Vendor Validation: Why TIN Matching Alone Is Not Enough

Most AP teams think vendor validation means collecting a W-9. It doesn't. A W-9 tells you what a vendor claims their tax ID is. It doesn't tell you whether that ID is correct, whether the business is real, or whether it's legal for you to pay them at all. Those are three different questions — and they each require a different check.

The Three Questions Every Vendor Payment Should Answer

Before you pay a vendor, there are three things you need to know:

  1. Is their TIN correct? Do the name and tax ID they gave you match what the IRS has on file?
  2. Is their business real? Can you verify their EIN against an independent source — not just take their word for it?
  3. Is it legal to pay them? Are they on OFAC's SDN list or any other applicable sanctions watchlist?

Most AP teams answer the first question inconsistently, the second rarely, and the third almost never. That's not a compliance program — it's a gap with paperwork on top of it.


Check 1: IRS TIN Matching

TIN matching is the process of confirming that a vendor's name and tax ID combination matches IRS records. It's the foundational check — without it, you're filing 1099s against unverified data.

What it catches:

  • Vendors who transposed digits in their EIN
  • Sole proprietors who gave you their business name but their SSN — or vice versa
  • Vendors whose legal name changed after a merger or restructuring but never updated their W-9
  • Deliberate misrepresentation

What it doesn't catch: whether the business actually exists as reported, or whether the entity is on a sanctions list. That's what the next two checks are for.


Check 2: EIN Verification

A vendor can pass IRS TIN matching and still be a problem. TIN matching confirms that a name/TIN combination exists in IRS records — it doesn't tell you much about the underlying business.

EIN verification means cross-referencing the vendor's EIN against an independent business database to confirm the entity is real, active, and matches what the vendor told you. It's particularly useful when:

  • A vendor gives you an EIN but the business name doesn't match anything you can find
  • You receive a TIN mismatch from the IRS and need to find the correct EIN
  • You're onboarding a new vendor and want to confirm their business details before the first payment

TIN Comply's EIN lookup covers millions of business records, so when the IRS tells you a TIN is wrong, you have somewhere to go to find the right one — rather than waiting on the vendor to respond.


Check 3: Sanctions Screening

Sanctions screening is the check most AP teams skip entirely — and it's the one with the most severe consequences if you get it wrong.

OFAC's SDN list and hundreds of other global sanctions lists identify individuals and entities that US businesses are prohibited from paying. Violations aren't limited to knowingly paying a sanctioned party — regulators expect businesses to have screening programs in place. "We didn't know" is not a defense if you had no process for checking.

What sanctions screening catches:

  • Vendors or their beneficial owners who appear on OFAC's SDN list
  • Entities subject to sectoral sanctions (energy, finance, defense)
  • Foreign vendors on EU, UK, or other country-level watchlists
  • PEPs (politically exposed persons) who require enhanced due diligence

One important note: sanctions lists change constantly. A vendor who was clean at onboarding may not be clean six months later. Screening needs to be ongoing, not a one-time check.


Why All Three Need to Work Together

Running these checks in isolation creates its own problems:

  • TIN matching without sanctions screening means you know the TIN is valid but not whether the entity is sanctioned
  • Sanctions screening without TIN matching means you're screening a name that may not even be the vendor's legal name — reducing the reliability of the match
  • EIN verification without either means you've confirmed the business exists but have no idea if you're legally allowed to pay them or if your 1099s are accurate

The checks need to feed each other. A vendor's legal name from EIN verification should be what you run through TIN matching. The validated legal name should be what you screen against sanctions lists. When the data is consistent across all three, your vendor file is actually clean.


How TIN Comply Connects All Three

TIN Comply runs all three checks in a single platform:

  • IRS TIN Matching — validate vendor TIN/name combinations against IRS records, individually, in bulk, or via API
  • EIN Lookup — cross-reference millions of business records to verify EINs and find correct TINs when the IRS returns a mismatch
  • Sanctions & OFAC Screening — screen against 250+ global watchlists including OFAC SDN, EU Financial Sanctions Files, and country-level lists
  • Audit Trails — every check logged with timestamps, exportable for IRS documentation or internal compliance review



Bottom Line

Vendor validation is not a single check — it's three questions that need three answers, consistently, for every vendor you pay. Most AP teams are answering one and calling it compliance. The exposure from the other two doesn't show up until a B-Notice arrives, an OFAC inquiry lands, or an audit starts. At that point the conversation shifts from validation to remediation — which is significantly more expensive and time-consuming than getting the process right upfront.


This article is for informational purposes only and does not constitute legal or compliance advice. Consult a qualified professional for guidance specific to your organization.