Accounts Payable (AP) has historically been a transactional engine for organisations. For some, this is still the case but there has been a marked shift in many organisations whereby AP has evolved from a back-office processing function into a strategic
enabler of financial control, operational efficiency, and risk management.
The importance of the AP function cannot be underestimated as it is a critical control point where payment risks converge. Ask any CFO where the greatest exposures lie in their organisations, and AP is likely to be near the top of the list. Why is this?
AP is where large sums of money leave the organisation on a daily basis. The sheer volume and speed of transactions make it a prime target for errors, fraud, and control failures.
Yet despite innovations in financial management technology and a move towards automated workflows, one foundational control remains stubbornly manual, fragmented, and outdated: Authorised Signatory Management (ASM).
Why robust ASM matters?
Strategic lever for better, faster and more secure payment operations
Often overlooked, ASM is not just an audit and compliance checkbox, it is a frontline defence against fraud, operational errors, and regulatory breaches. Without robust ASM policies and practices, payments can be approved by the wrong people, or worse, by
no one at all.
AP is also a common entry point for phishing, invoice fraud, and business email compromise. In these instances, without strong signatory controls in place, a simple scam can turn into a costly breach. This all creates vulnerabilities that are hard to detect
until the damage has been done.
In an era of increasing workloads for AP teams, evolving threats, and constant scrutiny, getting ASM right should not be seen as optional, it should be seen as essential.
Protecting the bottom line
Sadly, we live in an age where fraud economics are getting worse, not better. And the cost to organisations is significant. According to the Association of Certified Fraud Examiners (ACFE)
Occupational Fraud report (2024), globally organisations lose ~5% of their revenue to fraud annually, causing total losses of more than $3.1bn.
The ACFE’s data is based on the analysis of 1,921 fraud cases from 138 countries and territories that were investigated by Certified Fraud Examiners (CFEs) between January 2022 and September 2023. Across these cases, the ACFE reports that over half of cases
involved either a lack of internal controls or an override of existing controls. A robust, signatory regime can directly target these two root causes of fraud.
How can you strengthen ASM and safeguard your payables?
We believe this is a shared responsibility between organisations and their financial partners.
For organisations:
1. Audit your current process
This should be your starting point. Identify where signatory data is stored, how it is updated, who has access, and what the signatory process looks like. Look for manual steps, outdated lists, or gaps in control.
Common risks that organisations find during this process include:
- Outdated signatory lists and mandates: Where staff changes, mergers and acquisitions, or reorganisations outpace manual updates
- Control overrides: When ‘urgent’ supplier payments, executive escalations, etc. lead to controls being bypassed
2. Digitalise your ASM
Digitalising your ASM is key as it transforms a traditionally manual, error-prone process into a secure, efficient, and – very importantly – a scalable control. Move away from spreadsheets and static documents. Implement a system that integrates with HR,
legal, compliance and finance platforms to keep signatory rights current and enforceable.
In Europe and the UK, there have been a number of important developments in the digital identity and electronic transactions space that support digital ASM, e.g., in the UK: ETDA (Electronic Trade Documents Act – UK), and in Europe: eIDAS 2.0 (Electronic
Identification, Authentication and Trust Services Regulation). These developments ensure that digital signatures now carry clear legal weight.
3. Embed ASM into AP workflows
Ensure that signatory checks are part of the payment approval process, not a separate or afterthought control. Embedding ASM within AP workflows ensures that controls are proactive, not reactive. It strengthens internal control frameworks, improves operational
efficiency, ensures regulatory compliance, maintains data integrity, and supports strategic financial management. Treating signatory checks as a post-process activity undermines these benefits and increases exposure to fraud, errors, and compliance breaches.
4. Define clear policies and thresholds
Establish rules for who can approve what, based on role, amount, and context. Automate enforcement wherever possible. For high-value transactions, implement dual approval policies. Clear policies and thresholds help drive operational efficiency, financial
discipline, and risk management. Having a structured environment will reduce errors and fraud, ensure compliance, and potentially help strengthen supplier partnerships.
5. Train your teams on ASM importance
Make sure AP and finance staff understand the risks of weak ASM and how digital tools can protect the organisation. Your people are a key line of defence and training is essential to ensure appropriate control over approvals, reduce fraud risk, and maintain
compliance. You should be mindful of any knowledge gaps and potential resistance to change within your teams. Mitigate these through providing structured, role-specific training modules that use real-world scenarios and examples to illustrate risks and consequences.
We recommend delivering formalised training programmes on ASM, and linking this into your wider risk management and compliance training. We also recommend working with your financial partners to help you support the build and delivery of this training.
6. Monitor and review regularly
Establish a routine process for reviewing signatory rights. These reviews should be scheduled periodically and triggered by key events such as role changes, organisational restructures, mergers and acquisitions, or any control failures.
For financial partners / providers:
1. Offer integrated ASM solutions
Provide your clients with tools or APIs that allow them to manage signatory rights directly within your platforms. Integrating ASM with financial and ERP systems centralises approvals and reduces the need to chase documents and reconcile spreadsheets. Integrated
ASM systems also help maintain indisputable audit trails, ensuring that all changes to signatory lists, approvals, or account authorisations are timestamped, traceable, and compliant. Integration should also be across all modules and systems so there is a
single source for signatory data, preventing inconsistencies caused by multiple spreadsheets or siloed systems.
2. Facilitate secure signatory updates
Make it easy for clients to update signatory information securely and ensure changes are reflected instantly. This is a back-office enabler that supports compliance and internal controls. Changes to signatory authority or account status should be updated
in real-time across systems, providing all relevant parties instantaneous insight on and confirmation of approved signatories. Attention should be given to optimising user experience, security protocols, and integration with HR, finance (including ERPs), legal,
compliance, or any other governance systems.
3. Support real-time signatory validation
Enable your clients to verify signatory authority at the point of payment. This is a front-line defence in payment execution and fraud prevention; whereby your clients can validate signatory authority at the moment of payment initiation, ensuring the right
person is approving the right transaction. This will reduce risk and improve your client’s confidence in making payments.
4. Enable controls and exception reporting
Ensure your solutions allow clients to have the ability to proactively block payment approvals that violate signatory policies, such as actions by unauthorised users or breaches of delegated authority. In addition, enable real-time alerts and exception reporting
to flag attempted overrides and support internal audits with clear, timestamped logs of all deviations.
Ideally your solutions should prevent unauthorised payment approvals altogether, not just alert after the event. Alerts and exception reporting are important for visibility and auditability, but they should be a secondary line of defence, not the primary
control.
5. Educate clients on ASM risk and best practice
Include ASM in fraud prevention briefings, onboarding materials, and risk assessments for your clients. Educating clients on ASM risks and processes helps empower them to properly manage and / or oversee those individuals that can expose their organisations
to serious risks. Whilst many companies will tend to have Delegation of Authority (DoA) policies in place, training and enforcement is usually limited, and when it is delivered is rarely formalised. This is often due to ASM being seen as a back-office function,
not a strategic risk area, and no single team being accountable for training or oversight on this area. We recommend supporting your clients to build formalised training programmes on ASM, and link this into wider risk management and compliance training.
6. Collaborate on standards
This is a call to the industry. A single unified standard does not exist; this provides challenges for many of your clients, particularly those operating across jurisdictions or with complex governance structures. Many organisations will be struggling with
inconsistent risk controls, manual or siloed ASM processes and inconsistent technology integration; all of which increases the risk of unauthorised transactions and fraud. We urge providers to work together, and to work with regulators, to define and promote
ASM standards that support interoperability and compliance.
To sum up
ASM is a foundational control that reduces fraud, accelerates payments, and simplifies audits. Without robust ASM practices, organisations risk significant blind spots in their payment governance, leaving them exposed to errors, inefficiencies, and potential
breaches.
With the threat of both internal and external fraud constantly evolving, alongside the legal and technical rails now being in place (e.g., ETDA and eIDAS 2.0), organisations that embed digital, consistent, and scalable signature authority processes will
be far better positioned to safeguard their payables than those that do not.
