By the time the invoice lands in your accounts payable (AP) system, it may already be too late. That is the working assumption Martin Resch wants every chief financial officer (CFO) in the country to adopt. As President and Chief Executive Officer (CEO) of Cass Information Systems, the 120-year-old St. Louis firm that processes more than $90 billion in payments annually on behalf of its corporate clients, Resch has a vantage point on payment fraud that few executives can match. What he sees demands a fundamental rewrite of how finance teams think about risk. “Every financial process has to move to a zero-trust environment,” Resch states. “The expectation should be that every transaction is fraudulent until proven that it is not, as opposed to the old model of accepting a transaction as valid until you identify fraud.”
The Economics of Forged Trust
The threat most boardrooms have not yet absorbed is not sophisticated; it is cheap. On the dark web, fake invoice creation engines are available for next to nothing, preloaded with thousands of vendor portals and geo-targeted to generate convincing regional utility bills, such as Pacific Gas and Electric invoices for California portals, that are visually indistinguishable from legitimate ones. The economic asymmetry is what Resch returns to most often: building defenses is expensive and slow, while attacks have become cheaper.
That asymmetry has rendered much of the conventional AP wisdom obsolete. The pattern-matching that once allowed AP systems to recognize recurring vendors – the kind of learning that made a utility bill pop up automatically after the third or fourth appearance – is now precisely the predictability that fake invoice engines exploit. The fictitious invoice looks exactly like the real one. Processes that were once sufficient no longer are, and most internal teams have not yet recalibrated to that reality.
Visibility First, Then Control
Effective risk management in high-volume payment environments begins with knowing what is actually happening inside your own systems. “You need visibility and transparency through your process flow,” Resch insists. “You can only control those transactions if you can see them.” Each step in the process needs a defined control point and a clear exception protocol. When a vendor’s remittance details on an incoming invoice differ from those captured at onboarding, that mismatch is the signal. The question is whether the organization has built the capability to catch it before the payment goes out.
Much of this has gotten harder as payment channels have multiplied. Where corporate treasurers once routed nearly everything through a single bank portal with tight control points, today’s CFO faces a sprawl of rails: automated clearing houses (ACHs), wires, virtual cards, real-time networks, and financial technology (fintech) channels marketed on the promise of rebate revenue. Each new channel is a new attack surface. On rebates specifically, Resch is direct: “This idea that card rebates are a revenue source or an expense offset is massively overstated.”
Friction Is Now a Feature
The implication for finance leaders accustomed to optimizing for vendor experience is uncomfortable. Zero trust in payments explicitly trades convenience for security at the front end. Vendors should be required to create authenticated profiles. Two-factor authentication at submission becomes baseline, and generic upload portals designed to lower friction for new suppliers become liabilities. “You want to make it more challenging for vendors to submit,” Resch acknowledges, “which isn’t ideal, but you just can’t enable a generic portal for somebody to upload an invoice anymore.”
The trade-off holds on the back end. A vendor that clears the higher onboarding bar processes straight through and gets paid on time. The friction lives at the door, not in the payment cycle. This is also not something that can be managed off the side of someone’s desk. “This has to be somebody’s role,” Resch says, unequivocal. “They’ve got to own it. They’ve got to have accountability for risk management, transparency and visibility.” For organizations not willing to build that capability internally, the answer is a partner who has already embedded those controls into their process. What is not an option, given how fast the threat is moving, is assuming that yesterday’s approach will handle tomorrow’s exposure.