Operational risk gets short shrift in banking. Credit and interest rate risk are the big men and women on campus (just to throw in a back-to-school metaphor), while operational risk is usually relegated to the shallow end of the pool. That is unfortunate, because operational risk is real and is often realized more than both credit and interest rate risk. Take payment risk, for example.
According to the Association for Financial Professionals (AFP), in a 2015 study sponsored by JP Morgan Chase, 62% of corporations, including banks, have experienced some type of payment fraud. Now, a bank experiencing payment fraud for its own account is a little like a police department being robbed. Sure, it happens, but it is embarrassing when it does.
Today, we want to highlight expenditure control for two reasons. One, in an informal survey, we found that a majority of banks we reviewed had inadequate controls. Two, we found that checking expenditure controls at companies that banks lend to was rare. Expenditure control, it turns out, is an excellent topic on which banks can take a thought leadership role and help educate their corporate customers. In doing so, banks not only help build the bank’s brand as an educator but also help reduce the credit risk of the borrower. In addition, since banks often bear all or part of the liability for payment risk that they are associated with, reducing expenditure risk at the customer level also reduces operational risk for the bank.
Expenditure management is a central part of financial management and a material component of enterprise risk. The risk is twofold. The main concern is preventing fraudulent activity. The secondary concern is making sure organizations have good corporate governance to prevent a manager from misappropriating funds or spending on items not aligned with the organization’s goals.
Central to expenditure management are strong internal controls around payment signing limits and procedures. Signing limits are approved by the board and set the largest payment amount a corporate officer is authorized to make on behalf of the company. Proper expenditure control breaks down into two limits: a spending limit, which is the maximum amount an officer is authorized to spend, and an approval limit, which is the maximum amount an officer is authorized to approve based on some form of evidence such as a contract, purchase order, expense report, invoice or purchase requisition.
What Proper Expenditure Controls Look Like
The blind spot in corporate America is the small business that is transitioning to a mid-sized company. Here, expenditure controls are severely lacking and even non-existent. Banks can play a very important role with these accounts. For example, banks can provide a sample set of expense control policies and procedures.
Even for banks, expenditure control is often put in place and then not given a second thought. Dual controls, approval limits, and non-budgeted item controls are often lacking. In addition, many banks have put controls in place and then have gone through years of strong growth or through multiple acquisitions.
Below is a sample expenditure control matrix for banks that we have benchmarked for two categories of asset size. On the left-hand side is the delegated authority that is common for the board to grant the officers of the bank. On the right are minimums or maximums for each category for two differently sized organizations.
It is also interesting to know the statistics from the AFP on the size of attempted fraud:
As can be seen, fraud under $25,000 is the most common, but unfortunately, the second largest category is for amounts over $250,000. Note that the distribution isn’t all that different between two differently sized institutions. Criminals, it turns out, don’t do their homework and often don’t size the fraud to the institution. This should be taken into account when sizing an expenditure authority. While a larger institution has larger payment amounts, the expected loss due to fraud or employee malfeasance is about the same.
When it comes to fraud, paper checks, of course, make up the most likely fraud channel (approximately 45%) and are an obvious area of focus for both internal and external training. The bulk of the signing authority will have to do with the production of checks. Next, wire fraud makes up about 24% of fraudulent payment activity, followed by ACH (10%).
It is also no surprise that internal fraud or misappropriation only makes up about 6% of the total losses. However, what is a surprise is that vendors or known third parties make up about 12% of the fraud, a number that most bankers would find higher than expected. Outside of that, the most common payment fraud comes from a combination of external bad guys or organized crime.
Putting This Into Action
In order to not be hypocritical, banks should review their own policies and procedures on expenditure authority and strengthen them where needed. Then banks can provide education and assistance in helping commercial customers establish state-of-the-art corporate governance, as well as stressing the importance of frequent reconciliation of bank cash balances. That conversation naturally leads into the sale of other fee-generating services such as positive pay, reverse positive pay, segregated accounts, ACH blocks and check security features. These products not only benefit the client but reduce both credit and operational risk for the bank as well.
Helping customers be proactive on expenditure risk is just another example of where banks can add needed value for their current and potential commercial clients. Doing so will not only help differentiate your bank but may save you potential future embarrassment.
Submitted by Chris Nichols on August 25, 2016