Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously. Send us your responses: [email protected].
Context: The devil is in the details and bank account information for suppliers is a detail that can bedevil finance teams responsible for thwarting payment fraudsters. The big picture reveals a big problem: 80% of organizations were victims of payments fraud attacks and attempts in 2023, a 15-percentage point increase over the previous year, according to a recent survey report from AFP. So no wonder that just 5% of those surveyed said their organizations did not validate beneficiary payment information last year—down from 17% in 2021.
- For many NeuGroup members, a top priority is verifying that changes to bank account info requested by a vendor or supplier are legitimate and not the work of criminals. The question and answers below match some of the measures taken in 2023 to improve controls as identified in the AFP report.
- It notes that for some respondents “a third-party solution has been employed to assist with fraud detection and verification. Some organizations are putting the onus on vendors to manage their own payment instructions and invoice submission through external facing portals.”
Member Question: “I am looking for ideas on best practices for validating supplier banking details. We are using a manual callback process, among other methods; I’m wondering what other corporates are doing to ensure that changes to supplier banking instructions are legitimate.”
Peer answer 1: “We have a process for ‘negative confirmation,’ wherein an email is triggered to our supplier (using contacts from our vendor master, and not relying entirely on the requestor of the change) notifying them there was a change made to their bank account information.
- “The email is triggered when the change is made in our ERP—though our internal audit team would prefer we do callbacks! The expectation is for the supplier to notify us in case the change of bank account info was not an authorized request. In practice, we typically don’t see many responses to these mails.
- “We are working on migrating to a tool that would facilitate suppliers managing their own data directly in the portal, which also includes some basic account validation at the time of entry.”
NeuGroup Insights followed up with the peer to learn more about the tool referenced above. They said, “this is an external portal provided by Apex Analytix. Our suppliers will have access to the portal (with multifactor authentication) and can manage their static data, including bank account data.
- “There are some basic level validations on bank account information captured here to ensure they are in accordance with local requirements (like IBAN, local routing code, BBAN, etc.).”
Peer answer 2: “For corporate suppliers, we have a system where vendors maintain their own banking data. The change requires dual approval from the vendor (enterer and approver) and sign-on has two-factor authentication.
- “This system feeds vendor master data in ERPs that build payables files. If a vendor is not a corporate supplier, we require callbacks.”
