Payments

How to Set Up Supplier Payment Approvals

A practical UK guide to setting up supplier payment approvals: dual authorisation, segregation of duties, Confirmation of Payee and new-supplier checks.

8 min read Published 17 Jul 2026
How to Set Up Supplier Payment Approvals

Paying suppliers is one of the most routine things a business does, and that is exactly why it is a favourite target for criminals. A single email asking finance to update a supplier's bank details can redirect thousands of pounds into an account controlled by a fraudster. Strong supplier payment approvals are the practical defence that catches these attempts before money leaves your account.

The scale of the problem is significant. UK Finance reported that criminals stole £1.17 billion through unauthorised and authorised fraud in 2024, broadly unchanged from the previous year. Authorised push payment (APP) fraud, the category that covers invoice and mandate scams where a genuine payment is redirected, accounted for £450.7 million of that total, made up of £365.7 million of personal losses and £84.9 million of non-personal losses. These are payments the victim genuinely intended to make, which is what makes them so hard to reverse.

This guide explains why payment approval controls matter, how to set up an approval workflow step by step, and the specific controls that reduce your exposure to invoice fraud, mandate fraud and business email compromise. The advice draws on primary guidance from UK Finance, the Take Five to Stop Fraud campaign, the NHS Counter Fraud Authority and Pay.UK.

Why supplier payment approvals matter

A payment approval is simply a formal check that a payment is genuine, correct and authorised before it is released. When approvals are weak or skipped, a business relies entirely on the honesty of the sender of an invoice or the accuracy of a single member of staff. Criminals exploit exactly that gap. In an invoice or mandate scam, the victim intends to pay a legitimate supplier, but a fraudster intervenes to convince them to send the money to a different account.

The tactics are well documented. Take Five to Stop Fraud, the UK-wide campaign led by UK Finance, warns that these scams often involve a criminal intercepting emails, gaining access to your supplier's email account, or pretending to be from them. The NHS Counter Fraud Authority describes the same threat as mandate fraud, also known as payment diversion fraud, and notes that the vast majority of cases now relate to the hacking of emails or the use of copycat domain names.

Approvals matter because they turn a fast, silent payment into a deliberate, checked one. Most of this fraud starts online. UK Finance found that 70 per cent of APP fraud cases began on online platforms in 2024. Building a short pause and a second pair of eyes into your process is the single most effective way to disrupt that chain.

APP fraud losses in the UK, 2024

Authorised push payment fraud losses reported by UK Finance for 2024, split into personal and non-personal losses (in millions of pounds). Source: UK Finance Annual Fraud Report 2025.

Total APP fraud losses450.7%
Personal losses365.7%
Non-personal losses84.9%

Segregation of duties and dual authorisation

Two controls form the backbone of any approval process. The first is segregation of duties: no single person should be able to create a supplier, change its bank details and release a payment to it. Splitting these tasks means a fraudster would have to compromise more than one person or account to succeed. The NHS Counter Fraud Authority states plainly that there should be a segregation of duties and an appropriate level of access with respect to invoice processing tools in payment systems.

The second is dual authorisation, sometimes called the four eyes principle. A payment, or a change to supplier bank details, is only released once a second, suitably senior person has independently reviewed and approved it. The NHS guidance recommends that a senior member of the finance team should review all changes of bank account details and formally authorise them. The reviewer should not simply rubber-stamp the request. They should confirm that the underlying invoice, the supplier record and the bank details all match what is expected before approving.

These controls work together. Segregation of duties makes sure the person approving is not the person who set up the payment, and dual authorisation makes sure that approval is a real, informed decision. Neither should ever be bypassed for convenience or because a request claims to be urgent. Pressure to act quickly is itself a warning sign of fraud.

How to set up an approval workflow

A good workflow is written down, followed every time, and simple enough that staff do not look for shortcuts. Start by mapping who does what, then set thresholds that decide how many approvers a payment needs, and finish with clear verification and record-keeping. The steps below give a practical order to build it in.

Once the workflow is live, test it with a small, low-value payment and review it regularly. Suppliers, staff and threats all change, so an approval process that is never revisited quietly drifts out of date. A quarterly review of who holds approval rights and whether thresholds still make sense keeps the control effective.

1
Map roles
List who raises, checks, approves and releases payments, keeping these as separate people.
2
Set thresholds
Agree payment values that trigger single, dual or senior approval before release.
3
Define verification
Specify how bank details and new suppliers are checked before any payment goes out.
4
Build the workflow
Configure your banking or accounting system to enforce the approvals automatically where possible.
5
Document and train
Write the process down and train finance staff to spot and report suspicious requests.
6
Test and review
Trial with a small payment, then review roles and thresholds at least quarterly.

Key approval controls to build in

The workflow above is the frame. The controls in the table below are what actually catch fraud. Each one closes a specific gap that criminals rely on, and together they make a redirected payment far harder to push through. You do not need every control on day one, but a business handling regular supplier payments should aim to have all of them in place.

Confirmation of Payee deserves particular attention. It is an account name-checking service that helps reduce misdirected payments and gives greater assurance that money is going to the intended account holder. According to Pay.UK, more than 300 organisations have implemented it, with more than two million checks completed every day, and the Payment Systems Regulator mandated its expansion in 2024. A match, close match or no match result gives your team a clear signal before a payment is released.

Nasara Connect helps firms design and evidence these controls as part of a wider payments and financial crime framework. You can explore this in our payments guidance and see how approvals fit alongside your broader control environment.

ControlWhat it doesHow to apply it
Dual authorisationRequires a second person to approve before releaseSet your banking system to need two approvers on payments and on bank-detail changes
Segregation of dutiesStops one person controlling the whole paymentSeparate the roles that create suppliers, change details and release funds
Value thresholdsScales scrutiny to the size of the paymentRequire senior sign-off above an agreed amount, with tighter checks for large sums
Confirmation of PayeeChecks the account name matches the payeeUse the account name-checking result and query any close or no match before paying
New-supplier checksVerifies a supplier is genuine before first paymentConfirm details independently and pay a small first amount to test the account
Bank-detail change controlBlocks fraudulent redirection of paymentsVerify every change by phoning the supplier on a number already held on file
Core supplier payment approval controls and how to apply them in practice.

Defending against invoice, mandate and CEO fraud

Most supplier payment fraud arrives as a convincing request to change bank details or to pay an unexpected invoice. Take Five to Stop Fraud offers clear, practical advice: always confirm the service provider's bank details directly with the company before you make a payment; when paying someone for the first time, transfer a small amount first and check the payment has been received; and if a company changes its payment details, always query this, as companies rarely change their bank details.

The critical rule is how you verify. When you check a change request, use contact details you already hold on file, never the phone number or email address contained in the request itself, because those may belong to the fraudster. The NHS Counter Fraud Authority reinforces this and adds a further trap to watch for: criminals may first ask you to update the contact details held on file, as a precursor to a mandate fraud, so it is important to check that details on file have not been subject to a recent change.

A related threat is CEO fraud, a form of business email compromise where a criminal impersonates a senior colleague and emails finance requesting an urgent payment. The email address is often spoofed or comes from a hacked account, and the request is timed for when the real executive is away. The National Cyber Security Centre describes business payment fraud as criminals sending an email tailored to your organisation, impersonating someone you correspond with regularly. Approval controls defeat this because a lone urgent email can never, on its own, move money.

If a suspicious request does slip through, speed matters. The National Cyber Security Centre advises reporting it to your IT team as soon as possible and contacting your bank directly using official channels, so that funds can be frozen before they are moved on. Build this response into your process too. Every member of finance should know exactly who to alert and how to reach the bank if they suspect a payment has been diverted, and reporting attempts to Action Fraud helps the wider effort to identify and disrupt the criminals behind them.

Vetting and onboarding new suppliers

New suppliers are a common entry point for fraud, so onboarding deserves its own set of checks. Before you make any payment, confirm the supplier is genuine and that the bank details belong to them. Take Five recommends transferring a small amount first and checking directly with the company that it has been received, which quickly exposes an account that is not really theirs.

Keep your supplier records clean and current. The NHS guidance recommends periodic reviews of the supplier database to weed out expired or obsolete records, because dormant or duplicate entries are easy for a fraudster to exploit. Where a bank account genuinely needs to change, ask the supplier to complete a formal amendment request that is signed by an appropriate person, and verify that signature against records you hold before you make any change.

Finally, protect the email accounts that handle all of this. The NHS guidance recommends that finance and procurement staff use two-step verification on their accounts to help prevent the password theft that lets criminals send convincing internal emails. Strong email security is not a substitute for approvals, but it removes one of the easiest ways in.

Conclusion

Supplier payment approvals are not bureaucracy for its own sake. They are a deliberate, evidenced defence against a threat that cost UK businesses and consumers hundreds of millions of pounds in a single year. Segregation of duties, dual authorisation, value thresholds, Confirmation of Payee and disciplined new-supplier checks each close a gap that criminals rely on, and together they turn a payment into a checked decision rather than a silent transfer.

The good news is that these controls are achievable for a business of any size, and they work. UK Finance reported that £1.45 billion of unauthorised fraud was prevented by industry in 2024, and that reflects exactly this kind of layered scrutiny. Start by writing your workflow down, verify every bank-detail change through a number you already hold, and never let a claim of urgency override your process. Nasara Connect can help you design and evidence a proportionate approval framework so that every supplier payment is checked, authorised and recorded before it leaves your account.

Frequently asked questions

What is dual authorisation in supplier payments?

Dual authorisation means a payment, or a change to a supplier's bank details, is only released after a second, suitably senior person has independently reviewed and approved it. Sometimes called the four eyes principle, it ensures no single person can move money on their own, which disrupts the most common invoice and mandate fraud tactics.

How do supplier payment approvals prevent invoice and mandate fraud?

Invoice and mandate fraud works by convincing you to redirect a genuine payment to a criminal's account. Approvals defeat this by requiring independent verification of bank details and a second approver before release. Take Five to Stop Fraud advises always confirming bank details directly with the company and querying any change, because companies rarely change their bank details.

What is Confirmation of Payee and should I use it?

Confirmation of Payee is an account name-checking service that helps reduce misdirected payments by checking whether the account name matches the payee. According to Pay.UK, more than 300 organisations use it, with over two million checks completed daily, and the Payment Systems Regulator mandated its expansion in 2024. Using the match result before paying is a simple, effective control.

How do I verify a request to change a supplier's bank details?

Contact the supplier using details you already hold on file, never the phone number or email in the request itself, as those may belong to the fraudster. The NHS Counter Fraud Authority also warns that criminals may first ask you to update the contact details on file, so check that those details have not recently changed.

What is CEO fraud and how do approvals stop it?

CEO fraud is a form of business email compromise where a criminal impersonates a senior colleague and emails finance requesting an urgent payment, often from a spoofed or hacked account timed for when the executive is away. Approval controls stop it because a single urgent email can never, on its own, release funds without independent review and sign-off.

How big is the payment fraud threat in the UK?

UK Finance reported that criminals stole £1.17 billion through unauthorised and authorised fraud in 2024. Authorised push payment fraud, which covers invoice and mandate scams, accounted for £450.7 million of that, made up of £365.7 million of personal losses and £84.9 million of non-personal losses, across just under 186,000 cases.

Ready to move money with confidence?

Nasara Pay helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide