Church Online Giving Platforms – How to Manage Risks to Data and Finances

Online giving platforms provide churches and givers with a convenient way to give, and also enable churches to reach givers beyond the walls of the church. With this convenience come new risks due to the personal data, bank account and payment card information collected and processed. Knowing what those risks are, and effectively mitigating them, helps churches to maximise the benefits of online giving platforms in a safe and secure manner.

Contents

Introduction

 

Church online giving platforms have existed in various guises for a while, but they grew in popularity and usage during the global coronavirus pandemic.

 

They have since emerged as an ongoing necessity not only for the convenience they provide to churches and givers, but also for their global reach.

 

Statistics show that churches that accept tithing online increased overall giving by 32%, and that 60% are willing to give to their church digitally.

 

As a pro-active church, you should therefore keep encouraging the use of online giving platforms as one of the means of giving.

 

You also need to have a good understanding of the associated risks and how to mitigate them.

 

Online giving platforms function by collecting and processing data of givers, which includes personal data, bank accounts, payment cards and amount given.

 

Not paying attention to the new or modified risks introduced by online giving platforms can unduly expose your church to those who may take advantage of vulnerabilities to effect cyber-attacks, data theft, financial loss and reputational damage.

 

When people give to your church, they are expressing their belief in its mission, and that their giving is contributing to the good causes promulgated by your church.

 

You therefore want to maintain that trust.  Any data breaches can put individual givers at risk of identity theft or financial loss, and negatively impact on that trust. 

 

Data breaches could have a significant negative impact on the affected individuals. 

 

As others learn about the data breaches, you may begin to see a wider impact on levels or means of giving, as people lose trust in the church’s ability to manage data and finances.

 

This article takes you through what online giving platforms are, and five areas of risk to data and finances that need to be managed to benefit from online giving platforms safely and securely.

 

Table Stewards uses a light-hearted scene setting approach to introduce its topics, but if you would prefer to dive straight into any part of the article, please click the relevant link in the table of contents above.

 

 

Scene Setting

 

The Learning & Development Committee are here again for their pre-meeting with Coach Emmanuel before the masterclass.

 

Elder Sam: Nice and early, Badtrus!

 

Brother Badtrus: Well, I came in early to see Lydia in the accounts office but we were done quicker than I thought. 

 

Sister Jane: What’s up with Lydia?

 

Brother Badtrus: You don’t want to know!  I had a slip of finger with the church’s new online giving app, and I pressed one zero too many for my giving.  I put in 200 instead of 20, and only discovered it when I saw my bank balance.  I went to ask Lydia for a refund!  

 

Elder Sam: And?

 

Brother Badtrus: Well she showed me the system and we couldn’t work out how to process a refund, so she will ask the Financial Controller tomorrow.  However, looking at the list of givers and amounts, I can see that there is a good take up of the new church app.

 

Sister Mary: You shouldn’t be looking at who is giving what, and Lydia shouldn’t allow people to view the system in that way.  That is a breach of data protection.

 

Sister Jane: True, I would be furious if my data got into the wrong hands or people know how much I give.  And also, assuming the accounts office can give out refunds, how do we know that any refunds made are valid and not just a back door to misappropriation?

 

Brother Badtrus: You ladies never cease to amaze me!

 

Coach Emmanuel: Mary and Jane have valid points.  There are risks to data and finances associated with church online giving platforms, which need to be managed to avoid data protection breaches and financial loss.  Let’s explore them in today’s masterclass!

 

 

What are Online Giving Platforms?

 

Online giving platforms offer churches a convenient and efficient means of enabling giving within and outside of the four walls of the church. 

 

They also offer a convenient means for givers who either don’t want to carry cash, cheques or cards, or who just want the convenience of setting up an app on their mobile phone and using it over and again to give with ease.

 

Online giving platforms offer a range of functionality and benefits, such as ease of sign-up and set-up, integration with back office systems, multiple payment options, regular reports, secure payment processing, confirmation of receipts, text-to-give and mobile phone apps for givers.

 

There are a range of online giving platform providers to choose from.  Some examples of online giving platform providers that cater to churches are Tithe.ly, Pushpay, givelify, easyTithe, Donorbox, and mogiv.  

 

An online giving platform has 3 main components:

 

  • The Giving platform front end. This serves as the front end for givers and can take the form of a mobile phone giving app, a website form, or text-to-give functionality. 

 

  • The Service Provider’s system. These are the third-party service provider’s systems that process the payments made by givers via the online giving platform and transfer the money into your church bank accounts.  They also enable your church to access records of all giving via the back-end of the platform and, where integrated, can also email receipts to your givers.

 

  • The Giving management system. These are your church’s back office systems used to set up and maintain the church’s end of the platform.  This also includes any integration with the bookkeeping systems that receive records of the income banked and process the service provider’s fees, and with systems that process tax reclaims, where applicable.

 

 

Managing the Risks to Data and Finances

 

Online giving platforms process vast amounts of personal data of givers, such as bank account details, payment card information, amounts given, email addresses and phone numbers, all of which need to be securely protected. 

 

Similarly, the platforms process and transfer funds into your church bank accounts, and you therefore need to ensure that the right bank accounts are receiving the money. 

 

Therefore, as convenient as online giving platforms are, you need to manage data and finance risks in order to maximise the value of the giving platforms and limit avoidable exposure to financial loss, data breaches and regulatory non-compliance. 

 

Here are 5 main areas of risk you need to consider.  Let’s take them in turn.

 

 

Risk of unauthorised bank accounts set-up and changes

 

Church online giving platforms receive giving in the most convenient way for givers as well as the church.

 

This involves the service provider processing the giving and transferring the funds into your church bank accounts. 

 

It is therefore crucial that the right bank accounts are set up on the platform, and any changes to the bank accounts are well controlled. 

 

Unauthorised bank accounts would result in diversion of funds, leading to avoidable financial loss. 

 

Steps you should take to manage this risk include:

 

  • Due diligence before selecting and contracting with an online giving platform service provider.

 

  • Assurance that the service provider has satisfactory controls in place to verify and validate the set-up of bank accounts and any subsequent request to change the bank account numbers.

 

  • Board level authorisation of the set-up of bank accounts on the service provider’s systems, preferably by your existing bank authorised signatories.

 

  • Requirement for the service provider to notify bank account changes to all your bank authorised signatories. This also helps to identify external attempts (e.g. by cyber criminals) to divert funds by setting up new bank accounts or any attempts to divert funds for a few hours on Sunday into a fraudulent account, and then revert back to the original account.

 

  • Strong access controls to the giving management system, limiting who can access the systems and what they can do.

 

  • Requirement for the online service provider to provide monthly reports to your Board level contact(s) or senior officials. This is separate from the reports provided to your operational staff, and should show all bank account changes, new users set up on the giving management system, as well as a summary of giving information.
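The short-lived diversion described above (the payout account switched for a few hours and then switched back) can be picked out of the provider's bank account change report. This is an added example, not part of the original article or any provider's software; the record layout, account labels, user names, the two-approval rule and the 24-hour window are assumptions, and the sample report is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of a payout-account change report (assumed layout).
CHANGES = [
    {"at": "2024-03-01T10:00", "old": None, "new": "ACCT-MAIN",
     "by": "treasurer", "approved_by": ["signatory1", "signatory2"]},
    {"at": "2024-03-10T07:55", "old": "ACCT-MAIN", "new": "ACCT-X",
     "by": "office1", "approved_by": []},
    {"at": "2024-03-10T13:20", "old": "ACCT-X", "new": "ACCT-MAIN",
     "by": "office1", "approved_by": []},
    {"at": "2024-06-02T09:00", "old": "ACCT-MAIN", "new": "ACCT-NEW",
     "by": "treasurer", "approved_by": ["signatory1", "signatory2"]},
]
SIGNATORIES = {"signatory1", "signatory2"}  # assumed bank authorised signatories


def review_changes(changes, signatories, window=timedelta(hours=24), min_approvals=2):
    """Return (timestamp, finding, account) tuples for changes needing follow-up."""
    findings = []
    parsed = sorted(
        ((datetime.fromisoformat(c["at"]), c) for c in changes),
        key=lambda pair: pair[0],
    )
    for i, (when, change) in enumerate(parsed):
        # Count only approvals from signatories other than the person making the change.
        approvers = (set(change["approved_by"]) & signatories) - {change["by"]}
        if len(approvers) < min_approvals:
            findings.append((change["at"], "unapproved", change["new"]))
        # A later change inside the window that restores the previous account
        # means the new account was only live briefly.
        for later_when, later in parsed[i + 1:]:
            if later_when - when > window:
                break
            if change["old"] is not None and later["new"] == change["old"]:
                findings.append((change["at"], "reverted", change["new"]))
                break
    return findings


if __name__ == "__main__":
    for finding in review_changes(CHANGES, SIGNATORIES):
        print(finding)
```

A report like this belongs with the Board level contacts rather than the operational staff whose accounts appear in it.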

 

 

Risk of unauthorised refunds or withdrawals

 

Where a giver accidentally gives more than they intended, for example, by erroneously adding an extra zero to their intended amount, then they may sometimes request a refund.

 

Your church should therefore have the ability to make refunds. 

 

However, the ability to make refunds also opens up the risk of unauthorised or fraudulent refunds, resulting in financial loss. 

 

Steps you should take to manage this risk include:

 

  • Having a clear written and published refunds policy on the online giving platform and church website.

 

  • Clear internal policy and instructions for staff or operatives processing refunds. This should include a requirement for refunds to be authorised by someone other than the person making the refund, validating against the request and record of the original giving.

 

  • Inbuilt requirement for refunds to only be made to the personal bank account that the original giving came from.

 

  • Regular bank reconciliation exercises to confirm transactions and identify anomalies for investigation.
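The refund controls listed above can be checked mechanically against an export of gifts and refunds. This is an added example, not part of the original article or any provider's software; the field names, identifiers and records are constructed assumptions, with amounts in whole currency units.

```python
# Constructed records; field names are assumptions, not a provider's export format.
GIFTS = {
    "G-1001": {"account": "SRC-A", "amount": 200},  # giver meant to give 20
    "G-1002": {"account": "SRC-B", "amount": 50},
}
REFUNDS = [
    {"id": "R-1", "gift": "G-1001", "amount": 180, "to_account": "SRC-A",
     "processed_by": "clerk1", "authorised_by": "controller", "request_ref": "REQ-9"},
    {"id": "R-2", "gift": "G-1002", "amount": 50, "to_account": "SRC-Z",
     "processed_by": "clerk1", "authorised_by": "clerk1", "request_ref": None},
    {"id": "R-3", "gift": "G-1001", "amount": 40, "to_account": "SRC-A",
     "processed_by": "clerk2", "authorised_by": "controller", "request_ref": "REQ-12"},
    {"id": "R-4", "gift": "G-9999", "amount": 10, "to_account": "SRC-C",
     "processed_by": "clerk2", "authorised_by": "controller", "request_ref": "REQ-13"},
]


def check_refunds(refunds, gifts):
    """Map refund id -> list of control failures; refunds that pass are omitted."""
    problems, refunded = {}, {}
    for r in refunds:
        reasons = []
        gift = gifts.get(r["gift"])
        if gift is None:
            reasons.append("no matching gift")
        else:
            # Refund must return to the account the original giving came from.
            if r["to_account"] != gift["account"]:
                reasons.append("destination differs from source account")
            # Running total per gift catches repeated partial refunds.
            total = refunded.get(r["gift"], 0) + r["amount"]
            if total > gift["amount"]:
                reasons.append("refunds exceed original gift")
            else:
                refunded[r["gift"]] = total
        # Authoriser must exist and be someone other than the processor.
        if not r["authorised_by"] or r["authorised_by"] == r["processed_by"]:
            reasons.append("not independently authorised")
        if not r["request_ref"]:
            reasons.append("no refund request on file")
        if reasons:
            problems[r["id"]] = reasons
    return problems


if __name__ == "__main__":
    for refund_id, reasons in check_refunds(REFUNDS, GIFTS).items():
        print(refund_id, reasons)
```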

 

 

Risk of non-compliance with regulatory requirements

 

Online giving enables your church to reach givers from around the world.  This also means handling sensitive data about givers resident in various jurisdictions, as well as their payment cards and accounts. 

 

Your church needs to understand where their givers are located and what laws you need to comply with as a result of their location.

 

For example, if you have givers resident in the UK or EU, you need to be compliant with the General Data Protection Regulation (GDPR).

 

Similarly, there are regulatory requirements or agreed best practices relating to the payment card industry such as the Payment Card Industry – Data Security Standard (PCI-DSS), which provide a baseline of technical and operational requirements designed to protect account data.  

 

Some countries also have specific regulations, such as the Strong Customer Authentication (SCA) regulation applicable in the UK and EU, to further prevent fraud by verifying the identity of the person trying to make a payment before allowing the payment to go through.

 

Breaches and non-compliance can lead to penalties, fines and reputation damage.

 

Steps you should take to manage this risk include:

 

  • Ensuring Board level awareness of regulatory compliance requirements relating to the church and the jurisdictions where givers reside.

 

  • Ensuring you have policies and processes that enable you to comply with all mandatory laws and regulations relating to data protection, payment card and bank account security.

 

  • Ensuring that the due diligence checks on your service provider include their compliance with required or best practice regulatory requirements e.g. GDPR, PCI DSS, and SCA regulations.

 

  • Independent reviews so you can periodically gain assurance on regulatory compliance and address any deviations.

 

 

Risk of cyber security breaches

 

Cyber security is about the measures taken to prevent unauthorised access, theft or damage to personal data and information stored on systems, devices and online. 

 

Cyber security breaches or attacks can result in loss of data and finances, leading to exposure of church members’ data to identity theft, scams and fraud.

 

That in turn leads to financial loss, reputation damage, fines, penalties, and reduction in giving due to loss of trust.

 

Steps you can take to manage this risk include:

 

  • Board level approved risk-based cyber security policy and strategy, communicated and implemented throughout the organisation.

 

  • Appropriate governance to ensure ongoing attention to cyber security risk management.

 

  • Assessment of cyber security threats and vulnerabilities and implementation of appropriate security measures to mitigate risks.

 

  • Periodic testing of resilience to cyber security risks and taking action to plug any holes. You should engage accredited cyber security expertise to help with this.

 

 

Risk of not maximising opportunities offered by the platform

 

Online giving platforms provide the opportunity for your church to take advantage of additional data collection and classification at the point of giving, for subsequent back office processing efficiencies. 

 

The majority of platforms allow churches to configure pre-defined giving categories, and prompt givers to select a category for each giving, e.g. offering, tithes, building fund, etc.

 

This makes your subsequent record keeping easier and more accurate.

 

Additionally, if your church is in a country where churches can claim back tax on donations given by tax payers, the online platform can be set up to allow givers to indicate accordingly. 

 

The associated data received from the service provider can enable easier, quicker and more accurate processing of tax reclaims.

 

Some online giving platforms also allow churches to pass on the transaction costs to givers.

 

The costs are usually very minimal at roughly 3% on average; and most givers would be happy to add this on to save your church some money. 

 

Givers can be prompted via the giving apps or website, to indicate whether they want to add on the service provider costs to their giving.

 

Most platforms also allow givers the option to set up recurring giving.

 

This could be useful for givers who already appreciate the benefits of standing orders for their bills, and would like to apply similar options to their giving.

 

Steps you can take to maximise the opportunities provided by online giving platforms include:

 

  • Identify the pain points in your current back office processing of giving, and factor them into the selection of your online giving platform solution.

 

  • Induct givers and provide them with access to guidance on how to make the most of the online giving platforms including aspects that are critical to maximising your church income, such as tax reclaims, options to bear transaction fees, and correct classification of giving.

 

  • Publish your church policy on tax reclaim and eligibility on the giving platform and website if applicable in the country the church is registered in.

 

  • Inform and communicate to online givers periodically in church announcements to encourage continual use of the giving platform and to address any learning points from usage.

 

 

Conclusion

 

Online giving platforms are a must for churches that want to maximise their reach and income, while increasing the efficiency of back office operations. 

 

However, online giving platforms also introduce risks to personal data, payment cards and bank account information of givers. 

 

By addressing the 5 areas of risk in this article, your church can effectively manage risks to data and finances posed by online giving platforms, and maximise the valuable benefits of these platforms. 

 
