How do you write a corporate card policy people actually follow?

Reference guide to corporate card policy design, including card controls, policy design, employee spend workflows, receipt capture, and reconciliation.

A followable card policy is short - two to three pages - written in plain language with examples, and enforced primarily by the card platform rather than by the document. It covers issuance criteria, limits and how to change them, prohibited categories, receipt and coding obligations with deadlines, personal-use rules, lost-card and termination procedures, and consequences. Policies fail from length, legalese, and selective enforcement - not from missing clauses.

At a Glance

| Aspect | Short Answer | Why It Matters |
| --- | --- | --- |
| Corporate card policy | A followable card policy is short - two to three pages - written in plain language with examples, and enforced primarily by the card platform rather than by the document. | Keeps spend tied to policy, ownership, and review. |
| Related terms | Three things: brevity, tool-embedded enforcement (a declined transaction teaches faster than a memo), and visible consistency - the first publicized exception for a senior person repeals the document. | Reduces payment errors, timing issues, and reconciliation cleanup. |
| Control point | The instrument itself: who qualifies for a card, the limit-setting and raise process, prohibited merchant categories, card security and lost-card duties, what happens at termination or transfer, and personal-use consequences. | Keeps vendor records and payment decisions reliable. |
| Hard rules | Hard-enforce what's objective (limits, blocked categories, receipt thresholds); audit what requires judgment (business purpose, reasonableness). | Keeps evidence clear and reduces control risk. |
| How often should policy | Review annually or on program changes; re-acknowledge at issuance and after material changes. | Helps finance decide what to do next. |

What makes a policy followed vs ignored?

Three things: brevity, tool-embedded enforcement (a declined transaction teaches faster than a memo), and visible consistency - the first publicized exception for a senior person repeals the document.

What should a card policy cover that the expense policy doesn't?

The instrument itself: who qualifies for a card, the limit-setting and raise process, prohibited merchant categories, card security and lost-card duties, what happens at termination or transfer, and personal-use consequences. The expense policy covers what spend is allowable; the card policy covers the tool.

Hard rules in the platform vs trust-plus-audit in documents - where's the right mix?

Hard-enforce what's objective (limits, blocked categories, receipt thresholds); audit what requires judgment (business purpose, reasonableness). Platform rules set the floor; sampling and review handle the gray areas.

How often should policy be reviewed and re-acknowledged - does annual re-acknowledgment change behavior?

Review annually or on program changes; re-acknowledge at issuance and after material changes. Annual click-through changes little by itself - pair it with a one-page "what changed" summary and in-tool prompts at the moment of relevance.

How do I handle exceptions so one-offs don't become precedent?

A documented exception path: written request, a named approver above the policy owner, an expiry date on every exception, and a quarterly review of all active exceptions. An exception with an end date is a decision; one without is a new policy nobody approved.

What should the cardholder agreement say?

Acknowledgment of the policy, receipt and coding obligations with deadlines, personal-use prohibition and repayment authorization (where law permits), security duties, and return/cancellation at separation - signed before activation, stored with the card record.

How should policy differ for executives - and what happens when leadership is visibly exempt?

Executives can have higher limits; they should not have lower documentation standards - audit risk concentrates at the top, not the bottom. Visible executive exemption is the single most corrosive thing that can happen to a card program; compliance follows what leadership does, not what the policy says.

Stampli perspective

Stampli's view is that policy belongs in the workflow, not the binder. Spending limits by cardholder, merchant category, or vendor enforce the rules at the swipe; employee-initiated card requests put issuance criteria into an approval flow finance controls; and pre-coded transactions with mobile receipt prompts make the compliant path the easy path.