Microsoft’s banking structure is extremely complex. The company has centralized most treasury functions, but about 2,000 individual users in more than 400 entities around the world require access to the online banking portals of 60 different financial institutions.
“We do business in 191 countries and have a local finance team in 118 of those,” explains Vinni Dang, senior treasury manager for Microsoft. “Some of these teams are responsible for payroll. Some are responsible for local statutory and tax payments. Some process vendor payments or handle reconciliation. The finance team typically needs to log into a banking portal to perform these transactions.”
Managing which users have permissions on each account used to be challenging—but it was also crucially important. “These bank accounts support $18 billion in monthly cash flows,” Dang says. “There is large financial exposure, so it is important to prevent anyone from gaining unauthorized access. Each local team had a security administrator who managed which users had access, but they all had their own governance models for online banking access.”
In most locales, when a new user needed access to bank account information, he or she would have to figure out who the local security administrator was, then email that person to request access to the bank’s portal. The security administrator, in turn, would have to determine whether the requested access was appropriate. Assuming so, the security administrator would grant the individual permission to access the portal.
“This was happening in our 400 subsidiaries in an inconsistent manner, and it was typically a very slow, manual process,” Dang says. “Also, the 400 security administrators had other roles as well; some were even the country managers and regional controllers. It was a waste of their time because they weren’t specialists on banking portals, and there was a risk of giving incorrect access.” Making matters worse, she adds, “the local finance teams didn’t always have a clear audit trail. Central treasury didn’t have visibility into who had access and why, or who had approved a specific individual to get access.”
Effectively securing bank account access would require a centralized solution. The Microsoft treasury group worked with business stakeholders, including local finance teams around the world, to develop a plan for standardizing user access reviews companywide. They also wanted to automate as many components of those reviews as possible, while minimizing their reliance on the corporate IT group, which was inundated with other projects.
They launched a project with the goal of significantly improving the company’s approach to the people, processes, and technology surrounding bank account user access management. “We started by researching what our internal users were using online banking portals to do and how they were governing access,” Dang says. “Then, we worked with our controls and compliance team, internal audit teams, and our privacy team to design a centralized process that wouldn’t have any audit loopholes.”
They developed a standardized workflow for bank portal access requests that includes a comprehensive authorization process, Dang says, “to make sure every individual who requests access is authorized by the appropriate channels.” A number of different types of users might need access to Microsoft’s banking portals, from full-time employees to consulting companies, and from vendors and outsourcing providers to recently acquired businesses. “We designed a different authorization matrix for each of these types of users.”
They simultaneously developed a software application called uFlow that streamlined access requests, end to end. uFlow is a web-enabled tool built on the Microsoft Power Platform. Dang emphasizes that the project team looked at several prebuilt solutions but decided they would require too much implementation effort and ongoing support from IT. “Using the Power Platform enabled our team—all treasury business users—to develop this application and automate user requests,” she says. “We didn’t have to do any coding, just utilized drag-and-drop functionality.”
Meanwhile, they created a centralized team of 10 security administrators within treasury to take full responsibility for managing user access to portals for all bank accounts companywide. “The new team is trained and specialized on all of Microsoft’s third-party banking applications,” Dang says.
This means they can perform routine activities more efficiently and consistently than could the 400 security administrators formerly spread across all Microsoft’s business units. Dang estimates that companywide, staff now spend a total of 75 percent less time on user access management for banking portals. The specialized team also provides support for internal end users of the banking portals.
And unlike the former access control model, in which each business unit relied on one security administrator, spreading the user access workload across a team of 10 provides better business continuity. When one staff member takes a vacation or holiday, others are available to seamlessly assist users with banking access permissions and to answer questions.
Now, when a local business user needs access to a banking portal for a Microsoft account, the individual fills out a form in uFlow. The app automatically validates that the requestor is an active employee, provides a list of preapproved roles and permission levels to select from, determines which manager needs to approve the request, and routes a notification to the appropriate manager. The manager can review the request, and authorize or reject it with the click of a button. Once approval is granted, the security administrator team automatically receives all the information necessary to perform their own review and then give the user access.
“Centralized reporting, centralized visibility, and an audit trail are the three key elements of the uFlow app,” Dang says. “At any point, we can see who requested access and why, who authorized it, and who configured access on the banking portal. We built a whole series of reports. Auditors make sure that we’re following our security principles for how we authorize, create, and disable user access.”
In fact, streamlined disabling of a user’s access is another key feature—and one of several ways in which the new approach to user access management is much more secure. “If an employee leaves the company, uFlow will notify a security administrator that they have left and we can immediately switch off their access to banking portals,” Dang says.
“The risk of unauthorized access to online banking portals is huge,” she continues, “and it’s an area that a lot of treasuries overlook. An access management governance model is critical to keeping our accounts secure. We have multifactor authentication enabled on all our banking portals, so each individual who logs in needs a username, a password, and a token.”
Although the tokens substantially increase security, they also generate additional work for the security administrators, which would have been problematic when Covid-19 hit if Microsoft had not transformed this process. The token is a small physical device assigned to a particular user that generates a string of numbers used to access the banking portal. During the initial pandemic lockdown, a lot of Microsoft users around the world ended up unable to access their token because they had left it in the office. That meant they couldn’t access banking portals to process payments.
If security administrators didn’t have access to their tokens either, under the legacy model, the business unit’s bank account access would have ground to a halt because no one would have been able to grant access to the banking portal. The situation might have been further exacerbated by the fact that foreign mail wasn’t being delivered in a lot of countries at that time.
“Because we had a centralized team, we were able to navigate the lockdowns in a much more agile manner,” Dang concludes. “If an individual needed access, they could just come to our team, and we could set them up on any appropriate banking portal. Management of user access to bank accounts is a crucial function, and I am grateful that the company initiated this project before Covid-19 hit.”
And join Treasury & Risk for a webcast celebrating the winners of our 2021 Alexander Hamilton Awards in Working Capital Management: Partner Impact! The live virtual event will take place on May 5 at 12pmET. Register today.