NeuGroup
July 9, 2025

Talking Shop: Changing a Bank Portal User Access Review Process

Tags: Banking, Risk Management

Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously.

Context: Monitoring and managing which employees have access to corporate bank accounts via banking portals is a high-stakes—if unglamorous—part of a treasury team’s financial risk management responsibilities. Doing it effectively and preventing fraud and mistakes means quickly receiving information about who is leaving the company or changing jobs; even harder for many multinationals is ensuring that banks—often dozens of them—have updated, correct info on which people have portal access and which of them are authorized signers on what can be hundreds of accounts. Members of NeuGroup For Global Cash and Banking for years have shared their frustrations as well as suggestions on improving the critical but painstaking process of overseeing bank portal access, including through the use of technology tools designed to ease the burden.

Member question: “What is your bank portal user access review process? Any details on processes, entitlement review and any relevant controls would be helpful! We review bank portal access quarterly—checking which employees have profiles, their entitlements, if they received internal approval, and employment status.
  • “This is time-consuming, so we’re considering a lighter quarterly review (just confirming profiles match internal approvals and current employment), with a full entitlements review annually.”
The member posed four specific questions that are shown below with answers from peers. Three NeuGroup members began with general comments, including one who said what their company does now “has been a recent (12 months) change that I helped my team implement.” The other two:
  • “We have actually been very focused on this effort recently. To give you context, we have about 100 portals that are managed globally. While I don’t think we’re currently consistent in how these are managed across the globe, our goal is to build out that consistency as best as possible in the near future. My answers focus on the Americas region.”
  • “We’re actually in the middle of revamping our process. We’re basically looking to force consistency across the bank portals as much as possible (since we know the banks won’t do that). That means access to lockboxes on one bank portal should look essentially the same on another portal.
  • “We’re taking a step back and defining exactly who should have access. We have a lot of users who have “reporting and statements” access, but we question whether that’s actually needed. That said, I’m going to save this thread for future reference as we get further into this project!”
Question 1: “How often do you review bank portal user access?”
  • “Quarterly.”
  • “Semiannually.”
  • “We are in the process of establishing a monthly review. For this review, we are exporting entitlement reports and cross-referencing HR data to ensure ex-employees do not have access. We are also looking at individuals who have not logged in for six months or longer.”
  • “Monthly, to check against an active directory for terminated employees or contractors.”
  • “We look at termed employees biweekly, but are looking to have a structured review of all users, probably monthly or quarterly. We will potentially be using a centralized listing of who has bank portal access. This could easily be audited regularly (probably biweekly or monthly), but in-depth reviews directly in the bank portals will also need to be done to ensure the centralized listing is accurate (probably semiannually).”
Question 2: “Do you review individual entitlements each time, or just confirm who has access? If you review entitlements, how often?”
  • “We review both. First, we review who has access. Then we send an email to the local regional controller to review if access for existing users in their region still makes sense and is required. We are making a change so that all approvals will come from our HQ corporate accounting assistant controller.”
  • “We are working towards avoiding ‘individual entitlements’ in bank portals and moving towards using ‘user groups’ where possible. This makes it easier to identify groups of accesses vs reviewing individual entitlements user by user.”
  • “On a semiannual basis, we use SailPoint to send manager verification for bank portal access. This is where a manager reviews each of their direct reports’ access and has to individually confirm that it should remain or be removed.”
  • “We are thinking of reviewing just access on a monthly basis; we may also confirm that certain sensitive access (like ACH/wire initiation) isn’t granted to anyone outside of treasury. Other than that, we will probably do a full review of all entitlements maybe semiannually.”
Question 3: “Do you review all services or focus on high-risk ones (e.g., admin, wire, ACH, positive pay)?”
  • “We really review all, but pay special attention to users that have the ability to release cash and have administrator access.”
  • “We maintain approval authorities in Kyriba, along with our bank account signers so special attention is given to people with those authorities. We are working on building automatic integration between Kyriba and our HR data so we get automatic alerts for individuals who leave the company and have access to approve payments and/or have signature authority.”
  • “We focus on high risk only; we list all users who have view+ access, then we call out specifically those who have payment initiation, payment release, system admin.”
  • “We do not go to this level of detail.”
Question 4: “What risk controls do you use? (For us, only treasury members are admins, new user setups require manager approval, and we remove access for departing employees within 48 hours.)”
  • “Admin access is with the treasury team only. Policy dictates any new user access or changes must have a business case and be approved by the local controller. After a policy update, changes will go to the corporate assistant controller.
  • “Treasury gets a daily report from HR (Workday) of employees that have been terminated. We ask the managers to inform us when employees resign/leave, but that has proven less reliable, so we have a Workday report that comes to us daily as an additional check.”
  • “Treasury members are our only admins. We require supervisor approvals before we give users access. New setups in portals also require manager approval.”
  • “We have the same controls as you stated. We are also looking to automate user administration through APIs where possible.”
  • “For new setups, we require one-over-one approval (requested via ServiceNow) and the bank portals for our global banks are managed by a central corporate treasury team where we require dual admin to add/remove/make changes to user entitlements and access.
  • “We also recently added language in our policy requiring that all users have a Workday ID, so that we have visibility to non-employees who have access and who manage contractors (this would be for third party payroll processors or third parties performing account reconciliation services, etc.). This allows us to see when contractors are terminated at the same pace as regular employees and also allows us to do the semi-annual verification process for access.”
  • “Only members of our bank administration team are security administrators for bank portals. We are looking into a ticketing system and also to create specific roles and force standardization—instead of having a billion different combinations of user access options. (So, define the different access types—like Bank Rec, PosPay, Funds Mgmt., Lockbox/AR, etc., and then put users into those access groups and eliminate exception requests).”
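
The cross-checks members describe above (entitlement export against HR data, no login for six months, payment or admin rights held outside treasury, users with no HR ID) can be run as one pass over the exports. This is an added example, not part of the original article or any member's tooling; the record fields, entitlement names, department labels and sample rows are constructed assumptions.

```python
from datetime import date, timedelta

# Assumed entitlement labels treated as high risk (names are illustrative).
HIGH_RISK = {"wire_initiation", "ach_initiation", "payment_release", "admin"}
INACTIVE_AFTER = timedelta(days=183)  # "six months or longer"


def review_access(portal_users, hr_records, as_of):
    """Cross-reference a bank-portal entitlement export with HR data.

    Returns (portal, user_id, finding) tuples, sorted for stable output.
    """
    findings = []
    for u in portal_users:
        key = (u["portal"], u["user_id"])
        hr = hr_records.get(u["user_id"])
        if hr is None:
            # No HR ID: this user never appears in termination feeds.
            findings.append((*key, "no_hr_record"))
            continue
        if hr["status"] != "active":
            findings.append((*key, "terminated_with_access"))
        last = u["last_login"]
        if last is None or as_of - last >= INACTIVE_AFTER:
            findings.append((*key, "inactive_6_months"))
        risky = HIGH_RISK & set(u["entitlements"])
        if risky and hr["department"] != "Treasury":
            findings.append((*key, "high_risk_outside_treasury:" + ",".join(sorted(risky))))
    return sorted(findings)


# Constructed sample data (not from any real portal or HR system).
HR = {
    "W1001": {"status": "active", "department": "Treasury"},
    "W1002": {"status": "terminated", "department": "Accounting"},
    "W1003": {"status": "active", "department": "Accounts Payable"},
}
EXPORT = [
    {"portal": "BankA", "user_id": "W1001", "entitlements": ["admin", "wire_initiation"], "last_login": date(2025, 6, 30)},
    {"portal": "BankA", "user_id": "W1002", "entitlements": ["reporting"], "last_login": date(2025, 5, 2)},
    {"portal": "BankB", "user_id": "W1003", "entitlements": ["ach_initiation", "reporting"], "last_login": date(2024, 11, 15)},
    {"portal": "BankB", "user_id": "C-77", "entitlements": ["reporting"], "last_login": None},
]

if __name__ == "__main__":
    for row in review_access(EXPORT, HR, as_of=date(2025, 7, 9)):
        print(*row, sep="\t")
```

Keying every portal profile to an HR identifier is what makes the first check possible, which is why a profile with no matching HR record is reported as its own finding rather than skipped.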
