The Verification Gap: Why DAF Disbursements Are Exposed
A void cheque proves an account exists, not that it belongs to the charity. Why charitable disbursement controls are failing, and what actually closes the gap.
Jeff Golby
CEO & Co-Founder, WellFunded

Key Takeaways
- Every common method (a void cheque, a video call, a mailed cheque, an emailed form, a secure upload link) confirms that an account exists or that data moved safely. None confirms the account belongs to the charity.
- That gap is where fraud enters, and the liability lands on the DAF and on the administrator personally.
- Real verification means confirming ownership, through a regulated process, against current data, re-checked every time money moves, plus the charity's standing confirmed with the CRA.
- WellFunded never holds your funds and never stores banking data, so adopting verified disbursement removes a liability you already carry rather than adding one.

The methods the charitable sector uses to confirm where a payment is going were built for a world where forging a document was hard, impersonating a person was harder, and a cheque was considered reliable. That world is gone. The true cost of fraud last year for Canadians was believed to exceed $6 billion. AI is making fraud cheaper and faster to run, not harder. Charities and DAFs need to do better.
Your disbursement process likely looks something like this:
- A donor recommends a grant to a charity you do not yet have on file, so you ask the charity for a void cheque. They send a scan, by email or, at best, through a secure link.
- You jump on a Zoom call with the sender to confirm the cheque is real, usually a quick hello and asking them to read out the cheque number.
- An administrator keys the numbers into a spreadsheet or a tool that generates the payment file when it is time to disburse.
Almost every time, the money lands where it should, and nobody thinks about it again. The process feels routine, and routine feels safe.
It only takes one conversation with a DAF that has been defrauded to see that routine and safe are not the same thing. What remains is a set of habits that confirm the wrong thing, carry real liability, and put a foundation's name one bad transfer away from a story it does not want to be in.
The distinction that matters
At the centre of charitable disbursement, most DAFs cannot answer one question: how do they prove the account number actually belongs to the charity, and that it is accurate on the day the money goes out?
A bank account can be real and still belong to the wrong person. A void cheque only confirms that someone can produce a void cheque, real or real-looking. Banking details can arrive safely and still be wrong.
What verification should mean
Before taking the methods apart, it helps to name the standard they should be measured against. Real verification of a charitable payment has three properties:
- Ownership, not existence. It confirms the account belongs to the registered charity, not merely that the account is real.
- Regulated, not self-attested. The confirmation comes from a regulated financial process, not from a document the recipient supplied about themselves.
- Current, not stale. It reflects where the charity banks today, not where they banked the last time anyone checked, and it is re-confirmed each time money moves rather than trusted indefinitely.
Hold each common method against those three, and the picture gets clear quickly.
What checking a charity's standing should mean
A bank account is only half the question. The other half is whether the recipient is still a registered charity at all.
Registered status is not permanent. The CRA revokes registrations, sometimes for non-filing, sometimes for cause, sometimes at a charity's own request. A grant sent to an organization that has lost its status is a compliance problem, not just an administrative one.
The standard here is timeliness. The CRA sends registration updates to select partners, including WellFunded, every five weeks. Most current processes never check this at all, and an annual review, while better than nothing, is still too slow.
What data storage should mean
Start with how the data moves. Sending banking details by email leaves you wide open before they are even stored. A monitored or compromised inbox lets an attacker read the details in transit, and a spoofed sender can slip false ones in. This is the territory of business email compromise, one of the costliest attacks aimed at organizations today, and it is a serious liability on its own. And that is only the transmission.
Holding the data afterward is a standing responsibility, and it is where a surprising amount of quiet risk builds up.
Banking details collected on void cheques and kept in shared drives, spreadsheets, and email folders are sensitive financial records sitting on systems never built to protect them. Every person with a login is another point of exposure. Every copy is another place the data can leak or be misused.
The standard is that this data should live in regulated, secure infrastructure (SOC 2, with Canadian data residency), visible to as few people as possible, and ideally held by the regulated provider that verified it rather than scattered across the funder's own systems. The safest banking data is the kind you are not storing yourself.
Does a void cheque verify ownership?
No. A void cheque proves an account exists and that a name has been printed on a piece of paper. It proves nothing about who owns the account.
- A successfully processed void cheque tells you the account was real at some point. It does not tell you it is the right one. The name on the cheque and the owner of the account are simply assumed to match, and that assumption is the entire security model.
- It is also no longer difficult to fake with AI. The cheque at the top of this page took seconds to make. The organization on it does not exist, and the numbers are invalid, but to anyone reviewing a batch of disbursements it would pass without a second look.
This is not theoretical. In Richmond, British Columbia, the Regional Animal Protection Society (RAPS) was targeted with a sophisticated fraud built around a counterfeit instrument, and at least two other BC animal sanctuaries were hit by the same scheme. Hamilton Community Foundation went public with a fraud of its own, and we know of others who have absorbed losses privately. The sector's systems are not built to catch this.
Against the standard:
- Existence, not ownership
- Self-attested, not regulated
- A single moment, after which it quietly goes stale
A void cheque proves an account exists. It says nothing about who owns it.
Is it safe to confirm banking details over a video call?
No, for two reasons.
- The first is that a call cannot confirm this is the right person at the charity, or that they are still the right person the next time you need to verify. People change roles, they change in trustworthiness, and they leave.
- The second is that AI-generated deepfakes on a video call are now cheap and easy to produce.
For a long time, seeing and hearing a person felt like proof. If the executive director got on a call and confirmed the account, that was good enough. That era ended in public.
A finance worker at a multinational firm paid out roughly $25 million after joining a video call with what he believed were several colleagues, including the company's chief financial officer. Every person on the call was an AI deepfake. He had initially suspected a phishing email and grown cautious, then set the caution aside because the people on the screen looked and sounded exactly like the colleagues he knew.
If a multinational with real financial controls can lose that much because a video call looked convincing, then confirming a charity's banking details over Zoom is resting on the precise thing fraud has now learned to fake.
A genuine call only confirms that a person said something.
A video call confirms a face, not an account. And faces can now be faked.
Why don't mailed cheques solve this?
The mail itself is no longer something to count on. And even when a cheque does arrive, it trades one set of risks for another and still never verifies the destination.
A mailed cheque can be intercepted, altered, lost, or deposited into the wrong account. There is no real-time audit trail and no confirmation of receipt until the charity calls to say thank you, or does not. Mail is unreliable often enough that delay is a normal outcome, not an edge case.
It is also expensive on both sides:
- The funder pays for printing, postage, tracking, reconciliation, and staff time.
- The charity waits weeks for funds to clear, then spends its own staff time to deposit and reconcile. For a lean charity operating remotely, simply getting a cheque to a branch is a bottleneck.
Most of all, a cheque does not verify that the destination belongs to the charity. It just moves that unanswered question into an envelope.
A cheque moves money without ever confirming where it lands.
A secure upload link fixes this, doesn't it?
This is the one that fools almost everyone, because it is half right.
A secure link does fix the transport problem. The banking details travel through an encrypted channel instead of an email attachment, so they cannot be intercepted in transit. That is a real improvement, and it is where many well-intentioned organizations stop, believing they have solved verification.
They have not. The channel is secure. The claim inside it is still unverified. A charity, or someone posing as one, uploads banking details through the encrypted link. The system confirms the upload was secure. It confirms nothing about whether the account belongs to the registered charity.
A secure link protects the envelope, not the truth inside it.
The person caught in the middle
Perhaps most troubling, there is a human being inside this process, and the current model puts them in an indefensible position.
To collect void cheques, key in banking details, and build payment files, an administrator needs access to all of it: account numbers, transit numbers, the funds in motion. That access makes them the system's single point of trust. If they ever chose to act dishonestly, they could. And if anything ever goes wrong, whether they touched it or not, they are the first person asked to explain. That is an enormous amount of liability to rest on one person's integrity, and it is unfair to them.
Sign-offs do not fix this. A second signature on a disbursement approves a dollar amount and a charity name. It does not confirm the bank account behind that name belongs to the charity. Unless a board member is personally checking account and transit numbers against a verified source, an approval controls how much leaves and to whom on paper, not where the money actually lands. The amount and the name can be exactly right and the account still wrong.
The deeper problem is the one running through this entire piece: a system built on trusting a person, rather than on verifying a fact.
What actually closes the gap
Verification that clears all three bars looks different from any of the above. It does not rely on a document, a face, or a channel. It confirms the account itself. Here is what that takes, and how WellPay does it:
- Ownership, verified at the source. Account ownership is confirmed through a regulated financial process against the account holder, not against a piece of paper. This is performed by a payments provider registered with FINTRAC, Canada's financial intelligence regulator.
- Checked every time. The bank verification is re-run on every disbursement, so the data cannot quietly go stale between one grant and the next.
- Location-aware. The system can flag where banking information is entered, so an update arriving from outside the charity's expected area is caught rather than trusted.
- Held to banking standards. Data is stored on SOC 2 infrastructure with Canadian data residency.
- Synced with the CRA. Registration status is re-checked against CRA records on a regular cycle, so a charity that has lost its standing is caught before funds move. No void cheque, call, or upload link ever checked this at all.
- Shared across the network. Verified banking data moves securely from one DAF to the next, so the network reinforces itself and the same charity is not re-verified from scratch by every funder.
Because no individual is collecting or storing banking data, no one person is left holding the access, or the blame.
Ownership, regulated, current. That is the standard, and WellPay is built to meet it.
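An added example, not WellFunded's or WellPay's code: a pre-disbursement gate that holds each payment against the three properties and the CRA check described above, and deliberately ignores how many sign-offs a payment has. All field names, source labels, thresholds and sample records are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical names and values throughout; sample records are constructed.
CRA_MAX_AGE = timedelta(weeks=5)            # CRA update cycle cited in the article
REGULATED_SOURCES = {"regulated_provider"}  # not "void_cheque", "video_call", "upload_link"

@dataclass
class Verification:
    source: str            # how the account was confirmed
    owner_confirmed: bool  # ownership matched to the registered charity
    verified_on: date
    account_ref: str       # opaque provider token, never the account number itself

@dataclass
class Payment:
    charity: str
    approvals: int         # sign-offs; deliberately ignored by the gate
    account_ref: str
    verification: Optional[Verification]
    cra_status: str
    cra_checked_on: date

def gate(p: Payment, today: date) -> list:
    """Return the reasons to hold a payment; an empty list means release."""
    reasons, v = [], p.verification
    if v is None:
        reasons.append("no verification on file")
    else:
        if v.source not in REGULATED_SOURCES:
            reasons.append("self-attested source: " + v.source)
        if not v.owner_confirmed:
            reasons.append("ownership not confirmed")
        if v.verified_on != today:
            reasons.append("verification not re-run for this disbursement")
        if v.account_ref != p.account_ref:
            reasons.append("destination differs from verified account")
    if p.cra_status != "registered":
        reasons.append("CRA status: " + p.cra_status)
    if today - p.cra_checked_on > CRA_MAX_AGE:
        reasons.append("CRA status check is stale")
    return reasons

TODAY = date(2025, 6, 2)
good = Verification("regulated_provider", True, TODAY, "tok_A")
BATCH = [
    Payment("Charity A", 2, "tok_A", good, "registered", date(2025, 5, 20)),
    Payment("Charity B", 2, "tok_B", Verification("void_cheque", False, date(2024, 1, 9), "tok_B"),
            "registered", date(2025, 5, 20)),
    Payment("Charity C", 2, "tok_C", good, "revoked", date(2025, 3, 1)),
]
HELD = {p.charity: gate(p, TODAY) for p in BATCH if gate(p, TODAY)}
```

All three constructed payments carry two approvals; only the first is released, which is the point about sign-offs made earlier in the piece.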
The time you get back
Risk is the reason to move. Time is the reason you will be glad you did.
Look again at the process at the top of this piece: chasing a void cheque, scheduling a call to read out a cheque number, keying digits into a spreadsheet, building the payment file, then chasing the rejects when a transfer fails. Every step is manual, and every step repeats for every charity, every disbursement.
Verified-once-and-shared banking data removes most of that work:
- No collecting or storing void cheques
- No confirmation calls to read account numbers aloud
- No hand-keying, and far fewer failed transfers to chase
- Payment files generated, not assembled by hand
For a team disbursing at volume, that is not a marginal saving. It is hours back every cycle, and a real reduction in cost, redirected from data entry to the work donors actually want funded.
"You want us to trust a startup with our money and our charities' data"
No. The opposite.
The most reasonable objection a risk owner can raise is that adopting a new system means handing a young company control of the foundation's funds and a database of charity banking details. If that were the architecture, the objection would be correct.
WellFunded never touches the funds and never stores the banking data.
Funds move on a regulated payments rail. Authorization and fund movement are kept separate, so the system that approves a payment is not the system that holds the money. The banking data lives with the regulated provider (FINTRAC-registered, SOC 2, Canadian data residency), not with WellFunded and not with you. WellFunded is the intelligence layer: it makes the disbursement correct, keeps the authorization record, and runs the network that lets verified data move between funders. It is not a custodian of money or of banking records.
This inverts the risk conversation. Today, a DAF that collects void cheques and stores them on its own drives is itself a holder of sensitive banking data, a custody and fraud liability sitting on its own books. Adopting verified disbursement does not add that risk. It removes one you are already carrying.
Why this matters now
These methods were defensible when forging a document was hard, impersonating a person was harder, and an auditor was unlikely to ask how you confirm a destination account. All three conditions have changed.
Documents are trivial to generate. Faces and voices can be faked convincingly and at scale. And boards and auditors are starting to ask the question the old methods cannot answer well: how do you actually know the money went where it was meant to go?
The cost of getting this wrong is not only the lost grant. It is the donor who entrusted the foundation with their giving, the board that has to explain what happened, and a sector reputation that is easier to damage than to rebuild. The verification gap is quiet right up until the moment it is not.
A standard worth setting, together
A group of Canadian Donor Advised Funds is choosing to set this standard now, as founding partners, rather than waiting for a fraud event to force the conversation. The network effects here are profound: verify a charity once, and every funder on the network benefits.
If reducing your liability, improving your security, and increasing the efficiency of your disbursements are a priority, call us. Let's build the future of disbursements together.
*This is part of WellFunded's series on charitable disbursement infrastructure in Canada. Read more on how charitable dollars actually reach charities and the real cost of DIY disbursements.*