Treasury, Payments & Fraud Prevention

The Payment Control Gap That TIN Matching Closes

Most payment approval workflows verify that an invoice exists, that it matches a purchase order, that the payment amount is within authorization limits, and that the approver has the appropriate authority. What standard AP controls typically don't verify is whether the vendor record the payment is releasing against represents a real, IRS-registered entity whose name and EIN actually belong together.

A ghost vendor — a fictitious entity created in the AP system to divert payments — typically has a fabricated EIN that doesn't resolve against IRS records, or a real EIN paired with a name that doesn't match the IRS registration for that EIN. IRS TIN matching at the payment control layer catches both.

Vendor Fraud Patterns That TIN Matching Detects

Payment fraud schemes that target AP and treasury systems rely on the assumption that vendor identity isn't verified at the point of payment. The most common schemes have detectable signals in the name/TIN relationship that TIN Comply's IRS matching surfaces.

TIN Comply doesn't replace a full fraud prevention program — bank account verification, positive pay, dual authorization for high-value payments, and other controls remain essential. What TIN matching adds is the specific check on vendor legal identity that fraud prevention controls typically don't include: does this name and EIN belong together in IRS records?

OFAC Screening at the Payment Control Point

OFAC sanctions compliance requires that payments aren't made to sanctioned entities or individuals. In most organizations, OFAC screening happens at vendor onboarding — the vendor is screened when they're added to the vendor master, and the assumption is that the screening result from onboarding covers subsequent payments. Two problems with this:

First, OFAC lists are updated continuously. A vendor that was clean at onboarding may be designated after onboarding, and a point-in-time screening result doesn't catch new designations.

Second, if OFAC screening didn't happen at onboarding — which is more common than treasury teams realize, especially in vendor populations onboarded before a compliance program was formalized — the vendor has never been screened.

TIN Comply's OFAC and 250+ list screening runs automatically with every TIN matching call — so the payment-point validation confirms both vendor identity and current sanctions status in a single step.

High-Value Payment Validation Workflow

For treasury teams managing high-value ACH and wire payments — payments above defined thresholds that require enhanced controls — TIN Comply's API supports a pre-release validation step that confirms vendor identity and sanctions status before the payment is authorized for release.

Vendor Impersonation and Bank Account Change Fraud

Business Email Compromise (BEC) schemes targeting AP and treasury frequently involve convincing a vendor's AP contact that the vendor has changed their banking information. The fraudster, posing as the vendor, requests a bank account update — and subsequent payments go to the fraudster's account rather than the legitimate vendor.

A bank account change request is one of the highest-risk events in a payment workflow. When a bank account change is submitted, re-validating the vendor's name and TIN against IRS records confirms that the entity requesting the change is still the IRS-registered entity in the vendor master — not an impersonator who has substituted their own TIN information alongside the bank account change.

Duplicate Vendor and Fictitious Vendor Detection

Duplicate vendor records — the same entity appearing multiple times in the vendor master with different vendor IDs, slightly different names, or inconsistent TINs — create payment risk independent of fraud. Payments may be made against the wrong vendor record, spend data can't be consolidated, and compliance screening may have been completed on one record but not the other.

TIN Comply's bulk validation with TIN-keyed analysis identifies: records sharing the same confirmed EIN (potential duplicates), records where the same name appears with different EINs (potential data errors or impersonation), and records where the submitted EIN doesn't resolve against IRS records at all (potential ghost vendors or data entry errors). This analysis gives treasury and AP teams a risk-stratified view of the vendor master from an identity integrity standpoint.

How TIN Comply Supports Treasury and Payments Compliance

Specific Scenarios TIN Comply Handles for Treasury and Payments

The high-value payment where the vendor's name and EIN don't match. A $240,000 ACH payment is queued for a vendor. TIN Comply's pre-release validation returns a mismatch — the vendor's name in the system doesn't resolve against the EIN on file. Treasury holds the payment, contacts the vendor through an independently verified channel, and discovers the vendor record has a data entry error from the original onboarding. Corrected W-9 collected, revalidated, payment released to the correct entity.

The bank account change request from a vendor the AP team has worked with for years. A vendor submits a bank account change request by email. Standard AP policy is to require a new W-9 for bank account changes. The new W-9 is submitted through TIN Comply's portal. TIN matching returns a mismatch — the EIN on the new W-9 doesn't match the confirmed EIN on the original W-9. Treasury escalates; investigation reveals a BEC impersonation attempt. The original bank account is preserved; no payment misdirected.

The vendor master with legacy records that predate the OFAC screening program. A treasury team implements TIN Comply and runs bulk validation across their full vendor master. The exception report identifies 340 active vendors who have never been screened against OFAC because they were onboarded before the current compliance program existed. One returns a potential match against a FinCEN advisory list. Compliance reviews and resolves; the remaining 339 are cleared and documented. The vendor master now has a baseline OFAC screening record for every active vendor.

The quarterly re-screening that catches a new OFAC designation. A scheduled quarterly re-screen of the active vendor population identifies a supplier that received a new SDN designation since the last re-screen. The supplier is flagged before the next payment run; procurement is notified; alternative supplier engaged. The OFAC violation that would have occurred on the next payment cycle is avoided.

Best Practices for Treasury and Payments Fraud Prevention

Frequently Asked Questions for Treasury and Payments Teams

How does TIN Comply integrate with payment authorization and ERP AP workflows?

TIN Comply provides a REST API that integrates with payment authorization systems, ERP AP workflows (SAP, Oracle, Workday, NetSuite), and treasury management systems. The API can be called at defined payment control points — vendor creation, bank account change, high-value payment pre-release — and returns validation results that drive workflow routing decisions. Contact TIN Comply's team for specific integration details.

How quickly does TIN Comply's API return results for pre-payment validation?

Real-time single-record validation typically returns results in under 2 seconds — designed for use within payment authorization workflows where response time affects operational throughput.

Does TIN Comply replace positive pay, dual authorization, or bank account verification controls?

No — TIN Comply's TIN matching and OFAC screening address vendor legal identity and sanctions status, which are distinct from and complementary to bank account verification, positive pay, and dual authorization controls. The strongest payment fraud prevention programs layer multiple controls: identity confirmation (TIN Comply), account verification (bank account validation services), payment authorization (dual approval), and transaction monitoring (positive pay). Each addresses a different fraud vector.

What's the value of EIN & Company Lookup specifically for treasury teams?

EIN & Company Lookup allows treasury teams to independently verify what legal entity name the IRS has registered for a specific EIN — without relying on what the vendor submitted on their W-9. For high-value payment events where independent verification is warranted, looking up the IRS-registered name for a vendor's EIN and comparing it to the name in the vendor master is an out-of-band identity confirmation that catches both data errors and impersonation attempts.

How does TIN Comply support fraud investigation documentation?

TIN Comply's per-vendor audit trail retains every validation result, screening result, and re-validation event with timestamps. When a fraud event triggers an internal investigation or external reporting requirement, the TIN Comply record provides a timeline of when the vendor's identity was validated, what results were returned, and what actions were taken — supporting the investigation narrative and the documentation of what controls were operating at the time of the fraud attempt.

Put Vendor Identity Verification at the Payment Control Point