top of page

Does In-House Vendor Credentialing Lead to Asymmetric Risk?

Property managers and owners handling vendor credentialing and compliance on their own are more vulnerable for risk than they may realize. Having friendly relationships with a suite of contractors trusted at their word, or asking community managers, coordinators or untrained staff to perform insurance, financial, licensing and criminal background checks can spell trouble. Relying on employees and manual processes to govern vendor credentialing to save on costs or because “we’ve always done it this way” can cloud better judgement on the risks involved.

Viewing in-house vendor compliance as a money-saving measure can lead to asymmetric risk. Owners and property managers assume unnecessary liability. There are long-term expenses and consequences to maintaining this practice. If you’re thinking of continuing your vendor compliance using an in-house team, it’s fair to ask, “Am I really mitigating my risk by doing my own credentialing?”

Before you answer that question, keep reading to see what risks may be lurking.

Principal Information

A key approach to vendor credentialing involves gathering information on the corporate structure, named principals and W-9 tax information for every contractor a property hires. Vendors usually comply with submitting their W-9 details. It’s customary for accounting departments to require having tax information on file, before a contractor can get paid.

There’s more to getting a vendor’s W-9 copied and submitted over to accounts payable. Verifying the Tax ID provided by the vendor matches the company and principal name(s) with the IRS is needed. Identity theft using invalid or stolen tax information has become an everyday occurrence. This phenomenon affects commercial enterprises too. Merely collecting a 9-digit number with a company name and a signature is no guarantee that your vendor’s Tax ID number is correct. Waiting until tax time to confirm the vendor’s tax data is not a good idea because of the potential for fines, or worse.

Many property management employees do not suspect their contractor would have incorrect or less than stellar credentials with the IRS. Transmitting a vendor’s tax information directly to the government databases for verification is important. Performing this activity with the proper tools avoids financial penalties. The IRS can charge organizations high fees for incorrect 1099’s. Providing misinformation can lead to additional review and audits. Not knowing who your vendor is can adversely affect a company’s balance sheet and reputation.

With Tax ID and identity compromise issues, there’s renewed national attention on OFAC compliance. OFAC is the acronym for Office of Foreign Asset Control. Federal law states all individuals and organizations within the United States cannot have any business dealings with individuals or entities listed on OFAC’s Specially Designated Nationals (SDN) or the Blocked Persons List. These watch-lists include known terrorists, terrorist supporters and persons involved in money laundering, international narcotics trafficking and other nefarious activities.

Companies bear the burden and the resultant liability to determine if a vendor company or its principals appear on government watch-lists. They must avoid doing business with them. It’s worth repeating: it’s against Federal Law under the Patriot Act to have any business dealings with anyone appearing on the lists. All U.S. companies and nonprofits must comply with the OFAC requirements. Some states may have even more restrictive regulations than those at the Federal level.

If a vendor is funneling money to a terrorist on the watchlist, the government will begin tracing the funds. The fines for anyone doing business with someone on the list by hiring them or giving them money can be severe. Failure to perform proper due diligence upfront can mean huge fees for failure to comply, up to and including criminal penalties.

Vendor vetting and verification activities are an ongoing process. The status of individual principals and vendor companies is always in flux. It’s important to frequently and consistently check U.S. Treasury, OFAC, state, county and other databases to avoid costly and reactive compliance errors.

How Certs Can Hurt

Asking employees to verify insurance certificates (COI’s), policy limits, contract language and endorsements makes sense if they possess the qualifications to do so. People who are collecting vendor insurance coverage data on behalf of property management companies or owners typically do not have this level of expertise. You wouldn’t hire an unqualified contractor, so why would you ask an unqualified employee to review insurance documents submitted by third-party vendors?

Proficiency within each state’s insurance regulations regarding allowable coverage types, and the valid stacked and combination umbrella options are key areas to be aware of. Being able to correctly evaluate varying policy limits, analyze exceptions and interpret non-standardized endorsement language is not for laymen. Here is why:

  • Risk management professionals know that verifying coverage involves more than confirming a few data points like an annual policy renewal date. They know there can be multiple permutations of insurance coverage that may or may not apply to different projects, work locations and scenarios. They understand carrying adequate amounts of the right kind of coverage can be unique to each type of vendor-contractor and the physical property being serviced. They also know to look for policy ownership, named and additional insureds and verify the company entities and names align properly

  • Vendors may in fact carry adequate coverage via multiple coverages or endorsements, though not all certificates will appear the same. Non-trained staff may take extra time trying to verify confusing or contradictory information on insurance documents. Folks who are less thorough may ignore red flags. Those who are unsure may be unlikely to ask questions about possible discrepancies. Inconsistencies in the insurance certificate review process may jeopardize an organization down the road.

  • Missing an important data mark, not asking questions or ignoring details when verifying insurance certs can make a huge difference at claim time. Utilizing under-insured or uninsured vendors can lead to the transfer of liability for property damage, worker’s compensation or other litigation when unfortunate accidents or events happen.

Licensing Concerns

Keeping up with valid professional licensure is another aspect that can suffer with in-house compliance processes. Often, contractors appear competent and trustworthy. A professionals license may have been valid in years past, but that doesn’t guarantee that the license hasn’t lapsed or that disbarment from a state licensing board hasn’t occurred over the course of time.

Many owners and property managers rue the day they didn’t follow through on verifying licensing and insurance credentials for their vendor population. Text alerts and news stories cover horrific accidents at properties due to the fault of hired workers. It’s no surprise that litigation and lawsuits often follow.

Accidents and unplanned events may not be avoidable. Managing known risk and lowering the potential for liability is. Following a consistent process for credentialing all contractors and subcontractors may mean taking an honest look at your staff’s capabilities, hours they have available in the day and whether automation would help. Managing hundreds of details without having expertise to do so places a larger portion of the risk equation on the company, and not on the vendor where it belongs.

Changing the Risk Equation

By engaging with a professional organization that specializes in vendor risk management to assist, companies find that their staff can utilize time better by reviewing recommendations, results and dashboards. Using a firm like ERC to provide insights on robust background checks and expertly verify insurance coverage and licensing helps narrow the amount of data a company has to sift through and manage. Working with ERC allows companies to simplify vendor compliance with repeatable vendor credentialing techniques. Employees can quickly monitor results and escalate exceptions to their leadership team.

Using reminders or trying to manually process credentialing for all the vendors a property uses can be ineffective and overwhelming.. It consumes a disproportionate amount of time to complete. Verifying W-9’s and tax information with the IRS is important. Knowing that vendors do not appear on OFAC or other government-mandated watchlists is another concern. Managing the granular details of insurance policies and keeping up with professional state licensing boards are additional challenges. Detailed inquiries, verification and analysis are juggled with other customer needs competing at the same time.

Using ERC’s tools to take control of vendor credentialing and compliance lowers risk, saves on future costs and helps avoid potential litigation.


Enterprise Risk Control brings to market one of the most advanced, feature-rich vendor management solutions in the industry. Our technology, coupled with our unparalleled service, allows you to automate the collection of vendor information based on their risk exposure. This information is continuously evaluated against your criteria, thus reducing your exposure while giving you the tools to effectively manage your vendor database. ERC services all sizes of business across all business verticals. Small oversights can have enormous consequences; let ERC provide you with the peace of mind that comes from knowing that you are proactively protecting your business with our accurate, intuitive and customizable compliance solution.

Search By Tags
Follow Us
bottom of page