New Vendor Compliance and Verifications Overview

Along with verifying that a vendor can provide the product or services needed at the appropriate specifications and requirement, an organization must also ensure that certain vendor information is correct. For example, the tax ID should be verified, as should bank information.

But before that, an organization first must ensure that it may legally engage the vendor. That is, it must check to see that working with the vendor is not blocked, sanctioned or otherwise prohibited.

Some of the following checks apply to all organizations; some apply only within certain industries or to those involved with U.S. government contracts.



If you are a government agency or your organization works for the government, there are vendors and contractors barred from working on government projects. You may not use them. Excluded parties are flagged in the U.S. Government’s unified System for Award Management (SAM). Individuals and entities may be excluded from government contracts for a host of reasons, including but not limited to owing the government money, a fraud conviction, violation of security protocols, or being barred entry to the country.


Healthcare organizations must ensure that the vendor has not been banned from health care work in which funding comes from the government (Medicare, Medicaid or other) due to past healthcare fraud. See OIG’s List of Excluded Individuals and Entities (LEIE), Department of Health and Human Services.

U.S., U.K., & E.U. Sanction Lists

All organizations must screen vendors against government sanction lists. The government prohibits you doing business with entities connected with terrorists and their sponsors, or traffickers in narcotics, conflict diamonds, WMDs and other illegal items. For most, a check of U.S. sanction lists will suffice, but organizations with overseas operations may also have to check U.K. or European Union sanction lists. Best known of these are the Treasury Department Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Parties List (SDN), which aggregates U.S. federal government lists, and OFAC’s country sanctions. There are a few others, such as the FBI list. And there are U.K. and E.U. sanction lists that apply to organizations operating in those countries.


TIN Matching

Tax Identification numbers (TINs) are necessary to comply with payment reporting regulations. TINs should be verified through the Internal Revenue Service’s (IRS) TIN Match Program prior to relying on those TINs for 1099 reporting. Social Security numbers (SSNs) should be protected.

Bank Account Information

Bank information should be confirmed independently of the source. Many organizations do prenoting to test routing and account number. Bank information should also be protected.

USPS & Other Mail Address Correction

A vendor’s mailing address should conform to USPS address standards. For countries outside the U.S., formats differ. Consult the S42 International Addressing Standards by the Universal Postal Union.

Disadvantaged Business Status

Depending on your organization, you might also track business status of your vendors, e.g., SB, WBE, MBE, DBE, SDB, VOSB, SDVOSB, WOSB, HUB, 8(a). Government agencies and companies that work with them, as well as many other organizations, track whether a vendor is, for example, minority-owned, woman-owned or veteran-owned small business. Status is noted in the vendor master file with vendor-provided certification.

You can find detailed exploration of these issues on VIMCOE, including the “what, why, where, when and how” to address them.