For SMB, Thinly Spread Payments Veil Massive Risks

By BC Krishna - President and CEO MineralTree, Inc. - bc@mineraltree.com

At a payments conference recently, I shared a panel with a senior payments professional at a large multi-billion dollar global corporation. He spoke of the cost and complexity of managing tens of thousands of vendors, and disbursing hundreds of thousands of payments every week – by Check, ACH, Wire, Payment Cards, domestically and internationally – in an accountable, secure, controlled, error free manner.

This is a large corporation that prides itself on its finely tuned logistics and operations, and this attention to detail extends to the Accounts Payable (AP) and payments processes. It is supported by a large AP staff of several dozen people, well defined payment processes and systems and well designed controls and security.

And, while the process breaks down occasionally, and causes some consternation in the AP department, generally, it is quite a feat that vendors get paid as expected, fraud losses are insignificant and the AP department goes home on time and sleeps well at night.

This corporation though, is quite literally one in twenty seven million – the number of businesses in the United States. One large corporation that processes millions of payments every year clearly needs to, is required to, and can afford to make investments in expensive, complex people, processes and systems to make and manage its payments.

But what of the inverse? Unlike one corporation making millions of payments a year, we also have 25 million small businesses each making a few hundred payments every year.

The Plight of Small Businesses

Unlike the large corporation, none of these 25 million businesses can afford expensive, complex, people, processes and systems to keep these payments safe and secure. For business after business, payment after payment, day after day, year after year, these thinly spread payments represent a massive aggregate risk.

How large?

In the U.S., every year, businesses issue 9 billion checks. Over 50 percent of these checks, or about 4.5 billion, are written by small and medium-sized businesses, each for an average of $1000, for an aggregate value of $4.5 trillion dollars.

Non-payroll electronic payments – ACH and Wire – number about 2 billion a year. About 10 percent of these transactions, or about 200 million, are issued by small and medium businesses, each for an average of $2000, for an aggregate value $400 billion.

That’s about 25 million small and medium businesses, making 5 billion mostly “unprotected” payments – a few hundred a year per business – for an aggregate value of about $5 trillion dollars.

Wow!

You think the fraudsters have done the math? It’s a perfect storm: relatively few bad guys, going after a massive “market” opportunity, with barely any resistance.

It’s no surprise that financial crimes are on the rise – it’s easy to perpetrate, does not require any physical presence (or harm) and punishments are relatively light (nothing as draconian as California’s “three-strikes-you’re-out” law for “mere” drug possession and consumption).

So Easy Anybody Can Do It

Consider this.

Any time you write a check, your bank “routing number” and account number are printed in plain sight for anybody to see. You are voluntarily disclosing account information – the only information a fraudster needs – to electronically debit your account using the ACH network.

A fraudster with a business account at a bank and with the ability to issue “ACH Debits” can now pull money out of your account without your permission. And, if you are banking at an institution that has little to no electronic fraud monitoring, several weeks may go by before you notice the unauthorized electronic debit on your statement.

Businesses Are Unaware of the Risks

Small businesses are especially attractive targets for fraudsters for at least the following reasons:

1.    Unlike consumer accounts, small business accounts have more cash

2.    Unlike large corporations, small businesses have weaker controls and security

And business accounts don’t have the same protection from electronic fraud as consumer accounts. Consumer accounts are protected by a regulation called “Reg E”, which, among other things, stipulates that a consumer has up to 60 days to contest what they see as an unauthorized electronic debit on their account.

For a business account, you are at the mercy of your relationship with your bank. Indeed, many banks, given the nature of their business, will refund what they see as unauthorized debits. However, there are many well documented, prominent cases of banks slamming the window shut on the fingers of businesses that have been victimized by fraudsters. Bruised by this act, businesses in turn sue their banks to recover lost funds (Experi-Metal versus Comerica, PatCo Construction versus Ocean’s Bank). 

(In the banks defense, how is a bank to know when the small business bookkeeper unknowingly downloads a key logger by clicking on that attachment that has been forwarded to them by a somebody that appears to be a trusted friend?)

It is complicated. 

We tend to trust the social systems in which we live and function. For small businesses, lack of awareness can lead to living in bliss. If a business owner’s community of peers is not affected, how can he possibly be at risk? 

And the curse of probabilities. Ten thousand fraud incidents annually spread out of over 25 million businesses? That’s a pretty low probability. However, the clock does not reset on fraud incidents every year. So, ten thousand incidents per year, over two years, with the same 25 million businesses doubles the probabilities. And over the lifetime of a business, you see how a devastatingly costly incident can become highly probable. 

All Is Not Lost: Solutions Do Exist

On the surface, small businesses cannot afford the people, processes and the technologies that are available to the large global corporation that makes and manages millions of payments annually.

However, with the advent of inexpensive cloud infrastructure, and the efficiencies of electronic distribution, banks—like Silicon Valley Bank and its PayAbility solution—are now offering their small business customers the same kinds of secure payments solutions that larger corporations use. And, at a much lower cost and “right-sized” to meet small business needs.

Now that’s a win-win for everyone (except the bad guys).