Payroll Integrity and Fraud Protection: A Shared Responsibility

what to do when you receive a wage garnishment

Payroll is the most central personal issue for working Americans as well as what drives business and powers the economy. 

Payroll is the most central personal issue for working Americans as well as what drives business and powers the economy.

As a provider processing billions of dollars in payroll for small and mid-sized businesses each year, Zenefits is committed to the integrity and security of that payroll. Our organization is hyper-focused on protecting payroll from externally-generated fraud as well as occasional bad actors who come from inside a customer’s business. In addition, we continually educate our team and our customers on human errors that can result in fraud, such as insecure passwords, etc.

Zenefits helps customers ensure reliable payroll for their employees across three levels:

  1. Product design
  2. Banking partner selection and compliance
  3. New customer and partner due diligence

We have developed — and continually enhance — our product level security, our fraud protection expertise, and our monitoring capabilities. Simultaneously, customers and individuals should work to stay informed, be proactive, stay diligent, and take an active role to create the strongest foundation for pay integrity and the security of their accounts.

In my role at Zenefits managing cash operations and payroll risk management, I am often asked about best practices to help ensure payroll integrity and protect against fraud.

Following is a summary of the tools, processes, and expertise Zenefits deploys to keep and secure our customers’ payroll integrity. And, of equal importance, we offer the roles and actions your company and employees should take to ensure all of your data is safe, no matter what software system it is housed in.

The best fraud protection comes from companies, their teams and their technology vendors uniting to be vigilant in ensuring payroll integrity.

PRODUCT DESIGN

What Zenefits Does

By considering and integrating security principles at each stage of our product design & software development lifecycle, Zenefits can introduce stable, secure, and resilient products that keep pace with changing regulations and new attacks.

Our platform is built and maintained to industry standards. We leverage encryption while data is in transit and in rest. Access to our production environment is tightly controlled. Changes follow a rigorous change control process that includes testing and signoff gates.

Zenefits conducts regular independent assessments to validate the efficacy and consistency of the control environment we have designed and implemented to protect our customers from fraud.

What Business Owners Can Do

  1. Take the time to understand where critical information exists within your organization (this may be on systems you control like laptops and network storage, or in SaaS systems like Zenefits).
  2. Once you have an inventory of critical data, take time to validate who can access and update this information. Within Zenefits, you can control access to sensitive information by using the granular administrator permissions within the platform.
  3. Enable Multi-factor Authentication for critical systems such as email, document sharing, HR, and financial systems.
  4. Require all of your users and administrators to use their own accounts – don’t share passwords or accounts.
  5. Speak with your employees about the importance of reporting system malfunction and error messages as they can be the first indication of a larger problem.
  6. Speak with your technology providers about the measures they employ to protect your data and keep your employees (and your business) safe.

What Individuals Can Do

  1. Keep your accounts secure by using a unique password that isn’t easily guessable and doesn’t use dictionary words. Passwords should be at least eight characters long; you will gain more protection from attacks by using a longer password. Change your password immediately if you think it may have been stolen (e.g. you receive login codes when you haven’t attempted to login) or you don’t recognize changes made in the application.
  2. Use two-factor authentication wherever possible, particularly on critical systems, like Zenefits, and email. Remember, Zenefits will never call and ask for your password or your two-step login code.
  3. Take care when downloading information and when sharing information with others. Cyber attacks can start as an email “phish” that includes an attachment or download link. These emails are often timed / themed around recent events, may include personal information gained from social media sites, and will often have an urgent tone. If you’re not sure an email is legitimate, contact the sender via another means (phone or in-person).
  4. Don’t download sensitive data (i.e. health / financial data) on public or shared computers. When you download sensitive data to your personal computer, be sure to delete temporary copies when it is no longer needed (i.e. in your downloads folder). Always double-check all email addresses carefully before sharing sensitive data.

BANKING PARTNER SELECTION & COMPLIANCE

What Zenefits Does

Most of Zenefits payroll is handled through ACH transactions utilizing two banking partners. ACH is a system that allows financial institutions to push and pull funds to and from checking accounts between banks. Zenefits does not use any other 3rd parties to conduct these transactions. Zenefits creates ACH files and securely delivers those files to our banks and those files are then sent to reserve banks or the Fed. As an ACH operator, the Reserve Banks receive files of ACH payments from originating depository financial institutions (our banking partners), edit and sort the payments, deliver the payments to receiving depository financial institutions (our clients), and settle the payments by crediting and debiting the depository financial institutions’ settlement accounts. This is done under the regulatory guides of NACHA. 

In turn, in accordance with Federal Regulated Banking Guidelines, we work with our banking partners to identify and prohibit implementation of and cease transaction processing for customers engaged in any of the following business types or activities:

  • Illegal activity as directed by federal, state, or other local jurisdictions
  • Gambling
  • Payment for debt that is uncollectible
  • Illegal drugs or drug paraphernalia (real or synthetic)
  • Adult content or services (escort, pornography)
  • Technology developed to weaken industry security controls
  • Unregulated digital currency (unlicensed money transmitters, exchangers, ATMs.

This also applies to individuals who have been identified as violating any U.S. economic sanctions, trade sanctions or national security goals against targeted foreign countries, regimes, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction.  Zenefits will ensure that all customers are screened for inclusion on the Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List (SDN) and other watch lists prior to onboarding and annually, thereafter. Additionally, Zenefits will not allow Zenefits employees included on any U.S. Sanctions List to execute payroll related transactions.

Compliance

We maintain full compliance with local, state and federal pay compliance in our software security and practices.

Zenefits ensures we are in federal compliance with OFAC (Office of Foreign Asset Control) regulations, BSA (Bank Secrecy Act), and SDN (Specially Designated National and Blocked Persons List) by verifying all clients coming on board, and routinely checking all clients throughout the year.

What Business Can Do

Companies running payroll should remain vigilant and think before you click. Be aware of phishing scams and audit internal changes to ensure that bank accounts are not changed by threat actors.

Set-up a process that requires two administrators to confirm before significant payroll changes can be made. Use these conversations to talk about how your organization should implement and handle anti-fraud controls.

What Individuals Can Do

Audit your personal information to ensure it hasn’t been changed without your consent. Think before you click and be aware of phishing scams.  Respond quickly if you receive a notification that your information has been changed or if you account has been accessed in a way you don’t recognize.

NEW CUSTOMER, PARTNER, SUPPLIER DUE DILIGENCE

What Zenefits Does

Our practice is to know our customers, partners and suppliers at the point of sale or partnership. This is meant to protect our customers and our own company by keeping out potentially bad actors. But before we get to that, we do careful due diligence around prospective customers, partners and suppliers before accepting them into our ecosystem including:

  • Business identification (legal business name, legal physical address, phone number, email address)
  • EIN (Employer Identification Number)
  • Ownership disclosure
  • Anticipated business activity
  • NAICS Code (North American Industry Classification System)
  • Risk rating (based on credit check and other factors)
  • Sanctions screening results
  • Employee identification (name, address, phone number, email address)

What Business Can Do

Know the questions you should ask your software providers to ensure they are taking all the correct pre-emptive measures for vetting new customers, partners and suppliers.

What Individuals Can Do

Know what you should ask your employer about software vendor security. Ask questions and tell your payroll administrator if you see something strange or different than your normal expectations.

Summary

Payroll integrity and fraud protection is a shared responsibility. When vendors, companies and employees become stewards of payroll through better informed vigilance and action, we substantially limit room for issues.

Share This