Due Diligence of New Suppliers and Changing Bank Details
What do other companies do to prevent fraud and adhere to due diligence specifically relating to bank detail checks? This is both in terms of on-boarding new suppliers and when you receive a change of bank details request from a supplier? How do you prevent fraud? For example, if a company sends in a request to change their bank details but it is in fact a fraudulent request?
Sorry Rosanna, I am a little late to the discussion. All of the above comments are spot on with how most organisations go about bank detail validation. I have always stuck with at least a bank deposit slip for the supplier. These can be altered, but not as easily as a letterhead, which is readily available off the internet. Hope we have all helped in your supplier validation.
The risk is actually twofold:
From within: we apply a strict 4 eyes principle policy; suppliers' bank accounts are checked and can only be input into our systems by another department (not Accounts Payable, as they are the ones disposing payments, nor the goods receipt / service acceptance owner).
From the outside: Accounts Payable run a first check to determine if the invoice has been issued by a real company (Google, D&B etc). A different department then contacts the supplier to validate the bank account details.
The above is actually rather cumbersome, and we are reviewing our E2E Vendor mgmt process.
Happy to share thoughts if you wish so!
As well as official signed documentation and/or accessing secure company systems where the supplier only knows username/password, it is worth embedding a process where the Procurement/Finance function contacts the supplier directly to confirm the request (as essentially any documentation can be created or systems hacked, unfortunately).
Hey Rosanna, our system is very similar: updated details on an official letterhead, supported by a statement or some other documentation from the bank. Don't forget to hold these documents in a secure location for future reference.
Hi Rosanna, very good question and it's certainly a very challenging and delicate area. We actually work with a client who had been stung by that very situation where someone called in to their finance team to advise of a change of bank details, which was fraudulent.
The way that they have overcome this is to only set up suppliers' bank details on the P2P solution if the supplier provides bank details on official letter-headed paper, and for this client, they also need a signed letter from the bank confirming that the account details are correct. I'd be happy to discuss further if you would like to know more.