Security isn’t just a technical checkbox — it’s a core control that protects your organization, your clients, and your reputation. Without the right safeguards in place, the risks are real: fraud, regulatory penalties, and even loss of business.
When implementing Electronic Funds Transfers (EFTs) in Yardi, the first priority is protecting your financial data. At a high level, the best practices for doing so involve:
- Strengthening oversight
- Improving visibility into changes
- Building smarter internal controls around EFT and ACH management
This article provides practical steps you can take to put these best practices into action.
- Restrict EFT/ACH Edit Permissions
As a first step, we recommend limiting EFT/ACH editing rights to a small, designated security group (for example, AP Manager and Controller). Restricting edit permission reduces exposure to unauthorized or fraudulent changes. You can do so by:
- Removing EFT edit permissions from general AP users and all other user groups.
- Ensuring vendor maintenance access does not automatically include banking field edits.
- Implementing segregation of duties where possible. For example, one user enters/updates information and then a second user approves the change. We recommend using Vendor Workflow to enforce segregation of duties.
- Route Vendor Updates Through RentCafé or VendorCafé (Where Possible)
Vendor self-service reduces the risk associated with emailed change requests. If you are using RentCafé or VendorCafé for vendor onboarding or maintenance, ensure that you:
- Require vendors to update their own EFT.
- Disable manual internal updates except in documented exception cases.
- Use approval workflows where configured.
If you do not currently have RentCafé or VendorCafé, keep this advice in mind for a future implementation.
- Enable Audit Tracking for Vendor and ACH/EFT Tables
Audit tracking provides full traceability. To support reporting and monitoring, enable audit functionality for:
- Vendor master record changes
- ACH/EFT banking tables
Once audit tracking is active, you can capture:
- Vendor ID and name
- Date and time of change
- User who made the change
- Fields updated (e.g., routing number, account number, ACH flag)
- Prior value vs. new value (depending on audit configuration)
- Create and Schedule an EFT Change Audit Report
After audit logging is enabled, a security audit report is available to identify EFT-related changes over a defined time period (e.g., previous 24 hours). This scheduled audit-based reporting approach is the most common and reliable method for monitoring EFT updates.
The security audit report includes:
- Vendor information
- Change date/time
- User making the change
- Modified fields
You can schedule the security audit report to run nightly or at another defined frequency. The report can automatically be emailed to designated recipients such as AP leadership or Accounting management.
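The following added example (not Yardi's or Lynx's code) shows the review logic behind such a report: it reads an exported audit file, keeps banking-field changes from the previous 24 hours, lists changes made by users outside the designated security group first, and masks account values before they reach an email. The CSV column names, field labels, user IDs and sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed column and field names; map them to your own audit export.
BANKING_FIELDS = {"routing_number", "account_number", "ach_flag"}
AUTHORIZED_EDITORS = {"ap_manager", "controller"}  # designated security group

# Constructed sample export, not real Yardi output.
SAMPLE_EXPORT = """\
vendor_id,vendor_name,changed_at,user,field,old_value,new_value
v1001,Acme Plumbing,2024-05-01T22:15:00,ap_clerk3,account_number,000123456789,000987654321
v1001,Acme Plumbing,2024-05-01T22:16:00,ap_clerk3,routing_number,999999991,999999992
v1002,Birch Electric,2024-05-01T14:05:00,ap_manager,ach_flag,N,Y
v1003,Cedar Supply,2024-05-01T09:30:00,ap_clerk1,phone,555-0100,555-0199
v1004,Delta Roofing,2024-04-29T10:00:00,ap_clerk1,account_number,000111222333,000444555666
"""


def mask(value):
    """Show only the last four characters so the emailed report does not leak account data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def eft_changes(export_text, now, window=timedelta(hours=24)):
    """Return banking-field changes inside the window, unauthorized editors first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        changed_at = datetime.fromisoformat(row["changed_at"])
        if row["field"] not in BANKING_FIELDS or not (now - window <= changed_at <= now):
            continue
        findings.append({
            "vendor_id": row["vendor_id"],
            "vendor_name": row["vendor_name"],
            "changed_at": changed_at,
            "user": row["user"],
            "field": row["field"],
            "old_value": mask(row["old_value"]),
            "new_value": mask(row["new_value"]),
            "authorized": row["user"].lower() in AUTHORIZED_EDITORS,
        })
    return sorted(findings, key=lambda f: (f["authorized"], f["changed_at"]))


if __name__ == "__main__":
    for f in eft_changes(SAMPLE_EXPORT, now=datetime(2024, 5, 2, 6, 0)):
        tag = "ok    " if f["authorized"] else "REVIEW"
        print(tag, f["changed_at"], f["vendor_id"], f["user"], f["field"],
              f["old_value"], "->", f["new_value"])
```

With the sample rows, the two after-hours changes to the same vendor by a user outside the security group surface at the top of the list, which is the pattern a reviewer should verify with the vendor before the next payment run.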
- Evaluate If Custom Development Is Needed
If the standard out-of-the-box Audit Report does not fully meet your operational or compliance requirements, you’ll need Custom Report development to bridge the gap. Our development team provides end-to-end services, including detailed specification design, requirements validation, and tailored report buildout to ensure the final output aligns precisely with your business objectives. This approach enables organizations to extend reporting capabilities beyond default system functionality while maintaining accuracy, scalability, and performance.
- Implement Vendor Banking Verification Procedures
In addition to bolstering your system’s reporting configuration, we strongly recommend the following AP fraud prevention best practices:
- Do not accept EFT changes solely via email.
- Independently verify the request by calling the vendor using a published or previously established phone number (not the number included in the change request).
- Require secondary approval before activating updated banking details by using a Vendor workflow.
- Establish a Formal Vendor Change Digital Workflow
We recommend documenting and enforcing a structured process, such as the following:
- Vendor submits a change request (preferably through VendorCafé).
- AP enters or reviews the update.
- A designated reviewer, such as an AP Manager or Accounting Supervisor, verifies the banking information.
- A secondary approver reviews and approves the change. This activates the EFT.
- Senior Management reviews and confirms the audit report.
Summary
Remember that without the right safeguards in place, there is significant risk of fraud, regulatory penalties, and even loss of business. It is vital for you to protect your organization, your clients, and your reputation–and we can help you.
Lynx offers a full security review for the database. If you would like additional details on this process, please reach out to schedule a meeting.