Do You Do a Credit Check on Card Applicants?

Should you give a card to an employee with a poor credit history? This was a question someone asked me recently because his company was undecided about how to proceed. More on that below, including my opinion and related recommendations, but I also welcome diverse comments on the matter. Ultimately, every organization should be prepared to address this issue.

The Situation

The person who approached me works in the financial services industry. His company was interested in giving a Commercial Card (P-Card) to an executive assistant whose job responsibilities included making purchases and paying bills. However, when a routine credit check revealed the employee had a poor credit history, it sparked internal debate among senior management. Some thought the assistant should have a card, but with extra controls, such as low spend limits. Others disagreed with card issuance altogether. (It is unknown whether the credit check occurred before, or some time after, this person was hired). On a separate note, the employee had a clear criminal background check.

My Opinion

As I expressed to the person who contacted me, having a poor credit history does not mean a person will commit fraud. Nor does a clean credit check indicate a person will not commit fraud.

Since the employee in question was already hired and the job role involved procure-to-pay (P2P) duties, then she should have a card like anyone else in her same position. The caveat to my opinion is that this company, like every card-using organization, should be following Purchasing Card control best practices. Beyond that, I would be inclined to audit this employee’s card activity more often (if audits occur manually). Having an automated auditing solution would naturally address this. It is also important to remember that Commercial Cards have the added protection of liability waivers.

Conversely, by not giving the employee a card or by issuing a card with restricted usage, the company would need some sort of alternative process to cover her P2P responsibilities.

As demonstrated by the countless news stories on internal fraud, the real problem is organizations that are lax about controls and oversight, especially concerning long-time employees.

Related Resource

Report to the Nations on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners (ACFE), which includes a section on perpetrators.

What Else to Do

Credit checks are common, but has your organization defined the following details?

  • When will credit checks occur—pre-employment only or at certain intervals?

  • Which applicants/employees are subject to the process?

  • What type of results warrant specific action? For example, what would prevent someone from being hired and/or being issued a card?

While some situations will not fit into a neat box, establishing general parameters can help guide organization decision making. 

Would you give a Commercial Card to an employee with poor credit history?

Would you give a Commercial Card to an employee with poor credit history?

Educational Opportunities Related to Fraud Prevention

  1. Sign up to participate (no charge) in the AP Fraud Prevention Week by AP Now, October 7–11, 2019. Visit AP Now for details.

  2. Encourage your auditors to register for the October virtual workshop on Purchasing Card audits, sponsored by The Institute of Internal Auditors/Public Sector™ Audit Center. For details, including registration, visit The IIA website.



Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

A New Fraud Tactic and What You Can Do to Prevent It

New fraud tactics continue to emerge, as described below, and our defense strategies might fail unless we stay informed about what can happen. To discern between fraudulent and legitimate business communications, some people rely on verifying an email address. That is, they hover over the sender name and look for anything slightly off that would indicate a fraudster. Others feel comfortable with a request if it comes via phone versus email. These actions are not enough. AP Now issued a warning today about how criminals have stepped up their efforts, but there are things your organization can do to prevent becoming a victim.

The Fraud

As shared by AP Now, cyber criminals have used artificial intelligence (AI) and voice technology to impersonate a UK business owner, resulting in the fraudulent transfer of almost a quarter of a million dollars. Would your organization fall for something like this?

Prevention Tips

  1. As AP Now stresses, pick up the phone and verify the request using a phone number already on record. Alternatively, go to the organization’s website, get the main number and call. This should be done even if the caller ID associated with the transfer request seems to confirm the legitimacy of the call. Why? It is possible to spoof the number. While making a verification phone call is extra work, it could spare your organization a lot of pain.

  2. Update your internal controls as necessary. Besides telling employees to make a phone call to verify a request, ensure the written procedures specify this protective action.

  3. Anyone with the ability to spend or commit your organization’s money, such as accounts payable and cardholders, must stay educated about fraud tactics. Continuously share any examples you read about, discuss fraud within department meetings, and mandate annual training for employees.  

Educational Opportunities

The above is one of many issues that will be addressed during AP Now’s How to Recognize New Frauds during AP Fraud Prevention Week October 7–11, 2019. Visit AP Now to learn more.

In addition to what AP Now is doing, I will be delivering a virtual workshop on Purchasing Card audits, aimed at auditors, for The Institute of Internal Auditors/Public Sector™ Audit Center beginning October 16. For details, including registration, visit The IIA website.

Personal Experience

Speaking of fraudulent communications, I could have easily become a victim last week. I received an email reply from a company that I was doing business with. The sender’s email address was a correct match and the email content included my past communications with this company. The only odd part was that the sender included a zip file attachment, asking me to open to view details about our upcoming meeting. This did not seem right to me, so I called the phone number I had for this company. The employee confirmed her email had been hacked. Opening the zip file would have unleashed trouble for my computer. Always independently verify anything that seems odd.



Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Survey Results Reveal P-Card Control Opportunities

If you assume that most organizations require cardholders and the “manager-approvers” to sign an internal agreement pertaining to their card program role and responsibilities, I have contrary news. According to a survey on internal controls conducted by AP Now at the end of 2018, only 29% of the respondents whose organizations have a card program follow the best practice of requiring both groups to sign such an agreement. These organizations represent all types and sizes, proving that best practices are accessible to everyone. Keep reading to see more about the survey results, including a surprising outcome concerning card limits and restrictions.

Internal Agreements

Most organizations only require cardholders to sign an internal agreement, but there are even some organizations that do not utilize one at all. If you do not have one, make it a priority to develop one. Further, ensure your organization is not overlooking the manager-approvers who are responsible for confirming that cardholders’ transactions comply with program policies and procedures. Requiring them sign an internal agreement helps reinforce accountability for their role.

See more about internal agreements, including sample statements to include.

Card Controls

The survey by AP Now, which pertained to all sorts of AP-related controls—not just cards, also explored card controls like spend limits. Respondents were directed to check which ones—from a list of six—they apply to all or most cards. As shown in the graph below, it is very common to utilize a monthly/cycle spend limit, but the results for the other controls are lower than what I expected. Hence, there is ample opportunity here.

Card Controls Utilized_AP Now.JPG

Approximately one-third of respondents’ organizations only apply one or two of the above card controls to all or most employees’ cards. While I always try to steer end-user organizations away from being overly restrictive (to prevent declines of legitimate transactions and encourage card usage), I do recommend taking advantage of what is available. The key is to strike the right balance, aligning card controls with program goals. At a minimum, besides utilizing a monthly/cycle spend limit, organizations should block “high risk” merchant category codes (MCCs), including automated teller machines (ATMs).

Final Thoughts

Internal agreements and card controls are basic components of a program that help deter fraud. I have to wonder if the organizations that fall a bit short in these areas made conscious decisions about them or whether they simply got overlooked. The good news is both are easy to act on and improve.

If you are concerned about potential control gaps within your program, consider attending the three-hour virtual workshop on P-Card risk assessments June 25, hosted by AP Now.

Help your card program withstand the elements that could impede its success. Strengthen the protective controls.

Help your card program withstand the elements that could impede its success. Strengthen the protective controls.



Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more