From Chaos to Control: UK startup guide to treasury controls that stops unauthorised payments
Why UK Startup Treasury Controls Matter More Than You Think
For a busy founder, approving payments often happens in the margins of the day. It might be a quick Slack message or an email forward between investor calls. While this speed is essential for an early-stage business, it creates a silent but significant risk. As your UK startup grows from pre-seed to Series B, this informal process for managing treasury controls can lead to costly errors, duplicate payments, or even fraud.
The challenge is to establish a clear, auditable approval workflow that stops unauthorised payments without slowing down day-to-day operations. Many founders delay this, fearing cumbersome bureaucracy will kill their agility. However, the opposite is true. A well-designed system empowers your team to operate safely and provides the financial discipline investors expect.
This guide provides a pragmatic framework for setting up robust payment controls using the tools you already have. You can implement these principles without needing a full-time CFO, building a scalable foundation for future growth and protecting your company’s most critical asset: its cash.
The Founder's Treasury Toolkit: Three Core Principles
Before diving into software configurations, it is crucial to understand the fundamental ideas behind any strong treasury process. These principles are not about creating bureaucracy. They are about building intentional friction to prevent mistakes and the misuse of company funds. Think of them as the basic building blocks of startup financial risk management.
1. Segregation of Duties (SoD)
Segregation of Duties (SoD) is the concept that no single individual should have control over all aspects of a financial transaction. In a large corporation, this means different people handle invoicing, payments, and accounting. The reality for most pre-seed to Series B startups is more pragmatic. When your finance team is one or two people, you focus on separating *actions*, not just people.
At its core, this means the person who enters a supplier bill into your accounting software, like Xero, should not be the same person who has the final authority to release cash from the bank. This separation creates a natural check and balance, making it significantly harder for errors or fraudulent activity to go unnoticed. It is a cornerstone of good corporate governance, even for the smallest teams.
2. Dual Control
Dual Control is the most practical application of SoD for payments. It simply means that two authorised individuals are required to complete a payment. One person initiates or prepares the payment (the ‘maker’), and a second person reviews and approves it (the ‘checker’). This single step is the most effective way to prevent both internal fraud and external payment errors, such as paying the wrong supplier or a duplicate invoice.
Implementing dual control immediately addresses common startup vulnerabilities. The 'maker' can be an operations manager or bookkeeper who sets up a payment run based on approved bills. The 'checker' is typically a founder or C-suite executive who provides the final sign-off, often directly within the business banking portal. This process ensures every payment is reviewed by at least two people before it leaves the company account.
3. Compensating Controls
In the real world of a small but growing company, perfect SoD is not always possible. When you cannot fully separate duties, you rely on Compensating Controls. These are alternative measures designed to mitigate risk when the primary control, like SoD, is not feasible.
For a startup with a very small finance team, this could mean using a non-finance co-founder or a senior leader as the final, independent approver on all payments over a certain threshold. This provides a crucial second set of eyes from someone with a vested interest in the company's financial health but no involvement in the day-to-day accounting process. For a summary of internal control components that apply to these arrangements, see these internal control component examples.
Designing Your Startup Payment Approval Process (From Chaos to Control)
Creating a clear, auditable workflow is about moving from ad-hoc requests to a structured, predictable system. This directly addresses the core pain point of establishing control without introducing crippling bureaucracy. The transformation from a chaotic, informal process to a controlled one is often stark and immediately beneficial.
The 'Before' Scenario: Fast but Risky
A typical early-stage process looks like this: an invoice for a new software subscription arrives in a founder’s inbox. They forward it to the Head of Operations on Slack with a message: 'Can you pay this?'. The manager logs into the company's Starling account on their phone, manually types in the details, makes the payment, and replies 'Done'. The process is fast but invisible, unaudited, and relies entirely on trust. There is no record of who approved it, why, or when.
The 'After' Scenario: Structured and Secure
An ideal payment authorisation workflow operates differently: the same invoice is sent to a central bills@company.com address, which uses Xero's functionality to automatically create a draft bill. The Head of Operations reviews the bill in Xero, codes it to the correct department and expense account, and submits it for approval. The founder receives a notification, reviews the attached invoice and coding directly within Xero, and clicks 'Approve'. The approved bill is then added to a payment run, which is prepared by the operations head and requires a final release from the founder within the business banking platform, enforcing dual control. Every step is documented and time-stamped.
Building Your Approval Matrix
To implement this structured process, you need an Approval Matrix. This is not complex software; it is a simple ruleset, often in a shared document, that defines who can approve spending up to certain value thresholds. It eliminates ambiguity and empowers budget holders to make decisions within their remit.
For a 30-person deeptech startup, it might look like this:
- Up to £1,000 (e.g., lab consumables, software tools): Requires approval from the relevant budget holder (e.g., Head of R&D).
- £1,001 - £10,000 (e.g., specialist equipment, contractor payments): Requires approval from a C-suite member (e.g., CTO, CEO).
- Over £10,000 (e.g., payroll, major capital expenditure): Requires approval from the CEO and notification to the board.
This simple framework provides clarity for the entire team and creates a robust audit trail. This level of record keeping is not just good practice; it is essential for due diligence in future funding rounds and supports tax and R&D claims.
How to Set Up Payment Controls for UK Startups Using Your Existing Tools
Your ability to implement these controls depends entirely on the capabilities of your bank and accounting software. For UK startups, a critical distinction exists between the two main banking options, and understanding their features is key to setting up treasury controls effectively.
UK Challenger Banks vs. High Street Banks
Challenger banks like Starling, Monzo, and Tide are incredibly easy to set up and have excellent user interfaces, making them perfect for getting a company off the ground. However, most were not built with multi-user, segregated treasury controls in mind. They often lack true dual control ('maker-checker') functionality for payments, meaning one user can typically do everything from preparing to releasing funds. While convenient, this becomes a significant risk as the team and payment volumes grow.
High Street banks, such as HSBC, Barclays, and NatWest, may have a clunkier interface and a more involved setup process, but they offer sophisticated business banking platforms. These platforms are designed for robust controls, allowing you to create different user profiles with specific permissions. You can configure one user to only *prepare* payments and another user to only *approve* them, effectively enforcing dual control within the banking portal itself. Almost every scaling startup reaches the point where the control features of a high street bank outweigh the convenience of a challenger.
Configuring Your Accounting Software (Xero)
Proper user permissioning in your accounting software is a cornerstone of good SoD. The goal is to match roles to responsibilities, ensuring no single user has end-to-end control. In Xero, this is managed through user roles:
- Adviser: This is the highest level of permission, with access to everything, including bank reconciliations, VAT returns, and system settings. This role should be reserved for a founder, a head of finance, or your external accountant.
- Standard: This role can manage sales, purchases, and reconcile most bank accounts, but cannot view sensitive reports or change lock dates. This is often suitable for a bookkeeper or an operations manager responsible for day-to-day finance tasks.
- Invoice Only: This role is highly restricted. You can configure it to allow users to only submit draft bills, not approve them. This is perfect for junior team members or department heads who need to raise purchase orders but should not be involved in the payment or approval process.
By ensuring the person with 'Standard' access (who manages bills) is different from the person who holds the 'Adviser' role and releases bank payments, you have effectively configured a compensating control within your software stack.
Making Sure It Is Working: Simple Monitoring Habits
Controls are only effective if they are monitored. Without dedicated treasury staff, this responsibility falls to the founder or finance lead. The good news is that effective monitoring can be achieved through simple, consistent habits rather than expensive software. This rhythm of review is your best defence against errors and fraud.
1. Implement a Weekly Cash Review
This is a non-negotiable 15-minute meeting with yourself. Log in to your primary bank account and scan every outgoing transaction from the past seven days. Look for unusual supplier names, unexpected amounts, or payments on odd days like a Sunday. This habit helps you develop a feel for the company's cash flow patterns and spot anomalies instantly. This is particularly vital given the rise of online payment fraud. According to UK Finance, in H1 2023, 78% of Authorised Push Payment (APP) fraud cases originated online.
2. Review the Monthly Bank Reconciliation Report
Make it a habit to review the monthly bank reconciliation report from Xero. This report confirms that your accounting records perfectly match the bank's records. A clean, timely reconciliation is a strong signal that your financial data is accurate and that all cash movements have been accounted for. Any discrepancies or long-outstanding items should be investigated immediately, as they can be early indicators of errors or unauthorised transactions.
3. Set Up Automated Payment Alerts
Finally, use the technology at your disposal. A scenario we repeatedly see is founders being surprised by large, unexpected payments. A simple fix is to set up email or SMS alerts for any payment over a certain threshold, for example, £1,000. Most business bank accounts offer this feature. It acts as a real-time safety net, notifying you immediately of significant cash outflows and allowing you to verify their legitimacy before it is too late.
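The weekly cash review and the threshold alert described above, as detection logic run over one constructed week of outgoing payments. This is an added example, not the article's own; the transactions, the known-payee list, the reference codes and the `normalise` helper are constructed assumptions.

```python
from datetime import date

ALERT_THRESHOLD_GBP = 1_000.0   # the article's example alert threshold

# Constructed sample of one week's outgoing payments: (date, payee, amount GBP, reference)
TRANSACTIONS = [
    (date(2024, 3, 4), "Acme Lab Supplies Ltd", 420.00, "INV-1042"),
    (date(2024, 3, 5), "CloudHost Inc", 189.99, "SUB-MAR"),
    (date(2024, 3, 6), "Acme Lab Supplies Ltd", 420.00, "INV-1042"),    # paid twice
    (date(2024, 3, 7), "Northern Precision Ltd", 7_850.00, "INV-77"),   # large payment
    (date(2024, 3, 8), "Bright Consulting", 600.00, "INV-1"),           # never paid before
    (date(2024, 3, 10), "ACME LAB SUPPLIES LTD.", 950.00, "INV-1050"),  # paid on a Sunday
]
# Constructed set of payees seen in earlier reconciled months (normalised form)
KNOWN_PAYEES = {"acme lab supplies ltd", "cloudhost inc", "northern precision ltd"}

def normalise(name: str) -> str:
    # Case- and punctuation-insensitive key so 'ACME LAB SUPPLIES LTD.' matches the known payee
    return " ".join(name.lower().replace(".", "").replace(",", "").split())

def weekly_review(transactions, known_payees, threshold=ALERT_THRESHOLD_GBP):
    """Return [(iso_date, reference, reasons)] for payments that deserve a second look."""
    findings = []
    seen: set[tuple[str, float, str]] = set()
    for d, payee, amount, ref in sorted(transactions):   # chronological order
        key = normalise(payee)
        reasons = []
        if amount > threshold:
            reasons.append("over_threshold")       # would also trigger the bank alert
        if d.weekday() >= 5:
            reasons.append("weekend")              # payment on an odd day
        if key not in known_payees:
            reasons.append("new_payee")            # unusual supplier name
        if (key, amount, ref) in seen:
            reasons.append("possible_duplicate")   # same payee, amount and reference
        seen.add((key, amount, ref))
        if reasons:
            findings.append((d.isoformat(), ref, reasons))
    return findings
```

Run against the sample, the review flags the repeated INV-1042, the £7,850 payment, the first payment to Bright Consulting and the Sunday payment, while the differently capitalised Acme entry is recognised as a known payee.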
Practical Takeaways: Your 3-Tier Action Plan
Setting up treasury controls is a process that should evolve with your company. The level of formality should match your startup's stage. Here is a practical, tiered action plan for how to set up payment controls for UK startups.
Tier 1: The 'Right Now' Fix (Pre-seed / <10 Employees)
At this stage, your goal is simple, robust security. Stick with a Challenger bank for its ease of use but enforce manual dual control. The founder should be the only person with the credentials to make payments. An operations person or bookkeeper can prepare a payment run in a spreadsheet with links to the invoices. The founder reviews this list against the source documents and then personally executes the payments. It does not scale, but it is highly secure and appropriate for this stage.
Tier 2: The 'Scaling Up' Setup (Seed / Series A / 10-50 Employees)
As you grow, it is time to formalise the process and introduce automation. Migrate to a High Street bank that offers true 'maker-checker' payment permissions. Document your Approval Matrix and share it with the team so everyone understands the rules. Configure user roles in Xero to enforce SoD, ensuring the person managing bills is not the one reconciling bank accounts. This is also the time to consider a spend management platform like Pleo or Spendesk to handle team expenses and software subscriptions, keeping these smaller, frequent payments out of your core accounts payable workflow.
Tier 3: The 'Ready for Audit' Structure (Series B / 50+ Employees)
At this stage, your controls should be documented, auditable, and systematically reviewed. You have clear SoD, even if your finance team is still small, with distinct roles for payables, treasury, and accounting. You should conduct quarterly reviews of bank user permissions and the Approval Matrix to ensure they are still fit for purpose as the company evolves. Your process is now a core part of your financial operations, ready for the scrutiny of investors and auditors. This is not just about fraud prevention for startups; it’s about building a scalable foundation for future growth. See the Treasury Controls hub for broader resources.
Frequently Asked Questions
Q: What is the biggest mistake UK startups make with payment controls?
A: The most common mistake is waiting too long to implement them. Founders often believe their company is too small or that controls will slow them down. In reality, establishing good habits early prevents costly errors, builds investor confidence, and creates a secure foundation that scales with the business.
Q: Can I use a challenger bank like Starling for dual control?
A: While challenger banks are excellent for many startup needs, most lack native 'maker-checker' dual control features for payments. You can create manual workarounds, like one person preparing a payment list for the founder to execute, but this relies on discipline rather than system-enforced security. Scaling companies typically migrate to a high street bank for these robust features.
Q: How can we implement a payment authorisation workflow without a full-time finance person?
A: You can effectively manage this by distributing roles. An operations manager or a part-time bookkeeper can act as the 'maker' who prepares bills and payment runs in Xero. A founder or another senior leader then acts as the 'checker' who approves bills and releases payments from the bank. This uses existing team members to create the necessary separation of duties.
Q: How do strong treasury controls help with fundraising?
A: During due diligence, investors scrutinise a startup's financial health and operations. A documented payment approval process, clear approval matrix, and clean audit trail demonstrate financial discipline and low operational risk. It shows that you are a responsible custodian of their capital, which can significantly improve their confidence in your company.