
Dual Approval for Vendor Bank Changes: Small-Firm Setup

Direct answer. Dual approval for a vendor bank-detail change means two different people sign off before the new account is saved or paid. At a solo or two-person bookkeeping firm there isn’t always a second internal employee, so the “second approver” is the engagement owner at the client — or a partner firm — confirming the change in writing on a known channel. The control isn’t the second human; it’s the second independent signal plus a record of who approved what, when, on what channel, against which underlying request.

Done correctly, dual approval is what turns a single bookkeeper’s judgment call into a defensible firm decision — the kind a client, an auditor, or a cyber insurer can review months later and accept.

A note up front: this is general guidance, not legal or insurance advice. Confirm your specific approval requirements with your client engagement letter, your insurance broker, and (for IOLTA or regulated trust accounts) the relevant rules body.

Why one signature isn’t enough

A vendor bank change is the single highest-leverage data edit in your accounts payable workflow. Get it wrong once and the next ACH run sends client money to an account the attacker controls, and ACH and wire payments are rarely recoverable once the receiving bank has released the funds, so the control has to sit before the payment, not in the recovery process. The 2024 FBI Internet Crime Report attributed $2.77 billion in adjusted losses to business email compromise, much of it following a payee redirect: an email that read like a normal “our bank changed, please update before the next invoice” note (FBI IC3 2024 Report, p. 9).

A single approver means a single point of failure. If the same person:

  • Received the change request,
  • Decided it looked legitimate,
  • Updated the vendor record, and
  • Released the next payment —

then there is no independent check anywhere in the chain. Even an experienced bookkeeper on a bad Tuesday can be the only thing standing between a forged invoice and a six-figure ACH. Dual approval splits the request from the decision to act on it.

What dual approval actually means at a small firm

In a large finance department, dual approval is two named staff: a “maker” updates the vendor master file, a “checker” approves the update. That model doesn’t survive intact at a one- or two-person bookkeeping firm. What does survive is the principle: the change is verified through one channel, approved through a second, and recorded by name on both sides.

For a small firm running client AP, the most defensible setups are:

  • Bookkeeper + client engagement owner. You perform the callback to the vendor on an independently sourced number. The client owner (controller, partner, owner) then approves the change in writing — through the client’s known business email, a shared workspace they own, or a signed approval form. This is the most common small-firm setup and the one your engagement letter probably already implies.
  • Bookkeeper + partner firm or co-founder. If you have a peer reviewer (a partner, a co-owner, an outsourced second pair of eyes), they review the callback record and approve the change before it’s saved.
  • Self-approval with a hard threshold. Below a dollar threshold defined in your engagement letter (e.g., $500), one person can both verify and approve, provided the callback and the approval are still recorded. Above the threshold, no exceptions — second signal required.

Every one of those setups produces the same thing: two attributable signals against the same bank-change request, captured before money moves.

The five things to document on every change

Whichever setup you pick, what defends the change later is the record. At minimum, capture:

  • The original request. Email, portal message, or letter — saved, not summarized.
  • The callback evidence. Date, time, the number you called, where that number came from (signed contract, prior invoice, vendor master entry — not the change request itself), who you spoke with at the vendor, and what they confirmed in their own words.
  • The approver’s identity and channel. Not “client approved” — who approved, from what email or system, at what time.
  • The dollar threshold the change is being held against. So a reviewer can see why one person sufficed (or didn’t).
  • A tamper-evident trail. A spreadsheet edited after the fact is better than nothing, but a record where entries are time-stamped and can’t be silently altered is far more credible to an auditor or claims adjuster.

The shape of the record matters as much as the steps. Reviewers six months later read evidence, not memory.
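The tamper-evident trail in the last bullet is a small piece of engineering, not a product feature. The following is an added example, not CallbackProof’s implementation and not code from this page: a hash-chained, append-only log in Python where each entry carries the SHA-256 digest of the previous one, so a silent edit breaks verification at the edited entry. The record fields, timestamps, vendor and addresses are constructed. It also shows the limit a reviewer will probe: a chain held entirely by its author can be edited and rebuilt, which is why the head hash has to be anchored with a second party.

```python
"""Hash-chained, append-only log for vendor bank-change evidence.
Added example, not CallbackProof's implementation; the record fields,
timestamps and vendor data are constructed."""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64   # prev_hash of the first entry

def _canonical(obj: dict) -> bytes:
    # Deterministic serialization so the same entry always gives the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

@dataclass
class Entry:
    seq: int
    timestamp: str   # ISO-8601 UTC, passed in by the caller so the demo is reproducible
    event: str       # request_received | callback | approval | bank_detail_saved
    data: dict
    prev_hash: str
    hash: str = ""

    def digest(self) -> str:
        body = {"seq": self.seq, "timestamp": self.timestamp, "event": self.event,
                "data": self.data, "prev_hash": self.prev_hash}
        return hashlib.sha256(_canonical(body)).hexdigest()

class ChangeLog:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, timestamp: str, event: str, data: dict) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        e = Entry(len(self.entries), timestamp, event, data, prev)
        e.hash = e.digest()
        self.entries.append(e)
        return e

    def head(self) -> str:
        # The value to hand to a second party (e.g. the client) after each change.
        return self.entries[-1].hash if self.entries else GENESIS

    def verify(self) -> tuple[bool, int | None]:
        # Recompute every digest and every link; report the first broken seq.
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.digest() != e.hash:
                return False, e.seq
            prev = e.hash
        return True, None

    def rechain(self) -> None:
        # What someone who controls the whole file can do after editing it:
        # recompute every hash so verify() passes again. Only the head betrays it.
        prev = GENESIS
        for e in self.entries:
            e.prev_hash = prev
            e.hash = e.digest()
            prev = e.hash

def sample_log() -> ChangeLog:
    """One vendor change, recorded in the order the page prescribes (constructed data)."""
    log = ChangeLog()
    log.append("2025-03-03T14:02:00Z", "request_received",
               {"vendor": "Acme Supplies", "from": "ap@acme-supplies.example",
                "message_id": "<req-1@acme-supplies.example>", "new_account_last4": "4471"})
    log.append("2025-03-03T15:10:00Z", "callback",
               {"by": "bookkeeper@firm.example", "number_called": "+1-555-0100",
                "number_source": "signed_contract_2023", "spoke_with": "R. Patel, Acme AR",
                "confirmed_account_last4": "4471"})
    log.append("2025-03-04T09:30:00Z", "approval",
               {"by": "controller@clientco.example", "channel": "clientco.example mailbox",
                "message_id": "<appr-9@clientco.example>", "threshold_usd": 1000, "amount_usd": 12000})
    log.append("2025-03-04T09:45:00Z", "bank_detail_saved",
               {"by": "bookkeeper@firm.example", "vendor": "Acme Supplies", "account_last4": "4471"})
    return log

def tamper_demo() -> dict:
    """Edit the callback entry after the fact and report what each check sees."""
    log = sample_log()
    anchored_head = log.head()                               # imagine this went to the client on 03-04
    log.entries[1].data["confirmed_account_last4"] = "9922"  # the silent edit
    ok_after_edit, bad_seq = log.verify()
    log.rechain()                                            # insider rebuilds the chain
    ok_after_rechain, _ = log.verify()
    return {"detected": not ok_after_edit, "bad_seq": bad_seq,
            "rechained_passes_verify": ok_after_rechain,
            "head_matches_anchor": log.head() == anchored_head}
```

Run `sample_log().verify()` to see a clean chain and `tamper_demo()` to see the edit caught at entry 1. The second half of the demo is the caveat a claims adjuster will raise: anyone with write access to the whole file can edit an entry and recompute every hash, after which the chain verifies again. What exposes that rewrite is the head hash held by someone else, so the useful habit is to include the current head in the message you send the client for approval, or in the client’s own copy of the log, every time a change is saved; that makes the second-party approval the page already requires double as the external anchor.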

Where the “solo” version still works

You’ll see online guidance saying segregation of duties is impossible for a solo operator. That isn’t true for the vendor bank-change control specifically, because the client is already an independent party. The structural separation already exists: you are not the person whose money is moving. The work is to make that structural separation operational — to require, every time, that the client (or your designated alternate approver) explicitly approves the change on a channel of their own, in writing, before the new banking is saved.

Two practical patterns that hold up:

  • The “approve via client domain” rule. The client owner’s approval must come from their own business email or a shared system you both use, and “known” means an address or system that was on file before the change request arrived, not one named in the request or copied on it. A reply on the change-request thread doesn’t count: if the vendor’s mailbox was compromised or the sender was spoofed, every reply in that thread, including one that appears to come from your client, travels through the channel the attacker set up. A new message from the client’s known address, started outside the thread, counts.
  • The “no payment without two stamps” rule. Your AP runbook treats the vendor bank-change record as a pre-condition for the next payment to that vendor. If the record isn’t there with two attributable approvals, the payment doesn’t go out.

Both rules are enforceable by a solo bookkeeper because they don’t require a second internal employee — they require a procedure you refuse to break.
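Both rules can be checked mechanically before a payment is released. The following is an added example, not the page’s or CallbackProof’s code; every domain, address and message in it is constructed. It parses the saved request and each approval with Python’s standard email module and refuses to release payment when an approval is a reply inside the request thread (its In-Reply-To or References names the request’s Message-ID), when its From domain is not one that was on file before the request, when the callback used the number supplied in the request, or when the pending amount is at or above the threshold and only the bookkeeper’s own callback signal exists. Treating an amount exactly at the threshold as needing the second signal is an assumption; the page says only “above”.

```python
"""Pre-payment gate for a vendor bank-change record. Added example, not the
page's or CallbackProof's code; every domain, address and message is constructed."""
from __future__ import annotations
import email
from dataclasses import dataclass, field
from email.utils import parseaddr

@dataclass
class Callback:
    performed_by: str    # the bookkeeper: first attributable signal
    number_source: str   # contract | prior_invoice | vendor_master | change_request

@dataclass
class ChangeRecord:
    amount_pending: float
    threshold: float
    known_client_domains: set[str]    # on file BEFORE the request arrived
    request_raw: str                  # the change request, saved as it arrived
    callback: Callback
    approval_raws: list[str] = field(default_factory=list)

def _sender(msg) -> tuple[str, str]:
    """(address, domain) from the From header, lowercase; empty strings if unparseable."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr, (addr.rsplit("@", 1)[-1] if "@" in addr else "")

def check_approval(record: ChangeRecord, raw: str) -> tuple[bool, str]:
    """Approve-via-client-domain rule: a NEW message from a domain already on file."""
    req = email.message_from_string(record.request_raw)
    ap = email.message_from_string(raw)
    addr, dom = _sender(ap)
    # Message-IDs this mail claims to be a reply to; a reply to the request is rejected.
    replied_to = set((ap.get("In-Reply-To") or "").split()) | set((ap.get("References") or "").split())
    req_id = (req.get("Message-ID") or "").strip()
    if req_id and req_id in replied_to:
        return False, f"{addr}: reply inside the change-request thread, rejected"
    if dom not in record.known_client_domains:
        return False, f"{addr}: From domain {dom!r} is not a client domain on file, rejected"
    return True, f"{addr}: new message on client domain {dom}, accepted"

def gate(record: ChangeRecord) -> tuple[bool, list[str]]:
    """No-payment-without-two-stamps rule. Returns (release_payment, reasons)."""
    reasons: list[str] = []
    release = True
    if record.callback.number_source == "change_request":
        release = False
        reasons.append("callback used the number supplied in the change request itself")
    signals = {record.callback.performed_by.lower()}
    for raw in record.approval_raws:
        ok, why = check_approval(record, raw)
        reasons.append(why)
        if ok:
            signals.add(_sender(email.message_from_string(raw))[0])
    # Assumption: an amount exactly at the threshold already needs the second signal.
    needed = 2 if record.amount_pending >= record.threshold else 1
    if len(signals) < needed:
        release = False
        reasons.append(f"{len(signals)} attributable signal(s), {needed} required at ${record.amount_pending:,.2f}")
    return release, reasons

# Constructed sample messages (headers, blank line, body).
REQUEST = """\
From: AP <ap@acme-supplies.example>
Message-ID: <req-1@acme-supplies.example>
Subject: Updated banking details

Our bank changed, please update before the next invoice.
"""
GOOD_APPROVAL = """\
From: Jane Controller <controller@clientco.example>
Message-ID: <appr-9@clientco.example>

Callback notes reviewed. Acme Supplies bank change approved.
"""
REPLY_APPROVAL = """\
From: Jane Controller <controller@clientco.example>
Message-ID: <appr-10@clientco.example>
In-Reply-To: <req-1@acme-supplies.example>

Looks fine, go ahead.
"""
LOOKALIKE_APPROVAL = GOOD_APPROVAL.replace("clientco.example", "clientc0.example")

def sample_record(amount: float, approvals: list[str], number_source: str = "contract") -> ChangeRecord:
    cb = Callback("bookkeeper@firm.example", number_source)
    return ChangeRecord(amount, 1000.0, {"clientco.example"}, REQUEST, cb, approvals)

def run_scenarios() -> dict[str, bool]:
    return {  # scenario -> would the gate release the payment?
        "new_message_from_client_domain": gate(sample_record(12_000, [GOOD_APPROVAL]))[0],
        "reply_in_request_thread":        gate(sample_record(12_000, [REPLY_APPROVAL]))[0],
        "lookalike_client_domain":        gate(sample_record(12_000, [LOOKALIKE_APPROVAL]))[0],
        "below_threshold_callback_only":  gate(sample_record(300, []))[0],
        "above_threshold_callback_only":  gate(sample_record(12_000, []))[0],
        "callback_on_requests_number":    gate(sample_record(12_000, [GOOD_APPROVAL], "change_request"))[0],
    }
```

Call `run_scenarios()` to see which cases release payment, or `gate(...)` directly for the reasons list you would paste into the record. Two caveats a practitioner should keep in mind: the From and threading headers are only as trustworthy as your mail provider’s inbound SPF, DKIM and DMARC enforcement, so the check assumes spoofed mail is already being rejected at the gateway; and a compromised client mailbox sends a perfectly valid new message, which is why the independently sourced callback stays a separate leg of the control rather than being replaced by this check.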

What insurers and auditors actually look for

A cyber or crime insurer reviewing a denied social-engineering claim, or an auditor asking about your AP controls in an engagement review, is testing the same thing: did the firm have a written procedure, and can it produce evidence the procedure was followed for this specific change, including a second attributable approval where required.

What they typically want to see, in order:

  1. A written vendor bank-change verification procedure.
  2. The original change request as it arrived.
  3. The callback evidence, sourced independently.
  4. The second approver’s identity and channel.
  5. A time-stamped record connecting all four to the same vendor and the same payment cycle.

Firms get tripped up on item 4 more than any other. They performed the callback, made the right call — and never captured who approved it on the client side, or accepted approval on the same thread as the request. That’s the gap that small-firm dual approval is designed to close.

Making it part of the AP routine

The reason firms quietly drop dual approval isn’t laziness — it’s that, in the moment, the request looks legitimate and the next payment feels urgent. The fix is to make the procedure the default path, not a judgment call. Every payment-detail change is treated as unverified until: (a) the callback is performed on an independently sourced number, (b) the second approver signs off on a known channel, and (c) all of it is logged. No record, no payment.

If you want a ready-made version, our free vendor bank-change verification template lays out the independent-contact rule, a word-for-word callback script, a dual-approval step, and a one-page log sheet — no signup, nothing to buy. For the underlying mechanics, see how to verify a vendor bank account change, and for the firm-level picture, accounts payable internal controls for bookkeeping firms.

CallbackProof itself is a documentation and workflow tool: it enforces the callback-and-approval sequence and keeps a tamper-evident, hash-chained log across all of your clients, so when an insurer or auditor asks for your dual-approval record, you hand them the record instead of trying to reconstruct it.

Frequently asked questions

Can a solo bookkeeper run dual approval at all?

Yes — with the client (or a designated client-side approver) as the second signal, in writing, on a known channel. The structural separation already exists; the work is to operationalize it on every change.

Does the second approver have to be inside my firm?

Not for the vendor bank-change control. The point is two attributable signals against the same change, not two firm employees. The client owner approving in writing satisfies that — and is often what your engagement letter expects.

What dollar threshold should trigger mandatory dual approval?

Many small firms set it at the lowest amount their client engagement letters define for “material” changes — commonly $500–$1,000. Below the threshold, one person can verify and approve provided the record is still kept. Above it, no exceptions.

What’s the most common failure mode?

Accepting the second approval on the same email thread as the original change request. If an attacker controls the thread, both “approvals” come from the same compromised channel. The second approval must arrive on a separate, independently known channel.

Next: the procedure your team can adopt — the free vendor bank-change verification template →