By NHI Mgmt Group Editorial TeamPublished 2026-07-08Domain: Cyber SecuritySource: SumSub

TL;DR: B2B payment fraud often emerges after onboarding, through spend behaviour, vendor relationships, approval workflows, reimbursements, and subscription management, with the ACFE's 2026 Report to the Nations finding organisations lose 5% of annual revenue to fraud and wait a median of 12 months to detect it. The control problem is not verification alone, but continuous visibility, enforcement, and lifecycle monitoring across the payment stack.


At a glance

What this is: This report examines how B2B payment fraud accumulates in the operational layer after onboarding and why lifecycle controls matter more than one-time verification.

Why it matters: It matters to IAM, fraud, and governance teams because payment controls increasingly depend on identity verification, approval integrity, and ongoing monitoring across human and non-human workflows.

By the numbers:

👉 Read Sumsub's report on B2B payment fraud across the full payment lifecycle


Context

B2B payment fraud is a governance problem as much as a finance problem. Once onboarding is complete, risk often shifts into approvals, vendor maintenance, reimbursements, subscription billing, and spend policy exceptions, where weak controls are harder to see and slower to stop.

The identity connection is real even when the article focuses on finance operations. Strong KYB, UBO mapping, sanctions screening, and transaction monitoring all depend on trustworthy identity data and controlled access, while shared finance tooling can create non-human identity risk through service accounts, integrations, and automated approvals.


Key questions

Q: How should organisations reduce B2B payment fraud after onboarding?

A: They should treat onboarding as only the first control point and add continuous monitoring across approvals, vendor changes, reimbursements, and subscription activity. The strongest programmes join KYB, UBO, sanctions screening, and transaction monitoring so risk is rechecked as behaviour changes. That is how teams catch fraud that appears operationally legitimate at first.

Q: Why does payment fraud persist even when identity checks are strong?

A: Because identity checks verify entry, not future behaviour. Fraud often develops later through threshold splitting, duplicate payments, policy exceptions, and automation abuse, which means the organisation loses control after trust has been granted. Strong identity verification reduces bad actors at intake, but it does not replace ongoing transaction governance.

Q: What do finance teams get wrong about fraud monitoring?

A: They often rely too heavily on reconciliation and post-payment review, which means the money has already moved before anomalies are challenged. Effective monitoring needs control points inside the workflow, where exceptions can be blocked or escalated in real time. Otherwise, policy becomes documentation instead of enforcement.

Q: Who is accountable when automated payment workflows are abused?

A: Accountability should sit with the business owner of the workflow, the finance control owner, and the security or identity team responsible for access governance. If automation uses service accounts, API keys, or delegated approvals, those identities must be governed like privileged access. Shared ownership only works when every control point has a named operator.


Technical breakdown

Why payment fraud concentrates after onboarding

Onboarding controls are designed to screen out obvious bad actors, but they do not govern the day-to-day changes that create fraud opportunity. After approval, vendors change bank details, employees split purchases to stay under thresholds, subscriptions renew unnoticed, and reimbursements become a channel for policy abuse. The operational layer is where process drift meets trust. That makes fraud harder to identify because the activity looks routine until a pattern emerges across multiple systems.

Practical implication: move from one-time verification to continuous monitoring of vendor, spend, and approval changes.

How policy without enforcement creates payment exposure

Policy documents can define what should happen, but payment fraud is prevented by controls that block or challenge transactions in real time. If thresholds, approval routing, and allowed merchant categories are only checked during reconciliation, the organisation has already absorbed the risk. Effective enforcement requires control points inside the payment workflow, not just after-the-fact review. That is especially true where finance teams rely on shared platforms, delegated access, or automation to move faster.

Practical implication: embed approval and exception checks into the payment path before money moves.

Why identity and monitoring need to be linked

The article's core insight is that identity verification alone is insufficient once operational risk starts to evolve. KYB, UBO mapping, and sanctions screening reduce exposure at intake, but fraud often appears later through changes in behaviour, relationships, or access patterns. Connecting identity records to transaction monitoring gives teams a way to detect mismatches between who was approved and how the account is actually being used. That makes governance measurable rather than static.

Practical implication: correlate identity, vendor, and transaction data in one control layer.


Threat narrative

Attacker objective: The attacker objective is to extract recurring financial value from trusted payment processes without triggering immediate detection.

  1. Entry occurs when a legitimate vendor, employee, or account passes onboarding checks and enters the payment workflow with trusted status.
  2. Escalation happens through threshold splitting, reimbursement manipulation, duplicate vendor setup, or unauthorized subscription changes that bypass human review.
  3. Impact follows as losses accumulate slowly across multiple payment cycles, often before teams recognise the pattern as fraud.

NHI Mgmt Group analysis

Payment fraud after onboarding is a lifecycle control problem, not an onboarding failure. The article correctly shifts attention away from entry checks and toward the operational layer where spend behaviour, approvals, and vendor changes evolve. That is where identity assurance decays if it is not continuously revalidated. Practitioners should treat post-onboarding monitoring as part of identity governance, not as a separate finance function.

Continuous verification is the missing control concept in B2B payment governance. The report shows why approval policy is not enough when the real risk appears inside vendor maintenance, subscription changes, and reimbursement flows. A meaningful control model needs ongoing linkage between verified identity, authorised purpose, and transaction behaviour. Teams should govern the relationship, not just the record.

Finance automation creates non-human identity exposure that most fraud frameworks undercount. When payment processes rely on integrations, service accounts, or delegated approvals, the control problem starts to resemble NHI governance even in a finance context. Secrets, tokens, and workflow identities can be abused to create or approve payments outside intended policy. Practitioners should bring machine identity controls into spend governance where automation is doing real work.

Shadow spend is a useful name for the risk that hides between policy and reconciliation. The report's examples, especially SaaS sprawl and unauthorized spend categories, show how organisations can remain compliant on paper while losing control operationally. This is not just poor visibility, it is fragmented authority over who can spend, approve, or modify payment routes. The practical conclusion is that policy, identity, and monitoring must share the same source of truth.

Regional fraud patterns should change how multinationals set control thresholds. The LATAM context suggests that loss models cannot be copied globally without adjustment to local payment behaviour, regulatory expectations, and operational scale. Central teams need region-aware monitoring, not just standardised policy. Practitioners should tune controls to the business reality they govern, not to a universal template.

What this signals

The signal for practitioners is clear: payment fraud is increasingly a lifecycle governance issue, not just a fraud operations issue. Teams that can join identity verification, spend policy, and monitoring into one control model will detect abuse earlier, especially where automated finance workflows use service accounts or delegated approvals.

Shadow spend: a useful operating concept for the gap between approved identity and actual transaction behaviour. Organisations should expect policy drift wherever workflow automation, vendor maintenance, and subscription management create hidden privilege paths. The practical response is to collapse fragmented ownership across finance, identity, and monitoring.

The broader programme implication is that regional control models need local tuning. Global standards still matter, but they must be calibrated to payment behaviour, approval culture, and loss patterns in each operating region, or the monitoring layer will miss the anomalies that matter most.


For practitioners

  • Rebuild controls around post-onboarding risk Map the payment lifecycle from vendor approval through reimbursement, renewals, and exception handling, then assign a control owner at each stage. The objective is to spot where fraud can be introduced after identity checks are complete.
  • Enforce transaction controls at the point of payment Move threshold checks, category restrictions, and approval routing into the payment workflow so violations are blocked before settlement. Reconciliation should validate decisions, not make them.
  • Link KYB, UBO, and monitoring data Use a shared control layer that joins business identity data with transaction telemetry, so changes in vendor status or behaviour are visible in near real time. This reduces the gap between verified identity and actual usage.
  • Review automation as a governance surface Inventory finance bots, service accounts, API keys, and delegated approvals used in procurement and payments. Treat them as privileged identities with scoped access, rotation, and offboarding requirements.
  • Tune controls to regional loss patterns Adjust alert thresholds, review cadence, and escalation paths for the operating region instead of applying one universal model. Multinational teams should baseline by local payment behaviour and fraud exposure.

Key takeaways

  • B2B payment fraud often grows after onboarding, where approvals, vendor maintenance, and spend exceptions create a quieter attack surface than initial identity checks.
  • The ACFE's 2026 findings point to material loss and delayed detection, which makes continuous monitoring and workflow enforcement essential rather than optional.
  • Organisations that connect identity data, transaction telemetry, and automation governance will be better positioned to stop fraud before reconciliation reveals it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Identity and access governance underpins approval integrity and automated payment controls.
NIST SP 800-53 Rev 5IA-5Automated finance workflows rely on authenticators, secrets, and delegated credentials.
CIS Controls v8CIS-5 , Account ManagementPayment bots and service accounts need lifecycle governance like any privileged identity.
ISO/IEC 27001:2022A.5.15Access control policy is directly relevant to who can approve or modify payment activity.
GDPRArt.32Where personal and vendor data are processed, security controls and monitoring support lawful protection.

Align payment workflow access rules with A.5.15 and ensure exceptions are formally approved and logged.


Key terms

  • Business Identity Verification: Business identity verification is the process of confirming that a company, its owners, and its controlling parties are legitimate before allowing access to financial systems or commercial relationships. In practice, it combines document checks, ownership mapping, and risk screening to reduce exposure to fraud and sanctioned entities.
  • Ultimate Beneficial Owner: An Ultimate Beneficial Owner is the natural person who ultimately owns or controls a company, even when that control is layered through entities or nominees. UBO mapping helps organisations see who stands behind a business relationship and is essential for risk screening, sanctions checks, and fraud prevention.
  • Transaction Monitoring: Transaction monitoring is the ongoing review of payment activity to identify suspicious patterns, policy breaches, or anomalies that were not visible at onboarding. It turns payments into a continuously governed process by correlating amount, timing, destination, behaviour, and exception patterns across workflows.
  • Approval Workflow Enforcement: Approval workflow enforcement is the technical and procedural control that ensures payments, reimbursements, and vendor changes cannot proceed without the right authorisation. It is stronger than policy alone because it blocks or escalates violations inside the operational process rather than relying on after-the-fact review.

What's in the full article

Sumsub's full report covers the operational detail this post intentionally leaves for the source:

  • The six recurring payment-risk patterns in full operational context, including threshold splitting, reimbursement blind spots, and duplicate vendor payments.
  • The finance and risk workflow details behind how policy enforcement changes when controls are embedded before money moves.
  • The LATAM-specific analysis that explains why regional payment behaviour alters fraud exposure and monitoring priorities.
  • The identity verification, KYB, and transaction monitoring layers that the report says must work together across the payment lifecycle.

👉 Sumsub's full report expands the control patterns, lifecycle gaps, and LATAM risk context in more operational detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management for practitioners who need to secure automated access paths. It helps identity and security teams apply lifecycle controls to the systems and workflows that now carry operational risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org