Cash Strategy
Cash Handling Guidelines - Dec 2015 CONTENTS 1
INTRODUCTION
2
CASH INCOME HANDLING
3
GUIDELINES FOR HANDLING CASH
4
BASIC SECURITY
5
COUNTERFEIT BANKNOTES
6
FRAUD & FINANCIAL IRREGULARATIES
7
MONEY LAUNDERING
8
PROTECTING AND HANDLING CREDIT CARD DATA
9
FURTHER INFORMATION
Cash Strategy 1. Introduction 1.1.
Total University income is approximately £800M which in the main consists of grants, tuition fees and commercially invoiced debt. This will generally be collected by on-line payments, cheque, direct credit transfer, credit / debit card receipts, and direct debit. However there are occasions where there will inevitably be receipts in cash.
1.2.
The majority of the receipting occurs within the central cashier function in the John Owens building on Oxford Road however there are also ongoing collections of other income in many parts of the University. Other income covers a wide range of activities including residence fees, catering, car park income, photocopying charges, library fines etc… Much of this income will be received in remote locations by staff whose responsibilities lie primarily outside the finance function and therefore receipting of this income will form only a very small part of their duties.
1.3.
This paper will highlight the areas in which the University is exposed to any risks associated with “cash” handling and will put the controls in place to ensure that these risks are controlled effectively so as to reduce the University’s exposure.
1.4.
For the context of this paper “cash” is taken to cover all methods of payment including cheques and credit cards.
Financial regulations and procedures The Financial Regulations set out the principles of financial management and control and they are supported by the Financial Procedures which detail the operational application of these principles. All members of the University are required to comply with the Financial Regulations and Procedures. This includes all staff (including holders of honorary contracts), students and other associated individuals (e.g. lay members of the Board). Failure to do so may result in appropriate action under the University’s disciplinary procedures. Cases of fraud, theft and other serious misconduct may also be reported to the Police. Heads of School and all other budget holders must ensure that all relevant staff are made aware of the existence and contents of the Financial Regulations and Procedures, and that staff with financial responsibility are acquainted with their detail. The Financial Regulations and Financial Procedures apply to the University and all its subsidiary undertakings (including wholly owned subsidiary companies) and to all funds, irrespective of their source, passing through University accounts. Financial Regulations Financial Procedures Page 2
Cash Strategy 2. Cash Income Handling 2.1.
The importance of following proper cash handling procedures cannot be stressed too highly. Following good practice greatly reduces the risk to the University of cash going missing, and provides protection for staff not only from the risk of violence and assault should there be a robbery, but also protection to an individual should there be any apparent loss of funds within a cash handling location.
2.2.
Incidents of loss of money must be reported to the Police, the University Security Office (Tel 0161-306-9966 internal 69966) the Director of Finance via the Income Office Manager and the Insurance Office. The Police will provide a crime reference number that the insurers will require to proceed with the claim. The insurers require to be notified of any loss within seven days of it being detected. For a claim form, to be completed and returned to the Insurance Office, visit
•
RSA Property Claim Form (doc)
Page 3
Cash Strategy 3. Guidelines for the handling of Cash 3.1.
University schools collect cash from many different sources (e.g. students, external customers, etc) and for many different reasons (e.g. sale of photocopying, provision of printing service, etc). The following procedures can be used as a guide for the control, receipt and banking of miscellaneous cash.
3.2.
Each school should centralise the collection of cash, a minimum of two people within the department should be responsible for handling cash.
3.3.
All cash and petty cash floats should be held securely, either in a till, or in a locked cash box at all times. In the latter case, the cashbox should be kept out of sight at all times in a locked cabinet or drawer. When cash has to be held in an office for any length of time, it should be stored in a safe, wherever that facility is available.
3.4.
Where departments use tills to collect and store cash throughout the day, then further more detailed guidance is available upon request from the Income Office Manager.
3.5.
All cash income should be held intact. Under no circumstances should deductions be made, or personal or other cheques be cashed from any cash collected on behalf of the University.
3.6.
Keys to the till, cashbox, or safe, should be given to a designated person, who should keep the keys secure and ensure that they are not left unsecured in the office overnight. All cash drawers must be kept locked when not in use by the designated cashier’s officer. Sensible precautions should be taken to ensure that any room in which cash is regularly stored is locked when unoccupied.
3.7.
Where cash is being counted by staff, this should be done out of sight.
3.8.
All staff members responsible for collecting cash should issue a receipt and a copy should be retained as a record supporting daily cash collected in every circumstance.
3.9.
All departments should reconcile cash received to supporting records on a daily basis, someone other than the person responsible for cash collection should complete this reconciliation.
3.10.
Either on a weekly or a daily basis, (influenced by the sums involved), the department should prepare the cash to be deposited with the Income Office or sent via the Security company. Ideally, someone other than the person responsible for reconciling should complete this task. Failing that however, in order to ensure segregation of duties, another member of staff should check that the cash collected agrees with supporting records, e.g. duplicate receipts / till control totals, and to the pay in documentation submitted with the cash collected to the Finance Income Office.
3.11.
Members of staff involved in the cashing up process should countersign the reconciliation.
Page 4
Cash Strategy 3.12.
The original reconciliation document, e.g., a memo detailing the breakdown of the sales, should be copied and the copy should be retained as the departmental record.
3.13.
The original reconciliation document plus the cash should be placed in a secure cash bag and taken to the Income Office or banked as soon as is practical by a member of the Security Company.
3.14.
The overriding principle is that, in order to achieve an adequate segregation of duties and to reduce risk, it is necessary to ensure that no one individual is responsible for all activities in this area.
3.15.
Where cash handling is undertaken in a remote location and segregation of duties is not possible i.e. in a location with only one employee then a risk assessment will be undertaken by the Income Office Manager based on the volumes of cash received to establish whether to retain the location or transfer all cash handling to the Central Income Office.
3.16.
All locations where cash is kept are subject to insurance limits as follows: 3.16.1. 3.16.2. 3.16.3.
£1000.00 or under
- Lockable drawer or cabinet
£1,000+
- In a safe
Over £2,500
- In a safe named on the insurance policy
3.17.
It will be normal for payments for goods and services provided by schools to be sent direct to the Income Office in the Finance Directorate. However if cheques, cash and postal orders etc are sent to schools they must be recorded and then forwarded immediately to the Income Office, unless the area concerned (such as the Refectory, Library and Halls of Residence) is responsible for its own banking.
3.18.
School records of income received directly by the school must include: date income received; 3.18.2. payer; 3.18.3. if the payment was made by cash, cheque or debit or credit card; 3.18.4. cheque number etc, (if relevant); 3.18.5. amount; 3.18.6. invoice number (or, if no invoice was issued, the nature of the goods or services provided); 3.18.7. the date that payment was forwarded to the Income Office 3.18.1.
3.19.
Cheques, postal orders and similar payment methods may be forwarded by post. Cash payments must not be sent through the post.
3.20.
Delays in crediting income received to a school’s account can be avoided by ensuring that all payments forwarded to the Income Office include the appropriate remittance advice slip.
3.21.
Receipts cannot be issued for large batches of cheques delivered to the Income Office by hand. (This would be a very time-consuming process and Page 5
Cash Strategy would disrupt the level of service the staff in the Income Office could provide to other customers). Where cheques represent sales ledger receipts schools will already have been credited with the income and it is not considered essential that a receipt needs to be issued. 3.22.
3.23.
Schools are responsible for ensuring that any cash they accept is legal tender (please also see section 8 on Counterfeit Banknotes). Where possible, schools should direct individuals wishing to settle debts in cash to the Income Office, in the John Owens Building. Where other areas have the facility to accept cash they must issue a receipt. The receipt must include the following information: 3.23.1. invoice number (or, if no invoice was issued, the nature of the goods or services provided); 3.23.2. payer; 3.23.3. date payment received; 3.23.4. if the payment was made by cash, cheque or debit or credit card; 3.23.5. the amount
3.24.
A copy of the receipt must be retained for school records. In all cases the member of staff who accepts the cash payment must sign the receipt. Insurance limits on the holding/transport of cash must not be exceeded.
3.25.
Any cash which cannot be handed into the Income Office in any given working day must be held by the school in a lockable container or safe. Staff should be aware that the University has insurance cover for holding cash of up to £1,000 in a locked drawer or cabinet. Cash held which exceeds this limit must be deposited in a safe. Where more than £2,500 in cash is held in a safe details must be provided to the University’s insurers. (See Section 6 Safes for more information).
3.26.
The University’s insurance policy stipulates that in moving cash across the campus or other buildings that 3.26.1. a minimum of one able bodied person is required to transport amounts of cash up to £2,000 in total; 3.26.2. a minimum of two able bodied people are required to transport cash amounts between £2,000 and £5,000; and, 3.26.3. a minimum of three able bodied people are required for cash amounts above £5,000.
3.27.
Where a school, residence or other unit receives credit and/or debit card payments, all copy vouchers, audit sheets and similar documents must be shredded and disposed of as confidential waste immediately after balancing.
3.28.
Instructions from companies providing credit/debit card payment terminals must be complied with. The terminals must be kept securely at all times.
Page 6
Cash Strategy 4. Basic Security 4.1.
Managers in Schools and elsewhere should be aware of all locations within their area where cash is received or held. It is helpful to review these regularly and to consider if they are all in fact necessary. Generally, many errors occur where members of staff who have other duties are required to handle cash on an occasional basis. It is often best if cash handling can be focussed on one or two staff that can develop the expertise required.
4.2.
Managers must make clear to staff that they are accountable for cash and cheques under their control, and are responsible for ensuring that monies are held securely at all times. No other staff should have access to these monies not even for brief periods. Cash should never be left unattended for however short a period of time.
4.3.
When cash is physically transferred between officers, the monies handed over should be counted and checked at the time of the transfer and a discharge signature obtained from the recipient. During this process, the monies should be checked and agreed in the presence of both officers.
Page 7
Cash Strategy 5. Counterfeit Banknotes 5.1.
There are forged bank notes in general circulation and the University can incur losses through the acceptance of counterfeit bank notes. These tend to be mainly £10 and £20 notes but other denominations may be found.
5.2.
A number of simple checks can be carried out by staff when bank notes are tendered for payment. These are detailed in a leaflet issued by the Bank of England entitled “Know your Bank Notes”. This information is also available on the Bank of England’s website at http:/www.bankofengland.co.uk/banknotes
5.3.
Staff should exercise vigilance when accepting bank notes. In the event of a counterfeit bank note being detected when it is tendered for payment, the strict legal position is that the note should not be passed back to the person tendering it - the counterfeit note should be retained by the officer and the incident reported to the police. It is a serious crime to deliberately tender a forged note.
5.4.
Receipts for payment should not be issued until bank notes have been examined and confirmed as being genuine, as identification of a counterfeit note after receipting will result in the University having to bear the loss.
5.5.
Two methods to detect counterfeit bank notes are ultra violet detector lights and detector pens. The detector pen provides a cheap and effective means of safeguarding against counterfeit bank notes. The note is marked on either face by the pen. If it is a forgery then a dark mark will appear. If it is genuine, no visible change will occur. These pens are inexpensive and can be obtained easily.
5.6.
Under an ultra violet detector light a counterfeit note will normally appear to glow with a fluorescent blue colour, whereas a genuine note will not change colour or texture. However, this method is not foolproof as some counterfeit notes are capable of passing this examination.
Page 8
Cash Strategy 6. Fraud and Financial Irregularities 6.1.
The Registrar and Secretary is responsible for investigating any matters involving irregularities or suspected irregularities in the exercise of activities of the University. On financial matters such as suspected fraud concerning cash, stores or other property, the responsibility exercised by the Registrar and Secretary may be delegated to the Director of Finance who will take appropriate steps to involve the internal auditors, or where appropriate, other investigatory bodies, to undertake investigations and to forward such reports to the Audit Committee who oversee the University’s policy on such matters.
6.2.
The Director of Finance should be informed, as soon as is practical, of any irregularity or suspected irregularity concerning financial matters such as fraud involving cash, stores, property, money laundering and other financial malpractice.
6.3.
The Director of Finance is responsible for setting up such investigations and will involve the internal auditor and other relevant staff, and, if necessary contact external agencies such as the HEFCE and the Police.
6.4.
The report that is produced from the investigations that are undertaken will be forwarded to the Registrar and Secretary who will take such steps as are necessary to pursue the matter. This may, if any investigation confirms the irregularity, involve the commencement of action under the University's disciplinary procedures.
Page 9
Cash Strategy 7. Money Laundering 7.1.
The University shall comply at all times with the Proceeds of Crime Act (2002) and any other regulations on suspected money laundering. Should staff have cause to suspect that any transaction with the University may be a cover for such activity, they must inform the Director of Finance without delay. Money laundering is defined as any transaction which involves handling the proceeds of crime. Care should be taken to guard against the misuse of University transactions for money laundering. This occurs when circular or disguised transactions take place to allow illegally gained funds to be laundered through a legitimate business to disguise their origin.
7.2.
Possible signs of money laundering include: 7.2.1. A person or company makes a large cash payment to the University, but fails to provide proper evidence to confirm their identity and address 7.2.2. A person or company doing business with the University lacks proper paperwork. (Examples may include invoices that exclude VAT, fail to quote a VAT number or invoices issued by a limited company that lack the company’s registered office and number. Such information can be verified on the Companies House website, www.companieshouse.gov.uk) 7.2.3. A person or company attempts to engage in “circular transactions”, where a payment to the University is followed by an attempt to obtain a refund from the University’s accounts. (This may occur where a student pays a significant sum in fees, and then withdraws and seeks a refund) 7.2.4. Unusual or unexpected large payments are made into the University’s accounts.
Please note that the list above is not exclusive, and money laundering takes many forms 7.3.
The Director of Finance shall report all suspected incidents of money laundering to the competent authorities. Under the Proceeds of Crime Act, this requires a Suspicious Activity Report to be forwarded to the National Criminal Intelligence Service.
Page 10
Cash Strategy 8. Protecting and Handling Credit Card Data. Protecting Credit Card Data As you may have seen on StaffNet the University is embarking on a project to become Payment Card Industry Data Security Standard (PCI DSS) compliant. The objective of the standard is to reduce the risk of our customers' card data getting into the wrong hands. Since 2004, PCI DSS compliance has been progressively rolled out internationally, with a target for all UK Universities to be fully compliant by the end of 2016. The standard was put in place to ensure that businesses storing, transmitting or processing card data are not putting their customers or their businesses at risk of data theft and fraud. One way to avoid handling card data in the first instance is to use the University E-store http://estore.manchester.ac.uk/ which is hosted by a compliant provider and payments can be made to the University securely. PCI DSS has been set up by Visa, Master Card and other providers as a compliance standard, it is not law but is a contractual obligation which can be applied and enforced by fines and other restrictions (removal of ability to transact card payments) - directly by the payment providers themselves. Penalties for not complying with PCI DSS range from an increase in security auditing, to facing an unlimited amount of fines, and most significantly losing the ability to process card transactions altogether, imagine this happening during Registration the immediate risk would be cashflow, closely followed by reputational loss and impact on student recruitment.
What data thieves are after The object of desire is cardholder data. By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity. Sensitive cardholder data can be stolen from many places: • • • • •
Compromised card reader Paper stored in a filing cabinet Data in a payment system database Hidden camera recording entry of authentication data Secret tap into your store’s wireless or wired network
Page 11
Cash Strategy Any unsolicited card details that are received and any card details that are located on old records must be shredded and disposed of as confidential waste immediately. Computerised records must be fully deleted and non-recoverable. The University accepts payments by credit or debit cards through three methods: •
Through the On-line Shop system, where the customer enters their card details on their own computer; or
•
Where a customer gives their card details to a member of the Credit Control staff over the telephone, and the details are immediately entered onto the University’s computerised income system. This system makes the payments but does not retain card numbers and other sensitive information; or
•
By use of an electronic point of sale (PDQ) terminal.
Instructions from companies providing credit/debit card payment terminals must be complied with. The terminals must be kept securely at all times, and must be checked regularly to ensure no unauthorised hardware has been installed. INTERNET PAYMENTS All systems for receiving payments over the internet or via other electronic systems must be approved by the Director of Finance. The internet payment systems must comply with accepted standards for security, data protection, prevention of money laundering and ensure the existence of a full audit trail. CARDHOLDER NOT PRESENT PAYMENTS To comply with regulations on data protection, the University no longer permits Schools, Residences or other Units to receive and manually record “cardholder not present” credit or debit card payments. (These payments required the card-holder to give their card details on a form, over the telephone or by fax. These were recorded for completion later using a card terminal in the Income Office). Such information, if lost or misappropriated, could be used to facilitate fraud. The University may be liable to pay substantial damages in such circumstances and could also face action under the Data Protection laws and the Payment Card Industry (PCI) Data Security Standards (DSS). Credit or debit card details must not be recorded, copied or noted in any way. This covers both paper and electronic records. Disciplinary action may be taken against staff who breach this rule.
Page 12
Cash Strategy University E-Store As you may be aware the University has an online store that is used for selling conferences, products, short courses and events. This is a secure store that reduces the administrative time involved in selling products and conferences within the University as the store handles all the payments and provides reports of activity. The store has now been live since May 2010 and has taken £25m of payments representing around 146,000 transactions (an estimated saving of £2m in admin costs)*. Some highlights of the store include: • • •
106,000 products 19,000 delegate places sold from 380 conferences 21,000 short course sales from 1700 courses
Please visit http://estore.manchester.ac.uk/ and have a look around. (* Based on a University of Birmingham study, which shows an average saving of £15.00 per transaction in administration costs, when customers pay on-line)
Page 13
Cash Strategy 9. FURTHER INFORMATION Income Office Manager – Dave Taylor – 52120 – david.taylor-1@manchester.ac.uk Head of Transactional Services – Michelle Bailey – 58852 – michelle.bailey@manchester.ac.uk Internal Control Accountant – Laurence Clarke – 52139 laurence.a.clarke@manchester.ac.uk Security Manager – Gary Rowe – 52304 – gary.rowe@manchester.ac.uk Full versions of the University’s Financial Regulations and Financial Procedures may be found on the Finance Directorate Intranet Site: www.campus.manchester.ac.uk/finance
Page 14