PwC (Audit partner) –
“We see a lot of value in our clients having access to this solution.”
Discover how your VMF compares to industry benchmark standards. Visit eftsure-vmfscorecard.com to request your company’s scorecard and learn where your organisation is at risk.
Book a demonstration with Eftsure and take your first step in securing your vendor master data with our VMF health check.Book a demo
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.