Funds Transfer Authentication Policy

This policy establishes authentication requirements for processing funds transfers and banking detail changes to protect Vaxa from fraudulent payment requests and business email compromise.

Purpose

The purpose of this policy is to protect Vaxa from fraudulent payment requests, business email compromise, and unauthorised banking detail changes by establishing mandatory authentication requirements for processing funds transfers and updating banking information.

Scope

This policy applies to:

  • All Vaxa employees, contractors, and third parties authorised to process payments or modify banking details
  • All funds transfer requests, regardless of payment method (electronic transfer, wire transfer, cheque, etc.)
  • All requests to add or modify banking details for suppliers, employees, or other payees

Responsibilities

  • Finance team is responsible for implementing and enforcing the authentication procedures outlined in this policy, including maintaining records of all verification activities.
  • Payment approvers are responsible for ensuring proper authentication is completed before authorising any funds transfer over $5,000 or any banking detail change.
  • All employees are responsible for following the authentication procedures when requesting or processing payments, and reporting any suspicious payment requests immediately.
  • Managing Director is responsible for approving exceptions to this policy and ensuring adequate resources are allocated for compliance.

Policy/Process/Standard

Funds Transfer Authentication Requirements

All funds transfer requests over $5,000 must be authenticated using a secondary means of communication before processing. The authentication must:

  1. Use a communication channel different from the original request channel
  2. Be documented with details of who verified, when, and how
  3. Confirm the legitimacy of the payment request with the authorised requester

Approved Secondary Communication Channels

The following communication methods are approved for secondary authentication (original request channel must not be reused):

  • Phone call to a verified contact number (from company directory or previously confirmed)
  • Video call with visual identification of the requester
  • SMS/text message to a verified mobile number
  • In-person verification (where practical)
  • Alternative email address that has been pre-registered and verified (not used for the original request)

Email alone is not acceptable as the sole secondary communication channel if the original request was also by email.

Authentication Procedure

When processing a funds transfer request over $5,000:

  1. Receive the payment request through standard channels (email, purchase order, invoice, etc.)
  2. Before processing, contact the requester using a different communication channel from the approved list above
  3. Verify the following details:
    • Payee name and amount
    • Purpose of payment
    • Banking details (if new or changed)
    • Authority to request the payment
  4. Document the verification including:
    • Date and time of verification
    • Method used (phone, video call, etc.)
    • Contact details used
    • Name of the person contacted to confirm the request
    • Name of the person performing the verification
  5. Process the payment only after successful verification

Banking Detail Change Authentication

All requests to add or modify banking details must be authenticated using a secondary means of communication, regardless of transaction amount. This applies to:

  • New supplier banking details
  • Changes to existing supplier banking details
  • Employee banking details for payroll
  • Changes to any payee banking information

Authentication Procedure for Banking Detail Changes

  1. Receive the request to change or add banking details
  2. Contact the requester using a different communication channel from the approved list
  3. Verify the following:
    • Identity of the requester
    • Authority to request the change
    • Accuracy of the new banking details (read back the details)
    • Reason for the change
  4. For supplier banking detail changes, consider requesting supporting documentation (e.g., letter on company letterhead, bank statement)
  5. Document the verification as outlined above
  6. Update the banking details only after successful verification
  7. Notify the payee of the change via a separate communication confirming the update

Emergency and Exception Procedures

In exceptional circumstances where immediate payment is required and secondary authentication cannot be completed promptly, the following emergency procedure may be used:

  1. The Managing Director or designated delegate must approve the payment
  2. Enhanced due diligence must be performed, including additional verification steps where possible
  3. The payment must be documented as an exception with full justification
  4. Retrospective verification must be completed within one business day
  5. A report of all exceptions must be reviewed monthly by the Managing Director

All exceptions must be recorded and reviewed as part of the compliance monitoring process.

Suspicious Activity Reporting

Any of the following should be treated as red flags and warrant additional scrutiny:

  • Unexpected or unusual payment requests
  • Urgent or pressured requests to process payments quickly
  • Requests to change banking details without prior notice
  • Requests that bypass normal approval processes
  • Communication from unusual email addresses or phone numbers
  • Requests that deviate from established payment patterns

Suspected fraudulent requests must be reported immediately to the Finance team and the Managing Director. Do not process the payment until the matter has been investigated and resolved.

Compliance and Monitoring

Training

All staff involved in payment processing must complete training on this policy and fraud awareness annually. New staff must complete training within one month of commencing duties involving payment processing.

Auditing

The Finance team will:

  • Maintain records of all authentication activities for payments over $5,000 and banking detail changes
  • Conduct monthly reviews of compliance with this policy
  • Review all exceptions and assess whether policy adjustments are needed
  • Report compliance metrics and trends to the Managing Director quarterly

Non-Compliance

Failure to comply with this policy may result in:

  • Immediate review of payment processing privileges
  • Retraining requirements
  • Disciplinary action up to and including termination of employment
  • Personal liability for losses resulting from unauthorised payments where policy was not followed

Records Retention

All authentication records must be retained for a minimum of seven years in accordance with financial record-keeping requirements.

Related Documents

  • Corporate Credit Card Policy (POL-FIN-0001)
  • Instrument of Delegations—Financial Authorisations
  • Crimes Act 1914 (Cth)