If You Had to Wait for a Vendor To Notify You of a Fraudulent Payment - You Don't Have Enough Controls

At my first "grown up" job, where no one gave me any slack because I was young and cute, I learned a lot. The best thing that has stayed with me was that if I made a mistake, it was my responsibility to:

  • Discover it before anyone else did (didn't always do this)
  • Fix it (always did this)
  • Put a process in place so it doesn't happen again (always did this)

I have tried to live by that in both my personal and professional life.

Especially in the Vendor Setup & Maintenance process.

Discover It Before The Vendor Does

January is typically the month when many companies hear from vendors looking for payments that were due in December but that they did not receive. After some research, the vendor team will realize that during year-end - filled with the distractions of increased invoice volume, rushed vendor setups and the holidays - remittance information was changed based on a fraudulent request.

Why is it important to discover it before the vendor does? Because by the time the vendor follows up on the missing payment, weeks (or months) later, it could be too late to recall/recover the fraudulent ACH payment from your bank, or put a stop payment on the check, and get the funds back.

One step to take now: Contact all vendors that had remittance changes + payments in December and verify they received the payment.
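
One way to build that call list, as an added example that is not part of the original article: it cross-references a vendor master change log with a payment register and returns the payments sent after a remittance change in the same period. The record layouts, field names and sample rows are constructed assumptions, not taken from any specific ERP.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not from any specific ERP.
REMIT_CHANGES = [
    {"vendor_id": "V100", "changed_on": date(2023, 12, 4), "field": "bank_account"},
    {"vendor_id": "V200", "changed_on": date(2023, 12, 18), "field": "remit_address"},
    {"vendor_id": "V300", "changed_on": date(2023, 11, 2), "field": "bank_account"},
]
PAYMENTS = [
    {"vendor_id": "V100", "paid_on": date(2023, 12, 1), "amount": 5000.00, "method": "ACH"},
    {"vendor_id": "V100", "paid_on": date(2023, 12, 15), "amount": 42000.00, "method": "ACH"},
    {"vendor_id": "V200", "paid_on": date(2023, 12, 20), "amount": 1800.00, "method": "CHECK"},
    {"vendor_id": "V300", "paid_on": date(2023, 12, 10), "amount": 900.00, "method": "ACH"},
    {"vendor_id": "V400", "paid_on": date(2023, 12, 12), "amount": 7500.00, "method": "ACH"},
]

def payments_to_verify(changes, payments, start, end):
    """Return payments in [start, end] sent on or after a remittance change
    made in the same window, i.e. payments that went to the changed details."""
    # Keep the earliest in-window change per vendor; later payments follow it.
    first_change = {}
    for c in changes:
        if start <= c["changed_on"] <= end:
            prev = first_change.get(c["vendor_id"])
            if prev is None or c["changed_on"] < prev["changed_on"]:
                first_change[c["vendor_id"]] = c
    flagged = []
    for p in payments:
        c = first_change.get(p["vendor_id"])
        if c and start <= p["paid_on"] <= end and p["paid_on"] >= c["changed_on"]:
            flagged.append({**p, "changed_on": c["changed_on"],
                            "changed_field": c["field"],
                            "days_since_change": (p["paid_on"] - c["changed_on"]).days})
    # Oldest payments first: recovery gets harder the longer a payment has been out.
    return sorted(flagged, key=lambda r: (r["paid_on"], -r["amount"]))

if __name__ == "__main__":
    window = (date(2023, 12, 1), date(2023, 12, 31))
    for row in payments_to_verify(REMIT_CHANGES, PAYMENTS, *window):
        print(row["vendor_id"], row["method"], row["amount"], "paid", row["paid_on"],
              "| changed", row["changed_field"], "on", row["changed_on"])
```

Payments made before the change, and vendors whose details changed outside the window, are deliberately left off the list so the team's calls go to the payments most likely to have been redirected.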

Fix / Remedy the Fraudulent Payment

Implement your Fraud Response Plan. This should be unique to your company process and/or policy. Maybe your company has an insurance policy and has to follow a specific process to file a claim. Maybe after reviewing the email string that requested the remittance change, it was determined that it came from the vendor's legitimate email account that was hacked. It is not uncommon for buyers to not remedy the fraudulent payment if it was caused by the vendor's lack of security.

One step to take now: Create a Fraud Response Plan if you don't have one.

Plug Up the Gaps In Your Vendor Process So It Does Not Happen Again

This is the key. Don't just add a confirmation call, a tip or two that you heard from me, or the latest software or validation tool, since not one can protect your company from fraud by itself. Like any other process, it takes a combination of processes, controls, tools, etc. to work. Look at the vendor setup process from end to end and plug up all the gaps where fraud can creep in.


Common gaps I typically see in the vendor setup and maintenance process:

  • Vendor supporting documentation is received from the internal employee and not the vendor team. How do you know who they received the documents from? They can easily be social engineered since they don't have the enhanced training that the vendor team should.
  • Relying on the "simple" confirmation call. This is not the silver bullet that many make it out to be - if it was, there would be no fraudulent payments. Also, it's anything but "simple". Vendors don't pick up, vendor teams don't have contact information for the right contact, and vendor sites are removing contact information so they are not exposed to fraud.
  • Relying only on validation tools. They are great when the vendor's account is found, but you still need a process in place when it is not found. Know how to interpret the results, since many validation tools have some type of scoring and your company may need to determine which score is acceptable.
  • Vendor validations are not adequate. Vendor validations should be customized based on your vendor type, vendor country (US vs Europe vs Canada, etc.), and industry (government entity vs non-profit vs health care, etc.). Don't just rely on what everyone else is doing - identify what is required for your company and perform the validations consistently at new vendor setup, at existing vendor change and when you clean your vendor master file.

One step to take now: Download the Vendor Validation Reference List with Resource Links, then meet with Leadership, Tax, Legal, IT, Risk Management, etc. and verify which validations are applicable for your company.

Get Started With Free Training

You know me - I always have something free for you so you can implement whatever I am recommending. This training will help you get started with a 7-step process to review your process and it includes some digital downloads too.

  • Implement 7 steps to find and plug up gaps in your vendor setup and maintenance process.
  • Use the Desktop Procedure - Template to document your enhanced process for the vendor team to follow
  • Use the IRS W-8 Expiration Tracker - Template to track vendors with expiring W-8s to avoid IRS compliance fines
  • Use the Vendor Validation Reference List - Template to validate vendor data for new vendor setup and existing vendor change

Sign-Up here: Plug Up The Gaps In Your Vendor Process

Need help? Get a Vendor Process ReDesign where I review your current vendor setup and maintenance process, add up to 5 Authentication Techniques, 29 Internal Controls, 17 Best Practices and 16 Vendor Validations to avoid fraud, fines and bad vendor data. Two Weeks to enhance, document and train your team.

Don't forget to subscribe to my monthly newsletter sharing content that will help you avoid fraud, compliance fines, and bad vendor data in the vendor process.

More articles by Debra R Richardson, MBA, CFE, APM, APPM, CPRS
