The rise of the cyber counterparty
As digital technology transforms treasury processes, cyber, legal and regulatory risk has moved to the top of the agenda.
Companies that embrace digital transformation are increasingly dependent on the new systems and the vendors who supply them, alongside banks that are under pressure to go digital or make their services cloud-based. Treasurers are now realising that this dependence exposes them to myriad cyber, legal and regulatory risks, but it’s unavoidable.
Start with cybercrime. For many treasury teams, the issue has climbed to the top of the risk agenda over the past decade, as responses to cyber breaches start raising compliance issues.
When the right controls are lacking, corporates can lose millions. Fortune 500 components group Arrow Electronics is one of many examples. “Go to Google and search ‘Fake President Fraud’ or ‘Corporate Wire Fraud’,” says the company’s treasury systems manager, Annette Tedesco, speaking at EuroFinance’s recent Strategic International Treasury Conference in Miami.
Arrow saw fraudsters successfully impersonate an executive of the $29.6 billion technology solutions company. Before the subterfuge was exposed, around $13m had been transferred from one of its bank accounts to external accounts in Asia.
Tedesco says this type of story helps build a business case for treasury management system (TMS) funding. “Put case studies like this into your proposal, it provides a reason for investing in and implementing a system,” she suggests.
Meanwhile, as cybercriminals increasingly resort to ransomware attacks, risk management can conflict with regulation, thanks to rules from the US Office of Foreign Assets Control (OFAC) that aim to stiffen corporate resolve when a company is hit.
“OFAC is now registering all cryptocurrency accounts,” says Royston Da Costa, assistant group treasurer at multinational plumbing and heating supplies specialist Ferguson plc.
“Any company paying into a cryptocurrency account following a ransomware attack is likely not only to be fined but the amount – and we’ve already heard of several cases – is likely to considerably exceed the ransom paid and the company is also likely to be added to the authority’s blacklist.
“The implications are huge for many companies – including my own, which is UK-based but derives 90% of revenue from the US. But many companies, particularly SMEs, will readily pay a modest ransom simply because they feel they have no alternative.”
The regulatory cost of cybercrime means that companies might also face claims from bank partners or other counterparties in the event of security breaches that expose them in turn.
“Digital transformation can be voluntary, or it can be regulatory,” said Paul McCulloch of the NYC CyberLaw Group. “Either way, if you’re not working towards that it means one of two things – you have a good, conservative market that won’t ever change, or you’re going to be out-competed.”
There’s even talk of ‘technology counterparty risk’ as a new core responsibility for the treasury profession. “It’s about understanding technology better than your counterparty, and then offloading the liability”, explains McCulloch.
Where responsibility resides
The need for companies to devote resources to cyberattack defence and mitigation also raises the question of how great a role treasury should play.
Da Costa believes that while treasury teams gained kudos as “a safe pair of hands” in steering their company through the financial crisis, cybersecurity initiatives should involve all departments across the organisation.
“I’d still make the demarcation that IT is responsible for what I’d call the ‘gateway’ that protects us from the vast majority of harmful emails that could get through our firewalls. But we’re still responsible for ensuring that we don’t click on a suspect-looking link,” he adds.
“As regards payments, treasury is clearly responsible up to the point that a payment is released to the bank, which then assumes that responsibility upon receipt.”
Yet with the cybercrime risk requiring a coordinated response, Ferguson is one of many companies that have established a dedicated cybercrime response team. “In our case we have stakeholders from each critical department and within the wider group, who are on a list. Should anything happen and there’s a situation where they need to be contacted there will be a plan that kicks into play which we manage effectively,” says Da Costa.
Regulation and unpredictability
Tougher regulatory controls in the post-crisis era mean a growing volume of regulation, the detail of which treasury needs to be familiar with.
The list includes Basel III’s capital adequacy requirements; Europe’s revised Payment Services Directive, aka PSD2; the European Market Infrastructure Regulation (EMIR) for over-the-counter derivatives; money market fund (MMF) regulation on both sides of the Atlantic; and Europe’s SEPA Credit Transfer (SCT) scheme.
For Anthony Osentoski, former head of corporate treasury and insurance for the Apac region at advanced materials and specialty chemicals producer Solvay, the unpredictability of regulation in emerging markets adds to the headache.
Solvay has operations in mainland China, India and Indonesia, so “we’re in three countries where regulation is becoming a huge pain for regional treasury,” he reports.
“You can work really hard to understand the system, set up your processes around it and then suddenly the rules change overnight without any communication or guidance. It’s not the slow implementation we’ve come to expect in the West.”
This propensity to change the rules upset Solvay’s plans to reduce its need for hedging by setting up cross-border renminbi payments via its cash pool. The scheme was barely underway when China’s State Administration of Foreign Exchange (SAFE) began imposing quota limits on the banks. “So we just scrapped the whole thing and went back to US dollars for our cross-border payments because of that regulation change,” says Osentoski.