Deluxe Corporation (DLX) Earnings Call Transcript & Summary

Welcome, everyone, to today's webinar titled securing your receipts. This is Brian from Strategic Treasurer, and we're pleased you could join us as we discuss how you can assess and improve the security processes and standards for payments flowing in through your lockboxes. But before I introduce today's speakers, I have just a few quick announcements. Zoom offers several different ways for us to interact today. If you would like to post comments or questions viewable by all attendees, please use the chat icon in the tool bar. If you would like to ask your question to just the presenters, please use the Q&A icon in the tool bar. You can ask your questions at any time during the presentation, and we'll try to get to as many as we can. But if we don't get to your question, someone from our team will gladly follow up with you. There will also be a few polling questions throughout today's webinar, where you'll be able to select your response from a list of multiple choices. You will need to click the submit button on the polling questions to have your response recorded. If you are here for CPE credits, you will need to answer at least 3 poles today. And last, please ensure that your Zoom display name includes both your first and last name, so we'll know to whom we should send the credits. Our speakers for today are Sarah Mille, Senior Lockbox Manager at Deluxe; Jim Woods, Director of Outsourced Services at Deluxe and Craig Jeffery, Founder and Managing Partner of Strategic Treasurer. Welcome, Sarah, Jim and Craig, and I'll now turn the presentation over to you.

Thanks so much, Brian, and it's good to be speaking with you 2 folks today from Deluxe. Thanks for spending time with us going over today's topic. There's an agenda. You can see the rough outline of the agenda on the screen in front of you. I'll just talk you through it for a moment, and then we'll get into the content.

So we're going to be going through fraud. What is the situation with fraud? Fraud is increasing. Many companies have experienced it. Almost all of you recognize that the threat is increasing on a year-over-year basis, either increasing or significantly increasing. And this brings about a required response. On the receivables side, there are a number of complicating factors, complexities and problems that need to be addressed in light of a growing fraud environment. Then we'll talk about the role of the lockbox. And as many of you know, Deluxe not only makes checks, but it does a significant amount of lockbox activity with a number of innovations there. So look at the role of the lockbox from a micro and a macro view, paper, electronic, how that fits into a company's plan for efficiency, scalability as well as control. We'll touch on payment security. How do we improve the process? And you've probably heard the quote many times, improving part of the process, sub-optimizes the whole. And so this comprehensive look at payment security is really part of looking at the entire process from an end-to-end perspective. That's essential for managing the control. And then how do you evaluate lockbox services? What are some of the key pointers or looking at lockbox services? So we'll cover some of that. And then finally, we'll end with some of the key takeaways. What's the summary of what we learned? What are some of the items that if you forget most of what's said what should you take away from today's webinar. And with that, I'll bring it -- we'll start with fraud, and I'll turn it over to Sarah.

Good morning. So payment fraud is a complex and ever-changing issue. Fraudster continually adopt their tactics to exploit vulnerabilities in the payment system. Payment fraud has been a significant concern for corporates for many years. And at the Cold Corporation, 73% have experienced fraud, were suspected fraud in the last 12 months. 78% of the respondents believe the threat level has increased in the last year. Tactics that have been used, such as phishing, social engineering, malware, hacking, booting are all online fraud techniques that continue to become more and more prominent in the industry. So obviously, having fraud on the top of the mind is important and having the right controls in place is key.

Yes, that's really good, Sarah. The idea that the threat level is elevated. It's been -- it's increased and it continues to increase year-over-year despite a lot of activity as the warning sign, right? Anytime you have a topic on fraud, it's like how do we get everybody scared because the threat level has increased, and so how do we manage that properly. So some great points. So we'll jump over to payment fraud and controls. And Jim, I know I'll probably let you jump in with -- I know you have some stories about this. If you want me to do a little bit of an overview about outbound and inbound, I could do that before or after, but I wanted to get you talking as well.

Sure. Good morning, Craig. Yes, if you want to just give a general outline, we can do that, and then I can jump in about some specifics within these categories and story that I feel, especially on the inbound side, touches just about all of the 4 things that are listed there below. So if you want to go ahead and take it away, and then I'll jump in, that would be great.

Yes. Great. So on the outbound that we -- a lot of the times think about payment fraud as when we're making payments. Our companies are making payments. We're sending things out, and we're concerned about AP, we're concerned about some on altering payment files we have, creating fictitious invoices that get approved or changing address information. There's a real heavy focus on the outbound side. Many companies aren't thinking on the inbound side when payments are received by a company, someone who stands in the middle and perhaps redirect payments to the criminal site. And sometimes that's the case because to a site or an account that the criminal can control. We tend -- maybe we don't think about that as much because the paying company tends to be responsible if they were spooked, and it's -- they still have responsibility to pay. But when you think about some of these different areas on the inbound side, it's not something we think about as much. So things like postal fraud, internal fraud in an era of COVID where people move to home and are remote, or you use a lockbox provider, we may not think about some things like internal fraud or postal fraud as much. But to provide protection and to think about controls requires both sides, both the AP side and the AR side, if you want to think about it that way. These are some of the vital areas that treasury as the owner of payment security needs to be thinking about these and whether you're an AR or AP, you have vital activities to undergo and to take on to protect inbound and outbound payments.

Sure. And Craig, I feel like a lot of the -- where you say the heavy focus and the outbound is because those are the very high-tech levels of, say, fraud and scanning and hackers and business e-mail compromise, the BEC, the redirects, things like that. You're thinking there of this group of hackers sitting in a room and taking over your computer in this high level tech that goes into those types of fraud. But in reality, a lot of the fraud, especially that we experience in the lockbox world are at -- on the inbound side. And it's things as simple as postal fraud. It's things from you go and you put your payment in the mailbox and believe it or not, the U.S. Postal Service a couple of years ago, began to redesign how all mailboxes, you may notice this people when you go to a mailbox. It's not the open wide and it's now a curve because what they were finding was people were taking phishing line and putting gum on the end of phishing line and going down into mailboxes and pulling out checks, I had that in, one of my past jobs where a whole mailbox of payments was stolen in that simple of a method. Other times, I remember seeing a story in the New York post about a mailbox that was ripped up off of the street and stolen with payments in it. Things like that to now -- there's been a lot of stories recently in the city of Chicago, where gangs are taking family members of theirs who have clean backgrounds and whatnot, and actually having them apply for jobs within the postal sites. And this isn't to throw out a negative light on the postal system, but Payments are touched in a lot of places along the way from where you go in, you put your envelope in the mailbox until it's actually received at its final destination. There's a lot of places along that route that aren't as complicated as trying to get your e-mail and compromise or e-mail. It's a very simple [indiscernible] a piece of mail, see that there's a money order inside it, what they call check washing, which is our item at the bottom, wash out the money order and make it out to wherever you want. In a previous role that I had actually had the experience of having to go testify in front of the grand jury in New York City because a client of mine, one of their employees, and this goes to internal controls. She worked at the company for 32 years. The owner of the company had sent her kids to college, paid for their college tuitions and while she was working for this company because it was like, oh, everybody trusted Sally to use a fictitious name, she was great. But what they didn't know was she was very calculated about she would reject money orders that needed to be decisioned in an online decisioning portal so that the money orders would then be mailed back to the office. She would get them back in her office and she would sometimes just wide out over it and pay her Con Edison bill, pay her optimum bill, just with somebody else's money order that was meant to pay their rent at the managing company and she would do all of those things. She did it to the tune of about $250,000 over numerous years and went to jail for it, eventually. But I wouldn't say it was because of great internal controls that where she was working. It was actually on the other end that it was caught by the place that she was making the payment to because she got so raising at the end that she was just crossing things out and writing in like, she wasn't even washing it or doing anything like that. It just got so over the top that it got caught and -- but that kind of touches everything in there. That's postal fraud. That's check wash, and that's internal fraud and not having good internal control. So it doesn't have to be a complicated send money to Nigeria scheme. It can be a simple as stealing a checkout, stealing a piece of mail could trigger something like this.

So I'm not sure if I should be like as excited about these stories that you tell me. I just hope it doesn't turn me to crime. But if you're a teenage son or daughter, if their name is Sally, fictitiously, says, I'm going fishing, where are you going fishing near the post office. That may be a warning signs, especially if they have gum for bet, but they're trying to pull checks out of there or envelopes. That's amazing. I know our post office has issued warnings and removed some of the giant boxes there to prevent what however they're stealing stuff out of there. very, very good. Yes, now. So that brings us right to our first polling question. So this is a select all-that-apply. These are organizational characteristics that show elements of complexity. We have over 100 bank accounts. That's -- click it, if you have it, We have over 10 banks, yes, click it or not. We have over $2 billion in sales. We're in over 10 countries or none of the above. So it's just figure out. It's -- some are all of the first floor, we're the last one. And so we appreciate those who take a whole question. If you can't see the poll questions showing up on your screen or on any of your screens, look in the webinar chat box, Brian has posted some things they're about to find in. We'll give everybody a moment to complete that. And we will ask people to type the word Deluxe in the chat box if we get -- let me just see -- where I'd say we get -- let's go with 150 people typing the word Deluxe or poll, if you type poll. As long as you don't type words like Deluxe cube, we're okay, right? Just to see that you're paying attention. We'll share the results of the poll questions. We'll embed them in the deck when we send them out, so you'll get those results. Now yes. So Sarah and Jim, the results are in, just about half are probably highly complex with over 100 bank accounts. Over 10 banks, another 35 have complexity in that area. Over 1/3 are $2 billion in sales, and 30% are in more than 10 countries. I don't know if you guys have any comments on that? I guess, I don't know they'll see some things at the end, anyone who want to comment? Well, I'll make a few comments on that. It's like when you think about complexity, complexity comes in different sizes, volume of activity, number of countries. All of these can add to complexity. We could add some other items on the like number of systems, on the billing side, number of systems on the payment side, those all add to complexity and make the control process more challenging. We could have asked to how many different ways do you receive payments in the U.S., it might be we get checks in-house, we get checks through a lockbox. We get ACH, we get virtual card, we get wires, et cetera. These are complexity elements. Very interesting to see how complex the group is here. All right. Sarah, you're going to be up again. You talked about theory versus reality. In theory, reality is just like theory. In reality, theory is nothing like reality. That will be the setup.

So true. Yes. So I'm sure that a lot of you based on your answers to the first poll question that a lot of you are very understanding of this particular slide. So receivables, theory versatility. In theory, simple receivables workflow reflects how a company manages and collects their payments. So invoices go out, payments come in, seems very simple, right? But it's not. In reality, payments may come in and money may flow to various different receivables, workflows. Various payment types will flow into multiple accounts, multiple banks even. Monies are concentrated and then swapped into payables accounts, investment accounts, line of credit, paydowns. So although in theory, it's just collecting the funds. Those funds may come in, in a variety of different payment methods, check, ACH, wire, card, real-time payments. But they may come into multiple different accounts, multiple banks and then be concentrated and then, like I said, swapped out into a payables environment.

Yes. I appreciate that explanation. And yes, reality is a lot more complexity. The complexity can be added, companies acquiring other companies that have their own structures. So they get layered one on top of another, and the complexity grows and so the need for simplification and clean process comes into being into focus.

Yes, definitely, as you look at fraud and securities, it's definitely a situation where if you don't have the right controls in place, you are opening yourself up for fraud, especially with the complexities of the account structure. So this causes reconciliation issues. There are several different variables that contribute to reconciliation issues, differences in timing such as cutoff times or delays, differences in the ledger balances versus collected balances, differences in the amounts, the net versus gross is the ledger balance and collective balance are impacted by those as well. There's differences in the level of detail that come in on the -- and as far as remittance information that is received, it can come in via paper-based remittance such as what accompanies a check or a money order on a check, there is electronic remittance-wise or ERA that accompanies the electronic buzz transfers or ACH. There's online payment portals that may or may not capture all the right fields and all the remittance information necessarily -- necessary to reconcile a payment. And then, of course, you get e-mail detail sometimes as well. So the payment comes in, in one form or fashion, and then DPE follows up with an e-mail with all of that corresponding information. So the difference in timing, the banks differ and the availability schedules at times as well. So you may have 1 bank that make up 100% next-day availability whereas other banks follow to float schedule. So the timing of those payments definitely play in as a reconciliation issue as well.

Sarah, one of the things on the -- some people may say, why are we talking about reconciliation if we're talking about fraud and control. I don't know if you wanted to start on that. I know there's -- sometimes that's an obvious answer. Sometimes it's a little more nuanced.

Yes. The ability to reconcile a payment is your first line of defense in identifying potential fraud. So not only is the timing of reconciliation, important, but the amount of information received with the payment or as a follow-up to the payment is what's going to help you understand. If there is potential for fraud with that payment.

Yes, that's good. And when we looked at companies and we see reconciliations behind, and it's very complex, things get buried and they're not found, like you said, it's a first line of defense. When the process is designed poorly, there's gross and net amounts mixed in. So you're trying to compare items that don't match. It's one to many, a multiple to many, spanning different time frames and groups. And we said, if you have 6 CPAs doing bank reconciliation, you know the process is designed wrong. And that creates an environment for hiding -- having problems to be hit, not that this is done intentionally, but it's not going to be discovered. And whether it's -- yes, so sometimes people are -- they target accounts oftentimes with a, let's say, ACH, for example, bill. They'll debit an account and then -- or take money out and send money back in for a small amount to see if the account is open. And if nobody is reconciling someone who doesn't have a discipline of reconciling just marking these 2 things off and say, oh, banks are crazy. There's a $0.25 in, $0.25 out. We'll just close it out, not recognizing this I just discovered that this bank account is open, and you can debit the account.

That's a good point. I'd also say when it comes to the difference in the timing, by the time a payment comes in, if you're remittance information comes in days later by the time you identify what that payment was supposed to be, it could already have been identified as a fraudulent payment and the funds may already have gone out the door.

Good point. That one of the 12 security principles that we outlined is that speed matters. Even if fraud has occurred, the faster you can detect it. You're able to stop additional fraud from occurring and you may be able to stop the loss of funds or restrict the level of loss that you have. So these things matter. Reconciliation matters. It's not just an accounting concern. It's about payables, receivables, treasury and overall security.

Absolutely.

Great job, Sarah. We're going to bring Jim back into the discussion on payment control. We've got a conversation going on here, Jim, what...

Yes. And this is a conversation you typically hear on the support side of lockbox or if you would be at a banker in this case, we're providing as a lockbox reporting to our customers on a daily basis of who paid. So when -- let's just use the example of a credit card company, the problem a lot of times doesn't get -- like this phone call doesn't happen a lot of times until 2 weeks, 3 weeks after the situation has happened because nobody knows there's a problem until they get their next bill and see how they have a balance that's higher than they anticipated. There is no last payment date on the date that they thought they made the payment. So they call up their credit card company and say, they're an electric company or their school where they were supposed to pay their tuition fee or whatever it may be or the rent and say, why did I get my bill for this much? I paid last month. And then the company comes back and looks in the records and says, I don't see it. The person may come back and say, right, let me go back. I'll check my banking. They go back and check the banking and say, no, it was cashed. And now all of a sudden, you start to think there's a problem because you as the lockbox is saying, we don't have a record of this payment being cashed. This person is showing me that this check number for this amount or this money order, they get a receipt of their money order and they track it and that it was cash. So now red flags go up. Okay. Well, how did you send it? I send it through the postal service. I send it to FedEx. Well, it's great. If they sent it a trackable way, that speeds up the investigation because now you can say, okay, well, the package wasn't signed for here. It was signed for somewhere else. Somebody intercepted the package, signed for it. And now there's a -- now we know there's a problem. If it came postal service, though, you don't know. I mean, you don't know that because it's not trackable, just a regular piece of mail. Now it's not lost because it was cashed. The important thing is, was it cashed or was it not cashed? If it wasn't cashed, it can be lost in the mix. If it was cashed, okay, the next question becomes as a lockbox provider or probably the support departments at your various clients and train, show us a picture of the back of the check, so we can see how it was endorsed. And then that endorsement will start to really tell the story. And as a processor, we know like our endorsements always look like this. Well, now we see the endorsement on the back of that check that wasn't us, then that's the situation where you're able to identify, okay, this is a bad actor somewhere along the way, got a hold of this and took it into a branch or remote captured it somehow into an ATM, whatever it is, and the funds were credited to the wrong place. So that starts a series of that, now maybe you got -- the best thing in those cases is what it's generally the check writer who needs to open up an investigation, okay? So us as a third party, we're not the agreed party. The person whose payment was stolen is the agreed party. So we can't open up -- like I can't call the postal service and I think something was stolen and open up the investigation that check writer needs. So now you're investigating the person twice. And they're not happy. Your customer is not happy because you're asking them to open -- to do additional work for a payment of theirs that was stolen, not a popular thing. But they are the ones whose money was stolen. So they are the ones who need to do that. So this is just an example of the conversation that will come into place. It's -- oftentimes it's your -- you can have the controls in place and -- but if you're a large-scale lockbox provider like us, we don't know the amount that's supposed to be coming in. And we also don't know somebody may have a $500 credit card build, but they might only send $100. So if you look at the end of the month and say, all right, well, there's a difference. And what was invoiced versus what was paid, it's not $100 -- was it fraud? Or was it or was it just something didn't pay as much as they were going to. So it's important to keep this line of communication. It's important for -- you said previously, Craig and Sarah both mentioned about speed and getting on things quickly, your support departments knowing what to look for, knowing the correct questions to ask when things like when red flags start to go up and to get that information as quickly as possible, like something get us the copy of the back of the check right away. What is the check number? What is -- any of the -- when did you mail it all that type of information. That's what will aid these investigations along? And then if it becomes a situation where we believe it was in the postal system. They're going to ask you something like what mailbox did you put it in, on the corner of 57th in Madison? And you know what, now all of a sudden, their data, they see they have 9 investigations open in a 2-month period from somebody -- from people that mail from the same place, that's going to -- that's going to trigger their internal controls that we have a problem here or things coming into one central processing station or whatever it may be, they're going to connect dots. But they can only connect dots if they have that data.

All right. So that brings us to our second poll question. So this one. This one will pop up again, it's multiple choice. And this is asking about what are the security controls you have in place at your organization. Account payment validation, validating payment information, let's say, the banking information -- you have employee -- general employee training with testing. Later on, there's payment-specific employee training with testing at least annually. And you can see how these -- the different options are there. So go ahead and fill those out. And we were 45% Deluxe or poll in the chat box, so I'll be able to send these out. So that closed out, that would be awesome. Just to go ahead and fill out the poll question, hit the submit button. And then Sarah, I'm going to go ahead and ask you to comment on when it comes up when the poll is showing, see if you have any responses, then we'll go over to you.

Sounds great.

Yes, there we go. So yes, go ahead and make any comments that you have here.

Yes. So it looks like a majority of you do have the account name and validation, which is fantastic general employee training. Okay. Very good. So these are all really important areas for security control to help to combat fraud. We don't like to think about our internal employees, possibly being a part of fraud for our corporation, but it is a reality. And having these payment-specific employee training and testing and also just auditing the privileges of each, the principle of least privilege, only giving people access to what they absolutely must have. These are all really good ways to identify or to help to combat internal fraud from employees. So this is good. I'm trying to think if there's anything additional that I would have added to this list other than dual controls and such in just that overall, like I said, auditing in monitoring and logging what our employees are doing and how our payments are being sent.

Jim, any comments from you on this?

Yes. The dual control is something that I noticed as well. And a lot of times do, you'll be shocked, and I'm actually going to comment on it in one of the future slides, but the amount of cash that's still received at a lockbox more so than you can believe that people actually do put cash in envelopes and send it in the mail. And when you have -- that's the easy -- I shouldn't say, easiest kind of fraud, but that's a very risky situation is when somebody is putting cash in an envelope and putting it in the regular mail and not traceable and not trackable. So that's where the concept in our facilities where dual control comes at all cash has to be handled by more than one person. So we have that checks and balances against each other.

Dual control and maybe some cameras...

Yes.

The payment assessment, the payment security assessment in the past year, just about a quarter, just under 1/4 of the population on today's webinar have done that. that's a very good number. I mean, sure, it should be well over 50%, right? We would recommend people to do a payment security assessment at least every 2 years. I think this reflects an audience that's pretty well trained, pretty attentive on payment security, outbound and inbound payments. So really, really good information there. I'll draw your eye to the webinar chat section, and you can pull that up in the Zoom screen and see what the chatbox looks like, there is the ability to follow Deluxe on LinkedIn, Strategic Treasurer LinkedIn as well as our media channel, CTM filed for cash and treasury management file, go ahead and follow, those on LinkedIn that helps us just to communicate, all of us communicate with each other to follow what's going on in our different organizations. So really appreciate your information. And we just need 14 more Deluxe or polls in the box. I prefer not to say anything again instead of belaboring the point, but I appreciate you guys paying attention to that and liking data. I mean the data is great. We love to see what's going on. It's great getting a few hundred responses really rather quickly. Well, this is one I need to talk to. And so I'll introduce it. What's the role of the lockbox? How do we think of it as moving from simple to complex? Sarah had outlined and showed the chart moving from left to right, on the horizontal axis of check, ACH and wires for the U.S. going to a bank and then being sent to some different systems. Well, if you look on the complex side, what do we typically see, we have check, maybe real-time payments, ACH wire maybe going into a number of accounts for a number of different entities. That's feeding through to the banking concentration system as well as to the back end. And here on this chart, we're just showing -- we're showing the payment types that are sent to a banking structure in the middle tier and then at the lower tier is the receivable system. And so you can see and think and reflect upon how many payment channels are in play. And we asked a question earlier about complexities, how many banks, bank accounts, we can also ask about payment types, underlying back-end systems, all of those add to complexity. How do we get our arms and our minds around the payment process and how do we protect or put a fence around the security for these items since there are so many different touch points or entry points. So the left side is the complex view. On the right side, is a conceptual simplification where those different payment types, again, in the U.S. here, for example, coming into a lockbox, maybe in an e-lockbox. It takes paper and digital items together, combines those. So payments coming in from different channels, get combined to a single lockbox. And then there's a file, a digital update file that goes to the back-end system, simplifying how many accounts are hit, how many payment types and payment flows are that it isolates most of that activity into a single stream into the back office. So the role of the lockbox is to collect funds efficiently and securely. And the more points of contact methods of making payments that works against some of the overall objectives. And the reason you offer so many different methods is, you're trying to collect however you can from your different customers in a way that fits them and not forcing them down a single channel. So from complex-to-simple, there's ways to simplify the variety of options that your company probably needs to make and make it an easier process for your clients and/or those that are doing accounting, those who are doing forecasting cash positioning. I'll pause there. I don't know if Sarah, you wanted to jump in or Jim, if you got anything else to add on the role of the lockbox?

I actually don't have anything to add to this one.

Yes. Yes. So it's a key thing that people have been doing and pushing and moving towards it, simplification is on most people's minds like rationalizing how many accounts, how many activities, how many payment types are made and balancing that with the customer needs. Now that...

Sorry, Craig, not to interrupt. The only thing I would jump in near if you pull it back up is not only is it simple buying reconciliation or things like that, but in the different channels to bring it into one place. Lockbox is a very manual process, as we know, a very prone to human interaction, human error, things like that. The more electronic channels that can feed in, it's also helping your business, and it's helping your speed and your productivity. If you can get more things converted to ACH, get converted to wire it, online bill paychecks that don't come in as paper checks, but instead come in as an ACH payment. You're eliminating thousands and thousands of paper checks that need to be open, touched, key, things like that, that put the risk for error into place as well, not just the risk for fraud. So all in all, these systems as we go towards more e-lockbox are really, really efficient and helpful.

Yes. I think another thing is by blowing things through a lockbox, you have the opportunity to use exceptions modules to decision something that falls outside of what you were expecting or using account validation files to populate correct account information, which leads to the data coming out of the lockbox being more accurate, meaning you can feed that into your ERP system and reconcile much quicker and identify fraudulent transactions much quicker.

Excellent. Thank you, thank you both. A lot of people are saying, I want my third poll question, I want it now. So here is your third poll question. What is your company's greatest fraud risk or security concern around inbound payment processes and everything coming in? So missing checks, stolen checks, lockbox, employee fraud. So the last 2 would be concerns about the employees of a lockbox company like company or a bank that's providing that service. And the last one would be, you process payments internally and you're worried about employee fraud. I'll give everybody a chance to look at that. And I know we've exceeded our number on the Deluxe or poll in the chatbox. Thank you. No additional items are needed there. So thanks for responding and loving data as much as we do. Even more than we do, look at that. We'll bank these for the next webinar. All right. Jim, I'll ask you. It's a pretty close heat with the stolen missing checks. And there's definitely more concern on the employee fraud side. Do you want to comment on those? Then Sarah, you can jump in too.

Sure. Well, just a couple of things I can comment on like I think it's important to remember, not all the missing check is 91 of the 167 replies. Not every missing check is a fraudulent item. A lot of missing checks get found without any instance of fraud, it's just a delay of some sort of getting process. So I think that, that's important to make that distinction. Stolen checks, obviously, because of the ramifications down the line, that could be more than just a onetime event, a check could be stolen in cash and then that person's account information can also be drawn from that check for multiple other transactions down the line. So I think it makes sense that, that's the #1. And then just to kind of fly the flag for lockbox employees and outsourcing your lockbox service. Lockbox facilities like ours do have the best controls in place and the best technology and things like cameras, card swipes, logging of information. We have the best tools as outsourced lockbox providers to monitor our employees. So it makes sense to me to be more concerned about your own employees and somebody that you may outsource the work out to because maybe at -- let's just use a property management office of 9 people or something like that, that is an outsourcing their lockbox. They may not have cameras. They may not have card swipes. They may not have all those institutional controls that we do have. So I could see being concerned about it at that level more than the outsourced provider.

Sarah, anything you wanted to add?

Yes, I would agree with that assessment, Jim. I'd also add that although these are more paper-based broad concerns, I would add that if you are sending out invoices via e-mail and for some reason, we had the business e-mail compromise and someone hacked in or spoofed, I believe, is the correct term or one of the other terms, spoofed those invoice e-mails change the remittance to address. That may be a payment concern that where you were anticipating that payment coming in, but it was redirected to the fraudster. So that's another area that I think we need to make sure that we have a focus on and have a plan around.

One of the issues on the mail side was maybe a month ago, we received a check we sent out and about -- it was 2 months before we had sent it out, and they hadn't received it. So we ended up reissuing payment, and then it was almost exactly 2 months later. We get the envelope back and the address information was right, but it came back into the -- into our mailbox. And I was like, how does that happen in a world of paper, but I guess those are some of the challenges. Well, thanks, everybody, for answering the third poll question. We appreciate it, and we've reached our number, our count, which is great. So on to payment security. And Jim, I'll turn this over to you, as we think about assessing the payment processes and standards, there's a lot of areas to look at. And I've got a number of things to say, too, so I don't.

Great. So yes, a couple of things I've touched on before, and I just mentioned some of them, when we looked at the poll question about the state-of-the-art things that are in place and outsourced lockbox facilities. But a lot of the things are in as -- fancy has card swipes and great cameras. It's having documented detailed processes tracking mail the entire journey that it takes when it enters your facility. You can only control it from the moment that it gets to your courier and gets into the facility. Beyond -- prior to that, you really don't have much control over it. So the 2 words I would say, if you don't hear me say anything else today would be audit trail. Just have an audit trail on all of your payments that are coming in. And that starts with if the outsourced lot box provider uses a carrier, a fully bonded insured licensed carrier service to pick up the mail, which most of them do. When that carrier gets to the post office, there should be a log saying, first of all, you should need to show a photo ID when he gets there. They should have a list of the acceptable people from that courier company with their photo, so that the post office can match that up to who's receiving that mail. They should be signing a lot the post office should be saying, I'm giving you 42 trays. They should be counting we're getting 42 trays, that should be signed off. When the courier brings it into the facility that you're using for your lockbox. They should be now -- they would know the courier from coming every day, but if something -- somebody not the normal courier or whatever, you'd be checking those types of things against IDs and whatnot, and then you'd be doing your count, okay. post office said 42 trays, the courier said 42 trays, I'm now counting. Do we have 42 trays, sign off on that. It starts at that basic of a level when you're talking about lockbox. Then I can speak for [indiscernible] count it when it comes in. It's -- so we know these mail counts on a day-to-day basis we can use that not only for fraud, but also forecasting. But if a year from now, we see there's drastically less at a certain time that may raise a red flag as to what's going on. Everything is assigned a batch header based on when it needs to be processed by that batch header remains with that payment all the way through the cycle. So the payment maintains its batch integrity throughout. When payments are scanned and they go to data entry you mentioned earlier, like is that data entry being done in a white room environment, especially if it's offshore, like that people don't have phones on their desks. They don't have posted notes, like it should be a clean environment where it's just them in the keyboard to do data entry, and there was a fancier term for what I -- how I would say that you guys had up on the slide before, but about only show people what they need to see. I don't remember exactly what the term was in the poll, but...

Principle release privilege.

Release privilege, exactly. So your data entry operators, they don't need to see the ticker information on the bottom of a check necessarily. They should just be seeing a block that has the amount and the legal written amount, so they can keep from that. So it's things like that. And then it goes to further on, like out on the floor of the lockbox, no phones. Again, people should be coming and putting their stuff in lockers. Each employee should have a locker to put their phone in so that they're not -- there's no ability to snap a picture of a check. You shouldn't be able at a data entry, especially offshore, they shouldn't be able to screenshot anything that's on -- so I want to check if, for some reason, the MICR wasn't block, maybe a supervisor can see the MICR or a customer support person who a lot of time will need to see that MICR information to do one of the traces that we talked about before. Well, then they shouldn't have the ability to take a screenshot. Things of that nature, but the most important thing is you audit trail shredded and use Iron Mountain, you shred it. And so when you get rid of your check, maybe you only retain them on site for 5 to 7 days, whatever it may be. Logs of all your shredding and your secure destruction that, that's all monitored so that something doesn't happen on the back end with the payment. Also a lot of times in lockbox, and I know saying a lot right now, and I'm kind of just viewing some things. But in lockbox, it's not just the incoming mail. And a lockbox, so you're responsible for outgoing mail also, not every payment that comes in necessarily needs to get processed. And going back to my story before about the grand jury, those were payments that were dispatched back to a company, okay? So it was very easy. To me the first question because, well, was it somebody in your lockbox who committed the fraud. And we were able to say, no, because those payments were archived, they were imaged. They were rejected. They were sent out. Your dispatch. I can't stress this enough. This dispatch, it really should be going back in a trackable format, either a FedEx or UPS. So you could say, no, we sent that checkout on this date. It was signed for by Sally at your office on this date. That's where you need to be looking in your fraud investigation. So not only with lockbox on the incoming side but also the dispatch on the outgoing side is really, really important to be -- to have controls in place. And then the last thing I would just touch on would be the cash, as I said before, especially in the nonprofit world. If you're working with nonprofit lockbox, doing things for churches, doing things for schools. Somebody may just send -- they give what you can give and they send in $1 or they send in $5, we process hundreds of thousands of dollars in cash a month in our facilities, all under dual control, to get that money out of the safe, it has to be 2 people. 5 of them have keys to 1 lock. It's 2 locks on the safe, 5 have keys to 1 lock, 5 have keys. Nobody has a key to both locks. So you need to do it with somebody else to get that cash and then to write checks out for all that cash. It's a very controlled process like everything else that we do because the temptation of cash is a temptation.

Yes. Some great points, Jim. When you think about the common phrase is people, processes and technology, you can see these here, but the services, there's also structures, how we structure our banking system for those that are on from the treasury perspective, designing your banking structure should be designed for optimal cash management purposes to also support the accounting function not to be designed for the accounting function, but to support that and to allow for that growth scalability, isolation, so that any type of fraud will be discovered. So there are some good points there, Jim, so thanks for that. As we continue on. Sarah, I don't know if you wanted to go first on this one or if you'd like me to go first. I think we had a couple of points we wanted to talk about and perhaps a story or 2. What's your preference?

Why don't you glad you kick it off, and I'll take over in half.

Yes, correctly. The fourth item down there, employee security training, this idea of training. I think we're pretty used to it, payment security training is not as common as general cybersecurity training. And I want to emphasize that point of having employee security training on payment security is often overlooked. There's a couple of standards that are out there. The Swift customer security program or Swift CSP has a bunch of security standards, including training on a number of topics that are required. If you look at PCI DSS, the Payment Card Industry Data Security Standards, they have annual requirements for protecting of data, technology updates as well as have 5 different channels or paths for having training. And so you can see how some of these payment processes have made payment security training, vital and essential and recognize that. I guess the last thing I'd say is when we've done surveys on those who are doing payment security training, cybersecurity training against those who do not, the last time that we were able to get a substantial number of those who don't do any training. The losses for those that don't have training were anywhere from 2, 2.5x to 5x greater than those who had security training. And that's just -- those are awesome correlations you can understand why there's a correlation there. It's like those that are more alert on top of things, do better. And so we've seen the growth of people having security training and payment security training and the frequency of that training increase. And the reason that it increases is because it's paying dividends, it's protecting organizations. Those are some of the really important items to training the human factor, just like you update your firewall. Go ahead, Sarah.

So when you look at the employee security training, you must have a plan for keeping your employees up-to-date on the most recent compliance and industry standards. The industry experience, specifically as lockbox provider, you want to know that your lockbox provider follows all of the industry standards, the access controls and authentication -- response plans are very, very important. And then segregation of duties, this is one that's kind of near and dear to my heart. Similar to Jim's situation where he had to testify the grand jury, I had a situation several years ago, where a -- where the person who was writing the checks was also the person reconciling the checks. And over the course of about 10 years, this individual is still over $2 million from their employer. She was very, very well trusted. She was the go-to person. She handled the cash and the checks and the money orders and everything that was in coming. But what she was doing is she was periodically writing checks that seems legitimate to family and friends who would then get a kickback and then give her the true bulk of the funds. Had there been dual control and separation of duties, that would have been caught a long time ago. The principle of release privilege, making sure that each person only has access to the task required to do their job. And then also, one that I don't have on here, that is the security background check because in this situation. Had they done a security background check on her as an employee, they would have found out that this individual was released from our last 2 positions for embezzling.

That's a significant story in itself. Thanks -- thanks so much, Sarah. And Jim, to get you back into the conversation. There's a bunch of security questions here that many people would want to ask themselves and their team.

Yes. And for purposes of time, we don't have to go through every single one of them, but one that I'd hit on right away is do you offer a third party out of station. So what that is or it's basically certifying if you hire an outsource provider take to provide your lockbox. Are you sending out an audit team to certify that proper procedures are being filed, the document to procedures of that company or they be followed? So about, I guess, it was about a month ago, I was on site at one of our facilities for one of our largest clients came in to do an audit. And I just watch them and go through that whole process of third party out of station. It was very detailed. They wanted to see documented procedures, and then they would walk the floor and make sure those procedures were being followed. Touched on the offshore resources data entry before about the way knowing your data entry provider, knowing how the structure is. The business continuity plan. I can recall right before COVID getting a phone call from one of our clients saying, this is in like the end of February and them saying, what do you plan on doing if you have to shut your offices down? I'm like -- at this point, I was just starting to hear kind of like middle of February, just started to hear this COVID thing. And this was at my previous place and said, we're going to be just operating business. You didn't think it was going to be a big thing. All of a sudden, business continuity came to the forefront for every single person in March of 2020. And it's so critical to have document BCP to have redundant processes. One of the things that's nice about our Deluxe footprint is, we're in multiple sites with all can feed into the same place, a hub-and-spoke model where mail can be opened in one place and key it somewhere else, so we back each other up and we're redundant. So -- and then one other thing with the employee background check, just talked about in the other story, if the background check had been done correctly, something like that might have been identified. Well, it's not just when you hire somebody, like every 5 years, our background checks are redone on. But you never know, somebody could get -- be on their perfect behavior and get a job. And 2 years later, they could have a situation in their life that turns them towards a crime or something like that. And all of a sudden, if you never recheck anybody, you don't know you might have a bad actor on your hand. So it's critical to do that throughout the process of their employment.

Yes. Excellent. So as we come to the takeaways, I'll start then Sarah and Jim, if you could wrap us up. So what are some of the key points to leave with you when you think about controlled processes and services. There's services from your bank that protect accounts, services from third-party vendors. There's what you do, however you interface with the payment process from an internal control perspective. But finally, there's a standard of what's commercially reasonable for the protection of your payments inbound or outbound? And that changes over time because criminals are more efficient. So think about how do I continue to update those standards. And over to you, Sarah.

Yes. So when you look at the takeaways for security and banking security standards, compliant with industry standards, I mentioned that a couple of times, NIST cybersecurity framework, COBIT, control objectives for information and related technologies to help establish those controls and align the IT activities. PCI compliance, ISO 27002 that helps to identify that framework for identifying and managing and mitigating risk. Swift the basal committee on banking supervision, AML regulations, knowing your customer, all very, very important. Access controls, MFA, multifactor authentication, dual controls, role-based access controls, single sign on physical address control -- or access controls, regular audits and reviews already mentioned, and then incident response and recovery. Make sure that your incident response plan, they -- of course we have one, then identification and reporting incident response team is important, containment and mitigation, communicating and reporting, remediation and recovery in business continuity and disaster recovery, all very, very important.

And that kind of leads right into my first point, which take away from today would be how prepared are you for disaster recovery and business continuity. Do you have multiple sites set up? Do you do testing to see if that plan needs to be enacted and how quickly it needs to be enacted? Make sure that if you're choosing a lot but they're using state-of-the-art technology from a cybersecurity standpoint with servers, but also just as simply as making sure its cards light access to every room that cameras, monitor the entire facility. And then you have determined back KYC, know your customer, I would say, in lockbox or what a KYV, you know your vendor. Know your courier company, know your offshore data entry provider, know your shredding company, just know all the vendors that you're using are critical.

Right. Sarah, and Jim, thank you so much. We're going to turn it back over to Brian with our thanks for everyone for listening. Brian?

Indeed, thank you for everyone for listening today and your CTP credits, today's webinar slides and the recording of today's webinar will be sent to you within 5 business days and to explore next-generation payment trends with Deluxe and -- or Strategic Treasurer. We should listen to the treasury update podcast episode 255, that's episode 255 by clicking the link in the chatbox. Thank you, and we hope you have a good rest of the day.

Thank you, all.

Thank you.