The two-person payment rule requires one person to prepare a payment and another to approve it before money leaves your account.
This simple control stops invoice fraud, payment errors, and unplanned decisions at the only moment you need it.
For Dutch micro and small businesses, skipping this SOP can lead to losses that compress your recovery options and damage cash flow.
Core Answer:
- Payments above a defined threshold (e.g., €500) require independent approval from a second person.
- One person prepares the payment request with documentation, and another verifies and approves it.
- New beneficiaries must always be verified, regardless of the amount.
- 79% of organizations faced payment fraud attempts in 2024. Small businesses lose 6% of their annual revenue to fraud.
- Recovery is difficult. Only 22% of companies recovered 75% or more of lost funds in 2024.
Most micro companies in the Netherlands don’t lose money due to a single giant mistake.
They lose it through a single, large payment that should have been questioned.
The payment looked normal. Someone was busy. Someone assumed someone checked it. The money left with one click, and the consequences arrived weeks later.
Large payments differ from small payments in one key way: they narrow your recovery options.
If you pay €150 incorrectly, you fix it. You call, reverse, negotiate, correct. The cost is irritation.
If you pay €15,000 incorrectly, your month is gone. Sometimes your quarter.
The money leaves the account with the same click, but leaves your company with a completely different consequence.
Why Payment Mistakes Happen So Predictably
Urgency. Distraction. “It looked normal.” One person executing what another person assumed was checked.
The global numbers tell the story clearly: 79% of organizations were victims of payment fraud attacks or attempts in 2024. Business Email Compromise remains the dominant threat, cited by 63% of respondents as the primary avenue for fraud attempts.
For small businesses, the damage is severe. Small businesses lose 6% of their annual revenue to fraud. Every €100 lost in fraudulent orders results in €207 in total losses when you include shipping, fulfillment costs, wholesale costs, chargebacks, and processing fees.
Invoice fraud alone costs businesses an average of €1.1 million per company, per year.
Recovery is increasingly difficult. In 2024, only 22% of organizations recovered 75% or more of the funds lost to payment fraud. That number was 41% the year before.
The pattern isn’t sophisticated. It’s structural.
Bottom line: Payment fraud succeeds because of fundamental weaknesses, not sophisticated attacks. The pattern repeats when one person handles both approval and execution under pressure.
What the Two-Person Payment Rule Protects Against
We separate approval from execution, not because we distrust people, but because we distrust pressure.
Humans make their worst mistakes when rushed and alone.
This Standard Operating Procedure removes the alone part.
No single person gets to approve and send a material payment alone.
This SOP protects you against:
- Invoice fraud and supplier impersonation — the most common entry point for payment fraud
- Paying the wrong amount due to a mistake or a misread invoice
- Paying for work not delivered — when communication between work completion and invoicing breaks down
- Duplicate payments — especially common when a company is swamped with invoices
- Founder mood approvals that bypass controls
- Internal fraud risk when duties are not separated
The outcome is precise: Any payment above a defined threshold needs one person to prepare and propose, a different person to approve, and payment evidence to be stored.
Execute the bank payment only after you have the approval evidence.
If you’re able to send a large payment alone at 23:00, your company is one stressful evening away from loss.
Bottom line: This SOP prevents fraud, errors, and unplanned decisions by requiring independent verification before money leaves. One person prepares, another approves; both actions are documented.
Which Payments Need Two-Person Approval
This SOP applies to:
- Supplier payments
- Contractor payments
- High-amount tax payments to the Belastingdienst
- Refunds
- One-time purchases
- Any transfer to a new or changed beneficiary
The last one is important.
A new beneficiary is high risk regardless of the amount.
A small payment becomes a test for larger fraud. A small mistake becomes a pattern.
When Pathé Netherlands fell victim to email spoofing, fraudsters impersonated senior executives from the parent company. The result: €19 million lost. The payment looked normal. The urgency felt real. The framework permitted it.
Bottom line: Apply this rule to all payments above your threshold and any payment to a new beneficiary, regardless of amount. New IBANs are always high risk.
Setting Payment Thresholds Your Team Will Follow
Thresholds aren’t a moral decision. They’re an operating design decision.
You define:
- A normal workflow below a lower number
- A two-person workflow in the middle range
- A director-level decision above a higher number
The actual numbers must match your cash flow reality.
If thresholds are too low, people bypass the process. If thresholds are too high, the control never triggers.
The goal isn’t to create paperwork. The goal is to catch the payments changing your month.
For a micro business in the Netherlands with monthly expenses between €10,000 and €50,000, a reasonable structure looks like:
- Below €500: single approval
- €500 to €5,000: two-person rule
- Above €5,000: director approval required
Adjust these numbers to your reality. The principle remains: material payments require independent verification.
Bottom line: Set thresholds based on your cash flow reality. Too low creates bypass behavior. Too high means the control never activates. The goal is to catch payments that compress recovery options.
The Maker-Checker Process
The discipline is simple.
The Maker creates a payment request with:
- Clear purpose of the payment
- Source of beneficiary details
- Evidence that the payment is legitimate (invoice, contract, delivery confirmation)
The Approver checks:
- Supplier identity and legitimacy
- Amount matches supporting documentation.
- Timing makes sense
- Beneficiary details are correct (especially IBAN and account name)
- Supporting evidence is present and valid.
The Approver records approval as an artifact, not a conversation.
This matters. A verbal yes in the hallway is not approval. A documented approval with a timestamp and reasoning is an approval.
Then the payment is executed. Proof is stored. Reconciliation confirms it landed correctly.
Dual control prevents human errors by requiring an additional set of eyes on each transaction. This creates accountability and an extra layer of protection against internal account abuse and unauthorized access.
Bottom line: The Maker prepares with documentation. The Approver verifies independently. Approval is documented with a timestamp and reasoning. Payment is processed only after proof is provided.
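The thresholds and maker-checker checks described above can be enforced as a release gate in software. The following Python sketch is an added example, not code from the original article or from any accounting product; the class names, function names, the `directors` set, and the placeholder IBANs are assumptions, and the limits are the article's example values of €500 and €5,000.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set

TWO_PERSON_MIN_EUR = 500   # article's example: two-person rule from EUR 500
DIRECTOR_MIN_EUR = 5000    # article's example: director approval above EUR 5,000

@dataclass
class PaymentRequest:          # prepared by the Maker
    maker: str
    amount_eur: float
    iban: str
    purpose: str
    evidence: List[str]        # invoice, contract, delivery confirmation
    iban_confirmed_second_channel: bool = False

@dataclass
class Approval:                # the stored artifact, not a hallway "yes"
    approver: str
    reasoning: str
    timestamp: datetime

def required_tier(req: PaymentRequest, known_ibans: Set[str]) -> str:
    if req.amount_eur > DIRECTOR_MIN_EUR:
        return "director"
    if req.amount_eur >= TWO_PERSON_MIN_EUR or req.iban not in known_ibans:
        return "two_person"    # a new beneficiary triggers the rule at any amount
    return "single"

def release_blockers(req, approval: Optional[Approval], known_ibans, directors) -> List[str]:
    """Reasons the bank payment must not be executed; an empty list means release."""
    blockers = []
    tier = required_tier(req, known_ibans)
    if not req.purpose.strip() or not req.evidence:
        blockers.append("missing purpose or evidence")
    if req.iban not in known_ibans and not req.iban_confirmed_second_channel:
        blockers.append("new IBAN not verified")
    if tier == "single":
        return blockers
    if approval is None:
        return blockers + ["no documented approval"]
    if approval.approver.strip().lower() == req.maker.strip().lower():
        blockers.append("approver is the maker")
    if not approval.reasoning.strip():
        blockers.append("approval lacks reasoning")
    if tier == "director" and approval.approver not in directors:
        blockers.append("director approval required")
    return blockers

# Constructed sample data (names and IBANs are illustrative placeholders).
KNOWN = {"NL00EXAM0000000001"}
NOW = datetime.now(timezone.utc)
monday = PaymentRequest("bookkeeper", 3200, "NL00EXAM0000000001", "website maintenance", ["invoice.pdf"])
tuesday = PaymentRequest("bookkeeper", 8500, "NL00EXAM0000000002", "supplier invoice", ["invoice.pdf"])
```

Calling `release_blockers` immediately before the bank transfer, and storing the `Approval` record alongside the invoice, gives the documented evidence the process requires.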
Why Human Error Makes This Control Necessary
Humans aren’t perfect. Clever, trusted, and trained people still make mistakes.
A maker-checker process adds an extra pair of eyes to spot suspicious, unusual, or incorrect details.
When you’re swamped with invoices, people stop checking each one thoroughly. When communication breaks down between completing the work and invoicing, there’s no way to verify whether the work was done.
The principle is clear: no single person controls all aspects of any financial transaction.
Divide the responsibilities for vendor management, invoice approval, and payment processing to help prevent fraudulent invoices or unauthorized payments.
Globally, fraud costs businesses €3.4 trillion. Proper controls are essential for financial protection.
Bottom line: Everyone makes mistakes eventually. A second set of eyes catches what pressure and distraction hide. No single person controls all aspects of a financial transaction.
Real Situations Where This Works
Monday morning: Your bookkeeper receives an invoice for €3,200 from a regular supplier for website maintenance.
The bookkeeper prepares the payment request:
- Attaches the invoice
- Confirms the IBAN matches previous payments
- Notes: The work was completed last week
- Flags it for approval because it exceeds €500
You receive the approval request. You check:
- The invoice fits the agreed scope.
- Amount is correct
- IBAN has not changed
- Timing makes sense
You approve. The bookkeeper executes the payment. Both actions are logged.
The payment leaves with proof, not assumption.
Tuesday afternoon: You receive an urgent email from your “supplier” asking you to update their bank details for an upcoming payment of €8,500.
The email looks real. The urgency feels real.
But the two-person rule forces a pause.
Your bookkeeper prepares the payment request and flags the new IBAN. You review it and notice the email domain is slightly off. You call the supplier directly. They confirm they never sent the email.
The fraud attempt is stopped before the money leaves.
This is how the system works. It doesn’t prevent fraud by being smart. It prevents fraud by requiring verification only when needed.
Bottom line: The system works by forcing verification at the critical moment. A regular invoice gets checked before payment. A suspicious IBAN change triggers a phone call that stops fraud.
Execution Steps
To implement the two-person payment rule in your Dutch micro or small business:
1. Define your thresholds
- Set a lower threshold for two-person approval (e.g., €500)
- Set a higher threshold for director approval (e.g., €5,000)
- Document the thresholds clearly.
2. Assign roles clearly
- Identify who prepares payments (Maker)
- Identify who approves payments (Checker)
- Ensure these are different people.
- Document the roles in writing.
3. Create the approval workflow
- Payment request template (purpose, amount, beneficiary, supporting docs)
- Approval checklist (supplier verification, amount check, IBAN verification)
- Storage location for approval records
4. Set up your tools
- Use your accounting software’s approval workflow if available.
- Or create a simple shared spreadsheet with payment requests and approval status.
- Ensure bank access is set up to require dual authorization for payments above the threshold.
5. Train your team
- Explain why this control exists.
- Walk through the process with real examples.
- Clarify what happens in urgent situations.
6. Handle new beneficiaries with extra care
- Any payment to a new IBAN requires verification, regardless of the amount.
- Call the supplier immediately to confirm bank details.
- Never rely solely on email for IBAN changes.
7. Review quarterly
- Check if thresholds still match your cash flow reality.
- Review any payments that bypassed the process and why
- Adjust the workflow if needed.
Bottom line: Define thresholds, assign roles, create workflows, set up tools, train your team, handle new beneficiaries with extra care, and review quarterly.
Signs the System Is Working
When this SOP works correctly:
- No payment above the threshold leaves without documented approval
- New beneficiary details are always verified through a second channel.
- Payment evidence is stored and easy to retrieve
- Urgent payments still move quickly, but with verification.
- Your team understands this is protection, not bureaucracy.
You know the system works when someone catches a mistake before it becomes a loss.
You know the system fails when large payments move without question because “we trust each other.”
Trust is human. Control is structural. You need both.
Bottom line: The system works when you catch mistakes before they become losses. The system fails once trust replaces verification.
The Core Purpose
This SOP does one thing.
It forces a second set of eyes at the only moment you need it: the moment money leaves the company.
Most founders confuse trust with control. Good people still make mistakes under pressure. Structure doesn’t slow things down. It stops expensive mistakes.
The system doesn’t read intentions. It reads proof.
When the Belastingdienst asks you to prove a payment was legitimate, they don’t care that you trusted someone. They care that you show approval, documentation, and verification.
When a fraudulent payment leaves your account, the bank doesn’t care that you were busy. They care whether your internal controls would have caught it.
Build the control once. Save the panic forever.
If you’re able to send a material payment alone, without a second check, without documented approval, your company is one distracted moment away from loss.
Structure is cheaper than recovery.
Frequently Asked Questions
Does the two-person rule slow down urgent payments?
No. Urgent payments move quickly when you design the workflow correctly. The second person verifies in minutes, not days. The pause prevents mistakes from taking weeks to fix.
What if there are only two people in the company?
The rule still applies. One person prepares the payment request with documentation. The other person verifies and approves before execution. This protects both people from fraud and errors.
Do small payments below the threshold need verification?
Payments to new beneficiaries must always be verified, regardless of the amount. Small payments to established suppliers below your threshold follow normal workflow. New IBANs trigger extra checks.
What happens when the approver is unavailable?
Define a backup approver in your SOP. Payments wait for approval unless you have a documented emergency procedure. The alternative is for one person to control both approval and execution, which eliminates the control.
How long should we keep payment approval records?
Keep payment approval records for at least 7 years to comply with Dutch tax and accounting requirements. Store approval documentation with the same discipline as invoices and bank statements.
Does this apply to recurring payments, such as subscriptions?
Recurring payments below the threshold follow the normal workflow once you’ve initially approved them. Changes to recurring payment amounts or beneficiary details trigger the two-person rule again.
What if we use accounting software with built-in approvals?
Use the software approval workflow if it enforces maker-checker separation. Verify the system prevents the same person from both preparing and approving payments above the threshold.
How do we handle payments when traveling or working remotely?
Remote approval works when you document it properly. Email, messaging apps, or accounting software approvals are valid if they create a timestamp and record. The requirement is proof, not physical presence.
Key Takeaways
- Payments above a defined threshold require one person to prepare and another to approve before funds are released from your account.
- Small businesses lose 6% of their annual revenue to fraud. Only 22% recover 75% or more of lost funds.
- New beneficiaries must be verified through a second channel, regardless of the payment amount.
- Set thresholds based on cash flow reality. Too low creates bypass behavior. Too high means controls never activate.
- Document approval with timestamp and reasoning. Verbal approval in the hallway is not proof.
- The system prevents fraud by requiring verification only when it’s needed: when money leaves the company.
- Structure is cheaper than recovery. Build the control once, eliminate repeated panic.