Bank Account Ownership Validation Is A Valuable Part of Your Fraud Prevent Strategy Once You Account For Potential Gaps

For accounts payable (AP) and vendor teams, ensuring that payments reach the correct, legitimate vendors is critical. Bank account ownership validation has emerged as a key tool in this fight against payment fraud.  However, it is important for users to recognize certain gaps in the validation process and address them to ensure a comprehensive fraud prevention strategy.

What is Bank Account Ownership Validation?

While providers that offer this validation process can vary in the results offered, a basic validation includes at least three pieces of data from the vendor to match to the information on the bank account:

While failed validations—such as no account found or mismatched information—indicate a risk of fraudulent payment, a successful validation does not eliminate risk and can still signal potential fraud.

The following three (3) scenarios show the gaps of bank account ownership validation.  They are based on legitimate activities by your vendors and, of course, the evolution of fraudsters.

Vendors Submit A UPIC Code Instead of A Bank Account Number

A Universal Payment Identification Code (UPIC) is a unique identifier issued by financial institutions for a bank account in the United States. Its primary purpose is to allow organizations to receive ACH (not wire) payments without divulging confidential banking information.  A UPIC acts like a US bank account number, but it masks the actual bank account number. A great benefit for both you and the vendor is that they are portable, allowing for changes in banking that do not require risky change requests, 

While the use of UPICs can reduce the potential for payment fraud, when performing the bank account ownership validation, what is assumed to be a bank account number, may be UPIC, and thus no account is found.   

Options to Resolve: Ask your provider if there is a way to interpret the bank account number behind the UPIC.  Ask your vendor for their true bank account number for this validation. 

Vendors Have Legitimate Reasons for Bank Account Holder Names That Do Not Match Their Legal Names

A common scenario that complicates bank account ownership validation is when the bank account holder's name does not match the vendor's legal name. While this could be a red flag for fraud, there are many legitimate reasons for such discrepancies such as:

• Subsidiary or Parent Company Relationships: A subsidiary might require payments to be sent to its parent company's bank account, or vice versa.
• Doing Business As (DBA) Names: The vendor might operate under a DBA name, which is the name on the bank account, while their legal name is different.
• Mergers or Acquisitions: A company might have undergone a merger or acquisition, and the name change may not yet be reflected consistently across all records, including bank accounts.
• International Entities: International vendors might use a U.S. affiliate or agent bank to receive payments, leading to a different name on the account.

Options To Resolve: Ask your provider if they have results from external databases that can make a connection between the vendor’s legal name and the bank account holder’s name if different.  Research collected vendor documents and external databases like Dunn & Bradstreet or State business records for a DBA or parent/subsidiary name to establish a relationship, then perform the validation using that name.

Fraudsters Evolving:  Fraudsters Are Opening Bank Accounts with Your Vendor’s Information

Fraudsters are becoming increasingly sophisticated. They are no longer just trying to divert payments to random accounts; instead, they are actively opening bank accounts using the same information as legitimate vendors. This means they might use the vendor’s legal name, tax ID, address to open a bank account to pass the bank account ownership validation.  Further, they may open the account at the same bank to appear more legitimate.

This tactic renders basic bank account ownership validation less effective than one might assume, as a "positive" validation might simply mean the fraudster successfully mimicked the legitimate vendor's details.

Options to Resolve: Ask your provider if they have the open date of the bank account or any other details that may be a red flag for an established vendor. Also, review your end-to-end vendor onboarding and change process to add authentication techniques, internal controls, best practices and other vendor validations.  By laying fraud prevention, this “false positive” validation can still be exposed as fraud in the validation results or at a different step in the vendor add or change process.    

Conclusion

These three scenarios show why bank account ownership validation, while valuable, is not a standalone defense for fraud prevention. Understanding that factors like UPICs, vendors requiring payments in parent company bank accounts, and evolving fraudster strategies can complicate the validation. As part of your fraud prevention strategy, check with your provider to see how they mitigate these risks, and add authentication techniques, internal controls, best practices and other vendor validations into your vendor set up and maintenance process to avoid not only payment fraud, but also regulatory fines and bad vendor data.

Resources: 

1.     The Clearing House:  How ACH Works:  https://www.theclearinghouse.org/payment-systems/ach

2.     Fraud.com:  New account fraud – Understanding and Preventing It https://www.fraud.com/post/new-account-fraud

3.     Business Impersonation New Account Fraud Targets Wisconsin Banks https://www.wisbank.com/business-impersonation-new-account-fraud-targets-wisconsin-banks