Vendor Master Data
Why vendor master data is the foundation of AP fraud risk, what it should contain, and how businesses should manage supplier records to prevent unauthorised changes.
Vendor master data is the central record of information about each supplier a business pays. It typically includes the supplier's legal name, ABN, trading name, contact details, bank account number, BSB, payment terms, preferred payment method, and any notes about the supplier relationship. In Xero, this is the contact card. In MYOB, it is the card file. In a dedicated AP system, it is the supplier profile.
Vendor master data is not just administrative housekeeping. It is the reference point against which every invoice is validated. When an invoice arrives claiming to be from a supplier, the AP system or the AP clerk checks the invoice details against the vendor master to verify that the supplier is known, that the ABN matches, and that the bank details on the invoice match the bank details on record. If the vendor master is inaccurate or out of date, these checks are unreliable.
Why vendor master data is a fraud target
Payment redirection fraud works by changing the bank account details that a buyer has on record for a supplier. If an attacker can update the vendor master record with a fraudulent bank account, every subsequent payment to that supplier goes to the wrong account until the error is detected. The legitimate supplier eventually calls about unpaid invoices, the fraud is discovered, and the business attempts to recover funds that have already been moved.
Changes to vendor master data are one of the highest-risk events in the AP process. A fraudulent bank account update does not require any invoice to be forged; it simply changes where legitimate invoices get paid. This is why vendor master data changes should require a separate authorisation process, distinct from invoice approval, and why changes should be verified by contacting the supplier through a known, independently sourced phone number, not through contact details provided in the change request itself.
What vendor master data should contain
A complete vendor master record for an Australian business should include: the supplier's registered legal name, their ABN, their ACN if they are a company, their trading name if different from their legal name, their primary contact name and phone number, their invoicing email address, their bank account BSB and account number, their PayID if applicable, their standard payment terms, their GST registration status, a record of when the account was created and by whom, and a record of any changes to bank details including the date, the old details, the new details, and who authorised the change.
The record of bank detail changes is often missing from vendor master data in small businesses. Without it, there is no way to audit the history of where payments have been sent or to detect when a change may have been fraudulent.
Maintaining vendor master data quality
Vendor master data degrades over time. Suppliers change their banking arrangements, merge with other businesses, change their ABNs, or go out of business entirely. A vendor master that has not been reviewed in two years will contain records that are materially inaccurate for a proportion of suppliers.
For Australian businesses, periodic vendor master reviews should include ABN verification against the ATO's Australian Business Register, confirmation of bank details for high-value or high-frequency suppliers, and removal of suppliers that have not been paid in more than 12 months. This maintenance is a controls function, not just a data quality function: accurate vendor master data is the prerequisite for meaningful invoice validation.
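The periodic review and the bank-detail change record described above can be checked mechanically. The following is an added example, not code from the original page or from any accounting product: the record schema, the `callback_verified` flag and the sample vendors are assumptions, and the ABN check-digit test is an offline pre-check that does not replace the Australian Business Register lookup.

```python
from datetime import date

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
# Fields the page says each bank-detail change record should carry.
CHANGE_FIELDS = ("date", "old_details", "new_details", "authorised_by")

def abn_checksum_ok(abn: str) -> bool:
    """Offline ABN check-digit test; a pre-check only, not the ABR lookup."""
    digits = [int(c) for c in abn if c.isdigit()]
    if len(digits) != 11:
        return False
    digits[0] -= 1  # the algorithm subtracts 1 from the leading digit
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0

def review_vendor(vendor: dict, today: date) -> list:
    """Return review findings for one vendor record (hypothetical schema)."""
    findings = []
    if not abn_checksum_ok(vendor.get("abn", "")):
        findings.append("abn_failed_checksum")
    # Dormant: not paid (or, if never paid, not created) within ~12 months.
    last_activity = vendor.get("last_paid") or vendor.get("created_on")
    if last_activity is None or (today - last_activity).days > 365:
        findings.append("no_payment_in_12_months")
    for i, change in enumerate(vendor.get("bank_changes", [])):
        missing = [f for f in CHANGE_FIELDS if not change.get(f)]
        if missing:
            findings.append(f"bank_change[{i}]_missing:" + ",".join(missing))
        # 'callback_verified' is an assumed flag: set only after phoning the
        # supplier on an independently sourced number.
        if not change.get("callback_verified"):
            findings.append(f"bank_change[{i}]_no_independent_callback")
    return findings

# Constructed sample records; names, BSBs and account numbers are made up.
TODAY = date(2024, 6, 30)
VENDORS = [
    {"name": "Example Supplies Pty Ltd", "abn": "51 824 753 556",
     "created_on": date(2022, 1, 10), "last_paid": date(2024, 5, 31),
     "bank_changes": [{"date": date(2023, 3, 1), "old_details": "000-000 11111111",
                       "new_details": "000-000 22222222",
                       "authorised_by": "finance.manager", "callback_verified": True}]},
    {"name": "Sample Freight", "abn": "51 824 753 557",
     "created_on": date(2021, 7, 1), "last_paid": date(2023, 2, 14),
     "bank_changes": [{"date": date(2023, 2, 1), "new_details": "000-000 33333333",
                       "authorised_by": None, "callback_verified": False}]},
]

if __name__ == "__main__":
    for v in VENDORS:
        print(v["name"], "->", review_vendor(v, TODAY) or "no findings")
```

A finding is a prompt for manual follow-up, such as the ABR check or a call to the supplier, rather than proof of fraud.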