|
Internet Banking for Your Business or Non-Profit
Should you or shouldn't you?
October 2002
Have you been thinking about doing internet banking for your business/non-profit and wondering if it is a good idea? If so, you are not alone. And, you may have a difficult choice to make. There are some efficiencies to be gained from the Internet, but there are also some risks to your assets.
By John Torry, BASc, CMA
Here's what you could be doing over the Internet:
• Looking at and printing your bank account transactions and balances.
• Looking at and printing your investment account transactions and balances.
• Paying bills.
• Transferring funds between one bank account and another.
• Transferring funds between a bank account and an investment account.
• Making investment purchases and sales.
• Transferring funds from your account to another person's/business' account at another bank.
In short, you can do almost everything over the Internet that you can do at a bank, except make deposits. All you need is a user ID, a password, and a computer with access to the Internet.
Is the Internet advantageous? Well, it certainly is for some people. We know of one person who does his mother's banking at one bank, his wife's at another, and his own at yet a third. And, he never leaves his home. The saving in time is enormous, and he can do his banking 24 hours a day.
But, and there is always a "but", he is doing his own transactions, for himself, and for the most part he trusts himself. That is, for his own transactions, he is does not have to worry about preventing or detecting fraud. It isn't the same situation if you are running a business or a non-profit. You may not be doing the Internet banking yourself; it may be one of your employees. And some employees have been known to defraud their employers. That is why businesses and non-profits put controls in place to protect their assets (called internal controls).
One of the most important controls that corporations use to protect their assets is to have two people sign every cheque. These people review the invoice that is being paid to ensure it is valid, and then sign the cheque. One of the features of Internet banking is that you (someone) can make bill payments without having signing authorities review them beforehand (and maybe not even afterwards!). All that is needed to do this is the user ID and the password.
We have segregated the different types of Internet banking transactions above into two groups. The first two items involve only looking at transaction history. This is the same information that appears on your bank statements. It is quite benign. The remaining items in the second group all involve moving funds around in one way or another. These are not benign, and it is these that you should consider carefully. Here are two examples.
Let's say that you decide that you will start paying your gas bill over the Internet so that you have more flexibility about the exact timing of the payment. Once you have established the ability to make bill payments over the Internet (which you do by contacting your financial institution), you determine which bills you will pay this way. You set up the permissible suppliers that will be paid. More correctly, the person with the user ID and password sets up the companies whose bills will be paid over the Internet.
This is where one problem arises! If your corporation's gas bill can be set up for payment through the Internet, so can someone's home gas bill. And that is probably not what you want to happen. The same is true for hydro bills, tax bills, credit card bills and so on.
Another issue arises around debit cards. Many of the financial institutions require that you have a debit card in order to use Internet banking. Once you have the debit card, Internet banking can implemented. The cornerstone of the whole process is the debit card.
All debit cards come with a PIN (Personal Identification Number) so that only the person who knows the PIN can use the card. However, the holder of the card and the PIN, whoever that might be, has the potential to withdraw cash or pay bills at an ATM. And that may be another thing that you do not want to happen.
So...is it all as bleak as it seems? Well, of course not. There are some things that you can do to protect yourself. What you have to do is weigh the risks of doing Internet banking against its increased efficiency, to determine what you find acceptable.
One of the most useful things about Internet banking is the ability to print up-to-date bank statements at any time. You can get a statement on the first day of a new month, from the Internet, instead of waiting a week or two to get it in the mail. This can considerably shorten the time to complete month end processing. You can even do partial bank reconciliations several times during the month if you are worried about your cash position.
You can use the Internet to get only bank transaction history, if you choose, and opt out of the ability to pay bills and to initiate other financial transactions. When you get a debit card and set up internet banking, you can ask your financial institution to set it up so that:
• The debit card can only be used to make deposits.
• The Internet banking can only be used to review banking transactions.
If this is what you choose to do, you will be protecting your assets very well. However, you will lose any potential for improved efficiency by being able to pay bills and initiate other financial transactions. This may be acceptable to you. In other words, you are willing to sacrifice efficiency in favour of reducing risk.
Other people may be willing to accept more risk. They may wish to have the added efficiency of paying bills on the Internet (and doing other financial transactions) while recognizing that their assets are at greater risk. These people should look for other ways to reduce the risk so that "they can have their cake and eat it too". What they should do is put new controls in place that will help to reduce the increased risk they are assuming when they start doing full internet banking. Here are some of the things that should be considered.
• If a debit card is required for internet banking, find ways to prevent it from being used at an ATM. For example:
- Cut it up.
- Separate the debit card from the PIN - have one person hold the card and another hold the PIN.
- Store the debit card in a place that requires two bank signatories to be present for access (such as a safety deposit box).
• Have two people, who have no access to the debit card or Internet, review the bank reconciliation and bank statement every month. Many, but not all, financial institutions identify Internet transactions uniquely on their bank statements. Implement the following process to replace the two signatures that are required when using cheques.
- Attach documentation for every Internet transaction to the bank statement. Acceptable documentation might be an invoice or a cheque requisition properly filled out and approved.
- Have two bank signing officers review every Internet transaction and the backup documentation. They should initial every transaction on the statement and each piece of backup documentation to indicate their approval.
- Periodically (and randomly) review the suppliers that have been set up for bill payment to ensure that no unauthorized suppliers have been included.
Does this sound a bit heavy handed? It might, but it is important to keep in mind that many corporations have an Expenditure Policy that says two people must review and sign all cheques. The reason for this is that, without two signatories, experience tells us that there is a greater potential for fraud, and undue risk to the corporation's assets.
Internet banking eliminates the control that is achieved by having two people sign cheques. If you (or your corporation) decide that you want to do more than just look at transactions over the Internet, you must take steps to reduce your exposure by putting additional controls in place (and take them seriously). ?
|
|
