Forbes published an article by Davey Winder on August 20, 2019 that stated “According to Risk Based Security research newly published in the 2019 MidYear QuickView Data Breach Report, the first six months of 2019 have seen more than 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records.”
Data breaches expose our sensitive personal information. Should we be worried about our vendors' data? In Accounts Payable (AP) Vendor Maintenance, should we be worried about our vendors' sensitive data? Yes.
What Is Sensitive Personal Information for Our IRS Reportable Vendors in the Vendor Master File?
Banking Details – Many vendors (especially international vendors) include banking details on their invoices because the account that AP uses is a “deposit only” account. That is not always the case. Many individuals and single-member LLCs do not have “deposit only” accounts, so banking details are considered sensitive personal information.
Birth Date – In specific scenarios, the IRS requires the collection of a birthdate for Foreign Individuals. Birthdates are considered sensitive personal data that should only be collected for regulatory requirements.
Tax ID – For US vendors, it can be either the Employer Identification Number (EIN) or the Social Security Number (SSN). Because the SSN can be assigned to an individual, and because some accounting systems have one field for either tax identification number, the Tax ID should be considered sensitive personal information.
Many companies are turning to third-party tools to remove vendor banking details from their Accounting Systems/ERPs. Third-party e-invoicing or payment tools can put the onus on the vendor to update their banking details, rather than having that sensitive information sent to AP Vendor Maintenance to update the vendor record. Collecting birthdates can pose a huge issue if there is a data breach; however, due to the limitations of W-8 tracking tools in many Accounting Systems/ERPs, this information may be kept on an external spreadsheet maintained by AP Vendor Maintenance or the Tax Team, not to mention that the volume of vendors with a birthdate collected is minimal.
I don’t have a recommendation for the Foreign Tax Identification Number; however, I do have a recommendation for all IRS reportable US vendors that submit a W-9. We collect one from every US entity/vendor and save it on the vendor record. The best way to reduce the risk of exposing our vendors’ SSNs is to not collect them in the first place.
Federal Tax IDs – Can We Require an EIN from All IRS Reportable US Vendors?
Of the business entity types or tax classifications on the W-9, vendors that select the box “Individual/sole proprietor or single-member LLC” are the ones that may include their SSN on the W-9 form, and that SSN will then be entered on the vendor record in your Accounting System or ERP.
The IRS does not require individuals, sole proprietors or single-member LLCs to have an EIN. Each may use their SSN. That changes when either has one or more employees on the payroll, since an EIN is required to report payroll taxes. For more detailed information, check out the IRS page on Employer ID Numbers here or confer with a tax professional.
But the IRS does not prevent these tax classifications from getting an EIN. If a vendor in that tax classification is a business entity, they can request an EIN. So in the example of Jane Doe dba Jane Doe Plant Care, Jane can apply for and receive an EIN.
Asking and Then Making It Easy for the Vendor to Get an EIN from the IRS
So now that we know it is possible, how do we convince the vendor to get an EIN? We make it easy for them.
First, explain the “Why”. Include it in your Vendor Setup Forms and on your Vendor Self-Registration Portal, and have a script ready for your AP Help Desk team members. Then provide the IRS link to register. Get it approved by leadership/legal, but the verbiage can be as simple as:
We strive to protect your sensitive data and prefer that an IRS Employer ID Number (EIN), not a Social Security Number (SSN), be obtained and stored in our vendor master file. For your convenience, here is the link to the IRS to apply for and generate an EIN in minutes.
Unless there are complications, the whole process for the vendor should take about 15 minutes.
You are not requiring the vendor to have an EIN; however, you are putting them at ease because you have controls in place to protect their data. And while not all vendors will be motivated to obtain an EIN, some will appreciate both the effort you are taking to protect their data and the resource you are providing, which they may not otherwise have known was an option. Win-win.
Protect the Vendor Master File from Fraud. Keep it Clean.
Debra R Richardson
MBA, APM, APPM, CPRS
Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.
For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.