Vendor Onboarding Checklist for Australian Businesses

A step-by-step checklist for onboarding and verifying new suppliers. Covers ABN validation, identity checks, bank account verification, documentation, and ongoing monitoring.

14-step process
Australian requirements
Bank detail verification

Why a vendor onboarding checklist matters

Every vendor you add to your payment system is a potential payment path. If that vendor's details are wrong, compromised, or fraudulent, money goes to the wrong place. A structured onboarding process is the first line of defence against payment redirection fraud, fake invoice scams, and vendor master file manipulation.

Most businesses have some form of vendor onboarding, but few cover all the steps that matter. The most commonly skipped step is verifying bank account ownership. Businesses collect bank details from vendors and enter them into the system without confirming that the account actually belongs to the vendor. That single gap is where most payment fraud occurs.

This checklist covers everything from initial due diligence through to ongoing monitoring. For a deeper look at supplier verification requirements in Australia, see our dedicated guide.

Phase 1: Before you add a vendor

These pre-onboarding checks confirm that the vendor is a real, registered entity and that the person representing them is who they claim to be.

1. Collect ABN, entity name, contact details, and bank details

Request the vendor's Australian Business Number, registered entity name, primary contact person, phone number, email, and bank account details (BSB and account number). Use a standardised form so you collect the same information from every vendor.

2. Validate the ABN on the Australian Business Register

Look up the ABN on abr.business.gov.au to confirm it is active and matches the entity name provided. Check the registration date, business location, and GST status. An inactive or cancelled ABN is a red flag. For more on this step, see our guide to ABN verification before payment.

3. Check ASIC registration for companies

If the vendor is a company (Pty Ltd, Ltd, etc.), check their registration on the ASIC register. Confirm the company is registered, not deregistered or under external administration. Cross-reference the company name and ACN with what the vendor provided.

4. Verify GST registration if they are charging GST

If the vendor includes GST on their invoices, confirm they are registered for GST. This is visible on the ABN lookup. Paying GST to an unregistered vendor means you cannot claim the GST credit, and it may indicate the vendor is not legitimate.

5. Confirm the contact person's identity

Verify that the person setting up the vendor relationship is authorised to act on behalf of the business. For high-value vendors, this means confirming their identity independently, not just accepting their word. This step catches impersonation and business email compromise early.

Phase 2: Verifying bank details

This is the step most businesses skip, and it is the step where most payment fraud occurs. Verifying a supplier's bank account before you pay is the single most effective control against payment redirection.

6. Validate the BSB

Confirm the BSB is a valid, active branch code. Cross-reference it with the vendor's stated bank. If a vendor says they bank with Commonwealth Bank but the BSB belongs to a different institution, something is wrong.

7. Verify bank account ownership

This is the critical step. Confirm that the bank account actually belongs to the vendor entity, not just that the BSB and account number are valid. Confirmation of Payee (CoP) checks verify account ownership directly through banking infrastructure. Without this step, you are trusting that the bank details are correct based on an email or form submission.

8. Cross-reference the account holder with the ABN entity

The bank account holder name should match the registered entity name on the ABN. Mismatches (such as a company ABN but a personal bank account, or a different entity name) require investigation before proceeding. There may be a legitimate reason, but it needs to be confirmed and documented.

For a detailed explanation of Confirmation of Payee and how it works in Australia, see our dedicated guide.

Phase 3: Documentation and record keeping

Verification without documentation is verification you cannot prove. When auditors, insurers, or regulators ask how you verified a vendor, you need evidence.

9. Record what was checked, by whom, and when

For every vendor, document each verification step completed, the name of the person who performed it, the date and time, and the result. This creates accountability and makes it clear whether a vendor was fully verified or had steps skipped.

10. Store verification evidence in an audit trail

Keep the actual evidence: ABN lookup results, ASIC register screenshots, bank verification confirmations, and identity check results. Store these in a tamper-proof system, not in email threads or shared drives where they can be altered or lost.

11. Set a re-verification schedule

Verification is not a one-time event. Set a schedule for re-verifying vendor details. At minimum, re-verify annually for all vendors and before every pay run for bank details. High-risk vendors (large payment volumes, recent changes, overseas entities) should be re-verified more frequently.
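
One way to make the records from steps 9 and 10 tamper-evident is a hash-chained log, where each entry commits to the entry before it and to a digest of its evidence file. This is an added example, not ezyshield's code; the hash-chain design, the field names and the sample vendor data are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry


def chain_hash(prev_hash, body):
    # Canonical JSON so the same record always produces the same digest.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(log, vendor_id, step, result, checked_by, checked_at, evidence):
    """Append what was checked, by whom and when, bound to a digest of the evidence."""
    body = {
        "vendor_id": vendor_id,
        "step": step,
        "result": result,
        "checked_by": checked_by,
        "checked_at": checked_at,
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
    }
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = dict(body, prev=prev_hash, hash=chain_hash(prev_hash, body))
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first entry that fails the chain check, else None."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev_hash or entry["hash"] != chain_hash(prev_hash, body):
            return i
        prev_hash = entry["hash"]
    return None


def build_sample_log():
    # Constructed sample data: vendor id, staff name, times and evidence bytes are made up.
    log = []
    append_record(log, "V-1001", "abn_lookup", "active", "j.nguyen",
                  "2024-03-04T09:12:00+11:00", b"constructed ABN lookup export")
    append_record(log, "V-1001", "bank_account_ownership", "match", "j.nguyen",
                  "2024-03-04T09:20:00+11:00", b"constructed CoP confirmation")
    return log
```

A chain like this shows edits, reordering and removal of earlier entries, but not removal of the newest ones, so the latest hash should also be kept somewhere the log's editors cannot write.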

Phase 4: Ongoing monitoring

Onboarding is the start, not the finish. Vendor details change, businesses get compromised, and fraud can happen months after a vendor was initially verified.

12. Re-verify before every pay run

Check that the bank details you are about to pay still match the verified details on file. If anything has changed since the last verification, hold the payment until the change is confirmed through a verified, independent channel. This is the single most important ongoing control.

13. Flag and investigate any bank detail changes

Every bank detail change request should be treated as suspicious until confirmed. Scammers use compromised emails, spoofed phone calls, and social engineering to request bank detail changes. Never confirm a change through the same channel it was requested. Call the vendor on a number you already have on file.

14. Conduct periodic vendor master file reviews

At least quarterly, review your full vendor master file for anomalies: duplicate entries, dormant vendors, vendors with no recent transactions, and entries where details have changed without corresponding verification records. For more on this, see our guide to vendor master file fraud.
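
The pay-run check in step 12 and one of the master file checks in step 14, sketched as a screening pass over a payment batch. This is an added example, not ezyshield's code; the record layout, the 365-day limit (taken from the annual minimum in step 11) and all sample values are assumptions.

```python
from datetime import date


def digits(value):
    # Compare digits only, so "123-456" and "123456" are the same BSB.
    return "".join(ch for ch in value if ch.isdigit())


def bank_key(rec):
    return digits(rec["bsb"]), digits(rec["account"])


def screen_pay_run(payments, verified, pay_date, max_age_days=365):
    """Split a pay run into payments to release and (payment, reason) pairs to hold."""
    release, hold = [], []
    for p in payments:
        record = verified.get(p["vendor_id"])
        if record is None:
            hold.append((p, "no verification record"))
        elif bank_key(p) != bank_key(record):
            hold.append((p, "bank details differ from verified details"))
        elif (pay_date - record["verified_on"]).days > max_age_days:
            hold.append((p, "verification out of date"))
        else:
            release.append(p)
    return release, hold


def shared_accounts(master):
    """Master file review: bank accounts listed under more than one vendor id."""
    seen = {}
    for vendor_id, rec in master.items():
        seen.setdefault(bank_key(rec), []).append(vendor_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


# Constructed sample data: vendor ids, BSBs, account numbers and dates are made up.
VERIFIED = {
    "V-1001": {"bsb": "123-456", "account": "11112222", "verified_on": date(2024, 3, 4)},
    "V-1002": {"bsb": "123-457", "account": "33334444", "verified_on": date(2022, 11, 1)},
    "V-1003": {"bsb": "123-456", "account": "55550000", "verified_on": date(2024, 5, 20)},
    "V-1007": {"bsb": "123456", "account": "55550000", "verified_on": date(2024, 5, 21)},
}
PAY_RUN = [
    {"vendor_id": "V-1001", "bsb": "123456", "account": "11112222", "amount": 1200.00},
    {"vendor_id": "V-1002", "bsb": "123457", "account": "33334444", "amount": 310.50},
    {"vendor_id": "V-1003", "bsb": "123456", "account": "55559999", "amount": 8400.00},
    {"vendor_id": "V-1004", "bsb": "123458", "account": "77778888", "amount": 95.00},
]
```

Held payments stay held until the difference is confirmed through the independent channel described in step 13; the screening only decides what may not be released automatically.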

How ezyshield automates this checklist

Every step in this checklist maps to an automated ezyshield verification. What takes your team 15 to 30 minutes per vendor happens in seconds, with a complete audit trail.

Steps 1 to 5: Business verification

ezyshield validates the ABN, checks ASIC registration, confirms GST status, and verifies the identity of the person representing the vendor. All in a single flow, all against live government registers.

Steps 6 to 8: Bank account verification

ezyshield verifies BSB validity, confirms bank account ownership via Confirmation of Payee, and cross-references the account holder with the ABN entity. No phone calls. No guessing.

Steps 9 to 11: Automated audit trail

Every verification is logged automatically with timestamps, results, and evidence. Exportable as PDF for auditors. No manual record keeping required.

Steps 12 to 14: Continuous monitoring

ezyshield re-verifies before every pay run. Any change to vendor details triggers automatic re-verification. Anomalies are flagged instantly, not discovered during a quarterly review.

Frequently asked questions

How often should we re-verify vendor bank details?

Best practice is to re-verify before every pay run. Bank details can change between payments, and a compromised email can trigger a fraudulent change at any time. At minimum, re-verify quarterly and always re-verify when a vendor requests a bank detail change through any channel.

What should we do when a vendor changes their bank details?

Treat every bank detail change as a potential fraud attempt until proven otherwise. Do not confirm the change through the same channel it was requested (if it came by email, do not reply to that email). Call the vendor on a number you already have on file, verify the change independently, and document the verification. ezyshield automates this by re-verifying bank account ownership whenever details change.

Do we need to verify sole traders the same way as companies?

Yes. Sole traders should still be verified by ABN, identity, and bank account ownership. The ABN lookup will show them as "Individual/Sole Trader" rather than a company. The bank account should still be confirmed as belonging to the person or entity you intend to pay.

What if a vendor refuses to provide verification information?

This is a red flag. Legitimate vendors understand the need for verification, especially when you explain it is for their protection as well as yours. If a vendor refuses to verify their identity or bank details, escalate to management and consider whether the vendor relationship should proceed.

How long does vendor onboarding take with ezyshield?

ezyshield completes the full verification flow (ABN, identity, and bank account ownership) in minutes. Compare that to 15 to 30 minutes of manual verification per vendor, which often requires multiple phone calls and follow-ups over days. The vendor experience is also smoother because it is a single digital flow rather than back-and-forth emails.

Can we use this checklist for existing vendors?

Absolutely. If your existing vendors have never been properly verified, run them through this checklist as a vendor master file cleanup. Prioritise vendors with the highest payment volumes first. ezyshield can verify your entire vendor base, not just new additions.

Automate your vendor onboarding

ezyshield handles every step of this checklist in a single verification flow. ABN, identity, bank account ownership, and audit trail. All automated.