The 5 Most Undersold Treasury Management Fraud Controls (And How to Position Each One)


Apr 24, 2026


The Gap Between Fraud Risk and Fraud Protection

Here is a number worth sitting with: ACH Network volume hit 35.2 billion payments in 2025 — a 5% increase over the prior year. B2B payments alone grew nearly 10%. More volume means more exposure, more entry points, and more opportunity for fraud attempts to slip through.

Yet despite rising fraud across every payment channel, the same five Treasury Management controls that prevent the majority of incidents remain chronically undersold at community and regional banks. Not because clients do not want them. Not because they are hard to implement. But because most RMs do not have a clear, confident way to explain what each one does and why it matters right now.

It’s time to fix that.

Below is a plain-language positioning guide for the five most undersold Treasury Management fraud controls: what each one does, who needs it most, the data that supports the conversation, and a two-to-three sentence script your RMs can use starting today. No product-pushing. No fear tactics. Just clear, confident conversations that position your bank as a proactive partner in protecting your clients' businesses.


Why These Five Controls Stay Undersold

Before diving in, it is worth naming the pattern. These controls do not fail to sell because clients reject them. They fail to sell because they never get a real conversation.

The most common reasons:

· RMs are not confident explaining the mechanics, so they avoid the topic or keep it vague

· Controls get buried in onboarding paperwork and never revisited

· Clients assume they are already covered because they have something in place

· The bank has not packaged controls into clear, easy-to-recommend bundles

· Fraud conversations happen reactively, not on a scheduled cadence

The result is a portfolio full of clients who are under-protected and an RM team leaving Treasury Management fee income on the table every quarter.

The fix is not a complicated new sales process. It is giving your RMs five clear scripts and the confidence to use them.


Control 1: ACH Debit Filters and Blocks

What It Does

ACH debit filters allow a business to pre-approve which companies are authorized to pull funds from its account. Any debit attempt from a company not on the approved list is blocked automatically before it clears, without requiring any action from the client in the moment.

Why It Is Undersold

This control is often introduced during onboarding as a checkbox item rather than a value conversation. Clients often do not realize it is optional, or that not having it means any company with their account number and routing number can attempt an unauthorized debit.

The Data

ACH debits were among the top three most targeted payment types for fraud in 2024. B2B ACH volume grew nearly 10% in 2025, meaning the attack surface is expanding. Unauthorized ACH debits are one of the fastest-growing fraud vectors targeting small and mid-size businesses, and recovery after a fraudulent debit clears is not guaranteed.

Positioning Script

"Right now, any company that has your account number could attempt an ACH debit against your account. ACH filters let you create an approved list — only the vendors and companies you authorize can pull funds. Everything else is blocked automatically before it ever clears. Setup takes about 15 minutes, and it works in the background every single day."

Ideal Client Profile

Your ideal client is any business making or receiving ACH payments, which at this point is nearly every commercial client. Prioritize businesses with multiple vendors, high ACH volumes, or industries with high vendor turnover such as property management, healthcare, and construction.

Three Discovery Questions

1. "Do you know which companies are currently authorized to debit your account via ACH?"

2. "Have you ever had an ACH debit hit your account that you did not recognize or did not authorize?"

3. "When you set up your Treasury Management account, were ACH filters part of your initial setup?"


Control 2: Positive Pay for Checks

What It Does

Positive pay matches every check presented for payment against the file of issued checks the client provides, comparing check number, dollar amount, and payee. Any check that does not match the issued file is flagged before it clears, giving the client the opportunity to approve or return it.
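For readers who want to see the matching logic itself, here is a minimal sketch, added as an illustration and not taken from any bank platform. The issued file, the presented items, and the reason codes are constructed, and the duplicate-presentment check goes one step beyond the three fields named above.

```python
from decimal import Decimal

# Constructed issued-check file: check number -> (amount, payee)
ISSUED = {
    1001: (Decimal("2450.00"), "Acme Supply LLC"),
    1002: (Decimal("18900.00"), "Northside Builders Inc"),
    1003: (Decimal("310.75"), "City Water Dept"),
}

# Constructed items presented for payment
PRESENTED = [
    {"check_no": 1001, "amount": Decimal("2450.00"), "payee": "ACME SUPPLY LLC"},
    {"check_no": 1002, "amount": Decimal("81900.00"), "payee": "Northside Builders Inc"},
    {"check_no": 1003, "amount": Decimal("310.75"), "payee": "J. Smith"},
    {"check_no": 2001, "amount": Decimal("9500.00"), "payee": "Acme Supply LLC"},
    {"check_no": 1001, "amount": Decimal("2450.00"), "payee": "Acme Supply LLC"},
]

def _norm(payee):
    # Compare payees case-insensitively, ignoring punctuation and extra spaces
    return " ".join(payee.upper().replace(".", "").replace(",", "").split())

def match_presented(issued, presented):
    """Return (paid, exceptions); exceptions await the client's pay/return decision."""
    paid, exceptions, already_paid = [], [], set()
    for item in presented:
        no, reasons = item["check_no"], []
        if no not in issued:
            reasons.append("not_issued")            # counterfeit or unknown serial
        else:
            amount, payee = issued[no]
            if no in already_paid:
                reasons.append("duplicate_presentment")
            if item["amount"] != amount:
                reasons.append("amount_mismatch")   # altered amount
            if _norm(item["payee"]) != _norm(payee):
                reasons.append("payee_mismatch")    # altered payee
        if reasons:
            exceptions.append((no, reasons))
        else:
            paid.append(no)
            already_paid.add(no)
    return paid, exceptions

if __name__ == "__main__":
    paid, exceptions = match_presented(ISSUED, PRESENTED)
    print("paid:", paid)
    for no, reasons in exceptions:
        print("exception:", no, reasons)
```
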

Why It Is Undersold

The most common objection from both RMs and clients is that check volume is declining, so check fraud is less of a concern. The data says the opposite is true. And many clients assume positive pay requires complicated daily file uploads — a problem which modern platforms have largely rectified.

The Data

63% of organizations faced check fraud in 2024. More importantly, while check volume has declined, the dollar value of check fraud has increased. Fraudsters are writing fewer checks but for larger amounts, targeting businesses with high-value payables. Altered checks and counterfeit checks remain two of the easiest fraud attempts to execute and two of the hardest to recover from without positive pay in place.

Positioning Script

"Check fraud is actually increasing in dollar value even as check volumes drop. Fraudsters know checks are written less frequently, so when they target one, it tends to be for a significant amount. Positive pay catches altered or counterfeit checks before they clear your account. You issue the file and we match every check that comes in. Most clients set it up once and it runs automatically from there."

Ideal Client Profile

This would be any business still issuing checks, particularly those in accounts payable-heavy industries such as real estate, construction, legal, and professional services. Also strong for businesses that have recently experienced a data breach or employee turnover in finance roles.

Three Discovery Questions

1. "Is positive pay currently enabled on your checking accounts?"

2. "When did you last have a check come through that did not match what your team issued?"

3. "Do you have a process right now for catching an altered or counterfeit check before it clears?"


Control 3: Dual Control for Payments

What It Does

Dual control requires a second authorized user to review and approve payments above a defined dollar threshold before they are released. It applies to ACH batches, wire transfers, and other high-value payment types depending on configuration.

Why It Is Undersold

Clients often resist dual control because they see it as friction — especially owners or finance directors who are used to having sole authority over payments. Banks frequently make the problem worse by setting approval thresholds too high to catch real risk, which gives clients the impression the control is more of a formality than a safeguard.

The Data

Wire transfers were the most targeted payment method in 2024, with 68% of organizations under $1 billion in revenue reporting wire fraud attempts. Business Email Compromise (where a fraudster impersonates an executive or vendor to redirect a payment) drove approximately 50% of wire fraud incidents. Dual control is one of the most direct defenses against BEC because it requires a second person to independently verify the payment before it goes out.

Positioning Script

"One person approving high-dollar payments without a second set of eyes is one of the most common fraud vulnerabilities we see in businesses your size. Dual control adds a second authorized approver before money moves, which stops both external fraud attempts and internal errors before they become a problem. We would recommend setting your threshold at $[X] based on your transaction patterns. It is designed to be fast, not bureaucratic."

Ideal Client Profile

You are looking for any business regularly initiating wire transfers or large ACH batches. Prioritize clients with lean finance teams, single-person approval processes, or those in industries commonly targeted by BEC such as professional services, real estate, and healthcare.

Three Discovery Questions

1. "How many people in your organization are currently authorized to initiate or approve wire transfers?"

2. "What is your current approval process for a same-day or urgent wire request?"

3. "Have you ever received an email request to change vendor payment instructions or redirect a wire?"


Control 4: Wire Callback Verification

What It Does

Wire callback verification is a documented procedure requiring a verbal callback to a pre-verified phone number before processing wire instructions received via email or online message. The callback number is established in advance, not taken from the instruction itself.

Why It Is Undersold

This control often lives in the operations manual as a bank procedure rather than being framed as a client-facing protection feature. Because it is process-based rather than technology-based, it rarely gets positioned as something the client is actively receiving. Most clients do not know their bank has this capability or that it can be formally set up on their account.

The Data

Business Email Compromise was behind approximately 50% of wire fraud in 2024. The FBI's Internet Crime Complaint Center consistently ranks BEC as the costliest form of cybercrime by total dollar loss, and the average loss per incident for businesses under $1 billion in revenue exceeds $125,000. The mechanics of BEC rely almost entirely on the receiving bank or business skipping a verification step. A single phone call to a verified number stops the majority of these attempts cold.

Positioning Script

"BEC scams work by sending wire instructions that look exactly like they come from a trusted vendor or a company executive: same email format, same name, just a different account number. A callback procedure to a pre-verified number (not a number from the email) stops most of these attempts before money ever moves. We can document this as a formal procedure on your account so it is consistent every time, regardless of who is handling the payment that day."

Ideal Client Profile

Your targets should be any business regularly initiating wire transfers, particularly those with multiple vendors, international payments, or executive teams that travel frequently. Also essential for businesses in industries commonly targeted by BEC such as real estate closings, legal escrow, and professional services.

Three Discovery Questions

1. "If you received an email from a vendor asking you to update their wire instructions, what is your current process for verifying that request?"

2. "Do you have a documented callback procedure for wire transfers — and is it consistent across your team?"

3. "Has anyone on your team ever received an email that appeared to be from an executive asking for an urgent wire?"


Control 5: User Access Reviews and Entitlement Audits

What It Does

A user access review is a periodic, structured audit of who has access to initiate or approve Treasury Management transactions, cross-referenced against current employee status and role. Stale entitlements are removed or updated, and access levels are aligned with each user's current responsibilities.
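The cross-reference at the heart of an access review can be sketched in a few lines. This is an added illustration, not code from any Treasury Management platform; the roster, the role policy, the entitlement names, and the finding codes are all hypothetical.

```python
# Constructed HR roster: user -> (employment status, current role)
ROSTER = {
    "akhan": ("active", "controller"),
    "bliu": ("active", "ap_clerk"),
    "cdiaz": ("terminated", "ap_clerk"),
    "emoore": ("active", "sales"),  # moved out of finance
}

# Hypothetical policy: entitlements each role is allowed to hold
ROLE_POLICY = {
    "controller": {"ach_approve", "wire_approve"},
    "ap_clerk": {"ach_initiate", "wire_initiate"},
}

# Constructed entitlement export from the payments platform
ENTITLEMENTS = [
    ("akhan", "wire_approve"),
    ("akhan", "wire_initiate"),  # approver who can also initiate
    ("bliu", "ach_initiate"),
    ("cdiaz", "wire_initiate"),
    ("dgrant", "ach_approve"),   # no HR record at all
    ("emoore", "ach_initiate"),
]

def review_access(roster, policy, entitlements):
    """Return (user, entitlement, finding) for every entitlement that needs action."""
    findings = []
    for user, ent in entitlements:
        if user not in roster:
            findings.append((user, ent, "unknown_user"))
            continue
        status, role = roster[user]
        if status != "active":
            findings.append((user, ent, "departed_user"))
        elif ent not in policy.get(role, set()):
            findings.append((user, ent, "outside_current_role"))
    return findings

def stale_ratio(findings, entitlements):
    # Share of entitlements flagged for removal or change
    return len(findings) / len(entitlements)

if __name__ == "__main__":
    results = review_access(ROSTER, ROLE_POLICY, ENTITLEMENTS)
    for row in results:
        print(row)
    print(f"stale: {stale_ratio(results, ENTITLEMENTS):.0%}")
```
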

Why It Is Undersold

This is treated almost universally as an administrative task rather than as a fraud control. No one owns it consistently. It happens when someone remembers to do it, usually after an employee departure that should have triggered an immediate review but did not. Because it does not have a visible technology component, it rarely surfaces in product conversations.

The Data

Credential-based attacks, where fraudsters use compromised or stolen login credentials to initiate fraudulent transactions, are a central and growing fraud vector in 2026. Former employees retaining access to Treasury Management platforms after departure is one of the most preventable vulnerabilities in any business's fraud posture. Research consistently shows that 10 to 15 percent of entitlements at businesses that do not conduct regular reviews are stale — meaning they belong to users who have left, changed roles, or should have reduced access.

Positioning Script

"Stale entitlements, or access that was not removed when an employee left or changed roles, are one of the most overlooked fraud risks in Treasury Management. We can build a quarterly access review into your setup so it happens on a schedule, not only when something goes wrong. We facilitate the review, flag the changes that need to be made, and your team approves them. It takes about 20 minutes per quarter and eliminates one of the most common vulnerabilities we see."

Ideal Client Profile

Any business with more than three Treasury Management users, high employee turnover, or a history of informal access management needs strong user management protocols. Particularly important for businesses in healthcare, property management, and professional services where staff changes are frequent and payment access is broad.

Three Discovery Questions

1. "When was the last time you reviewed your complete list of Treasury Management users and their access levels?"

2. "Do you have a formal process for removing Treasury Management access when an employee leaves or changes roles?"

3. "How many people currently have the ability to initiate or approve payments in your Treasury Management system — and do you know what level of access each one has?"

 

Putting It Together: A 10-Minute Add-On Conversation

You do not need a dedicated 45-minute meeting to introduce these controls. Two or three of them can be woven naturally into conversations your team is already having.

At onboarding:
"Now that you are live, there are two controls we would recommend adding in your first 90 days. The first is ACH filters, which takes about 15 minutes to set up. The second is positive pay, which we can activate before your next check run. Want to walk through both now?"

At an annual review:
"Let us do a quick five-minute check on your current fraud controls to make sure your setup matches where your business is today. A few things may have changed since we last reviewed this."

After receiving a fraud alert:
"This is a good reminder to add the controls we discussed at your last review. Given what just happened in your industry, I would start with ACH filters and dual control. Here is what that looks like in practice."

The key is that these conversations do not require a special agenda or a separate meeting. They require a team that knows the scripts and uses them consistently.

 

Confidence Sells Controls

The five controls in this post are not new. Your bank almost certainly offers all of them. The gap is not product availability; it is RM confidence and consistency in positioning them.

When your team can explain what each control does in two sentences, name the specific risk it addresses, and tie it to a real fraud pattern affecting businesses like your client's, the conversation stops feeling like a sales pitch and starts feeling like exactly what it is — a bank acting as a genuine partner in protecting their client's business.

That is the positioning that builds long-term relationships, generates Treasury Management fee income, and makes your bank genuinely harder to replace.

 
