April 07, 2023

A Checklist Approach to Reduce Fraud in Payroll Origination

Author

Devon Marsh

Senior Director, ACH Network Administration

Nacha

A checklist approach to initiating a payroll can help ACH Originators and Third-Party Senders comply with rules and regulations, avoid errors, and reduce fraud. Nacha has published a general electronic payment initiation checklist that contains 10 steps. A checklist for payroll origination closely resembles the basic checklist, but includes steps tailored to a payroll environment.

These steps help mitigate the risk of fraud schemes that attempt to redirect payroll transactions to accounts controlled by fraudsters. Although the sample checklist below addresses a single transaction, its steps apply equally well to a batch of transactions.

Sample Electronic Payroll Origination Checklist

  1. Authenticate the requestor when adding or updating a Receiver (i.e., a payee).
  2. Confirm any change request through a separate channel, using known contact information.
  3. Verify the account number of the Receiver prior to the first payment.
  4. Verify the routing number of the Receiver prior to the first payment.
  5. Confirm the effective date of the transaction.
  6. Confirm payment-related information.
  7. Confirm sufficient funds in the payroll funding account.
  8. Obtain approval for the transaction.
  9. Initiate the transaction.
  10. Require a second person to confirm and release the transaction.

 

The first step in this checklist is critically important. A great deal of fraud is predicated on a change of account information to redirect a payment. For this reason, some practitioners advise treating any request to change account information as an attempt to commit fraud. Authenticating a requestor and confirming a request through a separate channel, using known contact information, can greatly reduce the likelihood of successful fraud.

 

The last two steps in the Electronic Payment Checklist constitute a traditional fraud mitigation activity called “dual control.” Originally designed to thwart internal fraud, dual control has a renewed relevance in an age of identity theft, imposter fraud, and business email compromise.
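One way a payroll system could enforce steps 1, 2, 8 and 10 before an entry is released, shown as an added example that is not Nacha's code; the record types, field names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ChangeRequest:                # hypothetical record of a Receiver account change
    receiver_id: str
    requestor_authenticated: bool   # step 1
    request_channel: str            # channel the request arrived on
    confirm_channel: Optional[str]  # channel used to confirm it (step 2)
    confirm_contact: Optional[str]  # contact detail actually used to confirm

@dataclass
class Payment:                      # hypothetical payroll entry awaiting release
    receiver_id: str
    approved_by: Optional[str]      # step 8
    initiated_by: str               # step 9
    released_by: Optional[str]      # step 10

def release_blockers(pay, change, contact_on_file):
    """Return the checklist steps that still block release (empty list = clear)."""
    blockers = []
    if change is not None and change.receiver_id == pay.receiver_id:
        if not change.requestor_authenticated:
            blockers.append("step 1: requestor not authenticated")
        if change.confirm_channel is None or change.confirm_channel == change.request_channel:
            blockers.append("step 2: not confirmed through a separate channel")
        elif change.confirm_contact != contact_on_file.get(change.receiver_id):
            # Contact details supplied with the request itself do not count as "known"
            blockers.append("step 2: confirmed with contact details not already on file")
    if pay.approved_by is None:
        blockers.append("step 8: no approval")
    if pay.released_by is None or pay.released_by == pay.initiated_by:
        blockers.append("step 10: release needs a second person")
    return blockers

# Constructed sample data: the contact on file, and two change requests that differ
# only in which phone number was called to confirm the change.
ON_FILE = {"emp-1001": "+1-555-0100"}
suspect = ChangeRequest("emp-1001", True, "email", "phone", "+1-555-0199")
clean = ChangeRequest("emp-1001", True, "email", "phone", "+1-555-0100")
self_released = Payment("emp-1001", "mgr-a", "clerk-b", "clerk-b")
dual = Payment("emp-1001", "mgr-a", "clerk-b", "clerk-c")

if __name__ == "__main__":
    print(release_blockers(self_released, suspect, ON_FILE))
    print(release_blockers(dual, clean, ON_FILE))
```

The first call is blocked on steps 2 and 10 because the callback went to a number that was not on file and the initiator also released the entry; the second call returns no blockers.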

Although this list focuses on ACH, it could apply to any push payment channel. Some of the steps are required by rule or law, while others are necessary to route the transaction appropriately. When any step goes wrong, the error decreases the efficiency of the payment process. It can even cause a transaction to be misrouted, possibly without opportunity for recovery. The checklist therefore offers a low-cost tool that can provide value to a payroll practitioner or processor by reducing the risk of error and fraud.