Vendor Onboarding Compliance Checklist: W-9, TIN Matching, OFAC, and More
Most IRS compliance problems don't start at filing season — they start at vendor onboarding. Incorrect legal names, missing W-9 documentation, unvalidated TINs, and skipped sanctions screening all enter the system during setup and surface months later as CP2100 notices, B-Notice workflows, and 972CG penalties. A consistent, documented onboarding process is the most effective control a compliance team can implement — because fixing bad vendor data before the first payment is far easier than cleaning it up after year-end.
Why Onboarding Is the Most Important Compliance Control Point
Every bad vendor record in the system was created at a point in time when it could have been caught. The legal name that triggers a CP2100 mismatch every year was entered wrong at setup. The missing W-9 that creates backup withholding exposure was never collected at activation. The duplicate vendor record that produces incorrect 1099 totals was created because no one checked for an existing EIN match. Vendor onboarding is where compliance problems begin — and where they're cheapest to prevent.
- CP2100 mismatch notices from TINs that were never validated at setup
- B-Notice outreach requirements triggered by legal names entered incorrectly at activation
- 972CG penalty assessments from filing errors that trace back to onboarding data
- Backup withholding exposure from vendors paid before W-9 collection was complete
- OFAC violations from vendors who were never screened before payment
- Returned 1099s from addresses that were never validated
- Duplicate vendor records that split payment history and corrupt 1099 aggregates
A compliance team that enforces consistent onboarding controls doesn't eliminate all year-end cleanup — but it eliminates most of it. The ones that remain are vendor-side changes and external events, not internal process failures.
The Vendor Onboarding Compliance Checklist
1 — Collect Complete Vendor Information Before Creating a Record
The onboarding form should capture everything needed for tax compliance and payment processing before the vendor record is created — not as a follow-up task.
Required fields at onboarding:
- Legal business name (exactly as registered with the IRS — from W-9 Line 1)
- DBA or trade name (if applicable — stored in a separate field)
- Federal Tax ID: EIN or SSN, confirmed TIN type
- Tax classification: Individual / Sole Proprietor, LLC, C-Corp, S-Corp, Partnership, Trust/Estate
- Mailing address and remittance address
- Vendor contact name, email, and phone
- Payment method (ACH, check, wire)
2 — Require a Signed W-9 Before Vendor Activation (U.S. Vendors)
The W-9 is the certified IRS document through which the vendor attests to their legal name, tax classification, and TIN. It is the only documentation that establishes a certified basis for the taxpayer data in your vendor master.
A compliant W-9 must include:
- Line 1: Legal name (IRS-registered entity name)
- Line 2: Business name/DBA (if different from Line 1)
- Box 3: Tax classification checked
- Box 4: Exemption codes (if applicable)
- Part I: TIN entered and TIN type confirmed
- Part II: Certification signature and date
No vendor should be activated for payment until a signed, complete W-9 is on file — unless a documented exception process exists.
3 — Determine W-9 vs. W-8 (U.S. vs. Foreign Vendors)
Foreign vendors require a W-8 form, not a W-9. Collecting the wrong form is a compliance failure that creates audit exposure regardless of whether the payment was otherwise legitimate.
| Form | Who Uses It |
|---|---|
| W-9 | U.S. persons and entities subject to U.S. tax reporting |
| W-8BEN | Foreign individuals certifying non-U.S. status |
| W-8BEN-E | Foreign entities certifying non-U.S. status |
| W-8ECI | Foreign entities with U.S. effectively connected income |
| W-8EXP | Foreign governments, tax-exempt organizations |
| W-8IMY | Intermediaries and flow-through entities |
When a vendor's country of residence or entity structure is unclear, confirm before collecting the form — not after.
4 — Validate the Vendor's Name and TIN via IRS TIN Matching
A signed W-9 is the vendor's attestation that their information is correct. It is not confirmation that the IRS agrees. Vendors regularly submit DBAs instead of legal names, incorrect TIN types, and transposed digits in complete good faith. IRS TIN matching is what confirms the name + TIN combination will actually pass validation at filing.
- Transposed digits in the EIN or SSN
- DBA submitted as legal name on the W-9
- Missing or incorrect entity suffix (LLC, Inc., Corp.)
- Wrong TIN type (EIN provided where IRS expects SSN)
- Outdated legal name from an entity restructuring
- Vendor-provided incorrect taxpayer information in good faith
Running IRS TIN matching at onboarding — before the first payment — converts what would become a filed mismatch into a correctable data quality issue. It's the same validation that determines whether a CP2100 notice is generated; running it at onboarding means the answer is known before it becomes a compliance event.
5 — Confirm TIN Type: EIN vs. SSN
TIN type mismatches are a distinct and common mismatch category. A sole proprietor may provide an EIN registered to their business name, but if their IRS record associates payments with their SSN and personal name, filing under the EIN will produce a mismatch.
| Vendor Type | Expected TIN Type | Common Problem |
|---|---|---|
| Corporation / LLC taxed as corporation | EIN | Usually straightforward |
| Partnership | EIN | Usually straightforward |
| Sole proprietor | SSN (or EIN if issued) | High confusion rate — may have both; must confirm which IRS record is authoritative |
| Single-member LLC | SSN of owner (default) or EIN if elected | Most common TIN type confusion category |
| Individual contractor | SSN | Sometimes provides EIN for privacy — confirm which is correct for IRS matching |
W-9 Part I should specify the TIN type. Confirm it aligns with the vendor's entity structure before accepting the W-9.
6 — Run OFAC and Sanctions Screening
Every new vendor must be screened against OFAC and applicable sanctions lists before activation. Paying a sanctioned entity — even unknowingly — constitutes a potential violation. Strict liability applies in many OFAC sanctions programs.
Screening must include:
- OFAC SDN List (Specially Designated Nationals)
- Sectoral Sanctions Identifications (SSI) List
- OFAC Consolidated Sanctions List
- Additional U.S. government restricted party lists (BIS, SAM.gov)
- International sanctions programs
The screening engine must support fuzzy matching and alias detection — exact-match-only screening misses name variations that are standard in how sanctioned entities operate.
7 — Validate the Vendor's Mailing Address via USPS
Address validation at onboarding prevents returned 1099 copies, failed B-Notice delivery, undeliverable payment checks, and failure-to-furnish penalty exposure. Run USPS standardization to confirm deliverability, normalize formatting, and append ZIP+4.
Flag undeliverable addresses for immediate correction before the vendor record is activated — not at year-end when the 1099 furnishing deadline is approaching.
8 — Determine 1099 Reportability Status
Establish whether the vendor is likely to be 1099-reportable at onboarding, based on:
- Vendor type: services vs. goods
- Tax classification from W-9 (corporations are generally exempt; individuals, sole proprietors, partnerships, and LLCs are not)
- Exemption codes from W-9 Box 4
- Payment category: contractor services, rent, legal, medical, etc.
- Expected annual spend relative to reporting thresholds
Setting the 1099 reportability flag at onboarding prevents year-end surprises when payment totals cross the reporting threshold.
9 — Enforce Required Fields and ERP Record Structure
The vendor record in your ERP or AP system should be configured to require all compliance-critical fields before activation is permitted:
- Legal name (from W-9 Line 1)
- TIN and TIN type
- Tax classification
- Mailing address
- W-9 on file indicator and date
- 1099 reportability flag
- OFAC screening result and date
10 — Run a Duplicate Vendor Check Before Creating the Record
Before creating any new vendor, search the existing vendor master by EIN/SSN, mailing address, and similar legal name patterns. Duplicate vendors split payment history, produce incorrect 1099 aggregate totals, and may result in multiple 1099s being issued to the same TIN — all of which create IRS reconciliation problems.
Use the EIN/SSN as the primary deduplication key. Name-based search alone misses the most common cases, where the same payee has been entered under slightly different name variations.
11 — Document Every Step of the Onboarding Process
The compliance record of a vendor onboarding isn't just the W-9 — it's the full documentation trail: when the W-9 was requested, when it was received, when TIN matching was run and what the result was, when sanctions screening was run and what the result was, and who approved the vendor for activation.
This documentation serves two purposes: it demonstrates that the process was followed for audit defense, and it supports reasonable-cause penalty abatement claims if a mismatch appears later despite good-faith validation at onboarding.
12 — Approve for Payment Only After All Checkpoints Are Cleared
No payment should be processed until all onboarding compliance checkpoints are complete and documented:
- W-9 or W-8 received, complete, and signed
- TIN type confirmed and IRS TIN matching passed
- OFAC and sanctions screening cleared
- USPS address validated
- 1099 reportability status set
- Duplicate check confirmed — no existing EIN match
- All required ERP fields completed
- Documentation stored centrally and linked to the vendor record
Any exception to this gate should be formally documented with a reason and approval — not quietly bypassed. Undocumented exceptions are audit findings waiting to be discovered.
Common Onboarding Mistakes
| Mistake | Why It's a Problem |
|---|---|
| Paying vendors before W-9 is received | No certified taxpayer data on file — backup withholding may apply |
| Using DBA as legal name | IRS name control failure on every 1099 filed for that vendor |
| Skipping TIN matching at onboarding | Mismatches only discovered at CP2100 time — months after the fact |
| Accepting incomplete W-9 forms | Missing data creates the same risk as no W-9 |
| Skipping sanctions screening | Potential OFAC violation — strict liability applies |
| No address validation | Returned 1099s; undeliverable B-Notices; failure-to-furnish exposure |
| No duplicate check | Incorrect 1099 totals; multiple forms to same payee |
| W-9s stored in email threads | Not audit-ready; impossible to retrieve under deadline |
| No outreach documentation | Can't demonstrate reasonable cause if penalties arrive |
Best Practices
- Treat W-9 collection as a hard gate — no activation without it
- Source legal names from W-9 Line 1 explicitly — never from vendor-provided informal names
- Run IRS TIN matching before the first payment — not at year-end
- Confirm TIN type against entity structure, not just what the vendor provided
- Screen all vendors against consolidated sanctions lists — including domestic vendors
- Validate addresses via USPS before activation
- Set 1099 reportability status at onboarding — don't leave it for year-end determination
- Check for duplicate EIN/SSN matches before creating any new vendor record
- Store all W-9s, screening results, and validation records centrally and linked to the vendor record
- Document every outreach attempt and approval decision for audit readiness
Vendor Onboarding Compliance Checklist
- Legal name, DBA, TIN, tax classification, address, and contact collected
- W-9 or W-8 (correct form for entity type) received, complete, and signed
- TIN type confirmed (EIN vs. SSN) and consistent with entity structure
- IRS TIN matching run — name + TIN confirmed against IRS records
- OFAC and sanctions screening run against consolidated 250+ list
- USPS address validation confirmed — address is deliverable
- 1099 reportability status determined and flagged in ERP
- Duplicate check run — no existing EIN/SSN match in vendor master
- All required ERP fields completed — legal name, TIN, tax classification, address
- W-9, screening results, and validation records stored centrally and linked to vendor record
- Onboarding approval documented — compliance owner, date, and checkpoint status
- Vendor activated for payment only after all checkpoints cleared
Frequently Asked Questions
Is a W-9 required for every vendor?
A W-9 is required for any U.S. vendor for whom 1099 reporting may apply — which includes most vendors paid for services, rent, legal, medical, or consulting work. Even vendors below the reporting threshold should have a W-9 on file, because payment totals can change and a W-9 collected at onboarding is far less disruptive than outreach during filing season.
Should IRS TIN matching be run at onboarding, not just at year-end?
Yes — and onboarding is actually the more valuable validation point. TIN matching at onboarding catches mismatches before they produce a filed 1099, while year-end bulk validation catches them before the next filing cycle. Both are required for a complete compliance program, but onboarding is where the most prevention value is created.
What if a vendor refuses to provide a W-9?
Document the refusal and follow your organization's escalation policy. IRS rules allow — and in some cases require — payers to apply backup withholding (24%) on payments to vendors who refuse to provide valid taxpayer information. Payment should be held until the W-9 is received or the withholding process is formally initiated.
Should sanctions screening be part of vendor onboarding?
Yes — for all vendors, not just international ones. Sanctioned entities operate through U.S.-registered companies and shell entities. OFAC violations don't require intent; they require a transaction. Screening at onboarding is the control that prevents prohibited payments from being initiated.
How often should onboarded vendor data be revalidated?
Annually at Q4, at minimum. Additionally: whenever a vendor reports a legal name change, entity restructuring, or new TIN; and before high-value payments to vendors whose last validation was more than 12 months ago. Onboarding validation confirms the data at the point of setup — Q4 revalidation confirms it's still accurate.
Conclusion
A vendor onboarding checklist isn't a formality — it's the compliance infrastructure that determines whether your 1099 filings are clean or not. The controls that matter most are simple: collect a complete W-9 before activation, validate the name and TIN via IRS TIN matching, screen against sanctions lists, validate the address, confirm TIN type, check for duplicates, and document everything. Organizations that enforce these checkpoints consistently have shorter CP2100 lists, cleaner vendor masters, and significantly less year-end remediation work. The ones that skip them pay for it — in penalty exposure, B-Notice workflows, and the vendor outreach that should have happened months earlier.
Streamline Vendor Onboarding with TIN Comply
Real-time IRS TIN matching, automated W-9 collection with e-signature and required field enforcement, OFAC and sanctions screening across 250+ lists, USPS address validation, and centralized audit-ready documentation — all integrated into a single onboarding workflow that connects to your ERP.
- Real-time IRS TIN/Name matching at onboarding — before first payment
- Automated W-9 collection with e-signature, required field enforcement, and completion tracking
- OFAC and sanctions screening across 250+ global watchlists
- USPS address validation at onboarding and at year-end
- Audit-ready validation and screening history retained per vendor from day one
- API integration with SAP, Oracle, Workday, NetSuite, and more