Procurement fraud and card misuse reenter the news.

Two different situations, but both yielded negative press. The following stories once again highlight control gaps that allowed fraud and misuse to occur. While we cannot control the media, we can learn from the mistakes of others. To keep your organization out of the “bad news” arena, take necessary actions now to improve internal controls. 

If your card program (or your client's card program) has been the subject of a good media report, I encourage you to share it within the comments section below. 

Avoid being the topic of bad news by utilizing effective internal controls.

1. Procurement Fraud 

The Financial Industry Regulatory Authority (FINRA) permanently barred a former Charles Schwab financial representative after he purchased and resold approximately $1 million of office equipment.

FINRA records note that, between February and August 2014, the rep used the firm’s corporate procurement system to purchase office equipment for his branch office in Florida, which he later sold to various people to obtain cash for himself. Multiple organizations reported this story last November, including ThinkAdvisor.

Control Gaps

I doubt that it was typical for a rep with an office of his size to spend nearly $1M on office equipment in less than a year using corporate funds. Such activity could not even be explained away as a new rep establishing an office (it would be quite an office!), as he was a 15-year veteran. I assume that the control gaps included:

  • Overly trusting management who did not consider or believe that a veteran employee would commit fraud 
  • No budget for the rep to adhere to 
  • No purchase limit/threshold preventing the rep from spending above “X” amount via the procurement system each month 
  • No monitoring of his purchases and no visits to the branch office for purchase follow-up 
  • Lack of fixed assets tracking 
  • No review of spend reports to compare the rep’s monthly spend total to previous year(s) or to other similar-sized reps in an effort to identify out-of-norm spending activity

2. Card Misuse/Abuse

Right in my own backyard, the local newspaper, Star Tribune, reported last month on card misuse and abuse within the Minneapolis Public Schools (MPS). The issues included inappropriate purchases, lack of receipts (even though receipts are required) and out-of-policy purchases; for example, using the card at local restaurants when the policy only allowed meal purchases while on business travel. Top executives have been part of the problem. 

Fixing What is Broken

After reading the initial article on January 11, I contacted the author to offer my insight on the district's woes. A follow-up article published by the Star Tribune on January 12 included some of my comments. (I garnered a modest 80 words.) My recommendations included the standard control best practices:

  • Assigning and enforcing accountability for the oversight role to ensure policies are followed by everyone, including executives 
  • Clear P-Card policies and procedures (P&P) 
  • Mandated training prior to card issuance and annually to stress key P&P, such as what is and is not allowed 
  • No tolerance for policy violations, including missing receipts 
  • More strategic MCC blocks; for the district, this could mean blocking restaurants and similar unless the cardholder will be traveling 
  • Obtaining reports from key suppliers that show off-contract purchases; for example, with the office supplies vendor, are cardholders purchasing higher quality goods than what is allowed? 
  • Effective auditing on an ongoing basis to catch and remedy issues if/when they emerge


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

Restacking the chips—pros and cons of EMV options.

Have you formed an opinion yet on the topic of chip-and-PIN versus chip-and-signature cards? Maybe you saw the recent news that many U.S. banks are leaning more toward the latter, which is less secure. I wondered about the reasons for this since other countries have already predominantly adopted the more secure chip-and-PIN. However, before diving in further, we cannot forget that any card with a smart chip and the EMV security standards is more secure than cards with only a magnetic stripe.  

On the PIN vs. signature topic, I found some great insights in an article by Brian Krebs of Krebs on Security in which he interviews industry experts from Aite Group and Gartner Inc. I highly recommend you read it, but following is a summary of two key considerations at play.

Ease of Use

Chip-and-signature takes the lead, being quicker and easier to use at the point of sale. Chip-and-PIN requires the extra step of entering the correct PIN (personal identification number). If the cardholder forgets the PIN, he or she would need to pay a different way or abandon the purchase altogether. These are not good outcomes for the card-issuing bank or your card program. 

Then there is the issue noted by Jack Jania, Gemalto Inc., during my 2014 interview with him: limitations of the current U.S. ATM infrastructure to manage card PINs in the field. Since the PIN is tied to the smart chip, it is not easy to reset. As a last resort, the bank might need to reissue the card, which is another hassle for everyone.

 

Protection for Lost or Stolen Cards

The advantage here goes to chip-and-PIN since a lost or stolen card would require a fraudster to enter the correct PIN in order to use it. With a chip-and-signature card, a fraudster could forge the cardholder’s signature at the point of sale and/or use the card at an unmanned kiosk or terminal. 

Is it a gamble or good business decision for banks to go the chip-and-signature route? Probably a mix of both.

Given the above plus other nuances, each bank needs to decide what makes the most sense for its business. If you are an end-user organization, ensure you understand what type of card you have, requirements for usage, what could go wrong and how to resolve any issues. 

For more on EMV, see the related webpage.

Related article: Banks Opting For Less Secure Signature Cards, January 6, 2015, PYMNTS.com.



Recommit to annual P-Card housekeeping tasks.

What is on your list of annual program management tasks? Have you documented them within your P-Card procedures? Making a conscious effort to complete the following 12 tasks annually will help keep your program in good shape. Of course, you might tackle some of these more often than yearly and in months other than January, especially if your fiscal year is not the calendar year. Nevertheless, the beginning of a calendar year marks a fitting time for a review.

Annual P-Card housekeeping clears the way for you to explore expansion opportunities.


Housekeeping ain’t no joke.
— Louisa May Alcott

Can You Add to the List?

If you have additional card program management tasks that you do annually, please share them within the Comments section below.

Number 13 Added!

The November 11, 2015, blog post adds one more task to the annual list: cardholder contact information.

12 Annual Housekeeping Tasks

  1. Revise P-Card Web pages and documents that reflect dated information, such as the schedule of transaction reconciliation deadlines for the year that cardholders must follow.
  2. Ensure P-Card policies and procedures are current.
  3. Execute mandated annual refresher training for cardholders and their managers.
  4. Evaluate cardholder activity for the prior year to identify inactive or under-utilized cards.
  5. Review the appropriateness of card limits and MCC restrictions. Too many temporary adjustments during the prior year to accommodate legitimate purchases indicate a mismatch between your controls and program goals.
  6. Update your P-Card program risk assessment.
  7. Publish key program metrics online, such as annualized process savings, and develop a 2014 summary specifically for management. Using graphs can be an effective way to share program status at a glance.
  8. Consult with accounts payable regarding the potential need for a rebate accrual entry or adjustment.
  9. Upload current accounting/budget codes to your P-Card program management system, if applicable. Some organizations pre-populate budget code drop-down menus. This allows cardholders to select (versus key in) the right codes, if different than any default codes, when reconciling transactions online.
  10. Provide updated cardholder information for the organization’s business continuity/disaster recovery plan. If your organization does not require annual training on the plan, then consider sending an overview to cardholders and their managers as a reminder.
  11. Assess your organization's relationship with the card issuer. Are there any unresolved issues? Are they meeting your needs? How can you improve the relationship? Confirm when your contract expires, so you are not caught off-guard. Plan accordingly.
  12. Consider whether your organization could benefit from adding another card type, such as Declining Balance Cards (e.g., project/meeting cards) or Virtual Cards, to round out your payment strategy and address a pain point.  

Annual housekeeping plus the type of goal setting for card program expansion that I mentioned in my last post will get the new year off to a great start.

