Safety in Banking and Dual Authority

Looking into the safety aspects of business internet banking and making payments online.

In 2021, internet banking is something most people and firms use to manage their daily needs. For law firms it is a core part of their infrastructure. The ability to make quick decisions and pay monies promptly is not only crucial for the firm but is expected by the firm’s clients and third-party suppliers.

There is, however, one aspect of internet banking that can be taken for granted: security. This article explores the advantages and pitfalls of the different systems.

There are two main types of internet banking for businesses which almost every bank provides. There is Business Online Banking and a Corporate/Commercial/NET version.

The Business Online Banking model is designed for small businesses where most of the payments are likely to be made by the business owner and/or signatories. Quite often they require a debit card to log in. Some banks like Barclays allow users to have an “Authentication Card” and some like HSBC provide a “Secure Key”, but usually no payments can be made unless the user is on the mandate.

The Corporate/Commercial/NET versions of business internet banking are a lot more sophisticated and are designed for businesses that utilise an accounts department. Generally, these systems allow staff across the firm to be set up as “users” who are granted different permissions by an administrator (a designated user within the firm). The permissions can be tailored to suit that person’s role. Each user receives an authentication card and a card reader with their own PIN, giving them secure access to their own dashboard within the system.

Dual Authority plays a major part in business internet banking and should always be considered when choosing which platform to use. Dual Authority is designed to ensure that no payments can be made without two people authorising them. This is to avoid money being stolen or mistakes being made where money is accidentally sent to the wrong person. Whilst banks are starting to use beneficiary checkers, matching the name to the account details, mistakes can still happen.

I liken the process within a firm to a legal cashier writing the cheque for the director/partner to check and sign before it goes out. Essentially, the accounts department sets the payment up on the system after their due diligence and ledger scrutiny, and the director/partner checks the payment and then authorises it to go out. This is dual authority. This should make things extra secure, especially with the Corporate/Commercial/NET systems, as they usually ask the authoriser to use their card, PIN, and passcode again to confirm the setting up or signing of the payment.

Each platform handles dual authority slightly differently.

If the firm is utilising Business Online Banking, then it is usually more difficult to get a user set up on the system. Firstly, the firm must apply to the bank to have a “Complex Mandate” as opposed to a “Simple Mandate”, and each user needs to be added to that as a signatory. The complex mandate means that no payment can be made from a bank account by one person alone. There must be at least two staff members’ signatures on the mandate. What would usually happen in this scenario for extra protection is that the payment limits for the accounts department are set to zero and set to maximum for the partner/director. The result is that the accounts department can then safely set up payments and transfers for the director to authorise.

The downsides to using Business Online Banking are:

  • Some providers do not allow dual authority on the system despite having a complex mandate.
  • The firm must change to a complex mandate to utilise Dual Authority on the systems that allow it, and users must become signatories.
  • If a complex mandate is not utilised, then users can pay money out directly without dual authority which is unsafe.

When a firm uses Corporate/Commercial/NET banking everything becomes significantly easier and more secure. The key is to get the system set up correctly in the first instance. It is important to ensure via the banking system that dual authority is enabled for all users needing to undertake transactions. It must also be specified who has first or second authority when setting up a user. Users do not have to be on the mandate at all when utilising corporate banking; however, personal details will be required for security purposes. The administrator can tailor the access rights for each user, ensuring that they can only see specified elements and access specific functions, again for security reasons. This means that staff can be added and removed easily at the administrator’s discretion, safe in the knowledge that no payment or transfer can be made without the signatory’s authorisation.
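The dual authority rules described above (first and second authority, a zero payment limit for the accounts department, and no single person both setting up and authorising a payment) can be modelled as a short check. This is an added illustration, not code from any bank's system; the user names, limits and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    first_authority: bool    # may set a payment up
    second_authority: bool   # may authorise a payment someone else set up
    payment_limit: int       # pounds; zero for accounts staff, as described above

@dataclass
class Payment:
    payee: str
    amount: int
    set_up_by: str
    authorised_by: Optional[str] = None

def set_up(user: User, payee: str, amount: int) -> Payment:
    if not user.first_authority:
        raise PermissionError(f"{user.name} has no first authority")
    return Payment(payee, amount, set_up_by=user.name)

def authorise(user: User, payment: Payment) -> str:
    """Return 'released' or the reason the payment stays blocked."""
    if payment.authorised_by is not None:
        return "blocked: already authorised"
    if not user.second_authority:
        return "blocked: no second authority"
    if user.name == payment.set_up_by:
        return "blocked: same person set up and authorised"
    if payment.amount > user.payment_limit:
        return "blocked: over authoriser's payment limit"
    payment.authorised_by = user.name
    return "released"

# Constructed sample users and limits (hypothetical values).
cashier = User("cashier", first_authority=True, second_authority=False, payment_limit=0)
partner_a = User("partner_a", True, True, 250_000)
partner_b = User("partner_b", True, True, 250_000)

if __name__ == "__main__":
    p = set_up(cashier, "Constructed Supplier Ltd", 1_200)
    print(authorise(cashier, p))     # the cashier cannot release their own payment
    print(authorise(partner_a, p))   # a second person releases it
    q = set_up(partner_a, "Constructed Supplier Ltd", 900)
    print(authorise(partner_a, q))   # even a partner needs a second person
    print(authorise(partner_b, q))
```

The same-person check is the part a simple mandate lacks: without it, anyone with a non-zero limit could both set up and release a payment.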

We always recommend that firms use the corporate banking model because of the bonuses in security, safety, and ease of user administration. Some examples of corporate systems are shown below:

  • Barclays.NET
  • Lloyds Commercial
  • NatWest Bankline
  • RBS Bankline

Alex Simons MAAT ILFM – New Business Manager
The Law Factory LLP


Posted on 21.05.21