Vendor Compliance Checks
In an ever-evolving world of compliance requirements and fraud concerns, it's more important than ever to know for sure that the people you're paying are who they say they are. Routable has built a suite of tools into our experience to help.
To start using Vendor Compliance Checks, you will need to enable the feature. First, contact your Routable success manager to request activation of compliance checks. Additional fees may apply. Once that's done, you'll need to configure the feature under Payables and vendors under Account Settings on the Routable Dashboard. There, you can specify how vendors get enrolled - essentially, setting the criteria a vendor needs to meet before Routable will verify them. You can also determine whether you want Routable to prevent Payables from being sent to a vendor if their compliance checks turn up any issues.
In the Routable API, you can get a quick summary of a vendor's Compliance Check status by inspecting the risk_summary field in the Retrieve a Company response. It has the following potential values:
cant_validate: An error occurred when we attempted to verify the vendor, and the verification could not be completed.
dismissed: Issues were found when Routable ran our compliance checks, but one of your TeamMembers manually dismissed them to allow payment to proceed (see below for more about this).
not_evaluated: The Company is not enrolled for vendor compliance checks. This could be because you haven't added vendor compliance checks to your Routable workspace, because the vendor has not met the threshold specified in your Account Settings, or because a TaxForm has not been collected for the vendor (this is required in order to obtain the government IDs and other information necessary to validate the vendor). Calls to the Retrieve Compliance Report endpoint will return a 404 Not Found for vendors in this state.
passed: All of the checks completed, no issues were found, and the vendor is verified and safe to pay! 🎉
queued: The vendor is set up for compliance checks, but the checks have not yet been run.
review_required: Issues have been found with the compliance checks. Depending on the hold payment settings you have configured in Account Settings, you will likely need to manually dismiss the compliance checks (either via the Routable Dashboard or the API) before payment to this vendor will be released.
Of course, if something has gone wrong with a check, you're probably going to want to know what it is. Don't worry, we've got you covered! Hit the Retrieve Compliance Report endpoint, and you'll get back a detailed report of all of the checks we ran - when and how we ran them, which checks passed and which didn't, and details about any issues we found.
You're making a list, we're checking it twice...
Currently, Routable runs two checks against vendors enrolled in compliance monitoring. One validates that the provided government ID - which might be a TIN or ITIN, or some other government-issued identifier depending on the vendor's country - is valid and matches the legal_name provided in the TaxForm. The other searches a variety of watchlists to confirm that there are not sanctions or other restrictions placed on the company that could prevent payments to them. Routable will be adding more checks to this offering over time.
The Compliance Report response looks a bit like this:
{
  "object": "ComplianceReport",
  "id": "09579c08-f73d-4237-8c56-77f39c53b64a",
  "checks": [
    {
      "id": "175da0b2-5210-4f20-b9e7-0e04c57d0b53",
      "type": "tin",
      "created_at": "2025-09-19T19:47:20.927000+00:00",
      "issues": [],
      "status": "passed",
      "updated_at": "2025-09-19T19:47:23.991000+00:00"
    },
    {
      "id": "113cf4bf-1909-463d-9f05-95d2e16076bd",
      "type": "watchlist",
      "created_at": "2025-09-19T19:47:20.925000+00:00",
      "issues": [
        {
          "type": "watchlist",
          "checked_at": "2025-09-19T19:47:20.985000",
          "fields": [
            {
              "label": "score",
              "value": "100%"
            },
            {
              "label": "remarks",
              "value": "Type: Entity | Remarks: (Linked To: PERDOMO ROSALES, Gustavo Adolfo)"
            }
          ],
          "source": {
            "name": "FEDERAL EXCLUSION - Specially Designated Nationals [SDN] List",
            "region": "North America"
          },
          "subject_name": "My Test Business",
          "url": "https://sanctionssearch.ofac.treas.gov/Details.aspx?id=26211"
        },
        {
          "type": "watchlist",
          "checked_at": "2025-09-19T19:47:20.985000",
          "fields": [
            {
              "label": "score",
              "value": "100%"
            }
          ],
          "source": {
            "name": "FSE List",
            "region": "North America"
          },
          "subject_name": "My Test Business",
          "url": "https://ofac.treasury.gov/specially-designated-nationals-list-data-formats-data-schemas"
        }
      ],
      "status": "issues_found",
      "updated_at": "2025-09-19T19:47:24.002000+00:00"
    }
  ],
  "created_at": "2025-09-19T19:47:24.007000+00:00",
  "dismissal": null,
  "status": "review_required",
  "subject": {
    "government_id": {
      "type": "ein",
      "value": "*********"
    },
    "legal_name": "My Test Business"
  },
  "links": {
    "self": "https://api.sandbox.routable.com/v1/companies/157de565-a360-4344-b2df-24b979696a2d/compliance-checks",
    "company": "https://api.sandbox.routable.com/v1/companies/157de565-a360-4344-b2df-24b979696a2d"
  }
}
The checks array shows all of the things we checked out. In the case of this vendor, their government ID - in this case a tin because it's a US vendor - matched the records we checked, so the tin check has a status of passed. Looking good!
If a TIN/Government ID mismatch is reported, you'll see a status of issues_found with that check, but the issues array will be empty. This means the legal name provided on the TaxForm does not match the name associated with the provided TIN or Government ID.
But, the watchlist check has a status of issues_found. Rut roh. Looking in the issues array of that check, we can see that the vendor appeared on two watchlists, indicating potential problems that probably mean you don't want to send them any money.
Forcing failures for sandbox testing
In the Routable Sandbox, any vendor enrolled in compliance checks will pass all checks by default. If you want to force a failure state for testing purposes, when creating the TaxForm vendor, add one or more of these strings in the legal name field - either the last_name field for a personal Company, or the business_name for a business Company:
nomatch - the TIN or government ID check will be reported as a mismatch.
hits - Simulated watchlist hits will be reported as issues.
The status of the compliance report itself is review_required, which matches the value of risk_summary in the Retrieve a Company response. This means, unless you have overly permissive settings chosen, you probably can't pay this vendor. Payables sent to them would be placed into compliance_hold status so you can evaluate the potential risk of sending funds to the vendor and decide if you want to proceed.
If you do want to go ahead and release the funds, you'll need to tell Routable you've manually verified the vendor and are comfortable with allowing money to flow to them. You can do this by dismissing the compliance check, either via the API or on the Routable Dashboard. The payload to do this in the API is super-simple, just requiring a TeamMember ID for the person on your team who authorized the release. This information will be recorded. If the vendor's Compliance Report is retrieved again, it will show a status of dismissed, and the dismissal object in the report will be populated with the name and ID of the TeamMember that authorized the dismissal and the timestamp at which it occurred. Any Payables in the compliance_hold status will be released to proceed through their normal workflow.
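A client-side pre-payment gate over an already-retrieved Compliance Report, as an added example (not Routable's own code). It assumes the report status takes the same values as risk_summary; the function names and the fail-closed policy are illustrative choices, and the sample reports are constructed from the response shown above.

```python
import json

# Report statuses that allow payment; every other value (queued, cant_validate,
# not_evaluated, review_required, or anything unknown) fails closed.
PAYABLE = {"passed", "dismissed"}

def check_findings(check):
    """Describe the problems reported by one entry of the report's checks array."""
    if check.get("status") != "issues_found":
        return []
    issues = check.get("issues") or []
    if not issues:
        # Per the page: issues_found with an empty issues array is a name/ID mismatch.
        return [f"{check['type']}: legal name does not match government ID"]
    out = []
    for issue in issues:
        fields = {f["label"]: f["value"] for f in issue.get("fields", [])}
        source = issue.get("source", {}).get("name", "unknown source")
        out.append(f"{check['type']}: {source} (score {fields.get('score', 'n/a')})")
    return out

def evaluate(report):
    """Return a pay/hold decision plus the evidence to log with it."""
    status = report.get("status")
    findings = [f for c in report.get("checks", []) for f in check_findings(c)]
    pay = status in PAYABLE
    if status == "passed" and findings:
        pay = False  # inconsistent report: hold rather than trust the summary
    return {"pay": pay, "status": status, "findings": findings,
            "dismissal": report.get("dismissal")}

# Constructed sample: the page's report, trimmed to the fields used here.
SAMPLE = json.loads("""
{"status": "review_required", "dismissal": null, "checks": [
  {"type": "tin", "status": "passed", "issues": []},
  {"type": "watchlist", "status": "issues_found", "issues": [
    {"fields": [{"label": "score", "value": "100%"}],
     "source": {"name": "FEDERAL EXCLUSION - Specially Designated Nationals [SDN] List"}},
    {"fields": [{"label": "score", "value": "100%"}],
     "source": {"name": "FSE List"}}]}]}
""")

# Constructed sample: TIN mismatch, reported as issues_found with no issues.
MISMATCH = {"status": "review_required", "dismissal": None,
            "checks": [{"type": "tin", "status": "issues_found", "issues": []}]}

if __name__ == "__main__":
    for report in (SAMPLE, MISMATCH):
        print(json.dumps(evaluate(report), indent=2))
```

Logging the returned dismissal object alongside each released payment keeps your own audit trail of who authorized it.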
Want to dig even deeper to secure your flow of funds? We've got you covered.
It's great to know that a vendor is who they say they are, but that only helps if the bank account you have on file for them actually belongs to them and not someone else. That's where the companion feature to this offering, Bank Account Validation, comes into play. We'll check to make sure that the account is open, valid and not prevented from receiving funds by some governmental restriction, and that its ownership information matches the identifying information we have on file for the vendor.