Have you considered the risks?

Ailsa Burkimsher from Haines Watts Service Charge looks at the issues with technology, banking and fraud.

How can you be certain you are paying who you think you are paying? Managing Agents and directors of RMCs make thousands of payments of service charge funds to suppliers each day.

What is the issue?

A big issue is the increasing level of what the banking industry calls Authorised Push Payment (APP) scams. This is where a bank customer authorises a payment but has been tricked into using the wrong banking details, usually via email contact or sometimes telephone contact with a fraudster posing as their supplier.

According to the Payment Systems Regulator, “Each year thousands of consumers and businesses fall victim to APP scams when they make a payment to an account that isn’t what they thought it was. Of the £145.4 million lost through APP scams in the first six months of 2018, £93.9 million was attributed to malicious redirection.”

In the vast majority of cases the money involved is not recovered by the bank and is lost forever.

What can you do internally to reduce the risk?

It’s really important to train staff who are making payments so that they can be made aware of this issue and try to prevent such frauds occurring.

To decrease the likelihood of financial fraud it is sensible to have internal controls in place, such as segregation of duties, so that the members of staff who enter payments onto the bank system are different from those who then authorise the payments.

Consider requiring two bank account signatories to sign in to internet banking and approve payments.

Ensure that systems are in place so that, when you are authorising a payment, you know whether the payee’s bank account number and sort code have been changed.

There are also frauds where someone hacks into a managing agent’s email, waits until a senior team member is out of the office, and then sends a fake email requesting that an urgent online banking payment is made. Policies requiring that no payments are made without an in-person or telephone conversation are a good idea. IT security measures are important to try to prevent hacking of the email system.

Have policies in place about what type of evidence you require from your suppliers before you change their payment details on your system. This could include requiring changes in writing on letterhead paper plus requiring that you phone the supplier direct to talk to them in person to confirm this change.

Who can help externally?

At Haines Watts we are well positioned to assist with a systems review of your internal procedures to help minimise the risk of your finance systems being compromised as a result of advances in technology. We have experienced and professional teams with knowledge of system audit techniques and the property management sector. The work can be carried out as part of the service charge certification process or as a standalone project.

If you are a director of an RMC, consider having a Directors’ and Officers’ liability insurance policy in place, which may protect you from personal financial liability. If you are a managing agent, consider whether your professional indemnity insurance covers you for this type of scenario.

A typical fraud scenario

A typical scenario for this type of fraud involves the fraudster hacking into, for example, a builder’s email. The fraudster would then have details of works currently being carried out by the builder as part of a service charge. The fraudster would then email the managing agent/RMC director, posing as the builder, and explain that the builder’s bank details have changed. This means that what is thought to be a legitimate payment to a supplier is diverted to the fraudster’s bank account, and the fraudster will then quickly transfer the money and disappear with it.

You may be wondering how these frauds work, when surely the new bank account set up by the fraudster will have a different name from the supplier’s name which you have used in the online banking system? Unfortunately, at present the names of bank accounts are not checked against bank data to ensure that they match the account number and sort code!

Future Banking Industry Changes

There is good news coming though, as from the middle of next year a new system called ‘Confirmation of Payee’ will be implemented by the banking industry. This will mean that when setting up a payment or amending an existing payee, the banks will check the name entered against the name of the person holding the bank account. There will be three different scenarios:

  • If the exact bank account name matches then the payment or change of payee details will be made.
  • If the name is very similar then the actual bank account name will be revealed and can then be re-entered so that it matches.
  • Or if the name is completely wrong you will be advised to only proceed with caution.

Make sure you review your internal procedures around banking payments and consider seeking professional help from an experienced service charge accountant.

Always stop and think when making a banking payment. Am I certain this payment is being made to the correct supplier bank account!?

Ailsa Burkimsher is a Client Services Manager at Haines Watts Service Charge.

Ailsa qualified as a Chartered Accountant in 2001 with a Big 4 firm. Having gained experience of property accounting working at a construction and property development company, she joined the Southampton office of Haines Watts in 2011.

Ailsa is responsible for the preparation of larger and more complex residential and commercial service charge accounts as well as management of the team in Southampton.

Reviewed: July 2019