The Reputational Risk You Don't Know About – And What You Can Do About It
As gatekeepers of confidential employee information, HR and payroll departments play an important role when it comes to employees applying for personal financial accommodation, such as a credit card, mortgage, or loan. Done well, you're seen to help your employees realise their goals. Done badly, you may be seen as a source of delay and can open a world of risk for your employees and your company.
A critical task of HR and payroll departments is to provide employee income information to lenders when their employees apply for finance. Lenders will typically seek out information through a phone call or by email to help them verify your employee's income claims and help them with the application approval process.
The way your company sets itself up to handle these requests for employment income data can increase the chances of employee data theft (including internal employee data misuse) and inadvertent data disclosures and, consequently, impact your business reputation. Unsafe data access and transmission practices can expose personal information to unauthorised third parties who can use this information for cyber-crime. The challenge for many HR departments is a lack of awareness of the risks involved when sharing this information and how they may be mitigated.
Risks with common HR practices
Some common HR practices that can increase the risk of cyber-crime for your organisation and its employees include:
'Self-serve' downloading of payslips
Once an employee downloads their payslips, the employer has no visibility of what the employee may do with that information. Your processes should not be seen to facilitate fraud. According to a UBS survey, 41% of loan applications contain factual inaccuracies, with tampered payslips with overstated income one of the most common.
'Self-serve' downloading of payslips - unauthorised access
'Self-serve' access to HR data allows payslips to be printed, scanned, or emailed by your employee or a person posing as that employee. This increases the risk of employee personal information being exposed (both internally and externally) and identities being stolen. According to a recent PwC survey, 37% of respondents experienced fraud which originated from within the respondent's own organisation.
Answering verification enquiries
If a lender calls to verify an employee's income details with your company, your processes must address how HR or payroll staff screen those enquiries. Without your own verification process in place, you have no way of knowing if the person requesting information is who they say they are - even if your employee has told you to expect a call. Lack of adequate controls may lead to inadvertent disclosure (a data breach), inadequate employee consent to the actual information then disclosed (also a data breach), and related mismanagement of requests.
The impact of employee data theft
Employee payroll information is an attractive target for threat actors, and insecure data transmission practices increase the risk of information being stolen. Cyber-crime can have significant financial and emotional impacts on victims. It can add considerable financial stress, take months or years to resolve, and leave victims - here, your employees - feeling vulnerable and betrayed.
Reputational risks for your company
For an employer, cyber-crime can obviously have implications for your reputation, particularly if your data handling practices aren't safe and secure. This can manifest itself in longer-term implications for your company, affecting your ability to attract talent and customers and to build loyalty. Both your company's actions and the experiences of your employees impact your reputation, so it's important to consider both in your current processes.
A fee-free and safe alternative
The good news is that there is a safe and secure way to transfer employee income information to third parties when your employee wants it – it's easy to implement, it's set-and-forget, and it's free of charge to you.
Equifax Verification Exchange® is a risk and data protection solution for the verification of employment income that streamlines and automates the verification process for employers. It is FEE-FREE for employers. It will:
- take all employment income verification enquiries from identified Verifiers (such as credit providers) on behalf of an employer
- require an explicit consent to be captured from your employee before providing any information to that Verifier
- provide the Verifier with only relevant information for that individual through a secure on-line environment.
With globally recognised standards in security and data management, Equifax Verification Exchange is able to help reduce the risk of your employees' information being accessed fraudulently by both internal and external threat actors. With ISO 27001 and SOC 2 Security Certification, the Verification Exchange has the safeguards in place to assure security of employee payroll data while conducting verifications. Any Verifier, such as a third-party financial services provider, who is requesting to verify your employee's employment income is credentialed, and the data is accessed and shared only after your employee provides their explicit consent. With Verification Exchange, you can confidently enable your employees' employment income information to be shared securely and help minimise the risk to your organisation's reputation.
By removing data handling risks and providing a safer way to share employment income data, Verification Exchange also gives employers the opportunity to future-proof for expected outcomes from the current Online Privacy Bill proposal and Privacy Act Review. Those changes are expected to roll out as legislation over the next 1 to 3 years and to better align the Australian privacy environment to European standards.
How does it work?
Concerned about the risks of employee data theft, internal employee data misuse and business reputation damage?
Talk to us to learn more about how Equifax Verification Exchange can help.