How segregation of duties protects treasuries from fraud
15 Mar 18
With business email fraud a growing concern, Matt Packer provides a reminder of the segregation of duties
The latest figures on the scourge of business email compromise (BEC) – in which members of corporate finance teams are duped into making fund transfers by fraudulent emails ascribed to senior leaders – are disturbing, to say the least.
In new research covering more than 2,400 corporates across 150 countries, global cybersecurity consultants Proofpoint found that almost 89% of firms suffered such frauds in 2017. That’s up almost 14% on the previous year.
Last May, the FBI announced that, between October 2013 and December 2016, there had been more than 40,000 BEC incidents around the world, triggering financial losses of more than $5.3bn.
But a recent report from consultants Trend Micro predicts that the global loss figure could surpass $9bn by the end of this year.
Importantly, BEC does not discriminate. Proofpoint notes in its report: “We have seen almost no connection between [a company’s] size and how often it is targeted by email fraud since we started tracking this information in 2016.”
As Ferguson Group Services assistant group treasurer Royston Da Costa mentioned in our recent rundown of cybersecurity tips for treasurers, members of finance teams can sometimes feel “pressured to carry out financial instructions at the behest of a single, senior figure”.
That pressure would be particularly prevalent in smaller treasury teams – and, as the Proofpoint report indicates, they have as much cause to fear BEC scams as their larger counterparts.
Da Costa encouraged treasurers to implement a failsafe for emails containing fund-transfer requests. Under such a measure, teams would put each email of that type through a set series of steps, overseen by at least two independent members of staff.
However, another constructive way to fend off the risks of BEC fraud is to observe and maintain a strict segregation of duties between key arms of the department – the divisions traditionally known as the front, middle and back offices.
In an effective treasury, while those offices will certainly be required to communicate with each other transparently, each will fulfil its own distinct set of tasks.
Those tasks may be organised in the following way:
The front office…
- works with the business to identify exposures;
- provides market information and pricing advice to the organisation;
- handles cash management;
- oversees dealing (eg, money markets, FX, interest rates, long-term funding); and
- deals and enters those deals into the treasury management system (TMS).
The middle office…
- ensures that deals are transacted in line with policies;
- monitors limits and reports limit breaches;
- analyses and reports on exposures;
- handles performance reporting and use of counterparties;
- maintains bank account details and dealing mandates; and
- processes and reconciles changes in standing data, such as standing settlement instructions.
The back office…
- confirms treasury transactions in a timely manner;
- settles due deals;
- performs bank reconciliations in order to ensure all funds have moved as expected;
- accounts for transactions;
- provides all necessary reporting in cases where no middle office exists; and
- manages the TMS’s functionality and controls.
The advantage of this arrangement is that the offices essentially review each other’s activities. This ensures that questions will always be asked of any request that appears to be anomalous or incorrect in any way.
The front-, middle- and back-office structure neatly introduces layers of control into all the main treasury functions. It also creates a workflow, whereby actions initiated in one office will inevitably make their way onto the radar screen of another.
But in a world where incidents of fraud are a real threat, it’s vital to review internal structures and ensure all the necessary defences are in place.
About the author
Matt Packer is a freelance business, management and finance journalist