What Businesses Should Verify Before Paying a New Vendor
A practical guide to safer vendor onboarding — because one bad payment can cost far more than the invoice.
Bringing a new vendor into your business feels routine — until it isn’t. A fraudulent supplier, a missed compliance flag, or a single unverified bank account can trigger financial losses, regulatory headaches, and reputational damage that takes years to repair. Yet most businesses rush the process, treating vendor onboarding as a formality rather than a checkpoint.
Vendor payment onboarding is one of the riskiest practices in business. It is the exact moment when fraud, mistakes, and lapses in diligence occur. Proper vendor payment onboarding is a serious financial practice and good housekeeping for startups and large corporations alike.
Why Vendor Onboarding Is a Security-Critical Process
Most payment fraud doesn’t happen through a dramatic hack. It happens quietly, during onboarding. A vendor submits slightly altered bank details. A rogue employee creates a fictitious supplier. A legitimate-looking company turns out to be a shell entity with no real operations.
The Association of Certified Fraud Examiners (ACFE) states that vendor-related billing fraud is among the most common forms of occupational fraud, and manipulated or fictitious vendor records are among the largest contributors to global fraud. The schemes usually remain undetected for over a year. For a substantial period, payment is funneled to the wrong party.
An effective vendor onboarding program acts as a firewall. The fraud risk to your accounts payable process is contained to the degree that you authorize no payment to a vendor until that vendor has been through a vetting process.
Verify the Vendor’s Legal Identity First

Before anything else, confirm that the vendor is a registered legal entity. This sounds obvious, but it’s skipped more often than you’d think — especially when urgency is applied (“we need this vendor approved by Friday”).
Obtain the vendor’s official business registration documents. Verify their registered name and number with the relevant state or national business registry. Domestic entities can usually be verified through a free lookup on the Secretary of State’s website. International entities can be validated with GLEIF.
This information shows that the business is operational, is registered where it claims, and has the legal authority to speak on behalf of the company. Any inconsistency in the legal name, entity date, registration address, or any other information should prompt questions.
Validate Bank Account Details Through a Secure, Verified Channel
Bank account verification is where vendor payment onboarding fraud most commonly occurs. The scheme is known as Business Email Compromise (BEC) or vendor impersonation fraud, and it works like this: a bad actor intercepts or spoofs communication from a legitimate vendor, submits fraudulent banking details, and collects your payments before anyone catches on.
Never accept a vendor’s or partner’s updated bank account details just because they arrived by email, even from their official company email address. To check the bank account details a partner has provided, call the phone number your company already has on file for the partner, usually the one in the partner’s official contact list. After you have gone through the details with them over the phone, repeat the account details to them again after you confirm the payment.
If vendor relationships are high-volume and bank account validation services are needed, consider using micro-deposit verification services. These services use either a direct connection through their APIs or micro-deposit confirmations to verify that the bank account is legitimate and is held in the name of the vendor you expect. Companies that provide these services, such as Plaid and Stripe, are in the treasury and banking solutions space. Using these services can extend the payment process by a day or two, potentially mitigating losses of tens of thousands of dollars.
Run Sanctions and Watchlist Checks Before Approval

Paying a sanctioned entity — even unknowingly — can expose your business to serious regulatory and legal consequences. US businesses are required to comply with OFAC (Office of Foreign Assets Control) regulations, which prohibit transactions with certain individuals, organizations, and countries.
Screen new vendors against the OFAC Specially Designated Nationals (SDN) list, other watch lists relevant to your industry, and, if you have international operations, the EU consolidated sanctions list. Include the vendor’s key individuals in the screening if you can.
Sanctions screening should not be performed just once. Vendor statuses change, and re-screening should be performed quarterly or whenever an event dictates it. Compliance and ERP platforms offer automated watchlist screening, eliminating the manual burdens this task previously required.
Assess Tax Compliance and Collect the Right Documentation
In the US, this means collecting a completed Form W-9 from domestic vendors or the appropriate Form W-8 series from foreign vendors before issuing any payment. These forms capture the vendor’s taxpayer identification number (TIN) and are required for accurate 1099 reporting.
Gathering these forms is not optional. IRS laws require the forms to be collected. If a vendor does not provide a TIN or delays completing the form, it is a major warning sign. Legitimate businesses know and appreciate this step. Backup withholding rules allow withholding 24% of the payment if a TIN is not provided, which is an option available to you if a vendor resists.
In addition to W-9 forms, consider checking whether the vendor has any tax liens, public records of judgments, or the like. A vendor in serious financial trouble is not likely to be a reliable, long-term business partner. Also, in some circumstances, paying the vendor may become a concern if they are subject to an IRS levy, a creditor’s levy, or similar.
Evaluate the Vendor’s Operational Legitimacy
Legal existence and banking details are necessary, but they’re not sufficient. A vendor can be a legally registered entity with a real bank account and still be an empty shell, unable to deliver on its promises.
Operational due diligence involves evaluating whether a vendor lives up to its claims. Check their other customer references. Ask for evidence of past similar work in the form of case studies, contracts (with whatever redactions you require), or project portfolios. Verify the reliability of their website and other contact information. Check their LinkedIn and confirm their employees have real business histories and are actually present.
For more valuable vendors, you might want a site visit, a video call with their ops team, or a third-party due diligence report. The oversight you provide should be commensurate with the importance and monetary value of the relationship. You would not scrutinize a vendor for office supplies with the same focus and rigor as you would a vendor for IT services or one who handles customer data.
Review Contractual Terms and Insurance Coverage

Before a vendor receives their first payment, there should be a signed contract in place. This may seem elementary, but accounts payable teams frequently process invoices based on verbal agreements or purchase orders alone — leaving both parties exposed when something goes wrong.
The contract must include details on the scope of services, payment terms, deadlines, liability, and termination terms. It must also include stipulations for disputes. These are not only for legal defense. They are ways for you to reclaim funds and/or hold a vendor accountable for poor service.
You may also have to verify insurance depending on the vendor relationship. A contractor without liability insurance and a data processor without cyber liability insurance pose risks to your balance sheet if something happens. Furthermore, in addition to having certificates of insurance, they must also confirm that your company is listed as an additional insured.
Build Approval Workflows That Prevent Single-Point Failures
Even the best verification checklist fails if one person can override it. Safer vendor onboarding requires process controls, not just documentation requirements.
The basis of your payment system should be the separation of duties. The person who creates a vendor record should not be able to approve it for payment. For high payments, higher signatory approvals are required. Each change to a vendor’s bank accounts should be followed by a review and a call to verify payment, using the same mechanisms every time.
Companies that install dual-control mechanisms reduce their risk of external fraud and internal system abuses. It’s not about not trusting employees. Payment systems should protect employees, similar to the protective systems employees are expected to implement.
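The controls above can be enforced as a single release gate in the payment run. The following is an added example, not code from this article or from any named product; the record fields, the 10,000 high-value threshold and the 92-day screening window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values; the article names no threshold and says "quarterly".
HIGH_VALUE_THRESHOLD = 10_000
MAX_SCREENING_AGE = timedelta(days=92)

@dataclass
class VendorRecord:
    name: str
    created_by: str                      # user who entered the vendor
    approved_by: Optional[str]           # user who approved the record
    bank_account: str                    # account payments currently go to
    callback_confirmed_account: Optional[str]  # confirmed by phone on a known number
    last_sanctions_screen: Optional[date]
    tax_form_on_file: bool               # W-9 or W-8 collected

def payment_blockers(vendor, amount, payment_approvers, today):
    """Return reasons the payment must be held; an empty list means release."""
    blockers = []
    if vendor.approved_by is None:
        blockers.append("vendor record not approved")
    elif vendor.approved_by == vendor.created_by:
        blockers.append("vendor record approved by its creator")
    # Any bank-detail change invalidates the earlier callback confirmation.
    if vendor.callback_confirmed_account != vendor.bank_account:
        blockers.append("current bank details not confirmed by callback")
    if (vendor.last_sanctions_screen is None
            or today - vendor.last_sanctions_screen > MAX_SCREENING_AGE):
        blockers.append("sanctions screening missing or stale")
    if not vendor.tax_form_on_file:
        blockers.append("no W-9/W-8 on file")
    # Higher payments need more sign-offs; the record creator never counts.
    independent = set(payment_approvers) - {vendor.created_by}
    required = 2 if amount >= HIGH_VALUE_THRESHOLD else 1
    if len(independent) < required:
        blockers.append(f"needs {required} independent payment approver(s)")
    return blockers

# Constructed sample records: the first had its bank details changed after the last callback.
TODAY = date(2024, 6, 3)
changed = VendorRecord("Acme Supplies (sample)", "alice", "bob",
                       "ACCT-NEW-0002", "ACCT-OLD-0001", date(2024, 5, 1), True)
clean = VendorRecord("Birch Logistics (sample)", "alice", "bob",
                     "ACCT-0003", "ACCT-0003", date(2024, 5, 1), True)

if __name__ == "__main__":
    print(payment_blockers(changed, 25_000, ["alice", "carol"], TODAY))
    print(payment_blockers(clean, 25_000, ["bob", "carol"], TODAY))
```

Returning every blocker rather than stopping at the first gives the reviewer the full list of outstanding checks in one pass.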
Conclusion
Vendor payment onboarding is one of the most consequential processes in your accounts payable function, and it deserves to be treated that way. The verification steps outlined here — legal identity confirmation, bank account validation, sanctions screening, tax documentation, operational due diligence, contract review, and process controls — aren’t bureaucratic overhead. They’re the difference between a vendor relationship that creates value and one that creates risk.
The businesses most vulnerable to vendor fraud are the ones that prioritize speed over structure. A few extra days of verification at the start of a vendor relationship is a small investment compared to the cost of recovering from a fraudulent payment, a regulatory violation, or a failed vendor. Build the process once. Apply it consistently. Your finance team, your auditors, and your bottom line will thank you.
Frequently Asked Questions
How long should vendor payment onboarding take?
For most vendors, a well-structured onboarding process takes three to five business days. Higher-risk or higher-value vendors may require additional time for deeper due diligence. Rushing the process to meet an internal deadline is one of the most common causes of vendor fraud — it’s worth setting realistic expectations with stakeholders upfront.
What is the biggest risk during vendor onboarding?
Bank account fraud — specifically Business Email Compromise — is the most financially damaging risk during vendor onboarding. Fraudsters intercept or spoof communications to substitute their own bank details for a legitimate vendor’s. Independent phone verification of account details, combined with a formal bank account validation process, is the most effective defense.
Do small businesses need formal vendor onboarding procedures?
Yes. Small businesses are often more vulnerable to vendor fraud than larger companies because they lack formal controls and rely heavily on trust-based relationships. A lightweight but consistent onboarding checklist — even a simple one — provides meaningful protection without requiring dedicated compliance staff.
How often should vendor information be re-verified?
At minimum, re-verify vendor bank details and sanctions status annually. Any time a vendor submits a change to their payment details, treat it as a new verification event — not a routine update. Changes to banking information are a common vector for fraud and should always trigger an independent confirmation call.