Every rental business deals with inherently risky processes – none more so than handling rental payments. But while some risks are known and can be controlled, others are black swan events that can topple even the best-run businesses. Jan Davel from leading residential rental payment platform PayProp says that in 18 years of operation, one recurring type of risk has stood out to this company, and it happens to be one that business owners often don’t want to think about.
“Business owners tend to be blind-sided by the risk of internal fraud more often than not in these cases. They rely on trusted employees that are trained and upskilled in their property agencies, and they just cannot imagine that they’d ever commit fraud,” says Davel. “Sadly, it is an ever-present risk that business owners need to equip themselves against.“
Davel says that there are various ways to mitigate the risk, as follows:
1) Audit log
It is imperative to keep an automatically generated digital audit log showing every action taken by every user on company platforms. If so much as a cent is moved, it must show you when, where, and by who – and once an action has been entered into the log, it should never be able to be edited or deleted.
What to do: Invest in tools that allow you to easily check your audit log summary on a monthly basis for an overview of what actions were taken by your employees, and investigate if you see something that looks out of the ordinary. By doing this regularly, you’ll also develop a better sense of what a clean audit log should look like – making it easier to spot any transactions that are out of place.
2) Credit notes
A credit note has the same effect on a tenant’s balance as a payment, making it look as if the rent has come in, but without the actual cash flow – making it possible for fraudsters to cover their tracks. An automated invoicing system should eliminate most of the reasons why an agent might need to create a credit note, making them available only in exceptional cases.
What to do: Download the list of credit notes that were created during the course of the month and check closely for any irregularities. It is a good idea to limit credit note permissions to a few employees, and then ask them to add a detailed description to any they create. This will help you to verify the details if necessary.
3) Damage deposits
Damage deposit funds should only be used to pay for any necessary repairs after a tenant has moved out of a property, and the balance must be paid out to the tenant. However, fraudsters can attempt to take money from the damage deposit account by creating and approving false payout requests.
What to do: As a start, when a deposit is requested to be released, make sure that all balances are settled that might still be outstanding on the tenant’s statement. In addition, make sure that the beneficiary due to receive the funds is indeed the tenant and double check the underlying banking details of that tenant, or any other recipient, to make sure that the funds are being directed accordingly.
Davel says that it’s extremely important to control which users can perform which actions on the system.
“Permissions are your first and most important line of defence against internal fraud. It is good practice to limit the number of people who can create beneficiaries and update beneficiary details. Ideally, this permission should not be paired with payment approval rights – otherwise someone could create an account that they control as a new beneficiary and then authorise payments to that account with no oversight. Damage deposit payout permissions can be split in a similar way. Users should also not have the permission to create other users,” says Davel.
What to do: Check your users and permissions regularly. Your first objective is to make sure that users only have the level of access that they need to do their jobs. The second should be to make sure duties are segregated and that no single person can control a transaction from beginning to end.
5) Beneficiary verification
Are all the beneficiaries on your account genuine landlords and contractors – and are all their details up to date?
What to do: PayProp lets you verify a bank account from the beneficiary’s details page in a couple of clicks. Verifying every beneficiary is probably unnecessary, but carrying out a few random checks each month will help to preserve the integrity of your beneficiary list.
Davel says that many business owners think that internal fraud is something that happens to other people – and underestimate the risk at their own companies. In fact, the high frequency of transactions in and out of a rental agency make them an easy target, and so business owners need to be hands-on to mitigate the risk.