Questions answered - The journey towards better protection against payments fraud

Questions answered for the ACT webinar

Chaired by ACT, Naresh Aggarwal, Associate Director Policy & Technical at Association of Corporate Treasurers hosted a webinar and welcomed Erol Bozak, CPO and Co-Founder of TIS (Treasury Intelligence Solutions GmbH). In this webinar, Erol shared his insights on how a journey towards better protection against payments fraud looks like, what aspects need to be considered and which technology helps your organization to establish processes to mitigate payment fraud.

Please click here to watch the recording of this webinar. 

Below you can find the questions which were posed by the participants during the Q&A session. We appreciate that Erol found the time after the webinar to answer all these questions. 

Due to COVID-19, a lot of businesses have staff working from home using their personal computers, which may be more vulnerable to hacking. How can the business maintain a strong firewall around its payment systems under these circumstances?

Erol Bozak: COVID-19 is a proof point that the architecture of payment processes in many organizations must be revisited or even to be re-invented. One of the biggest risks, for example, is the fact that there are still a lot of manual steps in payment processes. The crisis is a good starting point towards end-to-end payment digitalization. It is important to have centralized governance and centralized control over mission critical processes such as corporate payments. 

Is the Whitelist/Blacklist feature currently in production at TIS?

Erol Bozak: This feature is part of the TIS Transaction Screening module. It enables the clients to configurate different rules according to their needs and screen the out-going payments in-house for any abnormality before they reach the bank. The advantage is that potential violations can already be flagged and reviewed internally before it gets more complicated. This saves time, cost and more importantly, guarantee a high level of compliance.  

In old days, we tried to integrate multiple systems/programs into one universal platform or ERP; now that we are embracing various APIs due to cost-effectiveness and ease of installation, how can we get a right balance so as to avoid overload of software whilst maintaining proper control?

Erol Bozak: We believe that “best-of-breed” enabled by API is the future. This means, customers can pick and choose which solution works best for their needs. In other words, solutions without lengthy internal IT implementation or customization projects, with the right enablers to do so. Vendors ensure seamless integration with independent products and services and data synched via APIs. This is a new approach to customization and flexibility while providing the best solutions to meet client expectations. Payment processes are very well suited for best-of-breed approach as it has natural boundaries and limited internal dependencies. At the same time other processes (accounting, HR and treasury) crucially depend on it.

How should we best mitigate the risk around interception of customer bank account detail changes?

Erol Bozak: With the TIS Bank Account Manager it is possible to set up permissions and controls to protect the most valuable part of your payment platform: the master data. Simple principles, such as segregation of duty and multi-approvers, have always proven to be very effective to mitigate the risks around data theft, because no master data can be altered without a double check by at least one other person. 

Do you have controls around blocking the maximum amount of payment per supplier?

Erol Bozak: Yes, this feature is integrated in the payment approval process. TIS users can configure different rules for payments according to their individual needs. 

Do you have all the bank account settlement details for all the “trustworthy” counterparties?

Erol Bozak: I believe the Whitelist feature on TIS platform serves this purpose. Customers can store master data related to all their counterparties or partners, including payment beneficiaries. For example, name, address, bank and account details, relevant attachments (contracts and invoices) plus the legal entity this counterparty is associated with. Combined with the principle of multiple authorized approvers, no master data can be altered without a double check by at least one other person. This prevents payments being sent to a fraudulent beneficiary.

How do you prevent fraud by internal IT payment system administrators?

Erol Bozak: This is another typical case of internal fraud. As mentioned before, the focus to prevent internal fraud should be around internal process standardization and centralized visibility. Besides, simple principles, such as segregation of duty and multi-approvers, have always proven to be very effective to mitigate the risks around internal fraud. 

What makes TIS different from other providers?

Erol Bozak:  We believe that for most companies, a clear-cut, multitenant cloud architecture is a better solution than going with a vendor who is a jack-of-all-trades. And when it comes to the technology behind the cloud, we are at the cutting edge. What’s more, corporates feel more comfortable spreading their risk among multiple banking partners. Giving clients the ability to make multi-bank payments and leverage data for a variety of key, value-added services is the future. Our payment format library is the best in the market, and we are a leader in bank connectivity and ERP integration.  Last but not the least, we believe in ‘best-of-breed’. We want to enable treasurers and financial leaders to choose specialized solutions connected via API to get the exact features they need to efficiently reach their goals. Therefore, we actively look for meaningful partnerships to deliver a best-of-breed experience for our customers. For example, recently we announced our partnership with Cashforce, a leader in next-generation cash forecasting & working capital analytics.

You are referencing to “The 4-eyes-principle for administrative workflow configuration”. If this is saying 4 people should be involved in payment authorization process. Whilst it is critical to have segregation of duties too much can be a weakness.

Erol Bozak: The ‘4-eye-principle’, or ‘N-eye-principle’, means to ensure that no payment instruction can be sent to any bank or no master data can be altered without a double check by at least one other person. This is a basic principle not only valid for payments, but also for any mission critical processes in organizations. 

Can you give an example of a fraudulent payment and how TIS stops it?

Erol Bozak: One example is the CEO fraud, also know as Business Email Compromise (BEC) or “Phishing”. In a typical attack, several email messages or calls will be exchanged with the target, for example somebody works in finance department or HR team.  Usually such message contains an ‘urgent’ payment request from the C-level with an attempt to victimize the target to release payments to the attacker’s bank account. TIS provides sophisticated cloud-based solutions that are integral to the financial operations of our customers. Our system allows our clients to create process controls around all activities in payments for better protection against payment fraud. You can find more details in our executive briefing about CEO Fraud

What data would you put on the white/blacklist?

Erol Bozak: A Blacklist allows customers to build and maintain a list of untrusted parties (counterparties, banks or countries) on the TIS platform. Once implemented, every outgoing payment is checked against the list. This feature has a high level of flexibility. For example, a counterparty can be blocked by adding the ‘name’ only, or just the IBAN, or by a full set of available data (name, country, bank account details). If a payment is in the system for a blocked party, it will be stopped immediately and flagged. A Whitelist, namely, is the opposite of a Blacklist. On TIS platform our clients can create a beneficiary address book to store master data related to all their partners, including payment beneficiaries: name, address, bank and account details, relevant attachments (contracts and invoices) plus the legal entity this partner is associated with.

Please visit to find out more or get in touch with us via 

Scroll to top