Due Diligence of New Suppliers and Changing Bank Details
What do other companies do to prevent fraud and adhere to due diligence specifically relating to bank detail checks? This is both in terms of on-boarding new suppliers and when you receive a change of bank details request from a supplier? How do you prevent fraud? For example, if a company sends in a request to change their bank details but it is in fact a fraudulent request?
I agree with Marco's comment; to put it slightly differently, one task is to ensure the bank account information we get from the vendor is valid, and the second is to ensure it is input accurately into our system. Also, need to ensure that there is a mechanism that details on the system are only amended with the correct authorisation.
Similar to others, the process I introduced had the following checks.
- the person within the business who requests a supplier to be created (usually Procurement, but could be others) completes supplier set-up form (including all detail required for P2P) and mandatory requirement to obtain a signed letter-headed letter from vendor confirming bank account details.
- AP validate banking information by telephoning the vendor to request bank account details: if the information from the call and the letter match, then set-up form approved.
- On approval, procurement administrator inputs all details from set-up form into ERP.
- Procurement Administrator then confirms to AP that vendor is set-up in system.
- AP confirms bank account details on system matches.
- Procurement administrator makes vendor live, and requestor informed.
- Monthly automated report from ERP showing any amendments, which is reviewed by finance controller.
The areas that for me are just as important are (A) commercial viability - value for money and acceptance of terms and conditions, (B) technical viability - the product or service has been assessed as being acceptable to meet the need, and (C) financial viability.
Wind these into the supplier set-up process, so that it ensures a conversation occurs between requestor, budget holder, finance, and other approving parties. It is where the real magic happens! Not that admin excellence isn't magical.
Sorry Rosanna, I am a little late to the discussion. All of the above comments are spot on with how most organisations go about bank detail validation. I have always stuck with at least a bank deposit slip for the supplier. These can be altered, but not as easily as a letterhead, which is readily available off the internet. Hope we have all helped in your supplier validation.
The risk is actually twofold:
From within: we apply a strict 4 eyes principle policy; suppliers' bank accounts are checked and can only be input into our systems by another department (not Accounts Payable, as they are the ones disposing payments, nor the goods receipt / service acceptance owner).
From the outside: Accounts Payable run a first check to determine if the invoice has been issued by a real company (Google, D&B etc). A different department then contacts the supplier to validate the bank account details.
The above is actually rather cumbersome, and we are reviewing our E2E Vendor mgmt process.
Happy to share thoughts if you wish so!
As well as official signed documentation and/or accessing secure company systems where the supplier only knows username/password, it is worth embedding a process where the Procurement/Finance function contacts the supplier directly to confirm the request (as essentially any documentation can be created or systems hacked, unfortunately).
Hey Rosanna, our system is very similar, updated details on an official letter head supported by statement or some other documentation from the bank. Don't forget to hold these documents in a secure location for future reference.
Hi Rosanna, very good question and it's certainly a very challenging and delicate area. We actually work with a client who had been stung by that very situation where someone called in to their finance team to advise of a change of bank details, which was fraudulent.
The way that they have overcome this is to only set up suppliers' bank details on the P2P solution if the supplier provides bank details on official letter headed paper, and for this client, they also need a signed letter from the bank confirming that the account details are correct. I'd be happy to discuss further if you would like to know more.