Rethinking treasury governance and signatory management at board level
Many boards are unable to confirm at any given time who is authorised to move company funds, despite the organisational chart indicating otherwise.
When a CFO asks, "Who is currently authorised on our HSBC account?" in a board meeting, the usual response is uncertainty, followed by a promise to follow up. This is not a minor administrative issue but a control failure.
The issue is not a lack of concern for authorised signatory management, but rather the perception that it is not a board-level priority: it is often viewed as a simple CoSec and Treasury admin task, until a crisis occurs.
Boards want confidence, but they're getting compliance theatre instead
Most board reporting on financial controls is superficial. While compliance statuses and attestations are presented, critical follow-up questions are rarely addressed:
If the CFO resigned this morning, could the company execute a payment this afternoon?
When someone leaves the business, how long does it take for them to be removed from all bank mandates?
If a regulator asked for proof of who approved the last signatory change, could that evidence be produced in under an hour?
In most organisations, the honest answer is no.
According to Cygnetise research, 53% of company secretaries report that it takes a week or more to update signatory lists. During this period, organisations operate with outdated authority records: former employees may remain authorised, new hires lack the necessary access, and nobody is certain which version of the list is current.
Boards should not accept "we have a policy" as sufficient evidence of control. The key question is whether the organisation can demonstrate, in real time, that the policy is being followed.
Audits have moved from "show me the document" to "show me the evidence"
Auditors now require more than a formatted Authorised Signatory List from several months ago. They seek specific, up-to-date information:
Who approved adding Sarah to the mandate?
When did that approval happen?
What was the business justification?
Where's the time-stamped log?
Does the bank's version match the internal version?
If the answer involves phrases like "it should be in an email somewhere" or "the company secretary would have that," the audit has already identified a control gap.
The Mazars fraud case demonstrates this risk. A former managing director, in collusion with a bank representative, set up multiple unofficial accounts to siphon funds. When new management tried to take control, the bank refused to provide account details or update signatories, even with CEO authorisation. Why? Because there was no clear, defensible record of who should have authority. The fraudster's documentation looked as legitimate as anyone else's.
When signatory management is manual, fragmented, and relies on email, fraudulent and legitimate activities are indistinguishable in documentation.
Banking crises expose the brutal reality: speed is a control, not a convenience
March 2023. Silicon Valley Bank collapses on a Friday. By Monday morning, treasury teams across the UK and Europe are scrambling to open emergency accounts and move funds. (Bank of England and Government respond to Treasury Committee on collapse and rescue of Silicon Valley Bank UK, 2023)
The bottleneck wasn't the decision to move money. It was proving who had the authority to execute it.
Many treasury teams discovered that CFOs weren't listed on backup bank mandates, that listed signatories had left months earlier, that internal versions didn't match what banks had on file, and that the approval process for updating mandates normally took weeks.
In a crisis, this is not a minor inconvenience but a significant risk. If authority cannot be proven quickly, the organisation cannot act. In volatile markets, the window for action is measured in hours, not days.
Network Rail faced this problem at scale. They were taking four weeks to update signatories across their banking relationships. When they implemented Cygnetise, that dropped to one morning. (From a 12-step manual process to 3 digital touchpoints: Network Rail’s signatory management transformation journey, 2025) Not because they hired more people or wrote better processes, but because they stopped treating signatory governance like an admin task and started treating it like the control infrastructure it is.
Banks are tightening the screws, and poor mandate hygiene will cost the relationship
Bank relationships are only as strong as the mandate documentation. When records are clean and current:
Payments clear without holds.
Account openings happen in days, not weeks.
Compliance queries get resolved with a single email.
The organisation signals operational maturity, which affects how the bank prices its risk.
When records are a mess:
Transactions get flagged for manual review.
Relationship managers spend more time chasing paperwork than adding value.
The bank applies extra scrutiny to everything.
The organisation looks operationally inefficient, even if its financials are strong.
Banks are tightening controls because they have to. The Westpac scandal, where over $290 million in fraud went undetected because "processes for checking invoices were non-existent", made that unavoidable. Westpac insiders blamed the bank's lax approach to invoice verification for failing to detect fake invoices and forged signatures across 100 transactions over several years. (Chau, 2021)
If banks are asking more questions, it's because someone else's failure forced them to.
Best practice isn't complicated, but it requires honesty about the current state
Effective signatory governance comes down to four things:
Accuracy – one authoritative source of truth, not ten spreadsheets that might match.
Currency – updates happen in real time, not quarterly when someone remembers.
Traceability – every change is logged, time-stamped, and attributable. No "Jane probably approved it."
Accessibility – the right people can see what they need, when they need it, without creating security gaps.
Most organisations fail on at least two of these, and often three.
The solution is not simply purchasing additional software. Organisations must first recognise that spreadsheets, email approvals, and shared folders do not constitute an effective control environment for governing financial authority.
Digital ASM isn't about replacing the TMS, but about fixing the gap that the TMS can't address
Many organisations assume their Treasury Management System (TMS) or ERP handles signatory governance. It doesn't.
A TMS tracks cash positions, forecasts liquidity, and manages payments. It does not maintain a real-time, bank-facing register of who is authorised to act, where, and under what limits, especially across multiple banks and jurisdictions.
That's why purpose-built Digital Authorised Signatory Management (ASM) exists. It's not an e-signature tool. It's not a workflow system. It's a control environment for financial authority.
Cygnetise operates in this category. The platform maintains a tamper-resistant, auditable system of record for signatory authority and bank mandates using blockchain technology for immutable record-keeping. When a board asks, "Who can act today?" Treasury can answer in seconds, not hours. When an auditor asks for proof, the evidence is already there with full audit trails. When a bank needs verification, the documentation is current and consistent.
A practical 6-step path (that doesn't require boiling the ocean)
For organisations recognising this gap, here's where to start:
Map the reality – Document where signatory data actually lives today. Not where policy says it should be, but where it is.
Assign a single owner – Signatory governance requires a single accountable individual rather than shared responsibility.
Standardise the workflow – Define how authorities are created, changed, and revoked. Include approval thresholds and evidence requirements.
Retire spreadsheets as the primary record – Excel may be used for exports and analysis, but not for governing financial authority.
Embed evidence by default – Changes should automatically generate traceable logs. If it requires manual documentation, it won't happen consistently.
Operationalise monitoring – Use alerts for expiring authorities, leavers, dormant mandates, and bank mismatches. Make the system proactively flag issues.
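Steps 5 and 6 above (evidence by default, proactive monitoring) are the two that can be made concrete in code. The following is an added illustration, not Cygnetise's product or any code from the article: it keeps a hash-chained change log so that any later edit to an approval record is detectable, and runs a reconciliation that raises exactly the alert types step 6 lists (leavers still authorised, expired authorities, internal/bank mismatches, dormant mandates). All people, banks, account numbers, limits and dates are constructed for the example.

```python
"""Constructed example: signatory register reconciliation plus a tamper-evident change log.
Not Cygnetise code; every name, bank, account and date below is invented."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authority:
    """One person's authority to act on one bank account."""
    person: str
    bank: str
    account: str
    limit: int                   # maximum single-payment approval, in GBP (assumed unit)
    expires: date | None = None  # None means open-ended

    def key(self) -> tuple[str, str, str]:
        return (self.person, self.bank, self.account)


class ChangeLog:
    """Append-only log of signatory changes. Each entry commits to the hash of the
    previous entry, so altering or deleting an earlier approval breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, body: dict) -> str:
        return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

    def record(self, action: str, auth: Authority, approver: str, justification: str, when: str) -> None:
        """Answer the audit questions up front: who approved what, when, and why."""
        body = {"action": action, "person": auth.person, "bank": auth.bank, "account": auth.account,
                "limit": auth.limit, "expires": auth.expires.isoformat() if auth.expires else None,
                "approver": approver, "justification": justification, "when": when}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({**body, "prev": prev, "hash": self._digest(prev, body)})

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or self._digest(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def reconcile(internal, bank_view, leavers, last_activity, today, dormant_days=180):
    """Compare the internal register with what the banks hold and return alert strings."""
    findings = []
    mine_by_key = {a.key(): a for a in internal}
    bank_by_key = {a.key(): a for a in bank_view}
    for key in sorted(set(mine_by_key) | set(bank_by_key)):
        person, bank, account = key
        mine, theirs = mine_by_key.get(key), bank_by_key.get(key)
        if mine is None:
            findings.append(f"MISMATCH: {person} on {bank} {account} at bank but not in internal register")
        elif theirs is None:
            findings.append(f"MISMATCH: {person} on {bank} {account} in internal register but not on bank mandate")
        elif mine.limit != theirs.limit:
            findings.append(f"MISMATCH: {person} on {bank} {account} limit {mine.limit} internally vs {theirs.limit} at bank")
        if person in leavers:
            findings.append(f"LEAVER: {person} still authorised on {bank} {account}")
        record = mine or theirs
        if record.expires is not None and record.expires < today:
            findings.append(f"EXPIRED: {person} on {bank} {account} expired {record.expires.isoformat()}")
    for (bank, account), last in last_activity.items():
        if (today - last).days > dormant_days:
            findings.append(f"DORMANT: {bank} {account} last used {last.isoformat()}")
    return findings


# Constructed sample data (hypothetical people, banks and accounts).
TODAY = date(2025, 6, 1)
INTERNAL = [
    Authority("A. Patel", "BankOne", "0001", 250_000),
    Authority("J. Smith", "BankOne", "0001", 100_000, expires=date(2025, 3, 31)),
    Authority("R. Chen", "BankTwo", "0002", 50_000),
]
BANK_VIEW = [
    Authority("A. Patel", "BankOne", "0001", 500_000),   # limit has drifted from the internal record
    Authority("J. Smith", "BankOne", "0001", 100_000, expires=date(2025, 3, 31)),
    Authority("M. Ortiz", "BankTwo", "0002", 50_000),    # leaver the bank was never told about
]
LEAVERS = {"M. Ortiz"}
LAST_ACTIVITY = {("BankOne", "0001"): date(2025, 5, 28), ("BankTwo", "0002"): date(2024, 10, 1)}


def build_log() -> ChangeLog:
    """A two-entry log with the approver, timestamp and justification an auditor would ask for."""
    log = ChangeLog()
    log.record("add", INTERNAL[0], approver="CFO", justification="New Head of Treasury", when="2025-01-10T09:15:00Z")
    log.record("remove", Authority("M. Ortiz", "BankTwo", "0002", 50_000), approver="CFO",
               justification="Leaver", when="2025-04-02T16:40:00Z")
    return log


if __name__ == "__main__":
    for line in reconcile(INTERNAL, BANK_VIEW, LEAVERS, LAST_ACTIVITY, TODAY):
        print(line)
    print("change log intact:", build_log().verify())
```

Run on the sample data, the reconciliation produces six alerts (three mismatches, one leaver, one expired authority, one dormant mandate), and the log verifies until any field of an earlier entry is edited. The point for a board is the design, not the code: the alerts come from comparing two registers that already exist, and the evidence is generated as a side effect of recording the change rather than reconstructed afterwards from email.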
Looking ahead: Governance maturity now depends on authorisation maturity
Within three years, regulators will likely begin asking detailed questions about signatory governance during supervisory reviews, treating it as a standalone control gap rather than a minor aspect of operational resilience.
The pattern is already visible. Every major fraud case, every operational failure, every "how did this happen" post-mortem traces back to the same root cause: nobody knew who was authorised to do what, and nobody could prove it when it mattered.
If an organisation can't answer "who can act right now" without opening a spreadsheet and hoping it's up to date, the risk isn't theoretical. It's operational. And it's already costing time, friction, trust, and eventually, money.
Organisations that treat signatory governance as strategic infrastructure will operate more efficiently, pass audits more easily, and maintain stronger banking relationships. Those that do not will continue to struggle to demonstrate financial authority to their boards.
Which side of that divide would you like your organisation to be on?