Corporate Fraud Prevention & Positive Pay
Protect issued cheques, EFT batches, and wire instructions against alteration, duplication, and business email compromise fraud — using BMO's institutional-grade Positive Pay and payee validation engine.
The Scale of Corporate Payment Fraud
The Association for Financial Professionals' annual Payments Fraud and Control Survey consistently documents that over 80% of organizations faced attempted or actual payment fraud in the prior year. Cheque fraud remains the single most prevalent vector by transaction count, but Business Email Compromise (BEC) attacks targeting wire transfers have surpassed all other fraud categories by total dollar loss — frequently exceeding seven figures in a single successful attack on a mid-market corporation.
Positive Pay — The Core Defence Against Cheque Fraud
Cheque fraud operates on a fundamental vulnerability in the traditional clearing process: a bank receiving a presented cheque for payment has no mechanism to verify, in real time, that the issuing corporation actually wrote that specific cheque for that specific amount to that specific payee. Fraudsters exploit this by stealing issued cheques and chemically washing the payee name and amount, substituting their own details. Or by manufacturing counterfeit cheques using MICR toner printers and stolen account and routing numbers. The physical document may look authentic; the clearing process cannot distinguish it from a legitimate instrument.
Positive Pay seals this vulnerability by inserting a verification checkpoint into the clearing process. When a corporation issues a cheque run — whether via accounting software, an ERP system, or a manual cheque book — the corporate treasurer or controller simultaneously uploads a Positive Pay issue file to the BMO Business Online Banking portal. This file is a structured record containing: the cheque number, the exact dollar amount in CAD, the cheque issue date, and optionally the payee name for enhanced Payee Positive Pay validation.
When a cheque presents for clearing against the corporation's BMO account, BMO's fraud detection engine cross-references the presented cheque's serial number and amount against the Positive Pay issue file. If the presented item matches (correct cheque number + correct amount + within the valid presentation window), it clears automatically. If there is any discrepancy — amount altered by even one dollar, cheque number not found in the issue file, cheque presented after a stop-payment order — the item is flagged as an Exception and held for the corporation's decision.
Payee Positive Pay — The Second Layer of Cheque Verification
Standard Positive Pay matching validates cheque number and amount, but does not evaluate whether the payee field has been altered. Payee Positive Pay — available as an enhancement through BMO Business Online Banking — extends the validation to include the payee name field. The issue file submitted by the corporation includes the payee name exactly as it was printed on the cheque, using the same name string used by the cheque printing system.
When a cheque presents for clearing through the banking system, BMO's Payee Positive Pay engine receives the payee name as captured by the MICR reader or cheque imaging system at the presenting bank. This captured payee is compared against the name in the issue file using both exact-match and fuzzy-match algorithms that account for common OCR reading errors (misreading "BMO" as "RM0", for example) while still detecting deliberate alterations like replacing "Company A Ltd." with "Company B Ltd."
The practical implication is that a chemically washed cheque — where the original payee name has been bleached and a fraudulent payee written in its place — will fail Payee Positive Pay validation even if the cheque number and amount remain unchanged. This closes the single largest technical gap in the standard Positive Pay service and represents the most complete available defence against cheque washing fraud without abandoning cheque issuance entirely.
ACH/EFT Positive Pay — Blocking Unauthorized Debits
The Positive Pay concept extends naturally to the electronic debit environment. ACH Positive Pay (also referred to as EFT or Debit Filter) addresses a different but equally serious fraud vector: the unauthorized pre-authorized debit. In this scheme, a fraudulent actor obtains a corporation's bank transit number and account number — information that appears on the face of every cheque the corporation has ever issued, or that may be exposed through a data breach — and submits an unauthorized PAD debit against the account through any participating financial institution in Canada.
Without controls, this debit will clear within 24 hours, with the corporation having no forewarning. Under Payments Canada rules, the corporation has 90 calendar days to dispute an unauthorized personal PAD and 10 business days for a commercial PAD — but recovering funds after they have been collected, especially from fraudulent operators, is practically difficult and time-consuming.
BMO's ACH Positive Pay service allows the corporation to establish an explicit allowlist of authorized debit originators. The corporate treasurer registers each company that holds a legitimate pre-authorized debit mandate — the lease financer, the insurance provider, the SaaS vendor — specifying the originator's company ID, the maximum permissible debit amount, and the debit frequency. Any debit originating from a company ID not on this allowlist, or exceeding the authorized amount threshold, is automatically held as an Exception for authorization review before funds are collected. The BMO business login portal displays these exceptions each banking day in the Fraud Control dashboard, with a decision deadline of 11:00 AM ET.
Business Email Compromise Protection
Business Email Compromise attacks targeting wire transfer instructions represent the highest-dollar-loss fraud category facing North American corporations. A successful BEC attack typically follows a predictable anatomy: criminals monitor a target company's email communications — either through phishing-obtained credentials or through spoofed executive email addresses — identify an upcoming vendor payment or real estate closing, and at the critical moment intercept the wire instruction email with a fraudulent version directing the payment to a mule account.
BMO Business Online Banking combats BEC at the structural level rather than through training and vigilance alone, which research consistently shows to be insufficient. The Maker-Checker dual authorization architecture means that no wire transfer can be released on the basis of a single email instruction, regardless of the apparent authority of the sender. The Checker who approves the wire must independently access the BMO business login portal, review the beneficiary account details against independently sourced banking coordinates on file, and authenticate with a separate hardware OTP token. An email alone cannot override this cryptographic dual-control requirement.
Additionally, BMO's payment portal supports Beneficiary Change Controls: when a pre-approved beneficiary's banking details are modified in the system, a mandatory quarantine period of 24 hours (configurable) applies before any payment can be routed to the new coordinates. This eliminates the "vendor changed their bank account" BEC attack variant, where fraudsters impersonate established vendors claiming to have switched banking institutions.
For corporations dealing with large real estate transactions or M&A closings — single-transaction wire exposures potentially worth tens of millions of dollars — BMO offers a Private Call-Back Verification service: for wires above a configurable threshold, BMO's dedicated Treasury Services team will initiate an independent telephone call to a pre-registered authorized corporate contact number to verbally confirm the wire's existence and key details before releasing the SWIFT instruction. This call-back uses a number on file established during account setup — not a number provided in any email.
Fraud Monitoring Alerts & Velocity Controls
Beyond the Positive Pay service and dual-authorization architecture, BMO Business Online Banking operates a continuous transaction monitoring engine that evaluates payment patterns for anomalous behavior indicative of account compromise. The monitoring system establishes behavioral baselines for each corporate account — typical daily payment volumes, geographic distribution of beneficiaries, payment timing patterns within the business day, and typical transaction size distributions.
When a transaction deviates materially from these established patterns — a wire transfer to a jurisdiction never previously transacted with, a payment volume spike exceeding three standard deviations from the weekly norm, a login from an IP address outside of Canadian borders, or a payment initiated at 3:47 AM local time — the monitoring engine triggers a risk alert. Depending on the risk score assigned to the anomaly, the system may escalate the transaction to manual review, require additional authentication from the initiating user, or temporarily hold the payment pending corporate confirmation through an out-of-band notification.
The BMO business login portal also provides the corporate administrator with direct access to configure velocity controls at the user level: maximum daily payment limits per user role, maximum single-transaction amounts for user categories, mandatory cooling-off periods between beneficiary addition and first payment, and geographic restrictions on login access. These controls supplement BMO's own monitoring with the corporation's specific operational risk appetite — a conservative CFO may require that all international wires exceed $500,000 to route through a second mandatory review stage not required for domestic payments.
Positive Pay
Upload cheque issue files for real-time matching against presented items. Exception decisions required by 11 AM ET. Configurable default to Pay or Return for decisions not made within window.
ACH Debit Filter
Register authorized debit originator company IDs with max-amount thresholds. Unauthorized debits held as exceptions. Allowlist maintained through the BMO business login admin panel with PCA-level sign-off required for changes.
Continuous Monitoring
Real-time transaction risk scoring against behavioural baselines. Anomaly alerts via portal notification, SMS, and email. Configurable velocity limits and geographic access restrictions per user role.
Account Reconciliation & Daily Balance Reporting
Fraud detection is most effective when unusual activity is identified promptly. A corporation that reviews its account activity only weekly may not detect a fraudulent debit until long after the reversal window has closed. BMO Business Online Banking delivers a comprehensive daily reconciliation suite designed to make complete, real-time account visibility effortless.
Prior day account statements are available in the BMO portal by 7:30 AM each banking morning. These statements are available for download in multiple formats: PDF for human review, MT940 for legacy treasury management system ingestion, and BAI2 for modern ERP systems (SAP, Oracle, NetSuite). The BAI2 format is structured to enable straight-through reconciliation: each transaction line contains a standardized bank transaction code, the full available balance, memo balance, collected balance, and available float amounts, plus the transaction narrative provided by the initiating party.
For corporate clients requiring intraday visibility — particularly those managing complex same-day payment programs or those with zero-balance concentration structures — BMO offers intraday SWIFT MT942 reports delivered at configurable intervals throughout the business day. These interim transaction reports allow the corporate treasurer to observe real-time cash position across all accounts in the structure without waiting for the prior-day statement cycle. Any unexpected debits or credits visible in the MT942 can trigger immediate escalation within the corporation's fraud control protocol.
Related Security Capabilities
Fraud prevention at the payment layer works most effectively when layered with access control governance, ERP integration for automated reconciliation, and the underlying wire transfer security architecture.