Fraudulent Vendor Payment Account Data

Prevention tips divulged.

June 5, 2008
by Mary Schaeffer

Is the rush to electronic payments creating opportunities for sticky-fingered employees at your organization — or your vendor's — to take advantage of gaps in the system?

Technology solves many problems, but it sometimes creates new issues or worsens old ones, such as vendors looking for payment and the veracity of bank account information they provide. How can you tell if the information is accurate? Are you confident that one of your vendor’s employees has not substituted his or her own back account information for the vendor’s? How certain are you that one of your own employees hasn’t played games with the account information? This is not only a payment concern, but also an internal audit one.

REMINDER: Surviving the Credit Crisis: What Financial Executives Need to Know — FREE Infocast June 26. Register Today. Space is limited.

The Problem

The issue under consideration is independent verification of payment instructions. When setting up or changing payment instructions in the vendor/supplier master file, do you require validation and independent verification of the electronic payee/payment data by someone other than the individual creating the data? The purpose here to avoid fraudulent or incorrect bank accounts entered into a master file which could be paid by Automated Clearing House (ACH) to a fraudster.
The very legitimate concern is that someone simply sends a bank account number change request on company letterhead, and having that information entered in the address book system causes payments to be sent to the new address. A crooked employee could simply supply her own bank account information. And, as you well know, it is not difficult to obtain or replicate company letterhead.

A related issue is that even the most honest employee sometimes makes mistakes and could inadvertently transpose two digits when supplying the bank account number, be it the first time or for a legitimate change.

The Solution

Make sure you have a system of verification in place. This can include a call back to the payee to verify the data, or comparison to independent market sources or verification to authorized signed documentation, etc.

Call-back procedure: Using a call-back procedure you avoid the risk of simply accepting a bank account add change as requested on a letterhead, which could be created easily by anyone. As this solution is not without its own headaches, few organizations actually use it. Often independent verification cannot be performed because payees are difficult to reach and independent sources are not available to verify bank accounts. In lieu of this, many experts recommend and prefer to rely on voided checks or deposit slips.

Master vendor file review: Another highly recommended control is to have a very senior officer review ALL changes made to the master vendor file. Most controllers don't like this but it makes your own employees think twice before committing fraud. Unfortunately, this step won’t thwart the fraudulent activities on your vendors’ employee’s side. Should your senior officer be unwilling to conduct this review process, the review can be sub-delegated, although all inquiries should be made by the senior officer to give the appearance of a high-level review.

These above solutions demonstrate how important it is not to adopt new processes randomly without thinking through all the ramifications of the new process. The solution, while not ideal, does provide some protection against both fraud and honest mistakes.

Rate this article 5 (excellent) to 1 (poor).
Send your responses here.

Mary S. Schaeffer is the author of more than a dozen business books including Controller and CFO's Guide to Accounts Payable. She serves as the editorial director of Accounts Payable Now & Tomorrow, a newsletter for professionals interested in payment issues, and directs the organization's consulting practice. Her next book, Preventing Fraud in Accounts Payable will be published in August. She also serves as president of CRYSTALLUS, Inc. a publishing, training and consulting firm focused on payment issues.