Executive card fraud beyond belief.

June 22, 2016 Lynn Larson

I was planning to take a break from the fraud topic, but recent local news changed my mind. The day after I delivered a three-hour workshop on P-Card risk assessments, an article published by the Star Tribune grabbed my attention: Nonprofit CEO Bill Davis pleads guilty to fraud, theft charges. Here we go again. It drives home what I have written about before. Everyone, including executives, must be held accountable. Read what happened below. Could this occur at your organization?

The Fraud

Bill Davis was CEO of Community Action of Minneapolis (CAM), a nonprofit organization for assisting low-income people with heating/energy bills. Within a multi-year span, he spent thousands of dollars every month on the company card for personal purchases, including a new car, expensive trips, and gifts for different girlfriends.

Apparently, the Minnesota Department of Human Services (DHS) fulfilled some type of audit role. Davis was charged after the DHS discovered his organization misspent at least $800,000 between 2011 and 2013. This fact made me wonder how frequently audits occurred. Every few years?

How Could this Happen?

There appears to have been no card program policies and procedures. Davis seemingly had free reign to do whatever he wanted. It gets worse...

According to one article, Davis bullied his employees and fired them if they asked too many questions. He also had the backing of local politicians, some of whom were on the organization’s board. To top it all off, when facing increased scrutiny of his actions, he claimed unfair treatment.

Fast forward... Davis has pleaded guilty to 16 counts of fraud and theft, and prosecutors have ample evidence. Sentencing is pending.

Access the Articles

Below are links to the Star Tribune articles. I encourage you to take a look. The second one is particularly entertaining in a sad way.

See also my July 13, 2016, blog post (Who pays for payments fraud?) that offers additional insight into this fraud case.

Reminders

First the “Duh” statements:

No organization should ever hand out company credit cards without any rules or ongoing monitoring.
No position should be exempt from oversight or disciplinary action.

Is executive fraud shocking in this day and age? Unfortunately, likely not, but the details of a particular incident can still have shock value.

Addressing Executives

This is challenging, but organizations must plan for potential issues. Executives have to report to someone, likely a board. Does your organization have a mechanism by which employees can bring concerns about the C-suite directly to the board? From the start of a card program, the board needs to agree and sign off that executives will be held accountable like any other employee.

Perhaps an organization’s internal agreement that employees sign prior to obtaining a card should also include a stipulation that all cardholders will be held to the same policies and procedures, regardless of position, age, gender, ethnicity, etc. Consult with your legal department or Human Resources on this.

I am interested in what others have to say on this topic.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more…

Subscribe to the Blog

Receive notice of new blog posts.

Are end-users placing a burden on issuers?

June 14, 2016 Lynn Larson

A study by the Governing Institute indicates the answer to this question might be “yes” for state governments’ prepaid debit card programs (more on this below). I think their findings could apply more broadly. As an end-user, I participated on an RFP team for card issuer selection, so I know firsthand how quickly “desirables” shift into “requirements.” The problem is, excessive requirements can limit the number of issuers who bid on a program and, ultimately, the end-user may lose out. Following are three things driving this issue and tips for avoiding the trap.

About the Study

The Governing Institute explored challenges confronting the state prepaid debit card market and released a report of their research in 2016 (Is the State Prepaid Debit Card Market in Trouble?). States use these cards to distribute benefits payments tied to various assistance programs, unemployment insurance, child support, etc. Yet, as the report (“Report”) notes, they may be unintentionally pushing issuers out of the market with new requirements, such as increased program support. This leads to the first point...

1. Desires

We dream big. The retail industry has programmed us to want it all and get it on sale. I think of home buyers in an HGTV program. Their budget is $150,000 and they want move-in ready, a convenient location, four bedrooms, outdoor living space, hardwood floors, etc. In the end, they have to compromise by increasing their budget or letting go of some “must haves.”

Based on the Report, states’ prepaid debit card programs could use more compromise. I imagine the same thing could be happening with card programs elsewhere.

Tips

When selecting an issuer, carefully consider what is a requirement versus an interest or a nice-to-have. After creating a list of requirements (hopefully short), validate them:

Ask yourself if you are willing to completely reject a proposal (no matter how enticing the revenue share incentives) if the issuer cannot meet a stated requirement.
Do some fact finding before releasing an RFP to determine how many issuers can accommodate your requirements. If only one or two, you might want to revisit your list.

2. Perceptions

End-users generally do not think they are asking too much of issuers and, in many cases, they are right. However, as the Report points out, state officials may not be aware of how even small changes in RFP requirements affect issuers’ profitability. Further, the Report shares how issuers may compound the problem by not taking charge of the education process. Overall, there is often a communication gap between issuers and end-users.

Tips

Understand the factors that impact issuers’ profitability. They make money through the fee suppliers pay for card acceptance. Revenue sharing incentives for you mean they give up some of this money. Issuers also provide technology solutions and customer service. They have other overhead costs and incur the cost of floating the funds for your transactions until they receive your payment.

The weight of end-user requirements might be prove to be too much for some issuers.

Recognize where your program likely ranks in an issuer’s portfolio. Low card spend (as defined by the issuer), slow payments, and regular use of their customer service resources are things that collectively lower your rank. Does your program justify what you are asking of issuers?

3. Losing Sight of the Value

The Report observes how the perception gap creates an urgent issue. In response to an end-user RFP, a single proposal or none at all could mean an organization is “just a short step to the expensive, time-consuming process of paper-based payments.” This makes me wonder how many organizations would be willing to forego card programs altogether rather than reevaluate their “requirements.” How important are card programs to the organization payment strategy?

Tips

Review the benefits of Commercial Cards and identify how they have specifically helped your organization. Quantify as much as possible, such as the process savings. Do not lose sight of the value. Conversely, if you eliminated, or even severely restricted, card payments, how would this affect your operations and employees? Chances are the resulting inefficiencies would require additional staff.

More Information

For more RFP resources, visit the related webpage.

About the Author

Subscribe to the Blog

Receive notice of new blog posts.

Attack fraud through training.

June 6, 2016 Lynn Larson

My receipt of a fraudulent email last week reinforced a topic I will be covering during the June 15 P-Card Program Risk Analysis virtual workshop. I’m referring to information security and the need to train employees, so they can be more vigilant. Following are topics to address within Commercial Card training, as well as broader training aimed at all employees. A third category not addressed here further, but equally important, is training designed for accounts payable staff on the growing problem of business email compromise (BEC). Refer to the 2015 public service announcement by the Federal Bureau of Investigation for BEC information and guidance.

Commercial Cards

Do you include the elements below within your card program training and the procedures manual? Because cardholders are gatekeepers for protecting your organization against external fraud, they need to know how to:

identify a secure website before entering payment details
differentiate between legitimate communications from the card issuer versus fraudulent ones
properly dispose of documentation containing card account information

For managers, providing training on common red flag behaviors might help them more quickly spot any internal card misuse and abuse by cardholders.

Broader Information Security

Does your organization require annual training on the following? This list is just the tip of the iceberg.

How to create strong passwords
What employees can divulge about the organization to non-employees
Where/how to store, and dispose of, sensitive documentation
Asset protection standards to combat physical theft and loss
How to identify fraudulent emails and phone calls, what to do (and not do), and who to contact in these situations

The fast-paced nature of our jobs can work against us. In my haste, I almost fell for the fraud referenced in the introduction above. It claimed to be from FedEx (see image below) and, since I recently placed various online orders, this message caught my attention. I saw it on my mobile device, so I did not see the sender name behind it until opening the email. Fortunately, I paused long enough to recognize the fraud and delete it.

As Verizon’s 2016 Data Breach Investigations Report (DBIR) describes, the basic structure of phishing attacks remains the same—user clicks, malware drops, foothold is gained. Their report notes:

In this year’s dataset, 30% of phishing messages were opened by the target across all campaigns.
About 12% went on to click the malicious attachment or link and thus enabled the attack to succeed.

Overall, the Verizon research reveals we have much work to do to combat breaches.

About the P-Card Risk Analysis Virtual Workshop

When was the last time you conducted a risk analysis (also called risk assessment) of your Purchasing Card program? I will be delivering the three-hour workshop on June 15, hosted by AP Now, to guide participants through a risk analysis process from start to finish. For more information and registration, please visit the AP Now website.

Recommended Resources

If you want to dive deeper into the vast world of fraud, I find value in these two reports, which are published annually:

2016 ACFE Report to the Nations on Occupational Fraud and Abuse – The report “provides an analysis of 2,410 cases of occupational fraud that occurred in 114 countries throughout the world.” Red flag behaviors are among the many topics.
Verizon’s 2016 Data Breach Investigations Report (DBIR) – According to their website, this report “lifts the lid on what’s really happening in cybersecurity.”

Finally, see also additional content on this website pertaining to training and controls.

About the Author

Subscribe to the Blog

Receive notice of new blog posts.