While it may be a surprise to the average person that business payments fraud is the largest source of cybercrime in the U.S, it’s at the forefront of every professional working in accounts payable today—those responsible for authenticating and authorizing that critical payments are in fact going to the right vendor, day in and day out.
This is especially true for those working in higher education. With its public expenditure disclosures and decentralized procurement, higher education is especially vulnerable.
Not to mention, most colleges and universities conduct business with thousands of payees—individuals and enterprises, foreign and domestic—making payee identity management enormously challenging.
Sadly, many universities know this threat firsthand. University of San Diego lost $749,000 a year later. They are not alone.
So why isn’t anyone talking about it?
Turns out, while those in higher education are adept at sharing best practices to support peer growth and advancement, falling victim to a fraudster is not an experience that many are willing to share. Over the past year, however, COVID has exacerbated the incidents of fraud, making it more prevalent than ever, and magnified the shortcomings of the antiquated process of verifying payee information.
The paper-based, manually intensive and error-prone process leaves both the institution and the individual responsible, vulnerable to increasingly savvy fraudsters.
Burdened by collecting and managing confidential personal vendor information via paper, not to mention having to validate vendor identities, accounts payable professionals bear the increasingly difficult responsibility of authorizing payments, secured only by a wish and a prayer.
While industry pundits suggest we “be more careful” to safeguard against this rising threat, the risk is far too great to leave in the hands of fallible humans.
As the world accelerates toward digital payments and a distributed workforce becomes the norm, higher education institutions must consider how to safeguard against the very real risk of business payments fraud and modernize the critical business functions to do so—from eliminating checks to digitally enabling the payee verification process. It’s time to address the costly and dangerous elephant in the room.
The good news is that there are practical steps accounts payable professionals can take today to safeguard against the risk of fraud:
1. Review vendor invitations and approvals
Start at the foundation of your vendor onboarding process: inventory who at your organization currently can initiate business with a new vendor, and document (or revisit the documentation regarding) controls in place for adding new vendors. Ask yourself questions including:
- Do people at your college or university have free rein to determine who they want to do business with?
- Do you have controls in place to limit the number of vendors you do business with in a particular vertical, for example: how many different office supply vendors do you use?
- Do you have controls in place regarding inviting or approving new vendors?
2. Re-examine your existing controls
You likely already have controls in place that prevent a single person from adding and approving new vendor information and invoices. Now, take the time to re-examine these controls to determine fraud vectors that could be exploited by bad actors, both inside and outside your organization’s walls.
More from UB: Here’s the latest on how to use COVID higher ed stimulus
This examination should be done with regularity as new fraud vectors can be discovered and exploited at any time. Ask yourself:
- Is there one person (or one role) who has too many responsibilities?
- Who (or which department) ultimately owns the data integrity of your vendor master?
- What will you do in the event that you do pay a fraudster? Do you have an escalation path for investigating and adjusting? Do you have adequate insurance coverage or reserve cash to deal with the loss?
3. Verify ALL identity elements before accepting them into the ERP
Examine your process for when a vendor submits their tax id, remit address and banking details and, perhaps more importantly, when an existing vendor updates these identity elements. Changes to banking details are the No. 1 fraud vector entry point for payments fraud attempts. This is a critical item to verify.
Of all of the ways you can shore up for increased payments fraud protection, this is likely the most critical area to invest in 3rd party partnerships. Ask yourself:
- Do we confirm bank account ownership via a 3rd party or via microtransactions?
- What is the change request process and who owns the acceptance of payment information?
- When do we check for debarment or other sanctions related activity in relation to payment? Who owns this process?
The risk of business payments fraud is real and growing. While the loss of carefully budgeted funds is costly and unfortunate, the loss of trust is harder to quantify and harder to recover from. As colleges and universities consider modernizing critical business functions, examining the payee verification process should be a top priority—especially because the institution’s reputation is at stake.
By sharing best practices to mitigate risk and acknowledging the bigger problem—an antiquated and inefficient system—accounts payable and procurement professionals will make strides in mitigating the greatest threat no one has been willing to discuss.
Taylor Nemeth is head of payments at PaymentWorks.