
- Membership
- Certification
- Resources
- Events
- Community
- About
- Help
The article “Are Your Internal Team Members Collecting Your Required Vendor Documents? It’s Risky” discusses the risks associated with collecting sensitive vendor information from internal team members and via risky email which can lead to payment fraud. With the latest IRS draft version of the W-9 expected to be published with a requirement to collect certain vendor’s social security numbers, it’s a great time to implement alternative methods to collect vendor sensitive data securely.
What Vendor Sensitive Data Is Collected Via Email?
For vendor adds and changes, sensitive data is collected to verify that the vendors are real, that their information matches regulatory sources and that their payments will be successful. This data can include the vendor’s birth date, social security number, individual tax identification number and banking details.
For many teams collecting this information and other information required for vendor adds and changes, the method of collecting is unsecured email where it is not possible to verify the sender of the email. Fraudsters know and take advantage of this. As a result, they try to get access to actual vendor email inboxes to intercept this information and use it to commit identify theft or to appear legitimate for subsequent fraud attempts.
Avoiding the collection of the sensitive data via risky email reduces the potential for fraud, and also reduces the burden from vendor team members for being responsible for detecting all fraud attempts despite advanced tools and techniques that make fraudulent emails appear legitimate.
Alternative Methods To Email
The list below is not intended to be an exhaustive inventory of alternatives to email, nor does it replace the due diligence required to determine the best fit for your organization. Instead, it provides a high-level overview of some options that can then be used for further research to have a more detailed discussion with leadership and your IT and/or systems team, since controls, security, audit features and quality vary by systems and tools.
Method / Option | How It’s Used | Strengths | Limitations |
Vendor Self-Registration Portal | Vendor Logs info a Portal to Enter Data and Upload Documents | Login, Authentication, Data Validations; Workflow Approvals; Audit Trail | Requires Rollout/Change Management; Not All Vendors Will Adopt; Requires IT |
Secure File Upload (e.g., SharePoint) | Link to Upload-Only Controlled Folder | Restricted Access; Audit and Retention Controls Possible | Requires Lock Down of Internal Access and Retention |
Secure Web Form (e.g. Microsoft Forms or More Robust Platforms) | Link to Enter Data and Uploads Forms into a Secure Form | Structured Fields, Access Control, Audit Trail; Possible Case/Ticketing System | Must Add Vendor Verification (OTP/Login) |
AP Automation Platform w/Document Upload (e.g. e-Invoicing Or Document Management Portal) | Existing Vendor Submit Onboarding Documents the Same Way they Upload Invoices | Centralized Vendor Interaction; Workflow Approvals; Messaging May be Available | Must Restrict Non-Vendor Team Members Access to Vendor Documents |
Secure File Transfer (SFTP) Protocol | Link to Upload Forms | Strong Protocol; Per Vendor Credentials; Logging | Less User-Friendly; Requires IT, Needs Identity Governance |
eSignature Platform (e.g. Docusign) | Link to Sign Package and Upload Documents | Tamper-Evident Audit Trail; Signer Authentication Options; Controlled Package and Workflows | Not Best For On-Going Uploads |
Secure Email (e.g. Mimecast) | Vendor Logs In to Reply to Email and Upload Documents | Vendor Team Selects Specific Email to Send Secure Email; Ability to Use Embedded Fields to Eliminate Forms | Still Email-Based |
Secure Email Experience Highlights: The secure email platform allowed the use of embedded fields within the body of the email. Embedded fields were added to collect banking information eliminating the need for a separate vendor banking form. This may not be an option if your organization requires a signature on the form. Embedded fields were also used to collect personal information from those that require payments, but that did not require an IRS Form W-9, such as job candidates whose expenses were reimbursed. Secured email providers may have additional features that can eliminate the need for forms to resolve other pain points in the vendor process.
Conclusion
Relying on email for collecting sensitive vendor information exposes organizations to significant risks, including vendor identity theft and payment fraud. As regulatory requirements evolve, particularly with the anticipated changes to the requirements of the IRS W-9 form, it’s a great time to look at more secure methods to collect vendor sensitive information. While no single solution fits all organizations, exploring and implementing more secure options not only enhances data protection, but also reduces the burden of fraud detection on vendor team members.
Resources
What are you waiting for?