Minimum Necessary Validations

The direction most companies are going is a minimum check with a few data sources during supplier onboarding for all suppliers and then performing deeper supplier risk reviews on select suppliers that meet custom criteria. But what kinds of sources verify the “minimum necessary validations”? Our experience is that the following broad areas will do the trick:

• Government Tax Authority: validation of tax ID and official business name 
• Postal Service: verification that the given address is recognized and complete
• Government Agencies: confirmation that the supplier is not named in “sanctions lists”
• Banking Association: validation of bank routing number

As noted, these checks provide a minimum validation that can flag prospective vendors for further scrutiny. The sources may vary around the world, but many of them have web-accessible content where users can verify given supplier data. Depending on local regulations or industry norms, even more sources may need to be checked as well.

Simple Lookups, But Lots of Them

All of this makes for a hodge-podge of lookups typically done one-by-one for each supplier and source that needs to be checked. Consider a simple Tax ID number (TIN) check in the U.S. The clerk looking at a prospective supplier copies their EIN number and Legal Name and then opens the IRS TIN Matching website, pastes the data, submits and looks at the results. Simple enough, but consider when and if the results contain warnings (maybe the legal name was slightly different). Consider also doing the same for address checks, sanctions lists and banking information. Now multiply all that by the number of prospective suppliers added monthly.

With all of this in mind, it’s little wonder that companies who’ve spent good money digitizing their supplier management process can’t claim all the automation benefits. As some processes have become more efficient, the data available and reasons for checking outside sources has also increased. In some cases, it has now become required. Worse yet, given the tedious nature of performing these lookups (where the majority of outcomes are “thanks for checking; all looks in order!”) lends itself to the possibility of clerks skipping or shortcutting the activity. So companies are either wasting labor or ignoring potential fraud.

Aggregating Lookups

Thankfully, sources are making available the necessary APIs that would allow companies to connect with them and perform the lookup automatically. These are still new and evolving, but there are enough now that it’s possible not to just connect with each source separately, but to have added-value services who:

• Dynamically route lookups to only the sources required
• Package the results so that the proper actions are taken for rejections and warnings while treating minor issues as an “fyi” only
• Offer enrichment of the supplier data with better data from the lookup source (for example, a normalized address)
• Add industry or regionally specific lookups as required and available
• Monitor for inevitable change in the source APIs and/or the destination supplier management systems so that the APIs keep working

Typically, these value-added services operate independently of the sources and of the supplier management systems because their focus is on covering the aggregation and interpretation of the lookups for proper supplier fraud detection. Of course, it’s key to understand how results are presented back into the supplier onboarding process for maximum efficiency. Service providers in this domain, therefore, need to understand the supplier onboarding process and it’s systems to maintain their value-add.

Check Again?

In fact, the broader supplier management process offers a perspective on these anti-fraud lookups as well. So far, we’ve been talking about catching suppliers who are introduced to a company through the supplier onboarding process. But what of suppliers who are already activated? Or suppliers who ask to have their address or banking information changed all of a sudden. Even further afield, what about the so-called “one-time invoice” suppliers who AP doesn’t want to set up through formal onboarding, but who nevertheless need to be activated temporarily so they can be paid?

Some of these cases would involve invoking the aggregated lookup service in supplier change workflows (such as the address, banking info change requests or even in the one-time invoice approval flow). Others, like checking already activated suppliers or doing a spot check on foreign suppliers against sanctions lists (which grow and shrink over time), would need a “bulk data sweep” type of activity. One where the Risk personnel, for example, specify a select group of suppliers which are then passed through the aggregated lookups for a renewed check against sources.

It is ironic that something thought of as “minimum necessary validation” can have use in so many places and across a broad swath of supplier records. This is why it’s important to minimize labor on these checks to just work with the exceptional (flagged) results instead of worrying about the tedious lookups themselves.