Payroll Fraud

How to Avoid Payroll Fraud and Secure Employee Data

  • Payroll pivots in the last few years have centered on technological changes to processes.
  • Has the ability to secure employee and payroll data kept up with the changes?
  • Payroll fraud vulnerabilities can be found in who is able to access the data and in the routines performed.
  • Locking down the privacy and security of payroll data means changing protocols.

Payroll operations in the last several years have dramatically changed how employee data is collected, shared and secured, and not just because of the pandemic and the need to process payroll from remote locations. And payroll fraud-related data breaches remain an ongoing threat to operations. According to the Ponemon Institute’s Cost of a Data Breach Report, it cost employers an average of $3.86 million to resolve a data breach in 2020 that wasn’t discovered, on average, for some 280 days!  

The cost to secure systems started going through the roof several years ago. Do you remember when companies had their own proprietary email solutions and struggled to ramp up email security (and storage capacity) in order to improve delivery? Quickly, it became untenable to maintain such a growing set of servers and to secure them and the data stored within them — and efficiently run payroll at the same time, all while avoiding payroll fraud. 

With new solutions, companies no longer have to invest a lot of capital to increase the hardware capacity needed to keep up with the ever-evolving applications, and in the computer expertise that goes along with that. They could use a service company that has those capabilities. Currently, just about all payroll service organizations use cloud technology in at least some of their client offerings. 

The offer of a less expensive solution for data storage and, along with it, top-of-the-line security applications — at least we hope — is being embraced now. But this creates a new set of issues around data privacy and security that now need to be addressed.

Keeping up with the new applications

New processes, applications and technology running through third parties mean changing the security protocols surrounding the data involved. And it means learning a lot of new acronyms for the different security assessments and applications. Each organization that you are considering for handling or storing some of your data should provide you with a detailed summary of its security policy.

In that policy description you should receive: 

  • Ways data is protected from improper access
  • General description of how encryption protocols are applied
  • How they secure the network, endpoints and the physical environment
  • Validation that other parties they use have similarly stringent protocols
  • Verification that independent security assessments are ongoing
  • Incident response and business continuity plan summaries

The policy description from the third party also should include credentialed audit reporting under the oversight of the American Institute of Certified Public Accountants (AICPA) and other certifications from organizations that set up watchdog types of assessments for security and data privacy.

In 2011, the AICPA created the Statement on Standards for Attestation Engagements (SSAE) No. 16, a rigorous set of guidelines for auditing. At the same time, the AICPA announced complementary Service Organization Controls (SOC) reports, which can differ depending on the needs of a service organization and its clients. The one most visible in the payroll community is the SOC 2®: Trust Services Criteria.

What to look for when considering a third-party provider: SOC 2, Type II certified. Type II means that the organization was audited over a specific period of time to determine the effectiveness of the controls they have in place.

Several other compliance assessments and designations should be met by service providers, and some of these depend on the type of service.

For example, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is necessary if payments via a pay card are being facilitated by the provider.

For information security management, there is the ISO 27001:2013 certification. Put together by the International Organization for Standardization, ISO 27001 is a family of system standards that “enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.”

The 2013 certification is for any kind of digital information. 

But that's not all!

I would be remiss to not cover the impact that Europe’s General Data Protection Regulation (GDPR) has wrought on organizations operating both within and outside the sphere of the GDPR.

The GDPR redefined data protection and the use of employee personal data for many employers, and service providers have been compelled to follow suit. The goal is to increase transparency of data processing, establish clear privacy safeguards and develop consent provisions for use of employee data.

For example, a data breach under GDPR can simply be the use of an employee’s or an individual’s information for something other than the main purpose for which it was collected, and for which the individual consented for it to be used. This can result in huge fines. The new regime in Europe has begun to impact operations in the U.S. in how they handle cross-ocean transactions and interactions with individuals in Europe.

The landscape for ensuring the data security and privacy of payroll data is ever-changing, and there is a constant need to be vigilant about staying up to date on the new technology.

Of course, keeping the data safe from hackers and other data miners seeking to steal private information from the systems you run on involves not biting on social engineering techniques (e.g., email phishing scams), which account for a high percentage of all breaches.

Payroll fraud can come in a number of ways. Using third-party applications is beneficial, so long as you can be assured those parties are applying the right procedures to lock down that data. Leveraging the right software in tandem with best-practice protocols can set you on the right path, helping you to avoid long-term damage and even prevent fraud from happening in the first place.

Payroll Service / Payroll Trends

Payroll Professionals Turn to Social Media to Evaluate Service Providers

  • A prime outlet for airing complaints in general, social media is becoming a forum for calling out the shortcomings of payroll service providers.
  • It appears no particular service provider is immune to the brickbats.
  • Payroll pros help each other to navigate selecting service providers.

As challenges for payroll pile up due to major, complex legislative changes, payroll service provider solutions are struggling to keep up and deliver at crucial times, according to user reports on social media.

For all that third-party providers do to ensure their clients’ payroll processes are efficient, accurate and timely, there remains concern. 

The complaints appear to span the entire third-party payroll provider industry, from the very reputable and well-known to the mid-size and specialty service providers.

These issues appear to range from system instability and processing delays that impact payroll delivery, to not being able to create usable reports for the employer from the data. There are instances of confusion due to updating procedures, year-end anomalies, and serious customer service problems, all aired out on Facebook, Twitter, Reddit and other platforms. 

Users of the services, when pressed, minced no words. One said: “Another 65-minute wait for a representative … I finally got a person and they couldn’t figure out the issue … Two hours wasted — payroll processing was delayed.”

Another complained about lack of sufficient support for a specific reporting issue. “When we try to fix or add something, something else ‘breaks.’ I’ve been with this company for a year now and we are on our third rep!” 

A separate service provider received similar bad comments: “Reporting is terrible and if you need something specific you pay a lot for it.”

The issues keep going: 

At year-end, employees using an earned wage access provider at one major retailer were told the option “is not available to associates from Dec 19 to Dec 31.” What a great time to not have access to the highly-touted benefit. 

On being able to generate reports, several echoed this complaint: “They ignored my report request. I had to get other departmental directors involved. We had to pay extra for these reports.”

“Unfortunately, their answer as usual was ‘system limitations’ … no follow-up, no research, no accountability,” cried another.

Many professionals discussed their own work-arounds due to system limitations.

“I keep a separate Excel spreadsheet just to make sure it’s right because even though you can see what will be accrued, it may or may not be in the EE’s (employee’s) total,” said one who posted. “Their customer service is horrible.”

“Every single time they have an upgrade over the weekend, Mondays are shot.”

Payroll pros rely on peer evaluation in selecting a provider

Often, when someone asks about a particular service provider, a few in the same thread endorse it while others pan it.

While one says, “We are using products from both systems and it’s been great!” another says, “Not user friendly at all. I would never recommend it to any of my payroll friends.”

On another thread about garnishment processing, a similar refrain has one poster saying, “We used them in the past and won’t do it again,” while another says, “The service benefits outweigh the few problems that we know of.”

And there can be more to the concerns than simply what the service provider has offered and can or cannot deliver effectively. Often large service provider systems are set up at the client by approved consultants or teams that specialize in such implementations. And implementations can go badly. For example, “My implementation specialist wasn’t very good. They really made a mess …”

Some are resigned to having to deal with shortfalls in service and delivery.

One in payroll said, “I want to switch … but I am just scared it’ll be the same thing elsewhere.” Then another seems to back that up: “I wish we hadn’t switched right now. We are at the third check into our new provider and I am so very sad.”

Others pull back completely.

“This is why I appreciate a full in-house payroll. Everything is under my control.”