In a fast-moving, entrepreneurial culture, internal financial controls to fight payments fraud are often missing. This lack of vigilance can open the door to everything from bogus check-writing to the diversion of vendor payments to fraudsters’ accounts.
Whether you run a lean internal team or have a robust staff, consider the following five controls to protect your business.
- Segregate financial duties. One of the easiest and most essential safeguards is to separate duties to create oversight. This makes it more difficult for someone to both commit and cover up fraud. For example, the person who approves or executes payments shouldn’t also reconcile bank accounts or be able to make changes to your vendor master file. If your finance team is small, consider having someone outside of the department review payments or be in charge of updating vendor bank details.
- Tightly manage your vendor master file. Keep your list of vendors who are approved to receive payments up to date, and have a second person review any changes to the file. Fraudsters may try to trick well-meaning financial staff into altering bank account information to misdirect legitimate payments, or into adding a bogus vendor. To limit fraudulent changes, confirm vendors’ change requests, ideally by calling them using contact information already in your files. Try to assign someone outside of the accounts payable function to maintain the vendor master list.
- Limit system access by role. Assign access and permission levels to financial systems and online bank portals only as needed. Someone in accounts receivable doesn’t need access to the accounts payable system. No one should have permission to approve their own payments. If someone needs financial data, have your team create reports for them. Audit your lists of authorized users for all systems at least quarterly to ensure that access rights line up with current roles.
- Set up formal procedures for requesting payments. No one loves red tape. But requiring employees to fill out a form to request payments can trip up fraud attempts, in particular common business email compromise scams. Consider using an electronic form, and limit access to it via a secure intranet. Also insist that every payment request includes precise internal account codes; this can weed out fraud attempts that come with vague instructions like "just code it to admin expenses."
- Establish separate bank accounts for different activities. Setting up different bank accounts for different purposes not only helps you limit access by role, but also makes it easier to spot unusual activity. At a minimum, it’s advisable to have debit-only and credit-only accounts. For example, using a separate account for issuing check payments only will help anomalies (non-check transactions) stand out even more, and will allow you to protect the account with a service like ACH Block. A bonus to this approach is that it makes it easier to perform reconciliations.
Round out those five tactics with a few more best practices, such as reviewing your bank accounts daily, reconciling them monthly, and setting up alerts for any account activity.
To learn more, please visit SVB’s Fraud Prevention Center or contact your SVB representative. SVB can also perform a free fraud risk assessment and provide recommendations for potential improvements.
* Services may have monthly, per item, or per transaction costs. Contact your SVB representative for more information.
This material is provided for informational purposes only. The conclusions expressed are based upon limited information available to Silicon Valley Bank regarding your company's fraud detection and prevention programs, and should not be seen as a substitute for obtaining your own independent assessment of such programs. The security of your operating system and your procedures for conducting banking transactions with us remains your responsibility. Silicon Valley Bank is not responsible for any cost, claim or loss associated with your use of this material.