Treasury in Higher Ed: Protecting and Serving

We recently spent time with Valarie Van Vlack, the Treasurer at Texas State University, discussing the role of Treasury in supporting the university’s mission, as well as the ubiquity- and creativity- of fraudsters attempting to scam higher education institutions. Excerpts are below. You can listen to the full interview here.

Taylor Nemeth: Let’s start with you walking us through how you ended up working in treasury, and what treasury means.

Valarie Van Vlack: I found treasury by accident. I started at a Fortune 500 company, ended up going for a job that reported to the treasurer. He was super supportive, and so he wanted me to become certified in treasury. My job evolved from a day-to-day analyst to a treasury professional. I am a certified treasury professional now, and I’ve been in some type of treasury role since the 1990s, first at a Fortune 500 company, and then I was hired by Syracuse University. I found the mission of higher education to be really compelling, and I really enjoyed the work. After I was at Syracuse for about 13 years, I became the treasurer at Texas State University, and I’ve been here for 12 years.

Taylor: What is unique about higher ed treasury departments versus other industries? So you had mentioned you worked for a Fortune 500 company. What do you feel are the key differences?

Valarie: We are involved in enrollment management. I think the nature of things progress at a slower pace in higher education, and that’s kind of an understatement. But researchers really want to focus on their mission, not processing paperwork or waiting for the vendor to be paid. And so they may be pushing a little bit hard because they’re waiting for an instrument, or some kind of research to be done. And the urgency of that payment being done that day. And our university mission, our area is to support the rest of the university. We’re a support arm in the university, so we try to take that into account while also being understanding. But we do have to have the processes and procedures in place.

We also are known as having open source systems. So the attempts of fraudsters on a daily basis is insurmountable. IT gets hit from various entities throughout the world trying to penetrate our system. So we really have to have a good IT security system as well.

Taylor: If somebody is trying to get into your ERP, or trying to get into some other system to grab student credentials, be it a social security number or a bank account, does that risk ultimately roll up to treasury as well? Or is it shared?

Valarie: It’s shared. We work very closely with IT security on a number of different matters. For instance, we have a requirement called the red flags, where any fraud attempts need to be reported to the CFO or your administrator of the program. So annually, we create a report of any entity that an imposter tried to enter to try to give us information, and it didn’t seem right. So we have to record that. My reports are very short for a lot of other business units on campus, but IT is 600 to 700 lines of just phishing attempts and students taking the phishing attempts.

Taylor: Have you placed a lot more importance on email compromise? Email compromise is the largest source of many of these different fraudulent attempts, is that something that the university has thought about?

Valarie: Accounts payable and in the back office processing are very cognizant of it. Let’s just say that if it sounds fishy, then you should investigate. So many universities I’m finding are putting their senior level executives behind firewalls, so that you cannot get their information just by surfing the web. That’s super important when people are just spoofing the internet and giving us an email from your boss asking you to do a wire very quickly because the president needs it, or the president is traveling. Or can you buy some gift cards for us? If it sounds out of character, pick up the phone and contact the person. We have made it a rule at the university that no wire will happen from just an email from a CFO or the president. It really needs to be going through the correct process. We will take our time in order to make sure that it’s correct.

“We have made it a rule at the university that no wire will happen from just an email from a CFO or the president. It really needs to be going through the correct process. And we will take our time in order to make sure that it’s correct.”

Taylor: Can you speak to other types of fraud you have contend with as a higher education treasury professional?

Valarie: People call us pretending they are students, so we do not keep student information in our system. And then there are payment cards. There’s fraud going on almost every minute in the payment card industry. We have a team that works with our IT security and IT networking. When a vendor wants to do business on our campus and wants to take payments, it is vetted through the electronic payment team. We look at how they set up their networks, how they’re processing the information, where that information goes, how much is stored. Are they certified? There’s a lot of things that we need to make sure of in order to protect our students.

There’s a lot of initiatives within dining services and athletics. And everybody wants the new and best thing, but we’ve got to make sure that the vendors that we approve for our campus are safe to the students to use the credit cards because really, it’s our reputational risk at stake.

Taylor: Speaking of reputational risk, we know a lot of higher education institutions have been hit by payments fraud, but almost no one ever talks about it. Higher education is so unique in how everyone is willing to share best practices with each other, but not about this one subject. Why is that?

Valarie: No one wants to talk about fraud. No one wants to admit that they got hit and how they got hit because somebody found a weakness within their controls and was able to use that to their advantage. So I think it’s really interesting in the fact that we need to share this stuff with everybody. And you need to hear from those people. I think that it needs to be really shared.