Stan Graham, CPA, Juris Senior Consultant, LexisNexis:
Many law firms are unwittingly placing an amazingly low priority on safeguarding their assets. If you were to ask them, they would probably say that it is not so. But the reality is that their behavior is often inconsistent with the Best Practices of Protecting the Firm’s Assets. There are four primary reasons for this:
The recent hack of financial data at Equifax in 2017 should serve as our wake-up call. To keep from being the victim of fraud or embezzlement, we must remain eternally vigilant and set up the best possible protections to keep from becoming victims. The biggest areas of risk in the loss of Financial Assets centers around three main areas:
There are multiple ways criminals can and will attempt to gain access to a Firm’s bank accounts. An important area of risk that is very easy for firms to prevent is the protection of check stock, so that it cannot be stolen and used to access firm funds. Relying on the banking system to verify signatures on checks is an impossible task, given the number of checks processed in the U.S. each year. Keeping check stock under lock and key with access limited to key personnel can be a good first step in preventing this type of fraud.
However, every time a law firm issues a check to a person or business, key information on that check can be obtained by persons outside of the law firm, most critical of which are the Account Number and Bank Routing Number. Photocopying and printing technology have improved over the years to where criminals can very easily make copies of the firm’s checks to fraudulently divert the firm’s funds for their own use. These “fake” checks are so good that they even have the magnetic MICR (Magnetic Ink Character Recognition) printed on the checks to facilitate the clearing of the fraudulent checks through the U.S. Banking System.
In addition, many firms will provide bank account information on their bills to clients to allow their clients to send wire and ACH transfers from their bank accounts to the firm’s account. Again, as this information is broadly disseminated to the firm’s clients and/or vendors, it can become an attractive target for hackers to try to gain access to the firm’s money. This information can be obtained and used by more people than we would normally expect. It only takes one person with illicit intentions to create a situation of potential loss for the firm. We must consider:
If we stop and think about this, we quickly realize that a lot of people will have your firm’s bank account information, any of which could attempt to fraudulently access funds.
This means that the firm must work to actively prevent and detect such fraudulent activity. If a firm thinks that this can’t or won’t happen to them, they should consider the following statistics.
According to the 2017 AFP (Association for Financial Professionals) Payments Fraud and Control Survey:
The reasons for these frighteningly large statistics include:
The most concerning aspect of these statistics, is that the risk levels have increased again in 2017, yet the survey shows that companies are doing less to prevent or detect fraud.
There are three simple steps that a firm can take to protect their bank accounts and detect fraudulent activity:
The idea behind segregation of accounts is to protect the firm’s cash in a bank account that no one will know the account information. The way fraudsters find bank account information is generally from the Firm’s checks, or from the banking information provided for wires and ACH transfers on the firm’s invoices.
So, the key is to have three Bank Accounts. The primary bank account is the account where all funds are held. Checks are not written from this account and deposits are not made to it either.
The firm will have a Deposit Only account for Cash Receipts and receiving Wire or ACH payments from clients. No withdrawals are permitted from the Deposit Only account. At the end of each day, the bank sweeps all funds from the Deposit Account into the Primary Bank Account. At most, only one day’s deposits are at risk on any given day. And since no withdrawals are permitted from that account, fraudsters should be unable to request a withdrawal of funds or gain access to the money.
The third bank account is a Disbursements Account. This is the account that is used to write checks for the firm. This account will not accept deposits and no funds are kept in the account.
In addition, this bank account will be protected with Positive Pay . . . meaning that only checks that the firm has uploaded to the bank can be paid when presented for payment. Any checks not on the list uploaded to the bank nightly will not be paid. At the end of the day, the bank automatically transfers funds from the primary bank account to the Disbursements Account, equal to the amount of checks that cleared for that day.
Graphically, it would look as follows:
*Click to enlarge image.
In general, Positive Pay is a service provided by your bank or financial institution, whereas the firm uploads a list of checks, generally daily, to their bank . . . Authorizing the bank to pay only those checks contained in the upload file.
Checks that have not been uploaded to the bank’s Positive Pay website/portal will not be paid.
However, you do have the option on the website to authorize a payment that wasn’t uploaded (such as an ACH Payment), or a manual check. Most financial institutions will either email you with exceptions with a deadline to respond or will expect you to log in daily by a specified deadline to authorize any exceptions.
If the deadline is missed, the presented item will be returned unpaid to the account that had deposited the check.
The Bank will compare the Check Number, Check Date, and Amount of the check with the uploaded list of checks to determine if an item should be paid.
Voided Checks are also uploaded, so that they are removed from the list of checks authorized to be paid. This prevents someone from presenting a stale or old check for payment that you have already voided out of the system . . . forcing them to contact you for a replacement check.
There are three types of Positive Pay:
As mentioned previously, the Bank will compare the Check Number, Check Date, and Check Amount against your uploaded file and only pay those items that have been uploaded to the website.
There is usually a deadline for reviewing exceptions after which checks might be returned unpaid.
Some banks will notify you via email of pending exceptions, others will require you to log in daily by a deadline to approve any exceptions.
Payee Positive Pay is basically the same as Positive Pay, except that in addition to verifying the Check Number, Check Date, and Check Amount, the bank will also verify the Payee on the check.
Some banks might charge a slightly higher fee for Payee Positive Pay.
This has the added advantage of preventing someone from altering the Payee on the check before it is presented for payment.
In Reverse Positive Pay, the firm sets a threshold amount at which the bank will automatically pay any check presented that is at or below the threshold amount.
Someone from the Firm will need to log in daily to see all checks that are pending payment that are above the threshold amount and approve or reject each check presented above the threshold.
This doesn’t prevent someone from presenting large quantities of small checks for payment that may be fraudulent.
There’s usually no monthly fee for Reverse Positive Pay, but there is a per item charge to the firm for each rejected check.
The third part of the triad of protecting a firm’s assets is the timely review and reconciliation of all bank accounts . . . including credit cards. This is how and where fraud is detected. It is also an area that is frequently neglected by those whose responsibility it is to perform. But this task needs to be elevated to a high priority at the firm.
The first task is to determine who the appropriate person at the firm is, to do the bank reconciliations. Strong internal controls around who performs bank reconciliations are important from preventing fraud or embezzlement from within the firm.
Bank Reconciliations should be performed by someone that does not do any of the following:
Ideally the Bank Statements should be mailed to the attention of a partner at the firm, or if you are using an outside accountant to do your bank reconciliations, directly to that person. And someone in management at the firm (i.e. a partner) should regularly monitor the reconciliations of the bank accounts, to ensure that they are happening in a timely manner.
The separation of duties is an important Internal Control. Law firms are generally always surprised when fraud happens internally. The environment that makes internal fraud occur centers around three areas:
Many of these things would not normally be known by the law firm. Often disgruntled or entitled employees hide their feelings from management. Personal financial problems, vices and living beyond one’s means is not something that a person shares with their employer either. So rather than worry about such risks, the firm should just set up the appropriate internal controls, so that they don’t have to worry about it.
Reconciliations should be done promptly upon receipt of the bank statement or credit card statement. Outstanding checks that are over a month old should be followed up on to determine if they should be voided or replaced. If checks are given to attorneys, it often turns out that later they don’t need them and it is important that they are returned to accounting to be voided . . . and subsequently listed as voided in Positive Pay.
Given the recent Equifax hack, firm credit cards are even more at risk. In addition, anywhere that the firm credit card is used is at risk for hacking or being stolen. This is an extremely high-risk area. But unfortunately, attorneys are notorious for not examining charges promptly and communicating what charges are for to the accounting department.
It is important that Management team at the firm have and strictly enforce a policy regarding the prompt review and timely reporting of credit card charges. If charges are reported immediately after they are incurred, it will allow the accounting department to process charges promptly and detect fraudulent use of the credit card sooner.
Protecting the firm’s assets should be the responsibility of every partner, attorney, and employee at a law firm. However, by employing the triad of steps for preventing and detecting fraud, the firm can rest easy that cash doesn’t leave the firm inappropriately. Often this requires behavioral changes at the firm, but none of the steps are expensive and are certainly less expensive than a loss through fraud or embezzlement.
Firms can and do often employ insurance against such events. However, many of those policies today have a contributory negligence clause that would result in the firm not being reimbursed for losses if they don’t take these steps to prevent fraud. So, while there is significant risk to firms, losses from fraud can be easily prevented and/or detected, and if fraud occurs, the firm should be able to confidently prove that they weren’t negligent in their internal controls and prevention methods.