There are many sad stories of companies losing money from poor payment controls. It could be:
- An employee conducting fraud
- A simple error that sends the wrong amount of money
- A mistype of an account number that causes the money to go to the wrong person
- Fraudsters trying to get funds from a wire transfer or altered checks
Let’s look at some ways to avoid the financial losses and emotional pain these transactions can cause.
Alerts and Rules
I’ll start with some controls that are easy and more effective than most people think. The first is setting alerts for when:
- An account falls below a certain balance
- Certain types of transactions occur
- Transactions over a certain dollar amount occur
The first alert above can help you avoid overdrafts. It may also warn of cash flow issues. The latter two help stop fraudulent or mistaken transactions. Wire transfers are instant and irrevocable, but you may have a chance to reverse or return other types of transactions. You may not be able to stop one bad transaction, but quick action could prevent further damage.
A company can also have the bank set rules on accounts to not process certain transactions. For example, it may block any ACH debit transactions. Cards can be “frozen,” so no transactions can occur on them.
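The alert thresholds and the bank-side rules described in this section can be shown as a single evaluation pass over a day's transactions. The block below is an added illustration, not code from the original post or from any bank's system: the account, the thresholds, the transaction categories ("CHECK", "ACH_DEBIT", "WIRE", "CARD") and the five sample transactions are all constructed for the example. Blocking rules run first and stop the item from posting; alerts let the item post but produce the message the owner or controller would receive.

```python
"""Transaction alerts and account-level blocking rules.

Added illustration, not code from the original post or from any bank.
The account, thresholds and transactions below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Transaction:
    txn_id: str
    kind: str      # constructed categories: "CHECK", "ACH_DEBIT", "WIRE", "CARD"
    amount: float  # money leaving the account


@dataclass
class AccountRules:
    low_balance_floor: float  # alert when the balance drops below this
    large_amount: float       # alert on any single transaction above this
    alert_kinds: set          # transaction types that always trigger an alert
    blocked_kinds: set        # transaction types the bank refuses to process
    cards_frozen: bool = False


def process(balance: float, txn: Transaction, rules: AccountRules):
    """Apply bank-side rules first (the item never posts), then alerts
    (the item posts, but someone is told at once).
    Returns (posted, new_balance, messages)."""
    messages = []
    if txn.kind in rules.blocked_kinds:
        messages.append(f"BLOCKED {txn.txn_id}: {txn.kind} not permitted on this account")
        return False, balance, messages
    if txn.kind == "CARD" and rules.cards_frozen:
        messages.append(f"BLOCKED {txn.txn_id}: card is frozen")
        return False, balance, messages

    if txn.kind in rules.alert_kinds:
        messages.append(f"ALERT {txn.txn_id}: {txn.kind} for {txn.amount:,.2f}")
    if txn.amount > rules.large_amount:
        messages.append(f"ALERT {txn.txn_id}: amount {txn.amount:,.2f} exceeds {rules.large_amount:,.2f}")
    new_balance = balance - txn.amount
    if new_balance < rules.low_balance_floor:
        messages.append(f"ALERT {txn.txn_id}: balance {new_balance:,.2f} below floor {rules.low_balance_floor:,.2f}")
    return True, new_balance, messages


def run_day(opening_balance: float, txns, rules: AccountRules):
    """Post a day's transactions in order; return the closing balance and every
    block/alert message produced along the way."""
    balance, log = opening_balance, []
    for txn in txns:
        _, balance, messages = process(balance, txn, rules)
        log.extend(messages)
    return balance, log


# Constructed sample: a small business account with ACH debits blocked and cards frozen.
SAMPLE_RULES = AccountRules(low_balance_floor=5000.0, large_amount=10000.0,
                            alert_kinds={"WIRE"}, blocked_kinds={"ACH_DEBIT"},
                            cards_frozen=True)
SAMPLE_TXNS = [
    Transaction("T1", "CHECK", 3000.0),
    Transaction("T2", "ACH_DEBIT", 1500.0),   # unexpected ACH pull: blocked by rule
    Transaction("T3", "WIRE", 12000.0),       # wire above the large-amount threshold
    Transaction("T4", "CARD", 200.0),         # card charge while cards are frozen
    Transaction("T5", "CHECK", 6500.0),       # pushes the balance under the floor
]

if __name__ == "__main__":
    closing, log = run_day(25000.0, SAMPLE_TXNS, SAMPLE_RULES)
    print(f"closing balance {closing:,.2f}")
    for line in log:
        print(line)
```

Running it on the sample day produces two blocks (the ACH debit and the card charge) and three alerts: two for the wire, which trips both the transaction-type and the dollar-amount rule, and one when the last check drops the balance below the floor. The wire still posts, which is the point the section makes: the alert does not stop the first bad transaction, it gives you the chance to act before the next one.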
Reviewing Bank Statements or Transaction Reports
This control is so simple but incredibly effective. A simple example is an owner reviewing the bank statements for their business. I know two stories of owners who had a trusted employee steal money. In one of those instances, the owner’s wife happened to open a bank statement and asked her husband why he was writing checks to the bookkeeper. Of course, the bookkeeper was writing checks to the bookkeeper. Owners can delegate bookkeeping, but they can never abdicate certain controls.
In other companies, a reconciliation and transaction review by someone independent from the payment process offers the same control. Knowing that someone will be watching transactions is technically a detect control, but the deterrent effect is a prevent control.
Dual Signatures on Checks
Requiring two signatures for checks over a certain dollar amount is a control that’s been around for a long time. Unfortunately, it’s a very weak control. It’s effective when the second signer catches a mistake in the amount or payee for a check. A payee may also decline to deposit a check and return it to the sender if it lacks two signatures and bears a legend like “Two signatures required for checks over $10,000.”
There’s one party that’s almost certainly not checking for two signatures: Your bank. Most checks are now deposited and routed electronically. The bank does not have to review for two signatures unless your checking account agreement specifies so, which they almost never do.
Also, an employee committing fraud will forge two signatures as easily as one. Banks almost never compare signatures to signature cards when processing checks.
Dual Approval for Electronic Fund Transfers
Dual approval for ACH transactions and wires is an effective control. Each person should have a unique username and password. A good online business banking system can be set up to require two approvals before the funds are remitted. This control breaks down when only one person with administrator rights can change the dual requirement to a single authorization. In small companies, the owner may want to retain sole administrator rights to the online banking software. Larger companies will rely on detect controls, like audits and reconciliations, in addition to the segregation of duties.
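The approval workflow described above, including the breakdown it warns about, can be modelled in a few dozen lines. The block below is an added illustration, not any bank's online banking software or code from the original post. The user names, payment ids, the rule that the initiator cannot count as one of the approvers, and the audit-trail format are assumptions made for the example.

```python
"""Dual approval for electronic payments, with the weakness the post describes:
a single administrator who can lower the requirement to one approver.

Added illustration, not any bank's software. Users, payment ids and the rule
that an initiator cannot approve their own payment are assumptions."""


class DualApproval:
    def __init__(self, admins, required_approvals=2):
        self.admins = set(admins)
        self.required = required_approvals
        self.payments = {}
        self.audit = []   # every action is recorded for the reconciler or auditor

    def submit(self, pid, amount, initiator):
        self.payments[pid] = {"amount": amount, "initiator": initiator,
                              "approvers": [], "released": False}
        self.audit.append(("submit", pid, initiator))

    def approve(self, pid, user):
        """Record one approval; return True once the payment is released."""
        p = self.payments[pid]
        if p["released"]:
            raise ValueError(f"{pid} already released")
        # Segregation of duties: the initiator and a repeat approver do not count.
        if user == p["initiator"] or user in p["approvers"]:
            self.audit.append(("approval_rejected", pid, user))
            return False
        p["approvers"].append(user)
        self.audit.append(("approve", pid, user))
        if len(p["approvers"]) >= self.required:
            p["released"] = True
            self.audit.append(("release", pid, user))
        return p["released"]

    def set_required_approvals(self, n, admin):
        """Only an administrator can change the rule, and the change is itself logged,
        because a lone admin dropping this to 1 is exactly the weakness to watch for."""
        if admin not in self.admins:
            raise PermissionError(f"{admin} is not an administrator")
        self.audit.append(("config_change", f"required_approvals {self.required}->{n}", admin))
        self.required = n

    def config_changes(self):
        """What a reviewer should look at first in the audit trail."""
        return [e for e in self.audit if e[0] == "config_change"]


def demo():
    """Constructed scenario: a wire with proper dual approval, then the same
    wire after the sole administrator has reduced the requirement to one."""
    system = DualApproval(admins={"owner"})
    system.submit("W1", 48000, initiator="clerk")
    system.approve("W1", "clerk")                   # rejected: own payment
    system.approve("W1", "controller")              # 1 of 2
    released = system.approve("W1", "treasurer")    # 2 of 2: funds released
    system.set_required_approvals(1, admin="owner")  # the control breaks down here
    system.submit("W2", 48000, initiator="clerk")
    weak_release = system.approve("W2", "controller")  # a single approval now suffices
    return system, released, weak_release


if __name__ == "__main__":
    system, *_ = demo()
    for entry in system.audit:
        print(entry)
```

The second wire goes out on one approval with no error raised anywhere, which is why the detect controls the section mentions matter: the only trace is the `config_change` entry in the audit trail, and someone independent of the payment process has to be reading it.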
Templates or Pre-Filled Forms for Frequent Transactions
Your company wants strong controls over who can initiate wires and over the accuracy of wire recipient information. For example, you may have an account or vendor to which you periodically send wires. You want a form or template for those wire instructions that doesn’t allow accidental changes to recipient information but does allow changes to the amount of the wire. This also applies to common ACH transactions.
Multifactor Authentication
Accessing online banking can sometimes feel like running through an obstacle course. It’s a series of usernames, passwords, and other codes before you can finally do the work you need to do. However, these controls are very important.
There are a wide variety of multifactor options. I won’t bore you with a list. The number of options is constantly increasing. I do have a few pieces of advice:
- Don’t leave codes where other people can find them.
- Don’t use the same passwords on multiple sites. Once one is compromised, it’s like they have the master key to everything.
- Don’t give your code over the phone or email. Fraudsters are masters at calling someone and acting like they are the bank. They then ask for the multifactor authentication code, which gives them access to your account.
Positive Pay and Reverse Positive Pay
In positive pay, a company submits lists of the checks the company has issued. These lists include items like check numbers, amounts, payees, account numbers, and issue dates.
As these checks are presented to the bank for payment, the bank makes sure the details on the check presented for payment match the details in the file from the company. The bank pays the checks for which all items match. The bank does not immediately pay any check with a discrepancy. It notifies the company of the checks whose details differ from the submitted list. The company then instructs the bank to either pay the checks or return them unpaid.
This is a stronger control than reverse positive pay. In reverse positive pay, the company doesn’t submit a file of checks to the bank when the checks are written. Instead, the bank sends a file to the company of all the checks presented for payment each day. The company compares their file to their records and then instructs the bank to return any checks that don’t match the company’s records. If the company does not respond to the bank within a certain amount of time, the bank pays all the checks.
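Both matching processes, positive pay and reverse positive pay, come down to comparing a presented check against the company's record of what it issued. The block below is an added illustration, not code from the original post or from any bank: the check numbers, payees, amounts, account number and dates are constructed sample data, and the choice of which fields must match is an assumption (banks vary in whether payee name is part of the match).

```python
"""Positive pay and reverse positive pay matching.

Added illustration, not from the original post or any bank's system.
Check numbers, payees, amounts, account numbers and dates are constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    payee: str
    account: str
    issue_date: str  # ISO date text, compared as-is


# Fields that must agree between the issue file and the presented check (assumption).
MATCH_FIELDS = ("amount", "payee", "account", "issue_date")


def positive_pay(issue_file, presented):
    """Bank side: pay checks whose details match the company's issue file;
    everything else becomes an exception the company must decide on.
    Returns (pay_numbers, exceptions) with exceptions mapping number -> reasons."""
    issued = {c.number: c for c in issue_file}
    pay, exceptions = [], {}
    for chk in presented:
        expected = issued.get(chk.number)
        if expected is None:
            exceptions[chk.number] = ["not on issue file"]
            continue
        reasons = [f for f in MATCH_FIELDS if getattr(chk, f) != getattr(expected, f)]
        if reasons:
            exceptions[chk.number] = reasons
        else:
            pay.append(chk.number)
    return pay, exceptions


def company_decision(exceptions, approve_numbers):
    """Company side: for each exception, instruct the bank to pay or return."""
    return {n: ("pay" if n in approve_numbers else "return") for n in exceptions}


def reverse_positive_pay(company_records, presented, company_responded):
    """Bank sends the day's presented checks; the company compares them against its
    own records and asks for the mismatches to be returned. If no response arrives
    by the deadline, the bank pays everything, which is why this is the weaker control.
    Returns the set of check numbers the bank pays."""
    if not company_responded:
        return {c.number for c in presented}
    _, mismatched = positive_pay(company_records, presented)
    return {c.number for c in presented if c.number not in mismatched}


D = Decimal
# Constructed issue file and the checks the bank sees presented that day.
ISSUED = [
    Check("C101", D("1500.00"), "Acme Supply", "123456", "2024-03-01"),
    Check("C102", D("980.50"), "Metro Electric", "123456", "2024-03-01"),
    Check("C103", D("4200.00"), "Northwind LLC", "123456", "2024-03-02"),
]
PRESENTED = [
    Check("C101", D("1500.00"), "Acme Supply", "123456", "2024-03-01"),
    Check("C102", D("9800.50"), "Metro Electric", "123456", "2024-03-01"),  # amount altered
    Check("C103", D("4200.00"), "Northwind LLC", "123456", "2024-03-02"),
    Check("C104", D("2500.00"), "J. Doe", "123456", "2024-03-03"),           # never issued
]

if __name__ == "__main__":
    pay, exceptions = positive_pay(ISSUED, PRESENTED)
    print("pay:", pay)
    print("exceptions:", exceptions)
    print("company instructs:", company_decision(exceptions, approve_numbers=set()))
    print("reverse positive pay, company responded:",
          sorted(reverse_positive_pay(ISSUED, PRESENTED, company_responded=True)))
    print("reverse positive pay, no response by deadline:",
          sorted(reverse_positive_pay(ISSUED, PRESENTED, company_responded=False)))
```

With positive pay, the altered check C102 and the never-issued C104 are held until the company answers; the default when nobody answers is that they stay unpaid. With reverse positive pay the same two checks are caught only if someone at the company reviews the bank's file and responds before the deadline; miss the deadline and all four are paid.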
Payee Account Validation
In payee validation, the bank or payment service provider compares the payee account details in an electronic payment against databases of known payee accounts and flags account numbers that may be fraudulent.
The payment processor can also make a zero-dollar transmission or a small-dollar transaction to confirm that the payment account details are correct.
Backup Payment Methods
Payment methods and online banking services are great when they work. What if they aren’t working?
I’ve been on both sides of a transaction failure. I was the CFO of a company where we lost internet access on the day when we needed to submit the direct deposit payroll file. We worked with the bank to find an alternate way to send the file. I’ve also been the Director of Operations at a bank where bad actors overwhelmed our internet site with traffic, preventing customers from accessing online banking. The attack was temporary, but we discussed ways for customers to transmit critical payment files to us.
Work with your bank to identify the backup methods for payments. Periodically test these methods or confirm that the bank is still using the backup process.