Risk Management and Practices to Counter Online Payment Frauds

Known as a highly cash-dependent economy, India has opened its doors to electronic payments and cashless transactions only recently. The switch from Manual Payments to Electronic Payments has nevertheless been rather quick, with more and more businesses as well as consumers preferring to transact through e-payment systems.

Manual Payments are those where transactions primarily happen with the help of cash. The other instruments include cheques, demand drafts and letters of credit.

Electronic Payment Systems, by contrast, refer to transactions done through digital processes. Some of the methods of e-payment include credit/debit cards, net banking and mobile wallets.

Listed below are some of the risks associated with Manual and Electronic Payment methods and some best practices to offset them:

What are the risks of Manual Payments?

Manually initiated payments carry an inherent fraud risk because of the manual intervention required to complete the transaction.

Manual payments carry the following risks:

  • They’re easy to counterfeit, particularly with modern desktop applications that allow anyone with a computer to print cheques, company letterheads and so on. Signatures are easily forged, and specimen signatures of authorised company signatories can easily be obtained by intercepting cheques or company documentation in the post.
  • They’re easy to intercept. Multiple vulnerability points make them easy to amend.
  • Paper transactions can be intercepted en route to the bank, where beneficiary details can be captured and subsequently altered to redirect funds to fraudulent third-party accounts. Delays in account reconciliation delay the detection of any fraud and increase the risk of internal fraud: a manual paper transaction request could be entirely fabricated by an internal source and placed in a batch of daily paper transaction requests to redirect funds to an external fraudulent account. Manual payments can often be initiated without adhering to control processes.
  • They cannot generally be completed remotely, which leads to work-around exception solutions such as pre-signed cheques and documents that create further unnecessary risk.

What are the measures to fight them?

  • If you regularly make payments to a particular supplier, set up a standard settlement instruction that is properly authenticated. Once this is in place, all payments to that supplier should only be made to that account.
  • Do not accept amendments without proper authentication. For example, a request to amend a supplier’s bank account details should be verified by a call back process using a properly authenticated and independently sourced number with a designated supplier contact.
  • Manual transfer requests should be executed with additional levels of approval.
  • Pre-established, verifiable forms that do not deviate from prior transmissions should always be used.

Why are Electronic Payments more secure?

  • They are secure and encrypted and can be protected with a secure one-time password (OTP) and with multilevel authorisations and approvals.
  • They are swift to deliver and have no risk of being intercepted: funds transfer requests are securely encrypted.
  • Signatures cannot be forged. Entitlements and authorisations are supported by secure OTP and multilevel approvals.
  • There is immediate and automated reconciliation. Accounts can be proofed or reconciled in real-time allowing for the detection of anomalies in a timely fashion.
  • Internal processes can be enforced systematically. Entitlement and authorisation limits can be set in accordance with risk.
  • They allow for remote access. Transactions can be carried out without the need for high-risk contingency or exception processes if key personnel are out of the office.

What are the risks of Electronic Payments?

In spite of their greater security, electronic payments aren’t without risk. Either intentionally or unintentionally, passwords can be compromised, for instance. This can happen if passwords are shared or recorded in unsecure locations. There is also the risk of collusion, which involves two parties or employees working together to compromise payment integrity.

Some best practices to mitigate electronic payment risks:

  • Always keep safe word cards and PINs stored separately.
  • Do not compromise or share passwords.
  • Entitle employees only with appropriate authorisation levels.
  • Have all transactions approved under at least dual control, e.g. by imposing maker-checker functionality.
  • Impose a timely proofing or reconciliation of accounts so that anomalies can be quickly identified.
  • Always require multiple approvers for high-value transactions.
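The controls above (a properly authenticated standard settlement instruction per supplier, maker-checker dual control, and extra approvers above a high-value limit) can be enforced systematically before a payment is released. The following is an added illustration, not code from this page or from any bank's system; the supplier, account numbers, entitlement table and the high-value threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed standard settlement instructions: supplier -> the one authenticated account.
SSI = {"ACME Supplies": "IN0001234567"}
# Assumed entitlement table: who may initiate (maker) and who may approve (checker).
ENTITLEMENTS = {"maker1": "maker", "checker1": "checker", "checker2": "checker"}
# Assumed limit above which a second independent approver is required.
HIGH_VALUE_THRESHOLD = 1_000_000


@dataclass
class PaymentRequest:
    supplier: str
    account: str
    amount: int
    maker: str
    approvers: list = field(default_factory=list)


def check_payment(req: PaymentRequest) -> list:
    """Return the list of control failures; an empty list means the payment may be released."""
    failures = []

    # Control 1: pay only to the authenticated standard settlement instruction.
    expected = SSI.get(req.supplier)
    if expected is None:
        failures.append("no authenticated settlement instruction for supplier")
    elif req.account != expected:
        failures.append("beneficiary account differs from settlement instruction; "
                        "amendment needs authenticated call-back verification")

    # Control 2: the initiator must hold a maker entitlement.
    if ENTITLEMENTS.get(req.maker) != "maker":
        failures.append("maker lacks entitlement to initiate payments")

    # Control 3: maker-checker. Approvals only count from distinct, entitled checkers
    # who are not the maker, so one person cannot both initiate and approve.
    checkers = {a for a in req.approvers
                if ENTITLEMENTS.get(a) == "checker" and a != req.maker}
    if not checkers:
        failures.append("maker-checker: no independent checker approval")

    # Control 4: high-value transactions need multiple approvers.
    if req.amount > HIGH_VALUE_THRESHOLD and len(checkers) < 2:
        failures.append("high-value transaction: second approver required")

    return failures
```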

Important RBI guideline on electronic payment products while processing inward transactions based solely on account number information:

As per RBI’s guidelines on electronic payment products, credit will be effected based solely on the beneficiary account number information; the beneficiary’s name particulars will not be used. Responsibility for providing correct inputs in the payment instructions, particularly the beneficiary account number information, rests with the remitter / originator. Since credit is applied solely on the basis of the beneficiary account number information you provide, it is strongly advised to design and adopt a robust process for validating all beneficiary details before submitting a payment request to your bank.

The increased use of Electronic Payment Systems brings with it fraud and cyber security threats. These continue to evolve as more sophisticated attacks emerge, and individuals with malicious intent continue to try to gain unauthorised access to information.

Business Email Compromise (BEC) frequently happens to businesses large and small. It occurs when a scammer targets a business or individual in order to fraudulently transfer funds. The scammer grooms the victim via email, sophisticated social engineering and pressure, and eventually attempts to fool the victim into transferring funds into the wrong hands.

To counter BEC:

  • Avoid using publicly-available email accounts for business purposes. Victims with open-source email accounts are the most targeted in BEC schemes, as these accounts are the easiest for attackers to access and impersonate.
  • Closely examine email addresses. Check the entire email address and do not rely upon the shortened display names that some email providers substitute for the actual address, i.e. JohnSmith instead of [email protected].
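Both BEC checks above (is the sender on a public webmail domain, and does the full address behind the display name match the contact we know) can be applied mechanically to a message's headers. This is an added example, not code from this page or any mail product; the webmail domain list, the known-contact table and the sample message are constructed, and the Reply-To comparison is an extension the text above does not mention.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed list of public webmail domains that a business contact should not be using.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed table of known supplier contacts: lower-cased display name -> full address.
KNOWN_CONTACTS = {"john smith": "john.smith@acme-supplies.example"}

# Constructed sample: the display name reads like a known contact, but the real address
# is on a public webmail domain, which is exactly what a shortened display name hides.
SAMPLE_BEC_EMAIL = (
    "From: John Smith <johnsmith.acme@gmail.com>\n"
    "To: payments@example.com\n"
    "Subject: Urgent: updated bank details\n"
    "\n"
    "Please send this week's payment to our new account.\n"
)


def inspect_sender(raw_message: str, known_contacts: dict) -> dict:
    """Parse the From header and return the full address plus any BEC warning signs."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []

    if not address:
        findings.append("no parseable sender address")
    # Check 1: business correspondence from a publicly-available email account.
    if domain in PUBLIC_WEBMAIL:
        findings.append(f"sender address is on public webmail domain {domain}")
    # Check 2: the display name matches a known contact, but the full address does not.
    expected = known_contacts.get(display.strip().lower())
    if expected and expected.lower() != address.lower():
        findings.append(f"display name '{display}' is known as {expected}, "
                        f"but the actual address is {address}")
    # Extension: replies silently redirected to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        findings.append(f"Reply-To {reply_to} differs from From address {address}")

    return {"display_name": display, "address": address, "findings": findings}
```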

Some Important Personal Computer Best Practices:

  • Only install applications and software from well-known companies you trust.
  • Install anti-virus, anti-spyware and malware detection software – one way to defend against computer attacks is to utilize preventative software. You should update the software and the browser regularly to guard against new risks.
  • Use a pop-up blocker – set your browser preferences to block pop-ups. These pop-ups can contain inappropriate content or have malicious intent.
  • Log out – make sure you log out and exit your browser, or close the browser window, when you have finished using the Bank portal.
  • Password protect – ensure that devices (personal computers (PCs), desktops, laptops, etc.) used to access the Bank portal are password protected.
  • Immediately contact your Bank Representative if you notice suspicious account activity, experience information security-related events, or have any questions regarding security.

Banking today is more digitised than ever. Despite the ever-increasing move towards e-payments and the more efficient means of managing payments to suppliers that they offer, sometimes it’s still necessary to manually transfer funds.

Across markets and industries, fraud is increasing as perpetrators seek ever more creative and sophisticated means of achieving their ends. The approaches taken by fraudsters may be ever-changing but that only makes it all the more important that we frequently review our internal processes. Doing so gives us the opportunity to ensure that there are strong procedures in place to manage such matters.
