By this point, you’ve probably heard about the fraud case perpetrated by MyPayrollHR. Based on several reports, the New York-based payroll company absconded with around $26 million of its clients funds and has left many organizations wondering if their own payroll operations are secure. While instances like this are rare, it’s always a good idea to take the proper steps to protect your company from payroll fraud before it happens.
What Happened with the MyPayrollHR Fraud Case?
As is common in the payroll industry, MyPayrollHR sent daily digital files to their ACH processor, Cachet Bank, that included the amounts owed to each employee for their payroll. These digital files also included entries that showed the funds would be deposited in a holding account maintained by Cachet Bank. The bank would then distribute the funds to the accounts. Again, this is a daily, routine occurrence.
However, things started taking a turn earlier this month. On September 4, 2019, Cache Bank reported that MyPayrollHR requested that all clients’ payroll dollars be sent a private account owned by MyPayrollHR. This in itself constituted fraud and when Cachet Bank discovered the transactions, it attempted to reverse the funds that had already been dispersed to employee accounts—essentially taking back people’s paychecks. Very shortly thereafter, MyPayrollHR announced they were going out of business, leaving many companies and their employees without their earned funds.
How Do I Know My Payroll Processor is Secure?
While these large scale events are rare (there at least 1,900 independent payroll processors nationwide), it’s always a good idea to know what questions to ask your own payroll processor to ensure it has the proper security controls in place to prevent this type of fraud. First off, payroll companies and financial institutions need to have a proper “separation of duties” when submitting payroll files. As in most cases of fraud involving financial institutions, one person usually has unchecked access to too much information.
Separation of Duties for ACH Processing
If “Separation of Duties” is properly exercised by a payroll organization, one department or individual is responsible for generating the daily ACH files to the bank with instructions on how and where to pay employees. Then a different department or individual is responsible for approving and reviewing the transmitted files. Once the file is securely uploaded to the bank, a banking partner (like Cachet Bank was to MyPayrollHR) institutes further controls to rule out any possibility of fraud. When “Separation of Duties” is properly exercised there are several layers of control to protect the customer.
In the case with MyPayrollHR, there was a dual failure of separation of duties at both the payroll company and the bank. At the payroll company, one individual or department was allowed to manipulate the bank account information within the NACHA file uploaded to the bank. Additionally, Cache Bank recently appearing on the Cloud Accounting podcast and admitted to not having these proper fraud controls in place. You can listen to the full conversation here.
In addition to “separation of duties,” below are some additional controls that each payroll processor should have in place.
Daily Account Reconciliation – Payroll processors should have individuals who are responsible for conducting daily bank account reconciliations to match direct deposit payment and tax payment files to funds received by clients, ensuring there are no incidents of fraud or client non-sufficient funds (NSFs).
Multiple ACH Files – As a risk mitigation effort, payroll companies may send several ACH files throughout the day, rather than sending one large daily file transmission.
How Can I Verify these Payroll Security Measures are in Place?
There are two very important audits in the payroll industry that test internal processes for ACH Processing. The first audit is an annual SOC 1 Type 2 audit (also known as the SSAE 18 Report). The second audit is a NACHA Audit which is recommended by the official regulatory body of the ACH industry. Your payroll company should be undergoing these audits on an annual basis and should be evaluated by an independent auditor with experience in the payroll industry. Your payroll company should make these audits available to customers upon request. You should review the audits to ensure that the payroll processor is exercising the proper “separation of duties” outlined above.
About CTR Payroll
We know the distrust MyPayrollHR has brought on our entire industry. This criminal investigation certainly hit close to home for us at CTR, but we pride ourselves on the trust we’ve cultivated with our customers. That’s why we want you to know what payroll fraud looks like and how to protect your company and its employees from it.
Getting your employees paid involves a lot of processes happening without delay or error and we’d love to help you understand it even further. Please feel free to contact us with any questions or to learn how we can partner with your organization, giving you the peace of mind you deserve.