IOLTA Trust Account Vendor Verification for Bookkeepers

Before any vendor payment leaves an IOLTA trust account, the bookkeeper running AP for the law firm should call the vendor back on a number sourced independently of the change request, confirm the new account number, routing number, and remittance details verbally, and capture the call in a record that an auditor or the state bar can read months later. The lawyer is the one whose license is on the line if the disbursement turns out to be unauthorized — but the verification work, and the documentation that proves it happened, almost always sits with the bookkeeper.

That is the entire procedure in one paragraph. The rest of this page is why it matters more for IOLTA than for an operating account, what to actually verify, and how to keep the record so the firm can produce it on demand.

A note up front: this is general operational information, not legal, insurance, or trust-accounting advice. State bar rules on IOLTA vary by jurisdiction. Confirm any record-retention period, dual-control requirement, or sanction with the firm's compliance counsel and the relevant state bar.

Why IOLTA raises the stakes

An IOLTA (Interest on Lawyer Trust Account) holds money the firm does not own — settlement proceeds, retainers not yet earned, escrow on real estate, medical lien funds, third-party payee distributions. Every state bar treats misuse as a discipline issue, and the American Bar Association's IOLTA compliance guidance reminds practitioners that the responsible lawyer is personally accountable for misappropriation even when the mistake was made by a paralegal or bookkeeper. “I didn't see it; the bookkeeper paid the wrong account” is not a defense in front of a bar disciplinary panel.

That changes the risk profile of an everyday operational mistake. On an operating account, paying a fraudulent vendor change request costs the firm money and triggers an insurance claim. On an IOLTA, the same mistake can become a state bar grievance, a malpractice exposure, and — in the wrong jurisdiction — a public reprimand or suspension. The procedure is not heavier because IOLTA vendors are different. It is heavier because the consequences of skipping it are.

The vendor payments that actually go out of an IOLTA

Bookkeepers new to legal accounting sometimes assume an IOLTA only holds retainer cash. In practice, third-party vendor payments flow out of trust constantly. The common ones:

  • Settlement disbursements to opposing counsel, claimants, lienholders, or medical providers.
  • Court reporters for deposition transcripts billed to the client matter.
  • Expert witnesses — economists, medical experts, accident reconstructionists.
  • E-discovery and litigation-support vendors invoicing per matter.
  • Process servers, investigators, and translators.
  • Mediation, arbitration, and special master fees.
  • Refunds of unearned retainers back to the client.
  • Real-estate escrow distributions in transactional practices.

Every one of those payees can send a “we changed banks, please update our remittance” email. Every one of them, paid out of the wrong account because the change request was actually from an attacker, becomes an unauthorized IOLTA disbursement.

What to verify before any IOLTA vendor payment

The control is the same one that protects an operating-account payment, applied with no exceptions:

  • Call back on an independent number. Use a phone number the firm already had in the vendor master file, on a prior signed engagement letter, or on an earlier invoice — not a number, link, or reply address from the message asking for the change. Attackers helpfully provide their own “new” number; calling it just connects you to the attacker.
  • Confirm the change verbally. Ask the vendor to state the new account number and routing number out loud. Read your record back to them; do not let them simply say “yes” to a number you read first.
  • Identify the matter and the client. On an IOLTA, every disbursement ties to a specific client ledger. Confirm the payment relates to a matter that has cleared funds in trust, not a matter funded from operating.
  • Apply dual approval. A second authorized signer reviews and approves the change before it is keyed into the bill-pay tool. Most state bars expect dual control over IOLTA disbursements regardless; this is the same control extended to the vendor record.
  • Log everything in a tamper-evident record. Date and time of the call, name and role of the person you spoke with, the number you called and where it came from, what was confirmed in their words, and the second approver. A note added to a spreadsheet after the fact is better than nothing; a time-stamped log that cannot be silently back-dated is what survives an audit.
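One way to make the log described in the last item tamper-evident is a hash chain, where each entry's hash covers the entry before it. The sketch below is an added example, not code from this page or from any product it mentions; the field names, vendors, people and phone numbers are constructed for illustration, and it also refuses entries that skip the independent-number or dual-approval steps from the list above.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used for the first entry in the chain

def _digest(prev_hash, body):
    # Canonical JSON so the same entry always produces the same hash.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append_entry(log, body, request_contacts):
    """Append one callback record, refusing entries that skip a checklist control."""
    if body["number_called"] in request_contacts:
        raise ValueError("number called was taken from the change request")
    if not body.get("approver") or body["approver"] == body["verified_by"]:
        raise ValueError("dual approval requires a second, different person")
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev_hash": prev, "body": dict(body), "hash": _digest(prev, body)})
    return log[-1]["hash"]

def verify_chain(log):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev or rec["hash"] != _digest(prev, rec["body"]):
            return i
        prev = rec["hash"]
    return None

def sample_log():
    # Constructed sample data: vendors, people and numbers are fictitious.
    log = []
    base = {"verified_by": "bookkeeper A", "approver": "attorney B",
            "number_source": "vendor master file"}
    append_entry(log, {**base, "call_time": "2026-03-02T14:05:00Z",
                       "vendor": "Example Court Reporting", "matter": "M-0001",
                       "number_called": "+1-555-0100", "spoke_with": "J. Doe, AR manager",
                       "confirmed": "vendor stated new routing and account numbers"},
                 request_contacts={"+1-555-0199"})
    append_entry(log, {**base, "call_time": "2026-03-09T10:30:00Z",
                       "vendor": "Example Expert LLC", "matter": "M-0002",
                       "number_called": "+1-555-0101", "spoke_with": "R. Roe, owner",
                       "confirmed": "vendor stated no bank change was requested"},
                 request_contacts={"+1-555-0198"})
    return log

if __name__ == "__main__":
    log = sample_log()
    print("intact log, first bad entry:", verify_chain(log))
    log[0]["body"]["call_time"] = "2026-02-20T09:00:00Z"  # silent back-dating attempt
    print("after edit, first bad entry:", verify_chain(log))
```

A hash chain only exposes edits to earlier entries if the latest hash is also kept somewhere the person editing the log cannot rewrite, such as a copy sent to the second approver after each entry.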

NACHA Phase 2 applies to IOLTA, too

This is not an academic point this week. The NACHA Risk Management Topics page describes the rule taking effect June 22, 2026 that requires every business originating an ACH credit to use a “commercially reasonable” method to validate the destination account before the first credit. There is no volume floor and no carve-out for trust accounts: an IOLTA paying a vendor by ACH is an originator under the rule. The 2025 AFP Payments Fraud and Control Survey reports that 79 percent of organizations were targeted by payments fraud in 2024, and BEC remained the most common vector — a baseline risk that does not stop at the bar admission line. A bookkeeper updating a court reporter's bank account in the firm's bill-pay tool is now executing exactly the workflow the rule covers.

The three-way reconciliation is not the verification

A common point of confusion: monthly three-way reconciliation between the trust ledger, the client sub-ledgers, and the bank statement proves the IOLTA balances. It does not prove the vendor whose account you paid is actually the vendor the firm meant to pay. Reconciliation catches arithmetic and recording errors after the money has moved. The verification log catches identity errors before the money moves. Both controls are required; neither substitutes for the other.

What the lawyer owns vs. what the bookkeeper owns

The lawyer owns the trust account, the bar license, and the ultimate responsibility for any misappropriation. The bookkeeper owns the workflow: who calls, what they ask, what gets logged, who approves, and how the firm reproduces the record when it is asked for one. Putting the procedure in writing and following it every time is the part the bookkeeper controls — and the part the firm will be evaluated on if anything goes wrong.

If you want a starting policy your firm can adopt today, our free vendor bank-change verification template includes the independent-contact rule, a word-for-word callback script, a dual-approval step, and a log-sheet layout — no signup. The companion piece on vendor verification for bookkeeping firms running client AP covers the multi-client operational shape, and the NACHA Phase 2 article walks through the new rule firms have to comply with starting Monday.

CallbackProof itself is a documentation and workflow tool: it enforces the callback-and-approval sequence and keeps a tamper-evident, hash-chained record across every client account, so when the bar, an auditor, or the firm's malpractice carrier asks for the verification record on an IOLTA disbursement, the firm hands it over instead of trying to reconstruct it.

Frequently asked questions

Does the bookkeeper need to be a lawyer to do this?

No. The verification, documentation, and bill-pay workflow are bookkeeping tasks, not legal advice. The responsible attorney still has to authorize the disbursement and remains accountable to the bar; the bookkeeper carries out and records the control.

Do small law firms really get targeted with vendor-change fraud?

Yes. The targeting pattern is opportunistic — attackers harvest expert-witness and court-reporter names from public filings and send spoofed change requests to firms of every size. Solo and small firms are often considered easier targets because procedures are less formal.

Is calling the vendor enough, or do I need to write it down?

Both. Calling satisfies the control; writing it down is how the firm proves the control was applied. An unrecorded verification is operationally the same as no verification when a regulator, auditor, or insurer asks for the record.

How does this interact with state-specific IOLTA rules?

State bars set their own trust-accounting rules, and many require specific record-retention periods (often five to seven years) and dual-control practices. The callback procedure described here is a workflow control that complements those rules; it does not replace what the state bar requires. Confirm with your jurisdiction's lawyer-trust-account guidelines and the firm's compliance counsel.
