Taking Treasury Outside the Box

Why ChildFund International has won the 2023 Gold Alexander Hamilton Award in Treasury Transformation. Congratulations!

For more than eight decades, nonprofit ChildFund International has been serving the needs of children around the world. “We are totally child-focused,” explains Sassan Parandeh, the organization’s global treasurer and director of risk management. “Child protection is one very important aspect of what we do, but we have different programming in various countries, depending on the local needs. For instance, clean water and sanitation are pressing needs for children in some areas, whereas in others, the priority is early childhood development or HIV/AIDS education and prevention.”

ChildFund operates in 24 under-resourced countries, funded by governments, foundations, and individual donors. In Parandeh’s mind, the organization’s business model makes risk management absolutely crucial: ChildFund can continue to operate only if it keeps donors’ funds and information secure.

“Many companies can experience a data breach, and their customers will still need them,” he says. “By contrast, contributions to an organization like ChildFund are entirely a matter of choice. If we were to make a security mistake that tarnished our reputation—say, by losing donors’ PII [personally identifiable information]—that would be incredibly destructive to us. If people don’t trust us to manage their data correctly, they will give their charitable donations to another organization. That is why we have always made sure to run a very sophisticated corporate treasury department.”

Prior to the Covid-19 pandemic, all ChildFund treasury staff worked in a corporate office somewhere in the world. That meant their communications and access to applications happened on secure networks, with connectivity to other ChildFund locations via virtual private network (VPN).

“But Covid was a shock to the system,” Parandeh says. “All of a sudden, we had a situation where treasury staff were dialing in from home. Even worse, in some of the countries where we operate, people don’t have Internet access at home, so they would pick up their laptop and connect from a hotel or café.” This haphazard remote connectivity raised major red flags for Parandeh and his central treasury team.

Payment requests posed another problem. “Our centralized treasury department is the internal bank of the company, so people are always asking us to make payments,” Parandeh explains. “We always had physical signature cards, and for many requestors, we were familiar with their signature. During Covid, though, we started getting payment requests with all kinds of digital signatures. People would just use Word to type in their name. And they might be unable to get approval from their boss because the boss was on the other side of the city and quarantine prohibited travel there. We couldn’t trust that payment requests were not social engineering attacks.”

The organization’s IT staff was focused on rolling out remote connectivity, conferencing, and related tools. So Parandeh realized the treasury team needed to take on the challenge of standardizing payment requests and developing an approval process that would work during the pandemic. They launched Project SEA-CADETS, which stands for “Social Engineering and Cyberattack Awareness, Detection, and Eradication by Treasury Staff.” The goal was to revamp treasury and convert the function into a digital cash fortress by adopting aggressive controls for all payment-related activities.

As a first step in Project SEA-CADETS, Parandeh proposed to the ChildFund CEO, CFO, and CIO that the organization form a Cyber Incident Response Team (CIRT), with treasury and IT as co-leads on the endeavor. “At first, treasury’s voice was tiny,” Parandeh says, “but we kept going to them and saying, ‘We need to have a cyber response team. What happens if we get attacked? Who will you call? Insurance alone is not enough.’”

Treasury was convincing, and the CIRT soon became a top organizational priority. Suddenly, Parandeh’s team was working closely with HR, IT, insurance, accounting and accounts payable (A/P), communications, and the office of the general counsel. The CIRT’s goal was to devise countermeasures for the constantly evolving external threat environment.

Then the treasury team turned their attention to their own processes. They adopted a new paradigm for treasury management, which emphasizes both strong internal controls and vigorous external controls aimed at intercepting and neutralizing social engineering and cyberattacks. They worked with other members of the CIRT to determine what treasury’s new cybersecurity framework should look like.

One new development was a requirement that all treasury and finance staff must connect to the corporate network via VPN with multifactor authentication. They also must receive training on fraud and cybersecurity risks, prevention, and recovery.

At the same time, the treasury group embarked on a massive data hygiene initiative, purging stale information from their systems. They launched a similar process for hard copies, working with external auditors and the general counsel’s office to determine which paper files they needed to retain. These documents, they redacted. Everything else, they shredded.

Next, the treasury team tackled payments. “We created a new payment template,” says Andrea Mooney, corporate cash manager for ChildFund. “It is universal; it is the only template we will accept for requesting a payment. Because we distributed it only to internal staff, and because the proprietary payment request process is known only to ChildFund staff, we are confident that information which comes in on this template is valid.”

The treasury group permanently banned all payment requests via telephone, email, text, and fax, with no exceptions for anyone. “We don’t care about the authority of the person making a request,” Parandeh says. “If they want to ask for a payment—even if they’re the chairman of the board—they must follow our protocols. We ignore any requests that do not follow the process.” In addition, requests above a certain dollar value must be verified by phone or through a platform that uses multifactor-authenticated VPN.

Very early in the development of these new processes, the treasury team educated ChildFund executives about cyber risk and secured their buy-in. Parandeh says that treasury’s vision was supported by the Covid-induced rise of remote work and by the fact that ChildFund experienced a number of attempted social engineering attacks around the same time the project launched.

This new approach was not universally beloved right away. “We did get some complaints from people who thought the process went overboard,” Mooney says. “They asked whether we really needed to be so strict.” But, Parandeh adds, “because we had educated our executive team early on, we could move forward forcefully. We could tell others that this was our process, whether they liked it or not. If they elevated their complaints to the executive team, they were told they needed to follow treasury’s new process.”

Treasury enacted similarly rigid rules around changes to payment instructions. These requests require a specific form that must then be confirmed through verbal verification with the counterparty. “For changes to vendor banking information or payment routing, we developed a standardized authorization process that involves confirming with a known contact at the vendor that they did indeed request the changes,” Mooney says.

The treasury group also empowered lower-level employees to stop a payment anytime they had a security concern. “We stole this idea from Japanese car manufacturers,” Parandeh explains. “Their vehicles were very high-quality because even the most junior person in a Toyota or Nissan factory could push a button and stop the entire assembly line if they saw a quality problem. We put in writing that everyone working in our payment system has the right to stop a payment that doesn’t follow our protocol, regardless of the rank of the person requesting the payment. Even if the delay causes the payment to go out late, the requestor needs to provide additional material until everyone is satisfied that the request is legitimate.”
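The payment controls described above (one accepted template, banned request channels, verification above a dollar threshold, callback confirmation for bank-detail changes, and a stop-payment right that ignores rank) fit naturally into a single gate. The following is an added example, not ChildFund's own code; the channel names, field names and the 25,000 USD threshold are assumptions, since the article gives no figure for "a certain dollar value".

```python
# Added example (not ChildFund's code): a gate that applies the payment-request
# controls described in the article. Channel names, field names and the USD
# threshold are assumptions; the page names no figure for the verification limit.
from dataclasses import dataclass, field
from typing import Optional

ACCEPTED_CHANNEL = "payment_template"                # the single internal template
BANNED_CHANNELS = {"phone", "email", "text", "fax"}  # permanently refused, no exceptions
VERIFY_ABOVE_USD = 25_000.0                          # assumed threshold
VERIFICATION_METHODS = {"callback", "mfa_vpn_platform"}


@dataclass
class PaymentRequest:
    channel: str
    requestor: str
    approver: Optional[str]
    amount_usd: float
    beneficiary: str
    verified_via: Optional[str] = None           # how the request was verified, if at all
    changes_bank_details: bool = False           # new account/routing for the beneficiary
    vendor_callback_confirmed: bool = False      # confirmed with a contact already on file
    holds: list = field(default_factory=list)    # (staff, reason) pairs


def place_hold(req: PaymentRequest, staff: str, reason: str) -> None:
    """Any member of the payment team may stop a payment; rank is deliberately not a parameter."""
    req.holds.append((staff, reason))


def release_hold(req: PaymentRequest, staff: str) -> None:
    """Lift a hold once the requestor has supplied enough material to satisfy the team."""
    req.holds = [h for h in req.holds if h[0] != staff]


def evaluate(req: PaymentRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons). A request is paid only when the reasons list is empty."""
    reasons = []
    if req.channel in BANNED_CHANNELS:
        reasons.append(f"requests by {req.channel} are ignored; resubmit on the payment template")
    elif req.channel != ACCEPTED_CHANNEL:
        reasons.append(f"unknown channel {req.channel!r}")
    if not req.approver or req.approver == req.requestor:
        reasons.append("independent approver required")
    if req.amount_usd > VERIFY_ABOVE_USD and req.verified_via not in VERIFICATION_METHODS:
        reasons.append(f"amounts above {VERIFY_ABOVE_USD:,.0f} USD need callback or MFA-VPN verification")
    if req.changes_bank_details and not req.vendor_callback_confirmed:
        reasons.append("bank-detail change not confirmed with a known vendor contact")
    for staff, why in req.holds:
        reasons.append(f"held by {staff}: {why}")
    return (not reasons, reasons)
```

The one detail worth underlining is `vendor_callback_confirmed`: the contact used for the callback must come from the vendor record already on file, never from the phone number or signature block inside the request itself, otherwise the attacker who sent the request also answers the verification call.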

Another major element of Project SEA-CADETS was a review of ChildFund’s cyberinsurance coverage. The treasury team engaged an independent auditor to identify gaps and pinpoint touchpoints for treasury controls. “They asked direct, treasury-specific questions related to cybersecurity,” Parandeh says. “Their questions led us to rethink everything from our overdraft limits to how much someone could steal if they cracked Andrea’s or my password. We ended up shifting our entire way of approaching decisions like daily payment limits and overdraft protections.”

Treasury also researched alternatives to the lockbox provider ChildFund had been using and decided to change vendors. “We went from a small, inexpensive provider to what is probably the most technologically advanced lockbox, the only one in the U.S. that has ISO certification on quality and internal controls,” Parandeh says. “Changing lockboxes was a major undertaking, but it is something that will pay off in terms of security.”

A final component of Project SEA-CADETS was the development of a process that tokenizes ACH payments. Tokenization has long been an option for companies that need customers’ credit card numbers for recurring payments—and ChildFund has long taken advantage of this capability.

“Rather than storing credit card numbers, even encrypted card numbers, we send credit card data to a company called Cybersource,” Parandeh explains. “They are a division of Visa, which means they can do a better job of protecting this data than we can. When we send them a card number, Cybersource gives us a token. The token is a number that Cybersource can connect to the correct credit card when it is time to process the payment, but the number is worthless to anyone else. If an attacker breaches our systems and steals the tokens, they will just get strings of meaningless characters. And if we were subjected to ransomware, Cybersource could simply erase the stolen tokens and issue us new ones.”

Tokenization has been an option for credit card payments “for a good 20 years now,” Parandeh says. The challenge for ChildFund was that some donors prefer to make recurring payments directly from their bank accounts, and the treasury team was not aware of any organizations offering tokenization for ACH payments. “We do not want customers’ checking account information sitting on our servers, even if it’s encrypted,” Parandeh continues. “We talked to our bank, which is Truist. They introduced us to one of their partners, check processing company TeleCheck, which had developed a rare ACH tokenization process. Now we send ACH payment information to Cybersource, which tokenizes it like they would a credit card payment. Each month, when we want to debit a donor’s bank account, Cybersource sends a token to TeleCheck, which processes it and passes the banking information on to Truist.”
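To make the two properties Parandeh describes concrete (stolen tokens are worthless, and after a ransomware incident the processor can retire them and issue new ones), here is an added example of a toy token vault. It is not ChildFund's, Cybersource's or TeleCheck's code; the card number and bank details are constructed test values, and the split into a "processor" class and a "merchant" class is an assumption about where the data lives.

```python
# Added example (not ChildFund's, Cybersource's or TeleCheck's code): a toy token
# vault showing why stolen tokens are worthless and how they are reissued after a
# breach. Card and bank-account values used with it are constructed test data.
import secrets
from dataclasses import dataclass, field


class TokenVault:
    """Plays the processor's role: the only party that holds real card or account data."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, sensitive: str) -> str:
        # Random, not derived from the data: a token cannot be reversed offline.
        token = "tok_" + secrets.token_hex(12)
        self._by_token[token] = sensitive
        return token

    def is_valid(self, token: str) -> bool:
        return token in self._by_token

    def process_debit(self, token: str, amount: float) -> dict:
        """Settle a payment; the merchant sees only a receipt, never the underlying data."""
        sensitive = self._by_token[token]          # KeyError if the token was retired
        return {"status": "ok", "amount": amount, "last4": sensitive[-4:]}

    def rotate(self, tokens: list[str]) -> dict[str, str]:
        """After a suspected theft of the merchant's token store: retire and reissue."""
        mapping = {}
        for old in tokens:
            mapping[old] = self.tokenize(self._by_token.pop(old))
        return mapping


@dataclass
class DonorRecords:
    """Plays the merchant's role: holds tokens only, for both card and ACH donors."""
    vault: TokenVault
    records: dict[str, dict] = field(default_factory=dict)

    def enroll_card(self, donor_id: str, pan: str) -> None:
        self.records[donor_id] = {"method": "card", "token": self.vault.tokenize(pan)}

    def enroll_ach(self, donor_id: str, routing: str, account: str) -> None:
        # The same vault tokenizes bank details exactly as it does a card number.
        self.records[donor_id] = {"method": "ach", "token": self.vault.tokenize(routing + ":" + account)}

    def monthly_debit(self, donor_id: str, amount: float) -> dict:
        return self.vault.process_debit(self.records[donor_id]["token"], amount)

    def stores_value(self, value: str) -> bool:
        """What a breach of the merchant would expose: does any record contain this value?"""
        return any(value in str(rec) for rec in self.records.values())

    def reissue_after_breach(self) -> list[str]:
        """Return the retired tokens; every record now carries a fresh one."""
        old = [rec["token"] for rec in self.records.values()]
        mapping = self.vault.rotate(old)
        for rec in self.records.values():
            rec["token"] = mapping[rec["token"]]
        return old
```

The design choice that matters is in `tokenize`: the token is random rather than a hash or encryption of the account data, so possession of the merchant's records gives an attacker nothing to brute-force, and rotation is cheap because only the vault's mapping changes.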

Parandeh and Mooney emphasize that one of the biggest lessons learned from Project SEA-CADETS is that treasury needs to take responsibility for ensuring that the security controls around cash are adequate. “You have to be proactive and know the risk factors that are out there before they impact you,” Mooney says. “You don’t want to rely on IT, nor to just react and end up a victim.”

By taking the lead on this initiative, which falls well outside the usual bounds of treasury, the ChildFund treasury team has gained new prestige throughout the organization. “In most companies, the people in sales and marketing and manufacturing think of treasury primarily as a support function,” Parandeh says. “But because of our involvement in this initiative, we are no longer thought of as just a back-office unit. We are part of the organization’s strategic thinking. Just yesterday, as ChildFund was considering purchasing software to upgrade our web page, people were proactively coming to treasury and asking whether we were satisfied with the way the solution would handle credit card payments.”

“We are asked to consult on a lot more of what’s going on at ChildFund now,” Mooney concurs. “Other groups in the company will ask our opinions on all kinds of projects, whereas in the past they might not have solicited our input. We work hard to know what’s happening, and to stay current with the technologies that are available and the risks that we face. And other departments are much more dependent on treasury these days.”