As the custodian of your clients’ rental properties and rental income, your most important job is to ensure no money goes missing. Ever.
One of the biggest threats to the security of that money is internal fraud. The Association of Certified Fraud Examiners (ACFE), which studies fraud worldwide, says that real estate is among the top five sectors most targeted by internal fraudsters, and suffers higher-than-average losses when fraud occurs.
Agency staff routinely receive and pay out large amounts of client money, and so it is crucial to restrict and monitor who can make payments, when and how. In fact, properly controlling payment permissions may be the most important thing you can do for your clients’ security and your own peace of mind.
Make sure your payment security is up to scratch by answering these four questions.
What permissions do your employees need – and what do they have?
Setting up new payment beneficiaries, changing beneficiary details, making payments and releasing damage deposits are all essential functions of a rental agency. But they are also prime opportunities for fraudsters to redirect client or tenant funds to accounts they control.
For this reason, it’s critical to only give employees the access they need to do their jobs. The bigger the group of people who have access to high-risk functions like payment processing, the bigger the risk.
It’s also important to regularly audit your user permissions list. Make sure that staff members’ permissions are updated to reflect any changes in their duties, and that any former employees have been removed from the system.
Using a payment processing platform like PayProp makes it much easier to restrict, review and manage employees’ access. It’s as simple as unchecking a box on their user profile.
How many rental agents does it take to make a payment?
If you can’t lock someone out of a function, e.g. if they need it to do their job but some form of security is needed given the inherent risk, the next safest option is to put oversight in place. The ACFE says more internal fraud is uncovered by employee tip-offs than any other method.
High-risk functions like making payments, changing landlord banking details, or adding new payment beneficiaries become much safer if they need signoff from two employees instead of just one. It means that no employee can pay out money or redirect payments without someone else approving the transaction.
If you would like to set up double payment approval on PayProp, just get in touch with our friendly Client Services team.
Some combinations of permissions are risky as they make it too easy for the staff member to move client money into accounts they control. Anyone who can approve beneficiary payments (unless it is the principal or business owner) should not also be able to, without approval:
- Create a new beneficiary
- Update a beneficiary’s details
- Change a tenant’s bank details
For smaller agencies, requiring multiple people to approve actions may not be practical – although fraud prevention should be a high priority at agencies of every size. If you don’t have enough staff to segregate duties effectively, it becomes even more important to audit user activity.
What is your process for changing beneficiary bank details?
Beneficiaries may want to change their bank details for perfectly legitimate reasons, like opening a new account. But it’s also a common method for criminals to steal money from businesses by redirecting payments to accounts they control.
Requiring dual approval to change bank details can stop that. But even so, you run the risk of the second employee being duped by a legitimate-looking e-mail purporting to be from a client. In this case, you should also verify the change with a phone call to the beneficiary requesting the change. You can also ask them for proof of bank account ownership for the new account.
PayProp users: remember you can verify bank details via PayProp for a small fee!
How do you track user actions?
Having strict controls in place only keeps client money safe if you can enforce them. How do you know who made a payment from your client account or changed a beneficiary’s details, for instance?
It couldn’t be easier with PayProp – the platform automatically logs all actions taken by users, and its record can’t be edited or erased. When reviewing your audit log, you can and should look out for unexpected beneficiary detail changes, payment updates, tenant invoice updates or excessive volumes of credit notes. But other systems may give you less visibility over payments or bank detail changes.
Another caveat is access control. With any system, it’s critical to give each user their own account and login details. Account sharing makes it much harder to determine which user carried out a particular action even if you have a thorough activity log. It also increases the risk of former employees accessing your system after they have left – a huge security flaw that can’t be left unaddressed.
Be the protector your clients need. By updating user permissions and reviewing your security settings to give employees only the access they need, you're providing the best possible security for your client funds and your own reputation.
If you’d like to find out more about how PayProp keeps client money safe, visit our website.
.jpeg)
%2520cover%2520(2).jpeg)
