ibanchecker.cash
Finance OperationsJune 5, 2026 · 7 min read

How to Audit Vendor Bank Details Before Processing Payments

A quarterly vendor IBAN audit framework for finance teams — covering structural validation, bank name cross-reference, change history review, dormant vendor cleanup, and access control.

Share

Vendor bank detail fraud — where a threat actor substitutes a fraudulent IBAN into your supplier master file — accounts for hundreds of millions in corporate payment losses annually. The attack is effective precisely because it exploits the routine: finance teams process payments to known suppliers repeatedly, and a vendor whose IBAN changed without scrutiny receives the same level of trust as a vendor whose details have never changed.

An IBAN audit is the process of systematically reviewing every vendor bank account stored in your payment systems, confirming that each IBAN is structurally valid, matches the bank your vendor claims to use, and was obtained through a controlled process with a documented approval chain. This guide gives you a repeatable audit framework that finance teams of any size can run quarterly.

What Makes a Vendor Bank Detail Audit Different From Ongoing Validation?

Ongoing validation — checking an IBAN when a vendor first submits it — catches errors and fraud at the point of entry. A periodic audit catches a different set of problems: IBANs that were entered before a formal validation process existed, changes that were made informally without following the current process, dormant vendor accounts that should have been removed, and IBANs that have become invalid because the underlying bank account was closed or the bank was merged.

Most organizations that have experienced vendor fraud discover on investigation that the fraudulent IBAN was present in their system for weeks or months before payment was made. A quarterly audit would have identified the anomaly before it resulted in a loss.

What Should a Vendor IBAN Audit Cover?

A complete vendor bank detail audit has five components:

1. Structural Validation of All Stored IBANs

Export every IBAN from your vendor master file or accounts payable system. Run each through a structural validator that checks the country code, total length, BBAN format, and MOD-97 check digits. Any IBAN that fails structural validation must be flagged for immediate investigation — it either contains a data entry error or was never valid.

The bulk IBAN checker accepts CSV and Excel uploads and validates up to 100 IBANs in a single operation, returning a status column and bank identification for each row. For larger vendor files, the ibanchecker.cash API can process batches programmatically with no volume cap.

2. Bank Name Cross-Reference

For each valid IBAN, compare the bank name returned by the validator against the bank your vendor claims to use. A German supplier whose IBAN resolves to a French bank, or a UK vendor whose BIC identifies an institution you have never heard of, warrants a call to the vendor through a verified phone number before the next payment.

3. Change History Review

Pull the change log for every IBAN in your vendor master and review any change made in the last 12 months. For each change, confirm: who requested it, through which channel, who approved it, and whether the approval chain matches your current policy. Changes that were approved by a single person without secondary confirmation are a risk item.

4. Dormant Vendor Review

Identify vendors for whom you have not processed a payment in more than 12 months but whose bank details remain active in your system. Dormant vendor records are a common vector for insider fraud — a rogue employee can update the IBAN on a dormant vendor and create a plausible-looking payment. Either remove dormant vendors or flag them for re-verification before any future payment.

5. Access Control Audit

Review who has write access to the vendor master file or the accounts payable module. The principle of least privilege applies: only the personnel responsible for vendor onboarding should have access to create or change bank details. Read-only access should be sufficient for everyone who processes payments but does not onboard new vendors.

How Should You Prioritize the Audit Workload?

A large vendor file can make a full audit seem daunting. Prioritize in this order:

  1. High-value vendors: Any vendor for whom your cumulative annual payment exceeds a defined threshold (e.g., €50,000) should be audited first. These are the highest-value targets for fraud and the highest-consequence errors.
  2. Recently changed IBANs: Any vendor whose bank details changed in the last 90 days should be re-verified regardless of payment volume.
  3. Vendors with no approval trail: Any IBAN in your system that lacks documentation of how it was obtained and verified is a risk item, regardless of the vendor's payment history.
  4. International vendors: Cross-border payments are harder to recall and recover than domestic payments, making errors and fraud more costly.

How Do You Handle IBANs That Fail the Audit?

The response depends on why the IBAN failed. Three categories:

Structural failure: The IBAN fails the MOD-97 check or has an incorrect format for its country. Do not process any payments to this vendor until the IBAN is corrected. Contact the vendor through a verified channel — not email — and request their correct bank details. Re-validate the corrected IBAN before updating the vendor record.

Bank name mismatch: The IBAN is structurally valid but the bank name does not match the vendor's stated bank. This may have an innocent explanation (a correspondent banking arrangement, a recently rebranded bank) or it may indicate fraud. Do not process payment until you have spoken directly with the vendor and they have confirmed the bank name discrepancy and provided a satisfactory explanation.

Missing approval trail: The IBAN is valid and the bank name matches, but there is no record of how the IBAN was obtained or who approved it. Treat this as a medium-risk item: re-confirm the IBAN with the vendor through a verified channel, document the confirmation, and update your records. Process payment only after confirmation.

What Tools Support a Vendor IBAN Audit?

The core tool requirement for a vendor IBAN audit is a bulk validator that can process your full vendor list and return a structured result. The bulk IBAN checker handles this for files up to 100 rows via browser upload. For larger files, use the ibanchecker.cash API to automate the validation step — export your vendor file, run it through the API, and import the validation results back into your spreadsheet or ERP.

For IBAN extraction from unstructured documents — for example, PDFs of vendor bank confirmation letters — the smart IBAN extractor identifies and validates all IBANs in a block of text, which can speed up the process of pulling IBANs from legacy documentation.

How Often Should You Audit Vendor Bank Details?

Quarterly for any organization processing more than 100 vendor payments per month. Annual for smaller operations. In addition to scheduled audits, trigger an unscheduled review after any of the following events: a staff change in the accounts payable team, an IT system migration that involved importing vendor data, or a security incident that affected your email or file systems.

The quarterly cadence is not arbitrary — it reflects the typical dwell time of BEC fraud campaigns, which often insert a fraudulent IBAN weeks before triggering a payment request. A quarterly audit catches most fraudulent IBANs before the fraudster has an opportunity to request payment.

Last updated: June 2026

Validate an IBAN instantly

Free IBAN checker — MOD-97 verification, bank lookup, and SEPA status across 84 countries.

Open IBAN Checker →

Related Articles

How to Validate Supplier IBANs Before Paying: A Finance Team Checklist

7 min read

Bulk IBAN Verification: How to Check 500 Vendor IBANs in 3 Minutes

6 min read

IBAN Validation for Accountants: Tools, Workflows, and Best Practices

7 min read

← All articles