Digital Gifts to Churches - Developing Controls to Avoid Fraud

Many organizations have implemented online systems to allow an easy and convenient way of giving for its members. The following article discusses important control steps to be taken in order to prevent digital fraud. It was written by Dan Busby, President of the Evangelical Council for Financial Accountability (ECFA), and is based on an upcoming piece from Christianity Today.

Gifts are flooding in through churches' websites and other portals as givers use debit and credit cards, ACH (Automated Clearing House) debits to their bank accounts, electronic checks, charges to their cellular accounts, and even virtual currency using a variety of devices including their computers, tablets, and smart phones as well as giving kiosks placed in churches.

1. It is vital for church to take adequate control steps to avoid digital fraud. Preventing digital theft of contributions to churches requires strong stewardship controls in three key areas:

A. The payment processor relationship. Digital giving controls start with the arrangement between the church and the payment processor(s).

B. Establishing a payment processor relationship. While one person must initially establish an account with each payment processor, multiple staff should verify the initial set-up, including a high-ranking church staffer.

C. Authorizing changes to payment processor accounts. After initially establishing a payment processor relationship, changes to the account routing number should be limited to high-ranking church staff, none of whom participate in the reconciliation of digital funds or have access to the giver management system.

D. Notification of changes to payment processor accounts. Each payment processor should be requested to immediately notify a high-ranking church leader of any change to the bank routing information. If the processor will not commit to complying with this request, strong alternative controls should be used. For example, periodic surprise tests should be made of each payment processor account to insure the appropriate bank routing information is being used.

E. The payment processor's internal controls. How do you evaluate the quality of the internal controls employed by your payment-processing vendor? Only by insisting they have a SSAE 16 Type 2 (also commonly referred to as a SOC 1 Type 2) report issued by an independent auditing firm covering their internal controls. The processor is undoubtedly PCIDSS-compliant—that's required by law. But that isn't enough—hold firm in requiring a SOC 1 Type 2 report with a favorable opinion regarding the organization's internal control over processing of transactions.

F. Distribution of payment processor transaction reports. All payment processor transaction monthly reports should be received by a high-ranking church leader, in addition to a staff member more directly involved with the transactions. These reports reflect which routing number was used and provides another oversight step in the digital giving arena.

2. Reconciling of digital giving accounts. Examination of digital gifts to churches starts with the following reconciliations, reviewed by a high-ranking church official:

A. Bank accounts to payment processor transaction reports. This reconciliation ensures that all digital gifts were deposited in the appropriate bank account (digital gifts will be separately identified in the bank statements).

B. Giving records to payment processor transaction reports. This reconciliation verifies that all digital gifts are recorded in the giver manage¬ment system (this is in addition to verifying that all non-digital gifts are recorded).

C. Giving records to bank accounts. This reconciliation verifies that all digital gifts deposited into bank accounts are reflected in the giving records. Rodney Ross, Giving Experience Director with LifeChurch.tv, says their Giving Experience team reconciles the giving records to each payment processor on a weekly basis. The Finance team reconciles the giving records to the bank accounts monthly.

Limiting access to giving systems. Access to the giving platform, payment processors, and the giving management system should be limited to heighten security. Rodney Ross explained, "Our finance team members have read-only access to our payment processors and no access to the online giving platform.

The Giving Experience team has readonly access to our online giving platform and no access to the bank accounts. Access to each system is limited, with a record of who did what, when, based on logins. Various permission levels also restrict what each individual is able to do within each system." Whether your church is large or small, if you offer digital giving opportunities to your congregation, commit to provide the necessary oversight to ensure proper stewardship over the resources God provides.

By Dan Busby, President, ECFA