Payments are the lifeblood of every organisation and should be at the forefront of evaluating business resiliency risks. Yet almost half of the corporates we surveyed earlier this year said they were still working on incorporating payment processes into their business continuity plans.
Several high-profile system failures in 2024 brought home the centrality of payments in business operations. The CrowdStrike-related IT outage in July, which Microsoft estimated affected 8.5 million Windows devices, hit payment systems, banks and payroll companies worldwide, with many retailers having to resort to accepting only cash.
A week before, the Bank of England’s (BoE) CHAPS system experienced delays to some high-value and time-sensitive payments as a result of a , which impacted real-time gross settlement systems around the world. A month later, CHAPS was offline for around six hours due to a BoE internal issue around an expired certificate in its IT infrastructure.
Increased regulatory scrutiny
Regulators are also focusing attention on operational resilience in important business processes – which could include payments depending on the organisation. Regulated organisations, including banks, building societies and designated investment firms, have until 31 March 2025 to comply with the Prudential Regulation Authority’s SS1/21 regulation.
The UK watchdog is already asking organisations impacted by the regulation to reveal their plans and benchmark their progress. To get ahead, many organisations are bringing together their payment providers to conduct scenario planning for potential risk events. This consolidated approach is a good way of positioning business continuity in any organisation, whether regulated or not.
We also recommend conducting a similar exercise with internal stakeholders. The most impactful discussions we see are those where payment process issues or system failures get examined as a company-wide exercise, with every business unit that touches payments represented in the room.
A holistic approach
An organisation should look at the impact of a payment system failing on the business, as well as its customers or suppliers. Considering the balance between collecting money and making payments is important when taking a holistic business view.
While some are concerned about the cash flow impact of not receiving payments, others are more worried about missing staff or supplier payments – which becomes an interesting conversation between multiple departments.
A straw poll of the audience in a recent Bottomline webinar, entitled ‘Adopting a Robust Approach to Business Continuity’, found that the biggest concern is related to reputational damage, as well as making staff or supplier payments. Collecting money was the third most important concern.
Cases where carefully timed payments go awry can significantly impact a business’s reputation. For example, a pension provider missing pension payments could be a front-page story in the Daily Mail.
Equally important is the timeliness of staff or supplier payments, which can also affect reputation. Many organisations might be surprised at employees’ lack of tolerance for getting paid a day late, as many have scheduled their Direct Debits and other financial obligations around their pay date.
Undoubtedly, the key to a payroll bureau’s success is ensuring that it has proper contingency built in, alternative routes into payment systems and alternative payment solutions.
Depending on terms, a delay of a week or a month to make a supplier payment may be acceptable. In that scenario, a company should focus on making payroll or receiving payments when facing a payment disruption.
However, supply chains are complex, and many companies have just-in-time arrangements where the payment needs to be made before the supplier will deliver. Third parties that provide services on behalf of another company may decide not to do the work if they don’t get paid in advance. This situation is when timely supplier payments become critical.
As mentioned above, it is important that organisations bring together all the business departments that deal with payments to determine which payments are the most critical and create a priority list.
When payment systems fail
Identifying where things can go wrong is also a useful exercise. For example, the Bacs service, which has been in operation for more than 25 years, is an obvious one to assess, and there are many different scenarios and solutions to consider.
For example, what is the plan if the Bacs payment process is reliant on a smart card reader attached to an authoriser’s PC, but they can’t get into the office to authenticate and make the payments?
One solution is to shift to multi-factor authentication (MFA), where a code is sent to the authoriser’s phone. Organisations can move from direct to indirect submissions via a Bacs-approved bureau and maintain the same file submission process. In this case, the bureau handles the authentication with Bacs, while the authoriser uses MFA to authenticate and sign off the file.
Looking at the Bacs service itself, an alternative to direct credits could be Faster Payments through the Direct Corporate Access service (note: not all banks support it) or a host-to-host connection. The item limit for Direct Credits is less than £1 million for most banks but is dependent on the bank and the specific relationship.
If the whole Bacs service goes down, which can happen, there’s no viable alternative for Direct Debits. It is not possible, for example, to switch a Direct Debit to a Faster Payment. It is worth exploring whether a bank can support Direct Debit files via a host-to-host connection, which could be used in an emergency.
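The contingency routing described above (direct versus bureau submission, Faster Payments or host-to-host for Direct Credits, and the lack of an alternative for Direct Debits), together with the priority-list idea from earlier, as an added illustration that is not Bottomline's or any bank's code; the bank capabilities, the per-item limit and the priority order are assumptions:

```python
from dataclasses import dataclass

# Constructed illustration, not Bottomline's or any bank's code. The bank
# capabilities, per-item limit and priority order below are assumptions.

@dataclass
class Bank:
    faster_payments_dca: bool   # supports Direct Corporate Access for Faster Payments
    host_to_host: bool          # host-to-host connection for Direct Credit files
    host_to_host_dd: bool       # accepts Direct Debit files over host-to-host
    item_limit_gbp: int         # assumed per-item Faster Payments limit (bank-specific)

@dataclass
class Status:
    bacs_up: bool
    card_reader_ok: bool        # authoriser can reach the smart card reader

# Assumed priority: payroll first, then just-in-time supplier terms, then the rest.
PRIORITY = {"payroll": 0, "supplier_jit": 1, "supplier_standard": 2}

def route(kind, amount_gbp, bank, status):
    """Pick a contingency route for one Direct Credit or Direct Debit.
    Returns (route_name, note); route_name is None when no viable route exists."""
    if kind not in ("direct_credit", "direct_debit"):
        raise ValueError(f"unknown payment kind: {kind}")
    if status.bacs_up:
        if status.card_reader_ok:
            return "bacs_direct", "normal direct submission"
        # Indirect submission: bureau authenticates with Bacs, authoriser signs off via MFA.
        return "bacs_bureau_mfa", "card reader unavailable; submit via bureau with MFA sign-off"
    if kind == "direct_debit":
        # A Direct Debit cannot be switched to a Faster Payment.
        if bank.host_to_host_dd:
            return "host_to_host_dd", "Bacs down; emergency Direct Debit file over host-to-host"
        return None, "Bacs down and no Direct Debit alternative; escalate to priority review"
    if bank.faster_payments_dca and amount_gbp <= bank.item_limit_gbp:
        return "faster_payments_dca", "Bacs down; Faster Payment within per-item limit"
    if bank.host_to_host:
        return "host_to_host", "Bacs down; Direct Credit file over host-to-host"
    return None, "Bacs down and no Direct Credit alternative; escalate to priority review"

def plan(payments, bank, status):
    """Order a batch by business priority and attach a route to each item."""
    ordered = sorted(payments, key=lambda p: PRIORITY[p["category"]])
    return [dict(p, route=route(p["kind"], p["amount_gbp"], bank, status)[0])
            for p in ordered]
```

Items that come back with no route are the ones the cross-department priority discussion has to resolve, since no system fallback covers them.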
Fraud threat
Another angle to the CrowdStrike outage was the explosion in fraud attempts. As soon as the global IT issue happened, fraudsters took advantage of the disruption to target payment processes.
Situations where systems aren’t working and there is a heightened emotional state provide a great opportunity for criminals to perpetrate authorised push payment (APP) fraud. There are many examples of a fraudster pretending to be a senior executive, such as the CFO or CEO, relaying instructions for an urgent manual payment. In the era of deepfakes, the sophistication of these fraud attempts is increasing.
Therefore, it’s important to create a process for urgent payments in the event critical systems break down. Everyone in the business needs to understand what the process is, from top to bottom.
If it’s a legitimate call from the CFO to make an urgent payment and they’ve not followed the process, then they should expect to be denied.