Avoiding Digital Fraud

Q. How can our church avoid digital giving fraud?

A. Avoiding digital fraud must be a priority for churches. This requires understanding the basics of how electronic giving is established. It is a matter of understanding the three processes included in all e-giving arrangements and the safeguards that go along with them.

Giving platform. Typically, the church collects credit card or bank account information through an online giving platform. Data security on the giving platform is essential. Look for all of the following to ensure your giving platform is secure:

  • TLS (Transport Layer Security, the successor to the older SSL protocol) encryption, which establishes an encrypted link so that card and bank data travel securely between the giver's browser and the web server (you will know it is in use if the web address begins with “https” instead of just “http”);
  • Card security code checks (the three- or four-digit CVV/CVC code printed on the card, which a compliant platform verifies at the time of the gift and never stores afterward); and
  • Address verification (AVS), which compares the billing address the giver enters with the address the card issuer has on file. Nick Nicholaou, president of Ministry Business Services, also suggests looking for the lock icon in the browser URL address bar: “If it is solid, the security certificate is fully in force. If it is broken, there may be issues with the security certificate on the server.”

Payment processor. The next step is the payment processor (also called the merchant account provider), which processes the gift and delivers it to the church’s financial institution. It is usually a third-party service that receives, verifies, and accepts or declines card transactions over secure Internet connections on behalf of the church.

Giver management system. After the gift is made, there must be some form of recording and management. While some giving platforms have the option of processing giving records, most churches host giving records on their own information technology systems.

While properly establishing these three steps is important to protect a church from outside theft, it is also important to implement the following strong internal controls related to digital giving:

  1. Build a strong, multi-person payment processor relationship. Digital giving involves interaction with at least one outside vendor—the payment processor. Who should have the initial and ongoing interaction with this vendor—and others—in the digital giving process? The natural tendency is to ask someone with information technology skills to handle it. You may involve information technology staff, but someone in a top leadership position at the church must control the process.

While one person must initially establish an account with each payment processor, multiple staff should verify the initial set-up, including a high-ranking church staffer. For example, the high-ranking church staffer should subsequently access the set-up information to verify the accuracy of the information.

  2. Limit authorized changes to payment processor accounts. After initially establishing a payment processor relationship, changes to the bank routing and account numbers to which the processor deposits funds should be limited to high-ranking church staff, none of whom participate in the reconciliation of digital funds or have access to the giver management system.

Note: This prevents any one person from being able to change the routing of funds from the church’s account to a personal account without being caught. Without this control in place, the deposit routing and account numbers could be changed to divert incoming funds from a church account to an employee’s personal account for just a few hours or a few days each month. The church would still be receiving most of the digital gifts and may not notice the missing funds. If the payment processor does not notify the church of routing changes, or if it sends a notification that goes only to the person who made the change, who will know the funds have been diverted?

  3. Set notifications for any time changes are made to payment processor accounts. Each payment processor should be requested to immediately notify a high-ranking church leader of any change to the bank routing information. If the processor will not commit to complying with this request, strong alternative controls should be used. For example, periodic surprise tests should be made of each payment processor account to ensure the appropriate bank routing information is being used.

  4. Verify the payment processor has internal controls in place. How do you evaluate the quality of the internal controls employed by your payment-processing vendor? Only by insisting it has an SSAE 16 Type 2 report (SSAE 16 has since been superseded by SSAE 18; the report is commonly referred to as a SOC 1 Type 2 report) issued by an independent auditing firm covering its internal controls. The processor should be PCI DSS-compliant; the card networks require this of anyone who stores, processes, or transmits cardholder data, but it is a contractual requirement rather than a statute, and it addresses card data security rather than the processor’s financial controls. So compliance alone is not enough. Insist on a SOC 1 Type 2 report with a favorable opinion regarding the organization’s internal control over processing of transactions.

  5. Require regular payment processor transaction reports. All monthly payment processor transaction reports should be received by a high-ranking church leader in addition to a staff member more directly involved with the transactions. Use the reports to confirm the proper routing and account numbers were used.

  6. Reconcile digital giving accounts regularly. A high-ranking church leader should regularly review the following reconciliations:

  • Bank accounts to payment processor transaction reports. This reconciliation ensures that all digital gifts were deposited in the appropriate bank account (digital gifts will be separately identified in the bank statements).

  • Giving records to payment processor transaction reports. This reconciliation verifies that all digital gifts are recorded in the giver management system (this is in addition to verifying that all non-digital gifts are recorded).
  • Giving records to bank accounts. This reconciliation verifies that all digital gifts deposited into bank accounts are reflected in the giving records.

Note: Reconciling bank accounts with the giver management system is a good start. But who is doing the reconciliations? If the same person is in charge of the payment processor relationship and the giver management system, a negative entry—perhaps posted to the fraudster’s own giving account—could keep the giver management system in balance with the bank. That means the diversion of funds will go undetected. These duties must be separated.
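The following script is an added example (it is not ECFA's tooling or code from the original page) showing how the controls in items 2 through 6 can be turned into a repeatable check: it verifies that every processor payout went to the church's known deposit account, that every payout appears on the bank statement, and that giving records match the processor report transaction by transaction rather than only in total. The data layout, field names, account numbers, and the month of sample transactions are all constructed assumptions; a real run would load the processor's transaction and payout reports, the bank statement, and an export from the giver management system.

```python
"""Three-way reconciliation of digital giving (added example, not ECFA's code).

Assumptions (not from the original page): the payment processor provides a
transaction report and a payout (settlement) report, the bank statement
identifies digital-giving deposits by payout reference, and the giver
management system stores the processor transaction id with each gift.
"""
from decimal import Decimal

# Hypothetical: the church's known deposit account (routing number, last four digits).
EXPECTED_DESTINATION = {"routing": "021000021", "account_last4": "4521"}

# Constructed sample data for one month.
PROCESSOR_TXNS = [
    {"txn_id": "T1001", "giver": "G01", "amount": Decimal("100.00"), "payout_id": "P1"},
    {"txn_id": "T1002", "giver": "G02", "amount": Decimal("250.00"), "payout_id": "P1"},
    {"txn_id": "T1003", "giver": "G03", "amount": Decimal("75.00"), "payout_id": "P2"},
    {"txn_id": "T1004", "giver": "G01", "amount": Decimal("50.00"), "payout_id": "P2"},
]
PROCESSOR_PAYOUTS = [
    {"payout_id": "P1", "amount": Decimal("350.00"), "routing": "021000021", "account_last4": "4521"},
    # Settlement batch sent to a different account after an unauthorized change.
    {"payout_id": "P2", "amount": Decimal("125.00"), "routing": "011000015", "account_last4": "9910"},
]
BANK_DEPOSITS = [
    {"ref": "P1", "amount": Decimal("350.00")},
]
GIVING_RECORDS = [
    {"giver": "G01", "amount": Decimal("100.00"), "txn_id": "T1001"},
    {"giver": "G02", "amount": Decimal("250.00"), "txn_id": "T1002"},
    {"giver": "G03", "amount": Decimal("75.00"), "txn_id": "T1003"},
    {"giver": "G01", "amount": Decimal("50.00"), "txn_id": "T1004"},
    # Offsetting negative entry with no processor transaction behind it; it keeps
    # the giving total equal to the bank total so a totals-only check passes.
    {"giver": "G07", "amount": Decimal("-125.00"), "txn_id": None},
]


def misrouted_payouts(payouts, expected):
    """Payout ids settled to any account other than the church's known one (item 2/3/5)."""
    target = (expected["routing"], expected["account_last4"])
    return [p["payout_id"] for p in payouts if (p["routing"], p["account_last4"]) != target]


def payouts_missing_from_bank(payouts, deposits):
    """Processor payouts with no matching deposit on the bank statement (item 6, first bullet)."""
    deposited = {d["ref"]: d["amount"] for d in deposits}
    return [p["payout_id"] for p in payouts if deposited.get(p["payout_id"]) != p["amount"]]


def giving_vs_processor(txns, records):
    """Transaction-level match of giving records against the processor report (item 6, second bullet).

    Returns (processor gifts not recorded, giving entries not backed by a processor transaction).
    """
    by_id = {t["txn_id"]: t for t in txns}
    recorded = {r["txn_id"] for r in records if r["txn_id"]}
    unrecorded = sorted(set(by_id) - recorded)
    unsupported = [r for r in records
                   if r["txn_id"] not in by_id or r["amount"] != by_id[r["txn_id"]]["amount"]]
    return unrecorded, unsupported


def totals_balance(records, deposits):
    """The totals-only check that a fraudster's negative entry can keep in balance."""
    return sum(r["amount"] for r in records) == sum(d["amount"] for d in deposits)


def run_reconciliation():
    """Run every check on the sample month and return the findings for the reviewer."""
    unrecorded, unsupported = giving_vs_processor(PROCESSOR_TXNS, GIVING_RECORDS)
    return {
        "totals_balance": totals_balance(GIVING_RECORDS, BANK_DEPOSITS),
        "misrouted_payouts": misrouted_payouts(PROCESSOR_PAYOUTS, EXPECTED_DESTINATION),
        "missing_deposits": payouts_missing_from_bank(PROCESSOR_PAYOUTS, BANK_DEPOSITS),
        "unrecorded_gifts": unrecorded,
        "unsupported_entries": [(r["giver"], str(r["amount"])) for r in unsupported],
    }


if __name__ == "__main__":
    for key, value in run_reconciliation().items():
        print(f"{key}: {value}")
```

On the sample month the giving total and the bank total agree, so a reconciliation that only compares totals reports nothing wrong. The transaction-level checks surface both halves of the scheme: payout P2 went to an account other than the church's and never reached the bank, and the giving system contains a negative entry that no processor transaction supports. Whoever reviews these findings should be someone other than the person who can change the processor's deposit account or post entries in the giver management system.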

  7. Limit access to giving systems. Heighten security by limiting access to the giving platform, payment processors, and the giver management system. Proactive ministries allow givers to access giving records online through a secure system and also mail quarterly giving statements. These extra “eyes” on the data help ensure that gifts are properly posted to giving records.

When one or a few people control the giving platform, payment processor, and giver management system, the church has just invited fraud to come in and take a front row seat. Who interacts with your payment processor, designating the church’s financial institution and the specific account to which the payment processor will direct the funds? Does the payment processor confirm bank routing changes to the church, and, if so, who receives these notifications?

If a church has delegated responsibilities to two individuals, security is heightened, but the fraud steps above could still be accomplished simply by collusion between two people. As more people are added to the internal control matrix, collusion of additional people is required, reducing the risk of fraud.

Find the balance between trusting your staff and verifying their work. Help them understand that high accountability in the digital giving arrangement protects them and demonstrates sound stewardship of God’s resources. Establishing and maintaining God-honoring digital giving for the church is not for the weak at heart. It is hard work!

Q. How can our church avoid expense-related digital fraud?

A. Along with avoiding fraud in receiving contributions coming into the church (inflow), churches must also be concerned with avoiding fraud in their disbursements out of the church (outflow).

For helpful tips to avoid expense-related digital fraud, ECFA recommends the book Integrity at Stake: Safeguarding Your Church from Financial Fraud by Rollie Dimos, Certified Fraud Examiner. See chapter 6 on Electronic Fund Transfers and the Fraud Risk Assessment included in Appendix A.