Vendor Master Data Hygiene: The Housekeeping That Prevents Fraud, Duplicate Payments, and 1099 Failures
Most construction AP systems' vendor master files are accretion systems — vendors get added over time, rarely deleted, rarely reviewed. After a few years, the master accumulates duplicates (same vendor under different names or spellings), inactive vendors (left over from projects that closed years ago), expired W-9s (vendors whose tax information hasn't been refreshed), stale banking data (ACH routing numbers that may no longer be valid), and general noise that slows the AP team's daily work and creates risk.
Vendor master data hygiene is the systematic process of cleaning up the master. It's not exciting work, but the payoff is real: fewer duplicate payments, fewer fraud vulnerabilities, cleaner year-end 1099 filing, faster invoice matching, and better data for vendor spend analytics. Most AP teams who do this periodically find the first cleanup produces significant results; subsequent cycles are easier and maintain the cleanliness.
The first hygiene pass is deduplication. Duplicate vendor records arise when AP staff create new records for what they don't realize is an existing vendor — subtle spelling variations, different contact addresses, different entity structures (LLC vs Inc.), or just accidental duplication. A vendor master with 8,000 records might easily have 200-500 duplicates across active records.
The authoritative key for deduplication is the tax identification number (EIN for businesses, SSN for sole proprietors). Two vendor records with the same TIN are the same vendor. After TIN matching, review name similarity (fuzzy string matching catches obvious variations) and address matching (same address suggests same operation) to find duplicates that TIN data doesn't catch (for example, vendors whose TIN is missing on one record).
Deduplication workflow
- Export active vendor list with TIN, name, address, banking
- Group by TIN — any group of 2+ records with the same TIN are candidates for merge
- Fuzzy name matching across different TINs — some may be legitimate different entities, some may be mis-captured
- Review each candidate pair — decide merge (same vendor, combine records) or keep separate (genuinely different entities)
- Merge duplicate records — point all transactions, payments, W-9s to the surviving record; deactivate the duplicates
- Document the merge decisions in an audit trail
Every active vendor's TIN should match what the IRS has on file. TIN mismatches trigger B-notices at year-end 1099 filing, which requires backup withholding and reissue of 1099s. Proactive TIN matching — before invoice processing — prevents this.
The IRS provides a TIN Matching Program that allows contractors to validate a vendor's TIN against IRS records before submitting 1099s. Running the active vendor master through TIN matching periodically identifies mismatches so they can be corrected with the vendor before year-end. The effort during the year is much smaller than the effort to correct B-notices in January.
The IRS TIN Matching Program is free and available through e-Services. Most AP teams who start using it find 5-10% of their vendor master has mismatches — often minor (name spelling doesn't exactly match what's on the SSN/EIN record) but requiring vendor outreach to correct.
W-9s should be current for every active vendor. In practice, many vendor masters have W-9s from when the vendor was onboarded five years ago, with no updates since. If the vendor changed their name, their entity structure, their address, or their TIN, the old W-9 is stale.
Periodic W-9 refresh — annually for high-volume vendors, every few years for low-volume — catches these changes. Updated W-9s also reset the start date for the contractor's recordkeeping obligation, which for tax purposes is at least 4 years.
A specific process: each year, identify vendors whose W-9 is over 3 years old and request a refreshed W-9. Block invoice payment until the updated W-9 arrives. The inconvenience drives vendors to respond; the annual refresh keeps the file current without excessive burden.
For vendors paid by ACH, banking data on file must be accurate. Stale routing numbers, closed accounts, or incorrect account details all cause failed payments — and worse, sometimes cause payments to go to the wrong account if the routing/account data has been changed by fraud.
Banking verification should be periodic. On any change to a vendor's banking data (ACH details), verify with the vendor via a trusted channel (phone call to a known contact, not reply to the email that requested the change). Fraud patterns where vendor email accounts are compromised and fake banking-update requests are sent are common; verified changes prevent payments to fraudsters.
Annual verification of active vendor banking data, even without changes, catches the cases where the vendor's bank has changed names or closed without notification.
Get AP insights in your inbox
A short monthly roundup of construction AP + accounting posts. No spam, ever.
No spam. Unsubscribe anytime.
Inactive Vendor Pruning
Vendors with no transactions for some period (say 18-24 months) should be moved to inactive status. They don't need to be deleted — historical transaction data is retained — but they shouldn't be active candidates for new transactions. An active vendor master with too many dormant records is both a processing inefficiency and a fraud risk (dormant vendor accounts can be reactivated with falsified invoices).
A typical pruning pass:
Inactive vendor pruning workflow
- Identify vendors with no invoice activity for 18+ months
- Review each — confirm the vendor relationship is actually ended, not just dormant
- Deactivate confirmed-ended vendors — mark as inactive, block further invoice processing without reactivation
- Document the deactivation with date and reason
- For any future invoice from a deactivated vendor, require explicit reactivation with current W-9 and updated information before processing
Specific vendor patterns are fraud red flags:
Vendor master fraud patterns
- Vendor addresses that match employee home addresses (pay-to-self fraud)
- Vendor banking data matching employee personal bank accounts
- Vendors with no W-9 on file who are receiving payments
- Vendors with mail-drop addresses (UPS Store, mailbox service) rather than real business addresses
- Vendors with sequential invoice numbers or strange naming patterns
- Vendors whose spending patterns are anomalous — large invoices compared to project sizes, frequent round-dollar amounts
- Recently-added vendors receiving disproportionate spend
Periodic screening for these patterns — automated where possible, manual review for the edge cases — catches fraud that routine invoice processing doesn't surface. Some vendor masters reveal ghost vendors that have been receiving payments for years when these checks are run.
Once the initial hygiene pass is done, maintenance is much lighter. A typical ongoing cycle:
Ongoing vendor master maintenance
- Monthly — review new vendor additions (are they legitimate, with proper W-9 and documentation?)
- Quarterly — run TIN matching against IRS records for recently-added or recently-paid vendors
- Semi-annually — run fraud pattern screens across the vendor master
- Annually — W-9 refresh for vendors over 3 years old; inactive vendor pruning pass
- Year-end — comprehensive review before 1099 generation, ensuring all W-9s, TINs, and addresses are current
Vendor master data hygiene is the housekeeping discipline that keeps AP running cleanly. Deduplication prevents duplicate payments. TIN validation prevents B-notices and 1099 failures. W-9 currency keeps tax records compliant. Banking verification prevents fraud. Inactive vendor pruning reduces the processing surface. Fraud pattern screens catch what routine processing doesn't. The initial cleanup of a long-neglected master is a meaningful project; ongoing maintenance is much lighter. For construction AP teams that haven't done it, the first pass usually finds real money and real risk waiting to be addressed.
Written by
Alex Kim
Engineering Lead, AI
Engineering lead for Covinly's AI and ML systems. Previously built fraud detection at a B2B fintech. Writes about how AI actually reads invoices — the math, the edge cases, and why OCR alone isn't enough.
View all posts