AML Compliance and TIN Matching: What AP Teams Need to Know

Anti-money laundering compliance is often treated as a banking problem — something handled by financial institutions, not accounts payable teams. But if your business pays vendors or contractors without validating their identity and screening them against sanctions lists, you have AML exposure. The question is whether you know about it before the IRS or OFAC does.

Why AP Teams Have AML Exposure

AML regulations are designed to prevent businesses from — knowingly or unknowingly — moving money to sanctioned individuals, shell companies, or entities tied to criminal activity. The "unknowingly" part is what catches most AP teams off guard.

When you pay a vendor, you are responsible for knowing who you are paying. That means:

  • Confirming their identity matches their tax ID
  • Verifying their TIN against IRS records
  • Screening them against OFAC and other applicable sanctions lists

Most AP teams do some version of the first two steps through W-9 collection. Very few do the third consistently. And almost none connect all three into a single workflow — which is where the exposure lives.


The TIN Matching and AML Connection

TIN matching and AML screening address different risks but share the same starting point: you need to know who you are actually paying.

TIN matching confirms that the name and tax ID a vendor gave you match what the IRS has on file. It catches typos, stale data, and deliberate misrepresentation — the kinds of errors that generate B-Notices and 972CG penalties.

Sanctions screening confirms that the entity you are paying is not on a government watchlist — OFAC's SDN list, EU sanctions lists, or any of hundreds of other global lists. It catches a different kind of problem: legitimate-looking vendors who turn out to be restricted parties.

Used together, they answer the same fundamental question: is this vendor who they say they are, and is it legal to pay them?


Where the Gaps Usually Are

In most AP workflows, TIN validation and sanctions screening are either siloed or missing entirely:

TIN validation without sanctions screening: Many AP teams collect W-9s and run IRS TIN matching but never screen the same vendor list against OFAC or other watchlists. They know the TIN is valid — they don't know if the entity is sanctioned.

Sanctions screening without TIN validation: Some compliance teams run periodic sanctions checks but don't connect them to the AP vendor master. A vendor can pass a sanctions screen under one name and appear in the vendor master under a slightly different name — and the two records never get linked.

Neither, on a consistent basis: The most common scenario is that both checks happen occasionally, manually, and incompletely — particularly for lower-volume or legacy vendors who were onboarded before formal processes existed.


What a Connected Workflow Looks Like

The goal is a single onboarding and ongoing monitoring workflow that covers both:

At vendor onboarding:

  • Collect W-9
  • Validate TIN/name combination against IRS records
  • Screen against OFAC SDN list and any other applicable sanctions lists
  • Log all results with timestamps

Ongoing:

  • Re-screen existing vendors against sanctions lists periodically — watchlists update frequently and a vendor who was clean at onboarding may not be clean today
  • Re-validate TINs before annual 1099 filing season
  • Flag any changes in vendor data for re-screening

When issues surface:

  • TIN mismatch: cross-reference an EIN database to find the correct TIN, reach out for a corrected W-9, re-validate
  • Sanctions hit: escalate for review before next payment, document the decision

How TIN Comply Covers Both

TIN Comply combines IRS TIN matching and sanctions screening in a single platform:

  • IRS TIN Matching — validate vendor TIN/name combinations against IRS records, in bulk or via API
  • Sanctions & OFAC Screening — screen against 250+ global watchlists including OFAC SDN, EU Financial Sanctions Files, and country-level lists across North America, Europe, Asia, and beyond
  • EIN Discovery — when a TIN comes back as a mismatch, cross-reference millions of business records to find the correct one
  • Audit Trails — every validation and screening result logged with timestamps, exportable for compliance review


Bottom Line

AML compliance and TIN matching are not separate workstreams — they are two sides of the same question about vendor identity. AP teams that treat them as unrelated, or that handle one without the other, carry exposure that typically surfaces at the worst possible time: during an audit, a B-Notice response, or an OFAC inquiry. Building a connected workflow before that happens is straightforward. Fixing it after is not.


This article is for informational purposes only and does not constitute legal or compliance advice. Consult a qualified professional for guidance specific to your organization.