Risky Business with PaymentWorks: E1–The Evolution of Risk
PaymentWorks and Former CEO of Boston Private Bank Clayton Deutsch Discuss Trends in Vendor Risk Assessment

[This post was originally published in 2020 and was updated in December 2025 to reflect the evolving state of vendor risk management.]
Welcome to the inaugural episode of our podcast, Risky Business with PaymentWorks!
In each episode, we interview industry experts and frontline practitioners in the world of vendor management and risk.
Read an excerpt of the first episode below or listen in full here.
Overview of Evolution in Vendor Risk Assessment
Risk Management in the Vendor Management Space
Fast-Moving Threats to Vendor Management Processes
From Static Review to Real-Time Risk Intelligence
Why Resolving the Payments Fraud Problem is So Hard
Building Modern, Future-Proofed Vendor Risk Programs
Want the Full Episode on Vendor Risk Assessment?
Want More Takeaways on Vendor Risk Assessment?
People Also Ask – Vendor Risk Assessment FAQs

Clayton Deutsch has been a strategic advisor to PaymentWorks since our early days, bringing us decades of experience in the financial sector and the vendor risk assessment space, most recently as CEO of Boston Private Bank.
Previously, he was a managing director at McKinsey. Clay brings an unrivaled perspective on what risk assessment entails and what is at stake for a company if payments fraud gets through.
Our head of strategy and market development, Taylor Nemeth, sat down with Clay to discuss why it’s so difficult to solve the problem of securely and efficiently onboarding vendors, and how this problem contributes to the overall risk a company needs to manage.
Originally recorded for our initial podcast, the conversation is excerpted below and has been edited for clarity. You can listen to the entire podcast here.
Taylor: In your time at McKinsey or Boston Private, did you have any exposure to business-to-business payments fraud?
Also, it seems like over the last 5-6 years it’s gone in a hockey stick direction. Was that ever a concern for you?
Clay: For most of my career, “capital R, capital M,” Risk Management was not front and center. For years, risk management primarily meant credit risk assessment, balance sheet management, audit and compliance and crime.
I think it didn’t really gain a head of steam until post 2000. Since then what has come into the foreground is obviously fraud, crime and cyber…9-11, obviously aggravated things. All of the concerns about KYC, AML, Patriot Act, all the lists came from then.
I’d summarize the whole thing by saying: if you’re leading a financial intermediary, you have an unambiguous accountability to not only risk manage your own shop, there’s an accountability to absolutely warrant that you’re doing business with appropriate clients, appropriate counterparties, and appropriate business partners and vendors.
That’s a real accountability that’s inescapable. And if you shirk that duty, if you do it with anything less than superb operating integrity, you’re going to pay a high price. You’re going to face regulatory sanctions.
As a CEO, I actually felt that the regulatory sanction risk, to some extent, dwarfs the financial risk. And I think anyone leading a financial institution today knows that, and at the same time views it as one of their most vexing business problems to solve.
Fraud risk is no longer theoretical: 79% of organizations experienced a payments fraud attempt in 2024 (AFP Payments Fraud & Control Survey 2025). This reinforces Clay’s point that fraud and compliance risk are among the most pressing, enterprise-level challenges executives must address.
Taylor: It’s well known that the banks do quite a bit of diligence around customer onboarding. They know who, what, where, why, when and how those people got to where they are.
Conversely, risk management is sort of a broad category and generally has not been focused on in the world of vendor management. What are the banks doing today to verify the identity of their payees, and are they doing some of this KYB diligence when they choose a vendor?
Clay: I think what’s most vexing about the KYB problem—qualifying business partners and vendors, and then ensuring integrity in all the arrangements—is that it is extraordinarily manual, it’s extraordinarily labor intensive. And for a CEO, that’s the worst kind of a problem. I think every CEO likes to solve operating problems with replicable, highly efficient processes.
I think most institutions, even some of the most sophisticated, solve the problem just by throwing people at it. And that’s a high cost problem. Those kinds of solutions that are driven just by people don’t really solve the problem. You’re still exposed.
So figuring out how to bring real process discipline, real process efficiency to this problem, I think remains a challenge. Even very large technology-forward companies are doing the vendor qualification and vendor management thing in a very labor intensive way. It’s typically relatively distributed. It’s a very hard thing to render efficient.
Exposure is not a minor issue: the AFP notes that 60% of organizations reported vendor impersonation attempts in 2024, showing that manual processes are no match for increasingly sophisticated social engineering attacks.
Taylor: If you’re looking at the totem pole of risk at a financial institution, and you consider all the other types of risk that a bank sees on a day-to-day basis, is this towards the bottom, the KYB and the vendor maintenance piece?
Clay: I don’t think it’s a lack of attention. The vendor management, vendor payables function is typically under very able guidance, usually in the finance function or within treasury. But it’s very complicated. Risk management people absolutely have to have a say in the protocols and the requirements.
The real complication is that the threats are very dynamic. This is not a static problem. Every day every financial institution will be fending off all kinds of nefarious activity, fraudulent activity, et cetera. It’s an incredibly fast moving, incredibly dynamic space.
And what we’re finding now is some of the most elegant frauds are in this B2B space. And why? Because that’s where the big tickets are. It’s kind of like Willie Sutton, who famously said, “Why do I rob banks? Because that’s where the money is.”
Payment method also matters: 63% of companies still report check fraud, and 20% report ACH credit fraud, proving that even “safer” rails like ACH can be exploited when controls are weak.
Today, vendor risk is not moment-in-time. It’s dynamic. Leading organizations have moved beyond annual questionnaires to continuous risk scoring fed by external signals: breach alerts, ownership changes, certificate expirations, dark web mentions, sanctions updates, and more. These real-time indicators help flag vendor vulnerability before damage occurs, turning vendor risk assessment into a living, proactive defense system.
Taylor: You’ve brought up a fast moving dynamic experience as it relates to some of this risk.
Why is this payments fraud problem so prevalent? Why haven’t people like the Fed or the banks solved this problem? Additionally, why is it so challenging?
Clay: First off, I think the Fed is trying very hard to be a constructive agent here. My impression though, historically at least, is the Fed’s preference is not to solve problems in isolation.
I think the Fed tries to play a very powerful convener role to get the right kind of public sector, private sector interaction, to solve problems like this in concert. They’re trying to be a very constructive influencer of solutions.
These big multi-participant problem-solving efforts are, by nature, complicated. And I think in B2B specifically, the problem requires any individual institution to efficiently collect information from an astounding array of primary feeds or primary sources.
And even those sources are changing pretty rapidly in terms of quality and confidence you can have in the data. So the amount of just pinging and assembly that you have to do, with the overlay that this is a global identity problem, it’s not just a US identity problem.
So in the old days when banking was local, knowing your customer was a little more…they lived right next door. Your suppliers lived right next door. Your clients lived right next door.
If you’re even a relatively smaller financial intermediary today, you’re dealing with a staggering array of clients, partners, vendors, et cetera. I’ll stop there. This is really complicated.
Effective vendor risk assessment now combines automation with strong process controls. Best-in-class programs leverage platforms like PaymentWorks to centralize vendor onboarding, validate banking and tax information at the point of entry, and continuously monitor vendor data for changes. Automated alerts and configurable workflows ensure that when vendor details are updated, risk is reassessed and approvals are captured in an audit-ready trail—protecting payments and compliance from start to finish.
Listen to the full vendor risk assessment podcast episode here.
Clay Deutsch was Chief Executive Officer of Boston Private Financial Holdings and Boston Private Bank for eight years, responsible for overseeing the strategic management of the Company and its affiliates.
During his tenure, the Company had a $7 billion Private Banking balance sheet, and managed $30 billion of client assets.
He began his career in banking in the 1970s before joining McKinsey & Company in 1980. There, he was a Director, served on the Shareholders Council which manages the Firm worldwide, and was Global Leader of the firm’s Merger Management Practice.
Clay also developed deep experience working with many leading financial institutions, with a particular focus in the private banking, wealth advisory, and wealth management sectors, helping to establish and build McKinsey’s Financial Services practice globally.
He holds a Bachelor of Arts in economics from Brown University and a Master of Business Administration from the Weatherhead School of Management at Case Western Reserve University.
Clay is a past Trustee of the New York Yacht Club, on the boards of the Courageous Sailing Center and the International Yacht Restoration School, the Board of Overseers of Beth Israel Deaconess Medical Center, and the Massachusetts Insight Financial Services Leadership Council.
To sum up, there’s a lot to say about risk management in the payables space. Want more insight?
Below are a few of our best resources to assess your risk and keep your organization safe.
Key Vendor Tips and Takeaways–From the Experts Themselves
A vendor risk assessment is the process of evaluating suppliers for potential risks (which might be financial, operational, security, or compliance-related) before and during the business relationship. It ensures vendors meet your organization’s standards and helps protect against fraud, regulatory violations, and supply chain disruptions.
Vendors often have access to sensitive data, systems, or funds. Without proper vetting, they can expose your organization to cyberattacks, fraud, or compliance breaches. Vendor risk assessments identify weaknesses early, allowing you to mitigate risks, negotiate better terms, and meet regulatory requirements like SOX, GDPR, or HIPAA.
A thorough vendor risk assessment should evaluate financial stability, cybersecurity posture, regulatory compliance, data privacy controls, insurance coverage, and history of fraud or legal issues. Regular reassessments help ensure risks remain within acceptable thresholds throughout the vendor relationship lifecycle.
Modern platforms automate vendor questionnaires, pull third-party data (sanctions, credit scores, cybersecurity ratings), and generate risk scores. Automated alerts notify teams when vendor risk changes, enabling proactive management and reducing the burden on procurement and compliance teams. This streamlines due diligence and supports continuous monitoring.