Supplier Onboarding

Supplier onboarding is the process of gathering and verifying the information needed to establish a new supplier in the vendor master before any payment is made. It is the first point of contact in the supplier relationship from an AP perspective, and it is the point where the most important fraud prevention checks take place.

A supplier that has passed through a thorough onboarding process is a known entity. Their ABN has been verified, their bank details have been recorded from a reliable source, their insurance certificates have been collected where required, and the person who authorised adding them to the approved vendor list has been identified. A supplier who has not been onboarded properly is an unknown entity, and payments to them carry higher risk.

What supplier onboarding should cover

A thorough supplier onboarding process for an Australian business should collect and verify the following: the supplier's legal business name and trading name, their ABN verified against the ATO's Australian Business Register, their bank account BSB and account number confirmed directly with the supplier via a phone call to a number sourced independently (not from the onboarding form), their GST registration status, their standard payment terms, contact details for their accounts receivable team, and relevant insurance certificates if the supplier is providing services on site or under contract.

For suppliers providing professional services, the onboarding process should also include checking for any relevant licences, registrations, or accreditations required by the type of work they are performing. In construction, this means checking contractor licences. In financial services, it means checking AFSL registration. The specific requirements depend on the industry and the nature of the engagement.

Why onboarding is a fraud prevention control

The most dangerous time in a supplier relationship from a fraud perspective is at the beginning. A fraudster who wants to create a phantom vendor and redirect payments to their own account needs to get into the vendor master. The onboarding process is the gate. If onboarding requires ABN verification, direct bank confirmation, and authorisation by a manager, the gate is relatively secure. If onboarding requires only a name and a bank account number supplied via email, the gate is open.

Separation of duties matters in onboarding: the person who adds a new supplier to the vendor master should not be the same person who approves the first invoice from that supplier. This prevents a single employee from creating a phantom vendor and approving their own fraudulent invoices, which is one of the most common forms of internal AP fraud.

Onboarding for existing suppliers who change details

Supplier onboarding controls also apply when an existing supplier requests a change to their bank details. A request to change payment details should trigger the same verification steps as onboarding a new supplier: the business should contact the supplier through a known, independently sourced phone number to confirm the change is legitimate before updating the vendor master.

This step is often skipped because the request appears to come from a known supplier. Payment redirection fraud specifically relies on this assumption: the fraudster knows that a request appearing to come from a trusted supplier will be processed with less scrutiny than a request from an unknown one. Treating bank detail change requests with the same rigour as new supplier onboarding closes this gap.