Rob Rogers
Disbursement Risk Overview
Most disbursement control programs are built in response to something that already went wrong. A vendor changes banking details and nobody catches it before the wire clears. An employee runs a ghost vendor scheme for two years before an auditor notices the pattern. A payment processor has a data breach and suddenly the organization's banking credentials are in the wrong hands. The controls that exist often reflect the specific failures that prompted them — which means the gaps in the program ref
Strategic and Reputational Risks
The sections preceding this one describe risks that are, in various ways, operational in nature. Fraud schemes, control failures, regulatory violations, technology vulnerabilities — these are problems that manifest in specific transactions, specific systems or specific compliance failures. They can be investigated, quantified, remediated and in most cases contained. The organization identifies what went wrong, fixes it, and moves forward. Strategic and reputational risks are different. They are
Third-Party and Technology Intermediary Risks
The first three sections of this risk taxonomy describe threats that operate through recognizable human mechanisms — a vendor whose systems are compromised, an employee who exploits a control gap, a payment that triggers a regulatory prohibition. The risks in this section are different in character. They are embedded in the technology infrastructure that modern disbursement operations depend on: the processors that move funds, the platforms that automate invoice and payment workflows, and the da
Regulatory, Compliance, and Legal Risks
The risks in the previous two sections — internal process breakdowns and vendor-resident failures — share a common characteristic: something goes wrong, money is lost or misdirected, and the harm is primarily financial. Regulatory, compliance, and legal risks operate differently. Here, a payment can be made correctly in every operational sense — properly authorized, accurately recorded, delivered to the intended recipient — and still expose the organization to penalties, criminal liability, repu
Vendor-Resident Risks
There is a category of disbursement risk that receives less systematic attention than it deserves, largely because it originates outside the paying organization's direct control. These are risks that live inside the vendor — in their systems, their people, their finances and their business practices — but that transfer financial, legal or operational harm directly to their customer. The paying organization didn't create the problem. It still absorbs the consequences. Understanding vendor-reside
OFAC (Sanctions) Screening & Barred Parties
The Legal Obligation No AP Function Can Delegate OFAC sanctions operate on strict liability. Ignorance of a vendor's sanctioned status is not a defense. For accounts payable, this means that screening against the SDN list and all applicable international watchlists is not a best practice — it is a legal duty that attaches before the first payment is authorized. Accounts payable sits at the terminal point of the disbursement cycle — the moment at which an obligation becomes a payment and orga
At the Heart of the Matter: Vendor Authentication, Validation and Verification
Every payment your organization makes begins with a decision made long before the invoice arrives: the decision to trust a vendor. That trust, if poorly established, becomes a liability — a gap in your controls that fraudsters exploit and auditors flag. Vendor verification is how organizations convert trust from assumption into evidence. For CFOs and Controllers, vendor authentication, validation and verification are not a procurement formality. They are foundational disbursement controls — the
Onboarding Controls: Secure Vendor Onboarding
The Onboarding Moment Is a Control Moment Vendor onboarding is the point at which a new payment relationship is established — and it is one of the highest-risk moments in the entire accounts payable lifecycle. It is the moment when vendor identity is either verified or assumed, when banking information is either authenticated or taken on faith, and when the controls either hold or fail. What happens at onboarding sets the risk profile for every payment that follows. Despite this, many organiza
Beyond OFAC: Foreign Screening Obligations
Organizations that process payments in currencies other than U.S. dollars, that are incorporated or operate in the UK or EU, or that have vendors with international ownership structures face layered screening obligations under multiple regulatory regimes. OFAC compliance alone is an incomplete sanctions program for any organization with international exposure. The United Kingdom: The UK Sanctions List (UKSL) The United Kingdom's sanctions regime has operated independently from the EU framewor
Vendor Selection & Due Diligence: Authenticating the Vendor
Before a single invoice is approved, accounts payable must have established that the vendor is who it claims to be, that it is authorized to receive payment, and that its risk profile is commensurate with what is being purchased. The disbursement of funds through accounts payable is not a clerical act. It is the terminal point of a control system whose integrity depends, above all, on one foundational question: is this vendor legitimate? Vendor selection and due diligence are not procurement fu