In the course of building our network and our platform, we did what product people do: we talked to the market. When it comes to the risk associated with vendor onboarding, everyone we spoke to was united. However, when it came to how to solve it, consensus was elusive. Vendor management, AP and Procurement personnel know they should not trust banking information that arrives via email. That is a given. To solve this most seem to focus verifying vendor banking information. But what, exactly, does that mean?
How banking information gets 'verified', generally falls into these three buckets:
- Collecting a voided check or account info on bank letterhead
- Calling the vendor to confirm the change
- Multi levels of internal approvals for changes
All of these seem, on the surface, to be solid, but are not infallible in defending the vendor master from infiltration by fraudsters. The devil, as they say, is in the details. If your organization is relying on any of these three ways to ensure the validity of your vendor master file's banking info, you are likely leaving holes wide enough for a fraudster to walk right in.