It’s common practice for Accounts Payable (AP) Vendor Maintenance to call the vendor when there is a change requested to the vendor’s bank account. There is no shortage of fraud being reported, for AP teams not to know that additional validation protects companies from making fraudulent payments. The question is: Are AP teams driving up volume of required vendor confirmations by not adding additional authentication processes because the vendor will be called to confirm the change anyway?
Why is this a Problem?
Relying solely on confirming banking updates with the vendor overlooks the time it takes to get it that far and the processes that can contribute to more frequent calls only to discover they are fraudulent requests.
For example, in order to get to through the process to have to confirm the update with the vendor, the process has most likely been:
Receive request to update banking details.
Send Branded ACH Form or Instructions to the vendor on how to update banking details
Receive completed Branded ACH Form via Email
Search for the Vendor in the Accounting System/ERP
Review the Vendor Record to verify that this is a change of banking
Verify that the routing number is correct since you don’t want to confirm with the vendor, only to have to send it back after validation because something is wrong. Yeah, they hate that. Identify all issues before you communicate back to them. Everyone learns that the hard way 😊
Confirm with the vendor the banking change using a phone number, email address or remit address already on the vendor record.
This is how it would look with processes in place to authenticate the request prior to processing and disqualify those that do not authenticate:
Receive request to update banking details.
a. Authenticate the Requester: Ask two or three identifying questions from different areas to authenticate the vendor before providing instructions or your Branded ACH form. For example, you could ask that they provide you with the last 4 of the Tax ID (from Vendor record) + last payment date (from A/R) + last invoice amount (from Invoice). Ask questions that are not able to be found elsewhere. Only if they answer the questions correctly should a banking form be sent to the email address on file (not a reply to the request).
2. Send Branded ACH Form or Instructions to the vendor on how to update banking details
3. Receive completed Branded ACH Form via Email
a. Authenticate the Banking Form: Require authentication criteria on the form as well. It can be old banking (they should have it) or the last three deposit dates and amounts. Also, require the tax id on the banking form.
4. Search for the Vendor in the Accounting System/ERP
5. Review the Vendor Record to verify that this is a change of banking
6. Verify that the routing number is correct since you don’t want to confirm with the vendor, only to have to send it back after validation because something is wrong. Yeah, they hate that. Identify all issues before you communicate back to them. Everyone learns that the hard way 😊
a. Authenticate the Banking Details: Look at Early Warning or GIACT systems (or other resellers) that can validate bank account Ownership with the Bank Account Holder Name (Vendor Name) and the Bank Account Number.
7. Confirm with the vendor the banking change using a phone number, email address or remit address already on the vendor record.
Definitely less fraudulent requests will make it to the Confirm step and it lets your vendors know that you have processes in place to keep their payments safe and they will only expect a call if they submit a request to change their banking.
Does your department have any other tips to keep our vendor payments safe? I’d love to hear about it – comment below or email me at firstname.lastname@example.org.
Looking to add Fraud Prevention that includes Authentication to your manual Vendor Setup & Maintenance process? Get the Toolkit here.
Debra R. Richardson,
MBA, APM, APPM, CPRS
Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.
For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.