What controls would you put in place to prevent payment fraud, including business email compromise (CEO/CFO fraud)?
A core Corporate Treasury interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
Layered controls. Process: segregation of duties (initiator ≠ approver), four-eyes/dual authorization on payments, and payment limits by user. Master data: lock supplier bank-detail changes behind a verified call-back to a known number — most BEC attacks just change the IBAN on a real invoice. Technology: payment-factory/host-to-host with standardized formats, sanctions/IBAN validation, and anomaly detection on unusual amounts, new beneficiaries, or off-pattern timing. People: training to recognize urgency-and-secrecy social engineering, and a rule that 'urgent, confidential, change-the-account' requests are always verified out-of-band. Finally, no exceptions for senior executives — CEO-fraud works precisely by pressuring staff to bypass the controls.
WHAT INTERVIEWERS LISTEN FOR
- ✓Segregation of duties + four-eyes authorization
- ✓Verified call-back for bank-detail changes (BEC defense)
- ✓Payment factory with validation/anomaly detection
- ✓Training; no control bypass for executives
COMMON MISTAKES
- ✗Allowing IBAN changes on email alone
- ✗Exempting senior management from controls
- ✗Relying on technology with no process controls
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- What does a corporate treasurer do?
- Explain a letter of credit and how it works.
- How do you manage bank relationships?
- How do you handle a SWIFT outage?
- How do you benchmark bank fees?
- What conditions must be met to offset (net) cash balances in notional pooling on the balance sheet, and why does it matter?