Think your bank account verification process confirms ownership? Think again.
How procurement and finance departments verify banking information generally falls into these three buckets:
- Collecting a voided check or account info on bank letterhead
- Calling the vendor to confirm the change
- Multiple levels of internal approvals for changes
All of these seem, on the surface, to be solid, but are not infallible in defending the vendor master from infiltration by fraudsters. If your organization is relying on any of these three ways to ensure the validity of your vendor master file's banking info, you are likely leaving holes wide enough for a fraudster to walk right in.
Let’s break each one down:
1. Collecting a voided check or account info on bank letterhead
As a verification tool, this practice started before the digital age, when vendors needed to snail mail a W9 and their remit details. And it largely worked.
But in the age of digital communications, with email as our trusted delivery source, these documents are now so vulnerable we’d argue they are meaningless. They are easily forged, and moreover, a piece of paper does nothing to confirm the ownership of the bank account being offered to you. A fraudster can type any business name they want and then put their personal banking details under it. Paper, quite simply, is not proof of the authenticity of the information on it.
Verdict: Scrap it.
2. Calling the vendor to confirm the change
In the pre-Covid world, this technique was pretty solid. You called your vendor on a phone number you knew and the vendor confirmed the banking info. Simple.
In the Covid world, this is no longer a fail-safe. Remote work has made this process vulnerable, and fraudsters have taken note. AR staff are often working at home, so when they get your voicemail and call you back, it’s usually not from the official number. It’s likely from a cell phone. How do your AP staff know they are speaking to the legitimate vendor when the incoming number is not familiar? If you cannot get the right person on the phone with an outbound call, and you cannot authenticate the number of the inbound call, you cannot be certain the call is from the legitimate vendor.
Verdict: Scrap it.
3. Multiple levels of internal approvals for changes
More eyes on a problem can certainly help, and we encourage you to always have multiple levels of approvals when it comes to any vendor and payment related information; however, using only internal approvals as a means to ‘verify’ the validity of vendor information is borderline reckless. Not only does it lack formal controls of any kind, but the pressure on the people in these positions, as your only defense, is surely keeping them up at night.
Keep your multiple levels of approval, but do not rely on them to spot and stop fraud.
Verdict: Scrap it.
All of the increasingly stringent means for your staff to verify every digit on every payee bank account with every payment being made are still not solving the problem that humans can be tricked.
None of these three methods solves your actual problem: the problem of paying a fraudster.