Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously. Send us your responses: [email protected].
Context: Multinational corporations with hundreds of bank accounts at dozens of banks spread across the globe face some major challenges. One big pain point: efficiently tracking and updating which employees have access to online banking portals and who among those people are authorized signers.
- The challenge is twofold: Treasury has to manage whose access and authority needs to be revoked because they’re leaving the company or changing jobs—and time is of the essence. It also must ensure that the banks have updated and accurate information on signers. Much of the time they don’t.
As NeuGroup Insights reported earlier this year, many members send innumerable emails to banks to obtain data and correct inaccuracies in bank records that have not been properly updated. That has prompted some members of NeuGroup for Global Cash and Banking to form a subgroup to push banks for digital solutions and standards that will provide real-time visibility to signer data.
Member dilemma: “While we are compliant from a SOX standpoint, our IT security team is saying that there is too much of a delay between when someone leaves the company and when their bank portal access is removed. They are asking that portal access be removed same day.
- “Currently, treasury has no visibility to when someone leaves the company. We rely on a quarterly user audit for removing user access.
- “The way I think about this: either the manager of the employee leaving would need to notify treasury so that access could be manually removed; or we somehow restrict all portal access so it can’t be reached without being on our VPN or coming from a company IP address.”
Member question: “Do any companies restrict bank portal access via a requirement to be on your VPN or a company IP address? If so, how did you go about enforcing this? I would appreciate any feedback on how we could either restrict user access or better improve our current process.”
Peer answer 1: “Regarding visibility upon separation, we leverage a tool called IdentityIQ (IIQ) that is linked to our HR system and will flag folks for review both if they have a job role change or if there is a departure. This is on many key access and systems, not limited to treasury systems.”
Peer answer 2: “Our bank portal admin group receives a list from Workday listing all departing employees each day. We compare that list to the list of portal users and initiate removals as needed. We are working on automating the process so that we only receive the report when one of the users on our portal list leaves the company.
- “We have been doing this for a few years; we had the same concerns regarding employees with hard tokens that had left the company.”
Peer answer 3: “Our employee directory is linked to our access request system such that a departing employee will trigger a ticket to remove all their access. Role changes are only addressed through a periodic user access review conducted by the admin team, with email sent to each user’s manager.”
Peer answer 4: “We do a weekly check of ‘leavers’ and ‘movers.’ More importantly, IT now realizes that this type of blanket policy is not appropriate for some third-party applications.
- “We still try to operate within the principles of the policy, but they should not be treating third-party banking applications the same way as access managed via company systems.
- “We also require one ‘inputter’ and two approvers for any payments and no one in banking has access to vendor master data so our compensating controls are also important as the risk is lower.”
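The daily leavers-and-movers reconciliation that peer answers 2 through 4 describe, written out as an added Python example; this is not code from the page or from any member’s system, and the HR feed, portal roster, field names and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample inputs (not real data): one day's HR feed of separations
# ("leaver") and role changes ("mover"), and treasury's roster of portal users.
HR_EVENTS = [
    {"emp_id": "E100", "email": "A.Lee@example.com", "event": "leaver", "effective": "2024-12-02"},
    {"emp_id": "E200", "email": "b.ng@example.com", "event": "mover", "effective": "2024-12-03"},
    {"emp_id": "E300", "email": "c.ortiz@example.com", "event": "leaver", "effective": "2024-12-03"},
]
PORTAL_USERS = [
    {"emp_id": "E100", "email": "a.lee@example.com", "bank": "Bank A", "signer": True, "token": "hard"},
    {"emp_id": "E200", "email": "b.ng@example.com", "bank": "Bank B", "signer": False, "token": "soft"},
    {"emp_id": "E400", "email": "d.kim@example.com", "bank": "Bank A", "signer": True, "token": "hard"},
]


def _match(user, by_id, by_email):
    """Match a portal user to an HR event by employee id, falling back to a
    case-normalised email because bank-side records are often keyed by email."""
    return by_id.get(user["emp_id"]) or by_email.get(user["email"].strip().lower())


def reconcile(hr_events, portal_users, today_iso, sla_days=0):
    """Emit one action per portal user who appears in the HR feed: 'remove' for
    leavers, 'review' for movers. 'overdue' is set once the effective date is
    older than the removal SLA (same day by default, as IT security asked)."""
    today = date.fromisoformat(today_iso)
    by_id = {e["emp_id"]: e for e in hr_events}
    by_email = {e["email"].strip().lower(): e for e in hr_events}
    actions = []
    for u in portal_users:
        ev = _match(u, by_id, by_email)
        if ev is None:
            continue  # not in today's feed: nothing to do for this user
        age = (today - date.fromisoformat(ev["effective"])).days
        actions.append({
            "emp_id": u["emp_id"], "bank": u["bank"],
            "action": "remove" if ev["event"] == "leaver" else "review",
            "signer": u["signer"], "hard_token": u["token"] == "hard",
            "overdue": age > sla_days,
        })
    # Work the riskiest items first: authorised signers, then hard-token
    # holders (the token cannot be disabled remotely), then anything past SLA.
    actions.sort(key=lambda a: (not a["signer"], not a["hard_token"], not a["overdue"]))
    return actions


if __name__ == "__main__":
    for a in reconcile(HR_EVENTS, PORTAL_USERS, "2024-12-03"):
        print(a)
```

Because only users present on both lists produce an action, the output is exactly the filtered report peer answer 2 is working toward: nothing when no portal user has left or moved.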
Peer answer 5: “Another idea is to always require all users to use multifactor authentication to log in to the bank portal. This would mean each user would have a soft token on their phone that they would need to use to log in.
- “Generally, IT can disable those phones remotely even if they are not collected before the employee’s last day. Of course, this will only work if everyone is issued a company phone and if each bank you work with issues a soft token, which is not the case for all companies and all banks.”
Peer answer 6: “We track all online banking users in Kyriba and have an integration to our HR system that alerts us to any users that left the company. We also require VPN for some of our online banking systems, but it hasn’t been consistently set up in the past.”
Member follow-up: “How are you enforcing the VPN piece? Or is it the bank that is blocking the user’s access if the login attempt is not coming from your IP address?”
Peer response: “The bank blocks access if it is not coming from a white-listed IP address.”
NeuGroup Insights in 2021 published a story detailing how one corporate solved the signatory problem by creating a solution using robotic process automation (RPA) and technology from ServiceNow. The result: real-time monitoring of employee movements and an automated, centralized ticketing system.
- At the time, the NeuGroup member said treasury was considering expanding use of the process for all bank portal access—not just for signatories.