(You can download a PDF of this visual at the bottom of this article.)
In July 2024, the Graphite Connect supplier onboarding experience will be updated to reflect what we are calling the Fenced Approach. When completing onboarding, suppliers who “touch the fence” and want to submit sensitive data like banking and tax information to the Graphite Supplier Network must go through an identity verification process.
This approach helps us balance speed and security for our customers, and protects both suppliers and buyers from fraudsters’ attempts to redirect payments through email compromise. A 2024 survey showed 75% of C-level finance and treasury leaders said they’d stop doing business with an organization that fell victim to payment fraud and lost their payment.
Here is how the Fenced Approach works at Graphite.
What Is the Fenced Approach?
A supplier receives an email invite to begin onboarding. The supplier can complete any general company information (e.g. company name and size) and compliance questions (e.g. information security or sustainability) without having to verify their identity.
Once a supplier must submit sensitive information, such as uploading a Form W-8 or W-9, submitting bank account details, or updating Admin Settings, they will be prompted to complete our Security Waterfall (marked in yellow in the image shown above).
The first attempt to verify identity is a simple telecom check using the mobile phone number the supplier already provided for two-factor authentication (2FA). This telecom check is attempted only in specific countries where it is available, currently the US, Canada, the United Kingdom, Germany, Australia, and France. If the telecom check is unable to verify that the supplier is who they say they are, the second attempt prompts them to complete a biometric ID verification. (You can see this verification in action here.) This step requires a government ID and a live picture. If this attempt is unsuccessful, the third attempt is a scheduled live video call with the Graphite Customer Support team for manual verification.
Depending on the security preferences set by the customer inviting that supplier to join the network, if a supplier is unable to verify their identity, Graphite will allow the supplier to complete onboarding but will mark the supplier as “unverified”. These unverified suppliers are clearly marked as unverified in the Trust Center section of their supplier profile.
Why Does Graphite Connect Ask Suppliers to Verify Their Identity?
Know Your Suppliers is a common buzzword in procurement right now, but the risk of vendor fraud is increasing at a hefty rate. 85% of organizations have experienced an email account takeover, making it a common cybercrime. And the cost is real to organizations large and small. The FBI in 2020 said the average loss per Business Email Compromise (BEC) incident is around $80,000, with some cases resulting in millions of dollars lost.
When Graphite sends an initial onboarding request to a supplier, email is the most popular delivery method. However, if that email account has already been compromised by a hacker, any data from the initial onboarding can be tainted unless the supplier’s identity is verified. Graphite is using cutting-edge, GDPR-compliant technology to catch fraudsters and scammers before they enter the network and perpetrate fraud.
Is Graphite Connect’s ID Check GDPR- and CCPA-Compliant?
Yes, our subprocessor who provides our biometric ID verification checks is both GDPR- and CCPA-compliant. You can learn more about that subprocessor here.
What Data Is Behind “the Fence”?
Sensitive data falls into four categories: tax data, banking information, admin settings and personal account settings. The following data points are considered “behind the fence” and will not be accessible without completing an identity verification through a telecom check or biometric ID check.
Banking data includes account numbers and other sensitive financial information.
See below to understand when the fenced areas are engaged by default and where Graphite customers can adjust the defaults by request in their security preferences.
How Does Graphite Connect Verify Supplier Identity?
Graphite uses a telecom subprocessor to verify identity through a mobile phone number. This subprocessor runs a check on a provided phone number for indications it is connected to the individual identified and that it is, in fact, a real phone number.
If that check cannot be completed because of lack of coverage in that area, if potential fraud is detected or if the user declines that step, then they will be asked to verify their identity through a GDPR-compliant ID verification where an ID is shown and a live photo is taken. If this fails, the user can request a manual verification with the Graphite team over a video call and will still be asked to produce an ID to verify their identity.
When Will Suppliers Be Asked to Complete a Biometric Check?
A supplier will only be asked to complete a biometric check if their identity has not been verified previously, they want to access sensitive information (“touching the fence”) AND we are unable to verify their identity through a telecom check using their mobile phone number. Once these three criteria are met, we use a GDPR- and CCPA-compliant technology to do a short biometric ID verification requiring a live photo and government ID, similar to what LinkedIn and airports are using for verification.
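The gate and waterfall described above can be modeled as a small decision function. This is an added example, not Graphite's code: the section keys, ISO country codes, the `BLOCKED` outcome for buyers who do not allow unverified suppliers, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Telecom-check coverage as listed on the page (ISO codes are this example's choice).
TELECOM_COUNTRIES = {"US", "CA", "GB", "DE", "AU", "FR"}
# The four fenced categories from the page; the key names are hypothetical.
FENCED = {"tax", "banking", "admin_settings", "personal_account_settings"}


class Status(Enum):
    NOT_REQUIRED = "not_required"   # section is outside the fence
    VERIFIED = "verified"
    UNVERIFIED = "unverified"       # onboarding allowed, flagged in the profile
    BLOCKED = "blocked"             # assumption: buyer preference forbids unverified


@dataclass
class Supplier:
    country: str
    verified: bool = False


def waterfall(supplier, checks):
    """Run telecom -> biometric -> manual video in order, stopping at the first pass.

    `checks` maps a step name to a zero-argument callable returning True on a
    pass; any other outcome (no coverage, fraud signal, declined) falls through.
    """
    attempted = []
    for step in ("telecom", "biometric", "manual_video"):
        if step == "telecom" and supplier.country not in TELECOM_COUNTRIES:
            continue  # telecom check is only attempted where it is available
        attempted.append(step)
        if checks[step]():
            return True, attempted
    return False, attempted


def touch_fence(supplier, section, checks, allow_unverified):
    """Decide what happens when a supplier opens `section` during onboarding."""
    if section not in FENCED:
        return Status.NOT_REQUIRED, []
    if supplier.verified:            # previously verified: no re-check
        return Status.VERIFIED, []
    passed, attempted = waterfall(supplier, checks)
    if passed:
        supplier.verified = True
        return Status.VERIFIED, attempted
    status = Status.UNVERIFIED if allow_unverified else Status.BLOCKED
    return status, attempted
```

Because the checks are callables, a later step is never invoked once an earlier one passes, which mirrors the biometric check being requested only when the telecom check cannot verify the supplier.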