Payments Fraud and Your Vendor Master: Uncovering Hidden Risk

Posted by Angela Sarno on Oct 29, 2020 8:30:00 AM

Spoiler alert: the scourge of business payments fraud is not going away. The challenges facing organizations with maintaining and securing their vendor master data were already daunting in a pre-Covid world, never mind now that the way people work has been radically reimagined. 

Against this backdrop, we were thrilled to host a panel discussion, "Payments Fraud and Your Vendor Master: Uncovering Hidden Risks," where we brought together Clay Deutsch, a former bank CEO, Rob Unger from Nacha and Thayer Stewart, our CEO, to provide their divergent perspectives on the problem of business payments fraud, and what organizations should be doing to combat it.

You can access the entire recording here.



Here are our five key takeaways from this fascinating conversation:

There isn't a type of business that is immune to the threat of payments fraud.

If you think fraudsters are only going after specific types of  companies, think again. Toyota learned this the hard way last year when they were taken for $37 million in an email scam.

“The people in the wire room at Toyota are very sophisticated people,” Stewart said. “And so I think when one of the most sophisticated companies in the world has one of these events people realize, well, this can happen to anybody.”

Many of the systems that companies have in place were designed without allowing payees the ability to make changes on their own, Stewart explained. It doesn't help that roughly 1/3 of a typical organization's payees will make changes to their identity credentials during a 12-month period. Every change is a possible opening for a fraudster to exploit.

And it’s not just car manufacturers.  It’s financial services.  It's school districts. It’s museums. It’s everyone.

"When one of the most sophisticated companies in the world has one of these events people realize, well, this can happen to anybody.” Thayer Stewart, PaymentWorks


COVID-19 has served to reveal already existing weaknesses.

Each of the panelists believes the COVID-19 pandemic is playing a role in shining a huge spotlight on an already existing issue, and motivating organizations to adopt new means of shoring up their defenses.

"COVID has just put more and more stress on the system," Stewart said. “In terms of companies wanting to move away from checks all together -- creating disruptions that fraudster sort of prey on -- I think the situation has just gotten worse."

Unger comically described how clients have had to resort to what he called a "drive-by check signing" when they weren't allowed to come into their offices or have physical contact with employees.

"The AP manager would go to the office, print off the checks, go to the park across the street, leave the checks in an envelope, you know, stand back 12 feet," Unger said. "The controller would come by and sign. COVID has just mixed things up here with respect to seeing more fraud.”

Clearly this pandemic has proven that the center does not hold. Maintaining your status quo all but assures your organization will be targeted for this type of fraud. 


"Anywhere there's information sharing there's opportunity for fraud." Rob Unger, Nacha


Reputational risk means more is at stake than just dollars being lost. 

When a company is defrauded it can lead to reputational damage that is more costly than just the money that has been lost. 

Deutsch, the former CEO of Boston Private Bank, weighed in on what this means for a financial institution: “The real consequences of (fraud) are many, many times greater than just the cost of the fraud. Reputational damage, regulatory punishment, fines, sanctions, client reputation damage. I mean, on and on and on.”

Reputational damage on a macro level can lead to the loss of future clients. There's also the issue of fallout from existing clients, especially the one that has been defrauded.

"If we act in good faith on client instructions but there's a massive misstep or a breach or a fraud, we’re in the uncomfortable position of having to go to war with our client over who makes good," Deutsch said. "And even though the financial institution may have done nothing wrong, you know, being in a dispute about costly mistakes with your client is not where anybody wants to be."

But the reputational risk isn’t just for the banks.  It’s for any company that makes this type of mistake.  The proof of this is in how often you don’t publicly hear directly from a company that has been defrauded.  No one wants to talk about it, no one wants anyone to know that they had a hole in their process or controls. 

The vendor form is the problem.

While paper or online static forms may still be commonplace for collecting vendor information, more and more they are seen as a liability that needs to be solved for.  Paper, after all, isn’t dynamic or secure.

"I think that our kids will never hear of a vendor form," Deutsch said. (They'll ask) what's a vendor form Grandpa? That goes the way of the dodo bird."

Stewart agreed that vendor forms are on their way to becoming relics of a bygone era.

"Increasingly, companies are looking for technology solutions," Stewart said. "Whether it's sophisticated email detection programs or some type of platform where, instead of the vendor form, you're collecting this information from third parties in an automated digital way. The providers are using sort of sophisticated cutting-edge identity proofing technologies, whether it's IP monitoring, phone-based verification, and supports all of the workflows before it eventually finds its way into the ERP."

Doing this all manually goes beyond being merely inefficient, it's so rife with opportunity for exploitation that it's borderline careless.  The static, insecure vendor form has got to go.

Crystal Ball prediction: payments fraud is here to stay.

If there’s one thing that’s certain about the future of the vendor management industry it’s that fraud – or at least attempts at fraud – will always be something to contend with. 

"Anywhere there's information sharing there's opportunity for fraud," Unger said. "And so if you're doing that manually I think the opportunity is great. If you've got automation tools like PaymentWorks I think that decreases it. Evildoers are always going to be evildoers, and they're going to figure out new ways. And, you know, we've got to keep up with it.”

Deutsch weighed in with his 30 years in the financial industry: "Financial institutions alone cannot solve this," he said. "I think the Fed and NACHA, the public sector and the private sector needs to work together. In my opinion, [it’s] a collective solution. I don't think any one financial institution has either the wherewithal or the resources to solve this problem on their lonesome."

Listen to the entire discussion here.

Read our FREE guides:

Business Payments Fraud: Risk Assessments, Fraud Vectors and Prevention

Automation: Pitfalls and Practical Advice in the Quest for the Perfect Vendor Master

Topics: payments fraud, ACH, vendor master, risk


The Business Identity Platform that automates complex payee management processes to:

  • Eliminate the risk of business payments fraud  
  • Reduce cost
  • Ensure compliance

Sign up to be alerted when we publish interesting things

Recent Posts