Subscribe to the Non-Human & AI Identity Journal
Home FAQ Who is accountable when a scam uses associated…

Who is accountable when a scam uses associated companies to move funds?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026

Accountability sits with the operators, facilitators, and any counterparties that knowingly enable the scheme. From a governance perspective, firms that provide payment, hosting, or administrative support should expect scrutiny over onboarding, due diligence, and ongoing monitoring. The right control question is whether the relationship was validated before it was trusted.

Why This Matters for Security Teams

When a scam moves money through associated companies, accountability is rarely confined to the named front entity. Security, fraud, legal, and finance teams need to determine who controlled onboarding, who approved payment paths, and who failed to challenge unusual relationships. The operational risk is not just loss of funds, but weak governance that can turn ordinary counterparties into enablers.

That is why the control question matters: was the relationship validated before trust was granted? NHIMG’s Ultimate Guide to NHIs notes that 92% of organisations expose NHIs to third parties, which is a reminder that hidden dependencies often sit behind apparently legitimate business relationships. In practice, many security teams encounter accountability gaps only after a payment chain has already been used to obscure ownership, rather than through intentional counterparty vetting.

How It Works in Practice

Scams that use associated companies usually rely on layered legitimacy. One company may open the account, another may issue invoices, a third may provide hosting or administrative support, and a fourth may receive or pass funds. Each step can look routine in isolation, but together they create a laundering path for trust. Accountability therefore depends on the quality of due diligence, the approval trail, and whether exceptions were escalated.

From a governance perspective, teams should look for four things: beneficial ownership checks, sanctions and adverse media screening, verification of commercial purpose, and ongoing monitoring for changes in control or payment behaviour. Where the relationship involves digital services, the same logic applies to non-human identities, service accounts, API keys, and automated billing workflows. NHIMG’s Ultimate Guide to NHIs also highlights that only 5.7% of organisations have full visibility into their service accounts, which shows how easily hidden operational channels can be missed.

Practitioners should align this with recognised control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially supplier, access, and audit controls. Useful questions include:

  • Who approved the counterparty and on what evidence?
  • Were beneficial owners, directors, and payment beneficiaries verified?
  • Did any connected entity share infrastructure, bank details, or administrative access?
  • Were unusual transfers, rapid entity changes, or transaction splitting reviewed?

These controls tend to break down when group structures are opaque, outsourced finance operations lack visibility, or account ownership is treated as a procurement issue rather than a fraud and security control.

Common Variations and Edge Cases

Tighter counterparty screening often increases onboarding friction, requiring organisations to balance faster commercial execution against stronger fraud prevention. Current guidance suggests there is no universal standard for attributing accountability across affiliated entities, so the practical answer depends on evidence of control, knowledge, and benefit. If a parent company directed the scheme, enabled the transaction flow, or ignored obvious red flags, accountability can extend beyond the shell entity.

Edge cases often arise in shared-service groups, franchised operations, and cross-border arrangements where payment rails, hosting, and administration are intentionally centralised. In those environments, firms should document who owns each control, not just who owns the contract. That includes approval thresholds, periodic relationship reviews, and revocation procedures for system access when a counterparty changes risk profile.

This is also where identity governance intersects with financial crime controls. Associated entities may be legitimate in structure but still risky in execution if their digital credentials, admin accounts, or automation keys are over-privileged. The broader lesson from NHIMG research is that weak visibility and third-party exposure create blind spots that scammers exploit long before funds are moved.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.SCSupply chain governance fits associated-company due diligence and monitoring.
NIST SP 800-53 Rev 5SA-9External system services control maps to third-party payment and hosting arrangements.

Assign ownership for counterparties, verify relationships, and monitor them throughout the lifecycle.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org