Founded in 2008 · Built for AP professionals · Community-led · Practical guidance, not sales fluff
BreakingNACHAAI AutomationVendor FraudJobsCertifications
Friday, July 10, 2026
Updated
Accounts Payable Professionals Group
Practical intelligence for the people who keep business moving
Accounts Payable news, controls guidance, automation coverage, career resources, and professional insight built for the people doing the work.
Popular now AP automation Fraud controls Vendor management Career development Why APPG exists →
Leadership
APPG appoints Mariann Ruhno as Chief Education Officer
Mariann Ruhno will help guide future APPG courses, certifications, and educational resources designed for working Accounts Payable professionals. Read the announcement →
Rules & Compliance
NACHA fraud monitoring Phase 2 took effect June 22, 2026
Volume thresholds are gone. All non-consumer Originators, TPSPs, and TPSs must now monitor for fraud, while RDFIs must screen incoming credits. Read the APPG update → Official NACHA summary →
Start here
APPG
01
Join the professional community
Connect with AP professionals, leaders, vendors, and job seekers.
Visit the LinkedIn group →
02
Get practical AP updates
Receive useful news, controls guidance, career resources, and process ideas.
Join the newsletter →
03
Find your next AP opportunity
Browse roles selected for Accounts Payable and finance operations professionals.
Browse AP jobs →
Join the APPG community
Practical AP content. No clutter. No generic finance noise.

Thursday, July 9, 2026

NACHA Fraud Monitoring Deadline

AP News | Controls & Risk

The NACHA Deadline You Already Missed

A new rule changed how AP teams have to fight ACH payment fraud. It is already in effect. If your team sends or collects ACH payments, it may now apply to you, no matter how small your volume is.

By Robert Ruhno, Executive Director, Accounts Payable Professionals Group (APPG)
Last reviewed: July 9, 2026

Abstract impressionist image representing ACH fraud monitoring, payment protection, bank controls, and vendor payment risk

Here is the part most accounts payable teams have not caught yet: a major NACHA fraud monitoring rule is now in effect for smaller-volume ACH participants too.

The formal effective date for NACHA's Phase 2 fraud monitoring rule was June 19, 2026. Because June 19 was a federal holiday, NACHA's summary of upcoming rule changes lists the operational date as June 22, 2026.

If your team has not built anything for it yet, you are behind. The good news is that catching up is doable, and this article walks through the issue in plain AP terms.

First, what is NACHA, and why should AP care?

NACHA writes the rules for the ACH Network. ACH stands for Automated Clearing House. It is the system that moves many electronic payments between U.S. bank accounts, including direct deposit, vendor payments, and bill pay.

A few terms you will see below:

  • Originator: The party that starts a payment. If your company sends ACH payments, your company may be an originator.
  • ODFI: Originating Depository Financial Institution. This is usually your bank, the one that pushes the payment into the ACH Network.
  • RDFI: Receiving Depository Financial Institution. This is the receiving bank, such as the vendor's bank.
  • Third-Party Sender (TPS) or Third-Party Service Provider (TPSP): A company that handles ACH activity on your behalf, such as a payment processor or AP automation provider.

If your team pays vendors or collects money by ACH, you are part of this risk environment. The new rule makes fraud monitoring harder to ignore.

What actually changed

The change is part of NACHA's larger Risk Management package. It rolled out in two phases.

Phase 1, March 20, 2026: Applied to all ODFIs, plus non-consumer Originators, Third-Party Senders, and Third-Party Service Providers whose 2023 ACH volume exceeded 6 million entries.

Phase 2, June 22, 2026: The volume threshold is gone. Now all other non-consumer Originators, TPSPs, and TPSs must comply with the fraud monitoring rules, regardless of origination or transmission volume.

That second line is the one that catches teams off guard. Many AP departments assumed the rule was only for banks, giant processors, and high-volume ACH users. It is not that narrow anymore.

You can read NACHA's official Phase 2 rule summary here: NACHA Risk Management Topics, Fraud Monitoring Phase 2.

What the rule asks you to do

The rule does not hand AP teams one exact software tool or one exact checklist. Instead, it requires risk-based processes and procedures reasonably intended to identify ACH payments that may have been initiated because of fraud.

Two phrases matter:

  • Risk-based means you put more effort where the risk is higher and less where it is lower. You do not have to treat a $50 payment the same way you treat a $500,000 payment.
  • Technology-neutral means you choose the method. NACHA references approaches such as velocity checks, anomaly detection, pattern recognition, and behavioral tolerances.

In plain AP terms, you need a written, repeatable way to spot a payment that looks wrong before it goes out the door.

Meet false pretenses, the scam this rule is really about

NACHA added a named fraud type called false pretenses. This is a payment that appears authorized, but only because someone lied about who they were, what authority they had, or which account should receive the money.

For AP teams, the most familiar version is the vendor bank-change scam. A real supplier's payment details get swapped by an imposter. Everything looks normal, so the payment is approved, and the money lands in a criminal's account.

This is a form of credit-push fraud. The payer is tricked into pushing money out voluntarily. Your job now is to have a documented process that helps catch that lie before the payment is released.

The controls examiners will expect to see

You have some freedom in how you comply, but these are the controls your bank, auditors, and internal reviewers are likely to ask about:

  1. Dual control. Two people, not one, should release higher-risk payments. A fraudster may fool one person. Fooling two is harder.
  2. Account validation. Confirm that a vendor's bank account is real and open before you pay it, and re-check when the details change.
  3. Out-of-band verification. When a vendor asks to change bank details, confirm it using contact information you already have on file, through a different channel. Call a known number. Do not use the phone number or email address included in the change request.
  4. Multi-factor authentication. Require a second step beyond a password to access payment systems. An authentication app or physical token is usually stronger than a texted code.
  5. Written procedures and review. You need documented procedures, not just good habits. Plan to review them at least once a year, and whenever your payment process changes.

The hard truth about who pays

This is the first time fraud monitoring obligations have been expanded this broadly to non-consumer ACH Originators and related third parties. Before this package, fraud detection requirements were more limited, such as certain WEB debits and Micro-Entries.

Here is the part that stings for AP teams: these rules do not automatically shift the loss to your bank when your company is tricked into sending money to a criminal. In many credit-push fraud situations, the payer may still bear the loss.

That is why the controls above are not just compliance work. They are practical loss-prevention work.

One more change to keep on your radar

The Same Day ACH limit is scheduled to increase from $1 million to $10 million per payment on September 17, 2027.

That change is not here yet, but AP teams should pay attention now. Bigger payments moving faster can be useful for cash management, invoice payments, payroll funding, and tax payments. It also raises the stakes because faster money is harder to recover if a fraudulent payment slips through.

NACHA's official Same Day ACH rule update is available here: Increasing the Same Day ACH Dollar Limit to $10 Million.

Your 10-minute gut check

Run through these questions with your AP, Treasury, and Finance teams this week:

  • Do we send or collect any ACH payments?
  • Do we have a written fraud-monitoring procedure?
  • Does every vendor bank-change request get an out-of-band callback?
  • Do two people release high-value or higher-risk payments?
  • Do we validate new vendor bank accounts before the first payment?
  • Do we re-check vendor bank accounts when payment details change?
  • When did we last review these steps?

APPG takeaway: If your team cannot point to a real, written, risk-based ACH fraud monitoring process today, that is this week's project. Start with vendor bank-change callbacks. It is one of the cheapest controls to add, and it can stop one of the most expensive fraud losses AP teams face.

Bottom line

The deadline is not coming. It is here.

The rule does not expect perfection. It expects a real, documented, risk-based process. If your team cannot show one today, start with the highest-risk step first: vendor bank-account changes.

Call the vendor using known contact information already on file. Document the verification. Require a second person for higher-risk changes and higher-value releases. Then build the rest of your monitoring process around that foundation.

Official sources

Editorial Note: This article was developed with the assistance of artificial intelligence and edited, reviewed, and approved by Robert Ruhno, Executive Director of the Accounts Payable Professionals Group (APPG).

Headshot of Robert Ruhno, Executive Director of APPG
APPG Contributor
Robert Ruhno
Executive Director, Accounts Payable Professionals Group
Accounts Payable Professionals Group logo

Practical AP reporting, controls guidance, automation coverage, and career support for the accounts payable community.

Back to top ↑

Sunday, July 5, 2026

APPG Appoints Mariann Ruhno as Chief Education Officer

APPG Leadership Announcement

APPG Appoints Mariann Ruhno as Chief Education Officer

The Accounts Payable Professionals Group is proud to announce that Mariann Ruhno has been appointed Chief Education Officer, effective June 29, 2026.

APPG announces the appointment of Mariann Ruhno as Chief Education Officer

Mariann is already a valued member of APPG. Over the past year, she has served on our Board of Advisers, bringing her experience as an award-winning educator and her passion for learning, mentorship, and professional development to our growing community.

In this expanded leadership role, Mariann will help guide the development of formalized courses, professional certifications, and educational resources created specifically for accounts payable professionals at every stage of their careers.

Building a Stronger Learning Path for AP Professionals

Accounts payable is changing quickly. AP professionals are being asked to understand automation, internal controls, vendor management, fraud prevention, compliance, reporting, communication, and leadership.

At the same time, many AP professionals are looking for clearer career paths, better training, and more practical resources created by people who understand the work.

Mariann’s background in education makes her especially well suited for this role. Her focus will be on helping APPG turn practical AP knowledge into learning experiences that are useful, understandable, and connected to the real challenges AP professionals face every day.

What Comes Next

As Chief Education Officer, Mariann will help APPG build toward a stronger educational foundation for the profession. This includes future courses, certification pathways, member learning resources, and professional development programs designed to support both new and experienced AP professionals.

Please join us in congratulating Mariann on this well-deserved next chapter.

We are excited for the impact she will have on APPG, our members, and the accounts payable profession.

Editorial Note: The article formatting was updated on July 10, 2026.

Headshot of Robert Ruhno, Executive Director of APPG
APPG Contributor
Robert Ruhno
Executive Director, Accounts Payable Professionals Group
Accounts Payable Professionals Group logo

Practical AP reporting, controls guidance, automation coverage, and career support for the accounts payable community.

Back to top ↑

Wednesday, June 17, 2026

Stewardship Foundation of Accounts Payable

Stewardship in Accounts Payable illustration showing invoices, a compass, and principles such as accuracy, integrity, accountability, diligence, and transparency

Stewardship: The Real Foundation of Accounts Payable

Long before accounting standards, ERP systems, and internal controls, societies relied on trusted individuals to collect, record, and safeguard financial resources. Tax collection in the Roman world required accountability, recordkeeping, and the management of financial obligations.

One such figure was Saint Matthew, who worked within the Roman taxation system before becoming one of the twelve apostles. Today he is remembered as the patron saint of accountants, bookkeepers, and financial record keepers. His role required documentation, judgment, and accountability. The core responsibility was stewardship.

Stewardship predates accounting standards, regulatory bodies, and enterprise systems. It is the disciplined management of resources that do not belong to you. Accounts payable operates under the same principle.

I have spent over 20 years in AP across insurance, tax, finance, media, and energy. Stewardship is the foundation that holds everything together. Here is what it looks like in practice.

What Stewardship Really Means in AP

When you work in Accounts Payable, you manage money, vendor relationships, and financial records on behalf of the company, its employees, its owners, and sometimes its customers.

A steward takes ownership. You treat every invoice as if your own money were on the line. You ask the hard questions. You make sure the right person approves it. You watch for anything that does not look right.

This is a big responsibility. A single mistake or a fraud that slips through can delay payroll, leave vendors unpaid, or hurt cash flow. I have watched small problems snowball into big ones when someone treated AP like a routine task instead of a sacred trust.

Stewardship shows up in daily habits:

  • Keep your vendor master file clean and accurate.
  • Insist on proper supporting documents before payment.
  • Separate duties so one person cannot both approve and pay.
  • Question anything unusual, even if it comes from someone important.

When AP works this way, people start to see the department differently. Instead of being viewed only as the bill payers, AP becomes one of the guardians of the company’s financial health.

Why It Matters More Than Ever

Fast payments and automated systems create pressure to move quicker. That speed helps when done right, but it also opens doors for mistakes and fraud. A steward slows down just enough to do things correctly.

Every invoice approval is a decision that affects cash flow, profitability, and sometimes jobs. Strong AP teams understand this. They run tight processes, train people on why controls matter, and celebrate catches before they cost money.

Actionable Steps to Build a Stewardship Mindset

  1. Start each day with a quick review of what is coming due. Know where the money is going.
  2. Document everything so the next person can follow the trail.
  3. Ask questions when something feels off. Better to look foolish for a minute than pay a bad invoice.
  4. Train your team that accuracy beats speed every time.
  5. Celebrate the wins when someone catches a duplicate or stops a risky payment.

Core Principles That Guide Strong Stewardship

  • Accuracy first. Every entry feeds reports, taxes, and decisions.
  • Transparency. Make records easy to follow.
  • Accountability. Own your part and hold others to the same standard.
  • Diligence. Check details even on busy days.
  • Integrity. Do the right thing even when no one is watching.

Apply these principles consistently and AP builds trust with leadership, vendors, and other departments.

Avoid These Common Pitfalls

  • Rushing approvals just to clear the queue.
  • Weak vendor master file controls.
  • Over-reliance on automation without human judgment.
  • Poor separation of duties.
  • Ignoring small red flags.

Fix them with simple checklists and regular reviews. I have seen teams cut errors in half with one extra verification step on high-risk items.

Practical Tools and Practices

You do not need fancy software to begin. Focus on solid basics:

  • Use positive pay or bank validation services.
  • Run regular vendor statement reconciliations.
  • Set up approval workflows with clear dollar thresholds.
  • Maintain a living procedures manual everyone can access.
  • Schedule monthly close reviews focused on exceptions.

Using simple tools consistently frees you to focus on the issues that require judgment.

Leading with Stewardship

Stewardship begins with the example you set. Share successes in meetings. Build the concept into job descriptions and performance reviews. Cross-train team members, collaborate across departments, and revisit processes as the business evolves.

Teams that embrace this mindset become more confident and effective. They catch problems early and bring forward better ideas.

This is the opening section from Book One of The AP Bible. Stewardship is the foundation everything else builds on.

Technology will continue to evolve. Processes will change. Automation will accelerate. Yet the most important control in any Accounts Payable department remains the same: people who understand they are entrusted with resources that belong to others.

Stewardship is where great AP begins.

If you are leading an AP team or working in the trenches, start here. What are your biggest stewardship challenges right now? Drop a comment below. I read them and we can tackle them together.

Stay tuned for more excerpts as the book comes together.

Headshot of Robert Ruhno, Executive Director of APPG
APPG Contributor
Robert Ruhno
Executive Director, Accounts Payable Professionals Group
Accounts Payable Professionals Group logo

Practical AP reporting, controls guidance, automation coverage, and career support for the accounts payable community.

Back to top ↑

Sunday, May 24, 2026

Two AP Fraud Cases That Expose Dangerous Internal Control Gaps

Two AP Fraud Cases That Expose Dangerous Internal Control Gaps

Years ago, we shared the story of an accounts payable clerk who was sentenced to 7 years in prison for embezzling $545,000 from a New Jersey auto dealership. It served as a stark reminder of how vulnerable an organization becomes when internal controls lapse.

Illustration of an accounts payable fraud investigation with internal control warning elements

To this day, the core risk factors remain exactly the same. Accounts payable professionals continue to find themselves on the front lines of defense against occupational fraud. Here are two recent high-profile federal cases that demonstrate why robust internal audit tracks and rigid segregation of duties are non-negotiable in any finance department:

Case #1: The $24 Million Casino AP Manager

An Accounts Payable Manager for Muscogee Nation Gaming Enterprises LLC in Oklahoma exploited top-tier AP authority to systematically siphon off more than $24 million. By altering company records and falsifying documents, the individual bypassed standard operational tracking. In October 2025, the former AP manager was sentenced to nearly 8 years in federal prison and ordered to pay millions in restitution to the former employer and the IRS.

Key Vulnerability: Lack of regular external transaction reconciliation and concentrated systemic oversight permissions.

Case #2: The Vendor Payment Manipulation

A former Accounts Payable Clerk for Décor Craft, Inc. in Rhode Island abused access to company bank codes intended for legitimate vendor wire transfers. Instead of paying suppliers, the employee rerouted partial or full balances into personal bank accounts to pay off personal creditors, manually altering the ledger to falsely show complete fulfillment. The former clerk was sentenced to 18 months in federal prison and ordered to pay over $302,000 in restitution.

Key Vulnerability: Allowing the same individual who initiates online bank wire transfers to also edit internal ledger records.

The Accounts Payable Takeaway

Whether it is a $300,000 small-business loss or a multi-million-dollar corporate exploit, the failure points are consistent: unmonitored ledger control and dual authorization gaps. To safeguard your organization, ensure that the employee inputting the invoice is never the individual releasing the wire or reconciling the end-of-month bank statement.

Editorial Note: This article was developed with the assistance of artificial intelligence and edited, reviewed, and approved by Robert Ruhno, Executive Director of the Accounts Payable Professionals Group (APPG).

Headshot of Robert Ruhno, Executive Director of APPG
APPG Contributor
Robert Ruhno
Executive Director, Accounts Payable Professionals Group
Accounts Payable Professionals Group logo

Practical AP reporting, controls guidance, automation coverage, and career support for the accounts payable community.

Back to top ↑

Thursday, May 21, 2026

Accounts Payable Office Health Risks

Skip to main content
Workplace Health and Accounts Payable

Accounts Payable and the Modern Office: The Health Risks Nobody Talks About

By Robert Ruhno, Executive Director, Accounts Payable Professionals Group

Modern Accounts Payable office scene showing a standing desk, expense reports, nitrile gloves, coffee cup, and article title about workplace health risks.

Most Accounts Payable professionals spend their careers focused on financial controls, fraud prevention, reconciliations, audit trails, and operational discipline. We are trained to identify risks before they become expensive problems.

Far fewer people stop to consider the long-term health risks built into the modern office itself.

Many AP professionals spend decades sitting under artificial lighting, processing paper, handling receipts, eating at their desks, and working through close cycles with very little movement. Over time, those patterns begin to add up.

The modern office has changed dramatically over the last 30 years. We now live in a world filled with plastics, thermal papers, sedentary workflows, remote work isolation, convenience packaging, and repetitive computer-based tasks. Researchers and health professionals have started asking whether these patterns may contribute to long-term health concerns, especially when repeated daily over the course of a 20- or 30-year career.

Many of these risks may be reduced through awareness and better workplace habits.

The Sedentary Nature of AP Work

Invoice processing, ERP navigation, reconciliations, approval routing, reporting, three-way matching, and month-end close activities often require AP professionals to remain seated for long periods of time.

Hybrid and remote work may intensify this. Many people no longer walk to meetings, commute through office buildings, or naturally move throughout the day the way they once did.

Research continues to associate prolonged sedentary behavior with increased risks involving circulation, cardiovascular health, metabolic issues, fatigue, posture problems, and other health concerns. Some researchers now describe prolonged sitting as an independent health risk, even among individuals who otherwise exercise regularly.

A standing desk is not the same thing as walking, stretching, or moving naturally throughout the day. Still, alternating between sitting and standing may be considerably better than remaining seated continuously during long close cycles or reconciliation sessions.

The goal is not to stand all day. The real objective may be reducing long uninterrupted periods in the same posture.

Practical Ideas for AP Professionals

  • Alternate between sitting and standing throughout the day.
  • Take short walking breaks during approval delays or long processing sessions.
  • Pace during phone calls or Teams meetings.
  • Use smartwatch or calendar reminders for movement.
  • Consider under-desk pedals or treadmill workstations.
  • Build short reset walks into month-end close routines.

Thermal Paper Receipts and BPA Exposure

This is one area where AP professionals may face exposures that many office workers rarely think about.

Receipts, expense reports, mailed invoices, retail transaction records, and thermal paper documents are common throughout finance and accounting environments. Studies have examined BPA and BPS chemicals used in some thermal papers, with researchers noting that these compounds may transfer through skin contact during handling.

My personal recommendation: If I were regularly handling large volumes of thermal receipts or mailed documents every day, I would absolutely use proper nitrile gloves during batch processing tasks. The research surrounding thermal paper exposure is serious enough that I believe the precaution is justified, particularly over a long career in accounting or finance.

Research involving receipt handling has shown that nitrile gloves may significantly reduce BPA exposure during prolonged contact with thermal paper.

This becomes even more relevant in AP environments where professionals may process:

  • Mailed receipts.
  • Expense reports.
  • Shipping documents.
  • Point-of-sale records.
  • Stacks of invoices during close periods.

Researchers have also noted that lotions, oils, or hand sanitizers may increase skin absorption during receipt handling.

Practical Ideas for AP Professionals

  • Keep disposable nitrile gloves available for heavy receipt-handling tasks.
  • Prioritize digital receipts and paperless workflows when practical.
  • Wash hands thoroughly after handling thermal paper.
  • Avoid applying sanitizer or lotion immediately before processing receipts.
  • Reduce unnecessary physical document handling where possible.

Office Kitchens, Plastics, and Convenience Culture

Close week culture often creates unhealthy office habits.

Many AP professionals know the routine:

  • Rushed lunches.
  • Reheated coffee.
  • Eating at the desk.
  • Microwaving food in plastic containers.
  • Relying heavily on convenience foods during deadlines.

Researchers continue studying endocrine-disrupting chemicals such as BPA, BPS, phthalates, and PFAS compounds found in plastics, food packaging materials, thermal papers, and non-stick coatings.

The issue is less about one plastic container or one receipt. The larger concern may involve cumulative exposure from many small daily sources repeated over decades:

  • Food packaging.
  • Water bottles.
  • Canned linings.
  • Thermal paper.
  • Office kitchen containers.
  • Sedentary work environments.

When practical, I prefer glass or stainless steel for food and beverage storage.

I have also worked in offices that intentionally used glass water cooler bottles instead of plastic ones. They were heavier, more expensive, and less convenient to handle, but the reasoning was straightforward: glass does not rely on bisphenol-based plastics or plasticizers used in many synthetic materials.

To be fair, even many glass cooler systems still use plastic caps or components similar to standard office water systems. Modern life makes avoiding plastics entirely difficult. The more realistic goal may be reducing unnecessary exposure where practical.

Practical Ideas for AP Professionals

  • Use glass or stainless steel containers for reheating food.
  • Avoid microwaving heavily worn plastic containers.
  • Consider stainless steel or ceramic mugs for hot beverages.
  • Stay hydrated during long close cycles.
  • Reduce reliance on highly processed convenience foods during busy periods.
  • Use fresh air and short outdoor breaks whenever possible.

The Remote Work Paradox

Remote work has brought major benefits to many AP professionals, including flexibility, reduced commuting stress, and better work-life balance.

At the same time, remote work may unintentionally increase sedentary behavior even further.

Many remote workers now spend entire days:

  • Sitting at the same workstation.
  • Eating lunch at the desk.
  • Attending back-to-back virtual meetings.
  • Moving only short distances throughout the day.

Those small movements that once existed naturally in office environments often disappear completely at home.

Practical Ideas for Remote AP Teams

  • Create a dedicated workspace separate from eating or sleeping areas.
  • Schedule intentional movement breaks throughout the day.
  • Take short walks before or after work to simulate a commute.
  • Maximize natural lighting when possible.
  • Use ergonomic seating and monitor positioning.
  • Stand during lower-intensity meetings or document review sessions.

A Professional Sustainability Mindset

Accounts Payable professionals are trained to think in terms of long-term controls, risk mitigation, operational consistency, and sustainability.

That mindset may also apply to workplace health.

The goal is not perfection, fear, or eliminating every possible exposure from modern life. That would be nearly impossible.

The more realistic objective may be reducing avoidable risks where practical:

  • Moving more frequently.
  • Reducing prolonged sitting.
  • Minimizing unnecessary receipt handling.
  • Improving food storage habits.
  • Creating healthier daily work routines.

Small improvements repeated consistently over decades may matter far more than most people realize.

Quick-Start Checklist for AP Professionals

  • Alternate between sitting and standing throughout the workday.
  • Take movement breaks during long processing sessions.
  • Use nitrile gloves for heavy receipt-handling tasks.
  • Wash hands after handling thermal paper.
  • Use glass or stainless steel containers when practical.
  • Reduce unnecessary plastic food heating.
  • Build movement into month-end close routines.
  • Optimize remote work ergonomics and lighting.
  • Prioritize digital workflows whenever possible.

Accounts Payable professionals spend their careers protecting organizations from operational and financial risk.

It may be time for the profession to think more seriously about protecting its people as well.

Note: This article discusses general workplace wellness concepts and emerging research surrounding sedentary behavior and environmental exposures. Readers should consult qualified healthcare professionals regarding individual medical concerns or occupational health decisions.

Selected Sources and Further Reading

Headshot of Robert Ruhno, Executive Director of APPG
APPG Contributor
Robert Ruhno
Executive Director, Accounts Payable Professionals Group
Accounts Payable Professionals Group logo

Practical AP reporting, controls guidance, automation coverage, and career support for the accounts payable community.

Back to top ↑

Saturday, April 11, 2026

Anthropic Mythos Ai Cyber Risk Banks AP

Skip to article body
Controls & Risk

Anthropic Mythos 5 and the New AI Cyber Risk Facing Banks and Accounts Payable

Anthropic’s Mythos models have moved from a restricted research preview into a broader defensive cybersecurity program. The latest developments make the implications for banks, payment systems, and Accounts Payable more concrete.

By Robert Ruhno
Executive Director, Accounts Payable Professionals Group
Published
Updated
Updated July 10, 2026: This article now includes the launch of Mythos 5, Project Glasswing’s international expansion, Anthropic’s reported vulnerability findings, temporary U.S. access restrictions, restored access, new safeguards, and a recent government cybersecurity case study.
AI cyber risks affecting Accounts Payable workflows, banking systems, and payment infrastructure
Illustration: AI-driven cybersecurity risks across banking and Accounts Payable systems.

Mythos and Project Glasswing Timeline

April 7, 2026
Anthropic announces Project Glasswing and introduces Claude Mythos Preview .
April 10, 2026
Reuters reports that Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell warned major bank CEOs about cybersecurity risks tied to Anthropic’s new model.
May 22, 2026
Anthropic reports that it and approximately 50 Project Glasswing partners identified more than 10,000 findings they classified as high or critical severity. The company says the bottleneck is shifting from finding vulnerabilities to verifying, disclosing, and patching them.
June 2, 2026
Anthropic expands Project Glasswing to approximately 150 additional organizations in more than 15 countries, bringing the reported partner network to roughly 200 organizations.
June 8, 2026
Anthropic publishes research on how advanced AI could accelerate the development of exploits for known but incompletely patched vulnerabilities, often called N-days.
June 9, 2026
Anthropic launches Claude Mythos 5 for a small group of vetted cybersecurity defenders and infrastructure providers participating in Project Glasswing.
June 12, 2026
Anthropic suspends access to Mythos 5 and Fable 5 after receiving a U.S. government directive restricting access by foreign nationals.
July 1, 2026
Anthropic restores Mythos 5 access to a limited group of approved U.S. organizations after the government lifts the export controls.
July 2, 2026
Anthropic publishes additional information about its cybersecurity classifiers and proposes a framework for evaluating the severity of AI jailbreaks.
July 6, 2026
Anthropic publishes a case study reporting that the Government of Alberta used Claude to scan 466 million lines of code in 20 hours and help identify and remediate security gaps.

There are moments when technology improves gradually, and then there are moments when it changes the rules of the game.

Anthropic’s Mythos work appears to be an important step in that second category.

Anthropic introduced Claude Mythos Preview as part of Project Glasswing . Anthropic described the unreleased model as unusually capable at computer security tasks, including identifying and exploiting serious software vulnerabilities under controlled conditions.

The company did not release Mythos Preview broadly. Instead, it gave selected technology companies, infrastructure providers, open-source organizations, and security teams restricted access so they could use the model defensively.

That should matter to Accounts Payable professionals because AP sits directly on top of the systems that approve, transmit, and record money.

Why this matters:
AP teams may not manage cybersecurity directly, but they depend on bank portals, ERP systems, payment integrations, browsers, cloud applications, vendor portals, and approval workflows. If those systems become easier to attack, AP becomes part of the blast radius.

What Changed After the Original Article Was Published

The April announcement was initially about the potential of a restricted model. The developments since then have provided more evidence of the scale, the defensive opportunity, and the control challenges.

May 22, 2026

More Than 10,000 Reported Findings

Anthropic reported that it and its initial Glasswing partners identified more than 10,000 high or critical-severity findings across important software systems.

That number is Anthropic’s report, not an independent audit of every finding. Even so, it illustrates the operational challenge created when automated discovery moves faster than human validation and patching.

June 2, 2026

Glasswing Expands Internationally

Anthropic added approximately 150 organizations in more than 15 countries to the program. The expansion included organizations supporting power, water, healthcare, communications, hardware, and other critical infrastructure.

June 8, 2026

AI Accelerates Known-Vulnerability Exploitation

Anthropic reported that Mythos Preview could turn a collection of known software patches into working exploit attempts much faster than traditional manual research.

This raises the importance of applying critical security patches promptly once vendors make them available.

June 9 to July 1, 2026

Mythos 5 Launches, Pauses, and Returns

Mythos 5 replaced Mythos Preview for a small group of vetted cyberdefenders. A June 12 U.S. directive led Anthropic to disable access temporarily.

By July 1, limited access had been restored for approved U.S. organizations after the restrictions were lifted.

July 2, 2026

Safeguards Become Part of the Story

Anthropic published additional information about the classifiers used to block dangerous cybersecurity requests and proposed a common framework for evaluating the severity of model jailbreaks.

July 6, 2026

A Government Cybersecurity Case Study

Anthropic reported that a Government of Alberta team used Claude to scan 466 million lines of code in approximately 20 hours, identify vulnerabilities, support remediation work, and build additional security tools.

This case study shows the defensive side of the same technology: organizations may use advanced AI to examine large systems much faster than a traditional manual review.

Important distinction:
Finding a vulnerability is not the same as successfully exploiting it. Reporting should distinguish between discovery, validation, exploit development, and confirmed compromise.

What Makes This Different

Cyber threats are not new, and software vulnerabilities are not new. What appears to be changing is the speed, the scale, and the automation.

Traditionally, finding a serious vulnerability required time, specialized expertise, and patient manual investigation. Developing a working exploit required additional technical skill and testing.

Advanced AI can compress parts of that process. A model may be able to inspect code, reason through system behavior, identify a weakness, and help a trained user develop a test or proposed fix much faster than before.

The risk is not only that vulnerabilities exist. It is that the time between disclosure, exploit development, and active attack may continue to shrink.

“This is not necessarily a panic-now event. It is a warning that the defensive timeline is getting shorter.”

Why Banks and Regulators Paid Attention

Reuters reported that Treasury Secretary Scott Bessent and then-Federal Reserve Chair Jerome Powell warned major bank CEOs about potential cybersecurity risks associated with Anthropic’s new model.

Banking infrastructure depends on shared technology, including operating systems, browsers, cloud services, APIs, authentication tools, internal applications, and third-party software libraries.

If AI systems can identify weaknesses across that stack faster than before, banks and the organizations that rely on them may have less time to assess and remediate exposed systems.

In June, The Associated Press reported that Mythos identified vulnerabilities in sensitive U.S. government systems during a controlled testing exercise within hours.

The official cited by AP specifically cautioned that this did not mean the model exploited those vulnerabilities within that same period.

Operational warning for AP:
Even when an organization is not using Mythos or another advanced cybersecurity model, its AP workflows still depend on banks, software vendors, cloud providers, browsers, and integrations affected by the faster threat cycle.

Where Accounts Payable Fits Into the Picture

Accounts Payable is no longer a stand-alone back-office paperwork function. In many organizations, AP operates through a connected ecosystem of systems, credentials, data, and approvals.

AP ecosystem at a glance
ERP or Accounting System
Invoice Automation
Vendor Portals
Banking and Treasury Portals
API Integrations
Approval Workflows

This puts AP close to the software layers through which vendor data is changed, invoices are approved, and payments are released.

In practical terms, AP may become a meaningful target area in a future wave of faster, AI-assisted cyberattacks.

What This Could Look Like in the Real World

1. Payment Workflow Compromise

A weakness in a browser session, identity layer, plugin, or integration could be used to interfere with payment approvals or access controls.

2. Vendor Portal Manipulation

A serious supplier portal vulnerability could expose vendor records or allow unauthorized changes that normal AP review may not detect immediately.

3. API-Level Risk

Integrations between ERP systems, banks, payment platforms, and approval tools create efficient data paths. They can also create technical routes that attackers may attempt to exploit.

4. Faster Data Theft

Vendor master data, banking instructions, invoices, payment histories, and approval logs are valuable. AI may help attackers identify weak paths into those datasets more quickly.

5. Disruption Timed Around Critical Payment Periods

Attackers do not always need to shut down an entire company. Interrupting payment systems near payroll, month-end, quarter-end, or a major payment run may create enough pressure to cause mistakes or control bypasses.

The Patch Gap Is Becoming an AP Issue

Anthropic’s June research focused on N-day vulnerabilities, meaning flaws that have already been disclosed but are not yet patched everywhere.

Once a security patch is published, attackers can compare the old and new software versions to identify what changed. Advanced AI may make that comparison and the development of a working exploit faster.

For AP, the practical lesson is simple: software updates affecting bank access, browsers, ERP integrations, invoice automation, identity tools, and payment applications may become more urgent than they once appeared.

AP control lesson:
Accounts Payable should not install enterprise software independently, but it should know who owns patching for every payment-critical platform and how AP will operate if a system must be taken offline quickly.

What AP Teams May Notice

  • More frequent software patches and security notices
  • New multifactor authentication requirements
  • Shorter deadlines for applying critical updates
  • Temporary downtime for bank or AP platforms
  • Stricter controls around vendor changes and payment releases
  • More scrutiny of service accounts and API credentials
  • More questions from auditors, insurers, and security teams

Even when the threat feels technical or abstract, the operational consequences for AP may become very concrete.

The Defensive Opportunity

The same capabilities that may help attackers move faster can also help defenders identify weaknesses earlier. That is the central purpose of Project Glasswing.

Anthropic says participating organizations have used its models not only to find vulnerabilities, but also to suggest patches, test software before release, and help modernize older code.

The Government of Alberta case study provides a more recent example of this defensive opportunity. Anthropic reported that a small government team used Claude to examine hundreds of millions of lines of code in hours rather than attempting a manual review that could take years.

The remaining challenge is organizational capacity. A security team must still confirm that a reported vulnerability is real, determine its severity, coordinate disclosure, develop a safe fix, test that fix, and deploy it.

AI may accelerate discovery faster than organizations can complete those later steps.

What Accounts Payable Professionals Should Do Now

  • Review dual approval controls for high-value and high-risk payments.
  • Recheck vendor bank-change procedures and independent callback requirements.
  • Separate vendor maintenance, invoice processing, payment approval, and payment release duties where practical.
  • Limit banking and payment credentials to employees who need them.
  • Confirm that shared credentials are prohibited and service accounts are documented.
  • Ask who owns patching for the ERP, AP automation platform, bank portal, browser, and integration tools.
  • Maintain an emergency-payment procedure that does not abandon normal verification controls.
  • Include AP systems and payment runs in business-continuity and incident-response planning.
  • Treat unusual workflow behavior, unexpected login changes, and unexplained vendor-data changes as potential security events.
  • Preserve system logs and supporting documentation so suspicious activity can be investigated.

Questions AP Leaders Should Ask IT and Treasury

  1. Which AP and banking systems are considered payment-critical?
  2. How quickly can critical security patches be tested and deployed?
  3. What happens if a bank portal, ERP integration, or approval platform is unavailable during a payment run?
  4. Are privileged credentials, service accounts, and API keys reviewed regularly?
  5. Can the company identify who changed vendor banking data, when it changed, and who approved it?
  6. Does incident-response planning include Accounts Payable, Treasury, Procurement, and vendor communications?

Bottom Line

The story has developed beyond an April product announcement. Mythos Preview produced reported findings at scale, Project Glasswing expanded, Mythos 5 was introduced, government restrictions interrupted access, and Anthropic responded with additional safeguards and a proposed jailbreak framework.

The Alberta case study also shows how the same class of technology could help defenders examine large systems, prioritize security work, and remediate vulnerabilities much faster than before.

For Accounts Payable, the main lesson is not that every AP department needs its own cybersecurity model. The lesson is that the technology supporting invoices, vendor data, approvals, and payments is entering a faster security cycle.

AP professionals do not need to become penetration testers. They do need to protect payment authority, follow vendor-change controls, respond to security updates, and participate in continuity planning.

Security is no longer somebody else’s problem once it reaches the payment workflow.

Sources & Further Reading

Editorial Note: This article was updated on July 10, 2026, to improve the formatting and include developments reported after the original April 11, 2026 publication date.

Headshot of Robert Ruhno, Executive Director of APPG
APPG Contributor
Robert Ruhno
Executive Director, Accounts Payable Professionals Group
Accounts Payable Professionals Group logo

Practical AP reporting, controls guidance, automation coverage, and career support for the accounts payable community.

Back to top ↑

More on this topic:

NACHA Fraud Monitoring Deadline

Back to Home AP News | Controls & Risk The NACHA Deadline You Already Mis...