Enhancing Treasury User Management to Mitigate Fraud Risk

Business Leader’s Guide to Treasury Access Controls

Effective treasury management plays a critical role in a company’s financial health, particularly as fraud threats continue to evolve. For CFOs and business leaders, one area that warrants continuous attention is the management of users within Treasury systems. A thoughtful approach to user access can significantly reduce risk and support stronger operational governance.

The Role of User Management in Fraud Prevention

Fraud - both internal and external - remains one of the most significant risks facing organizations today. Cybercriminals continue to target business accounts through tactics such as business email compromise (BEC), social engineering, and credential theft, while internal actors may exploit inadequate access controls to conduct unauthorized transactions.

A disciplined approach to user management can mitigate these risks in several key ways:

• Limiting Exposure: When access is restricted based on job responsibilities, the opportunity for fraud is significantly reduced.
• Segregating Duties: Implementing controls that require different individuals to initiate and approve transactions helps prevent collusion and misuse. • Monitoring and Alerting: Treasury systems can flag unusual behavior, assisting in early detection of fraudulent activity.
• Timely Access Removal: Promptly revoking access from users who no longer require access limits the opportunity for unauthorized activity.

When coupled with broader cybersecurity measures and employee training, effective user management forms a strong first line of defense against financial fraud. Here are some suggested best practices that can help strengthen your Treasury user management protocols and help better prevent fraud before it starts.

1. Develop a Structured User Management Framework

It is advisable to maintain a formal policy that outlines how users are granted, modified, and removed from Treasury systems. This policy should include:

• Defined roles and responsibilities for system access
• Approval workflows for changes to user permissions • Clear documentation of access levels for various functions 
• Regular review intervals to validate compliance

Establishing such a framework helps ensure internal consistency and provides a reference point for audits or reviews.

2. Apply the Principle of Least Privilege

Limiting access to only what is essential for each user’s responsibilities is a foundational control. This includes:

• Each user having unique access credentials and passwords • Separating duties between transaction initiation and approval
• Restricting administrative rights to a small, trusted group
• Assigning view-only access where transactional capabilities are unnecessary

This principle minimizes potential exposure to internal misuse or external compromise.

3. Conduct Periodic Access Reviews

It is recommended to review user access on a regular basis, (recommended monthly, but minimally quarterly) to reflect changes in personnel or responsibilities. Additional review should transpire to determine inactive users, and determine the need to keep said access. Access should be promptly removed when employees transition out of the organization or shift to roles that no longer require system access.

4. Implement Dual Controls for Sensitive Transactions

To further mitigate fraud risk, dual controls should be applied to high-impact actions, including:

• Wire and ACH payment initiation
• Modifications to payment templates or payee information
• Changes to user roles or security settings

Requiring two separate individuals to complete such tasks introduces an important layer of oversight. 

5. Enable Monitoring Tools and Alerts

Treasury systems often provide functionality to monitor activity and configure alerts for specific events. Consider enabling notifications for:

• Large or unusual transactions
• Login attempts from unrecognized devices or locations
• Changes to user profiles or permissions

Along with reviewing transactions regularly and reconciling accounts daily, these alerts can serve as early warnings for potentially fraudulent activity and assist in timely detection to help protect your payments.

6. Provide Ongoing Training and Awareness

User security is only as strong as the awareness of the individuals involved. Organizations should consider regular training that covers:

• Treasury system functionality
• Cybersecurity best practices
• Emerging fraud tactics

A well-informed team is better positioned to recognize and respond to threats as they arise.

For additional guidance on Treasury user management practices or assistance in reviewing your current setup, organizations may consult with their financial institution or Treasury service provider.

Author: Dharm Patel

Dharm Patel is the SVP, Fraud Product Management for the Commercial business. Dharm is responsible for the internal capabilities to help protect Commercial clients and the bank from fraud and the products and capabilities our customers can use themselves. Prior to joining M&T, Dharm has served in a variety of senior leadership positions across identity verification & authentication, fraud detection, financial crime compliance, credit risk, and associated data, analytics & technology.