Entity Relationship Identification, Verification and Control

Why Entity Relationships Are an Advanced Control Challenge

Most vendor data validation controls operate at the level of the individual vendor record. Does this bank account belong to this vendor? Does this TIN match this legal name? Does this address correspond to this entity? These are essential controls, and their absence creates serious vulnerability. But they share a common limitation: they evaluate each vendor record in isolation, without reference to the relationships between vendors, between vendors and employees, or between vendors and the organization's own ownership and management structure.

Entity relationship verification is the discipline that addresses what individual record validation cannot: the connections between vendors that may indicate related-party arrangements, conflicts of interest, duplicate payment risk, fictitious vendor networks or the kind of ownership complexity that conceals a vendor's true identity or beneficial ownership.

It is an advanced topic because the data required to perform it is more complex, the analytical methods are more sophisticated, and the judgments involved are less binary than those required for TIN matching or bank account validation. But for organizations managing significant vendor payment volumes or operating in regulated industries, it is an essential component of a complete vendor due diligence program.

The Parent-Child Vendor Structure: What It Is and Why It Matters

A parent-child vendor relationship exists when a single corporate family — a parent company and one or more subsidiaries, affiliates or related entities — appears in the vendor master as multiple separate vendor records. This is a common and often entirely legitimate condition. A large supplier may have separate legal entities for different product lines, geographic regions or service categories, each with its own EIN, banking information, and invoicing address. From the vendor master's perspective, these appear as distinct vendors. From a control perspective, they are related parties whose combined payment volume, contractual terms and risk profile should be understood in aggregate.

The control implications of unrecognized parent-child relationships are significant.

Payment concentration risk is obscured when related vendors are managed as independent records. An organization may have payment policy thresholds — requiring enhanced approval for vendors above a certain annual payment volume, for example — that are effectively circumvented when payments to related entities are not aggregated. A parent company and three subsidiaries, each receiving payments just below the enhanced approval threshold, may together represent a payment relationship that would trigger a very different level of scrutiny if recognized as a single corporate family.

Contract and negotiation leverage is diminished when procurement and AP do not have visibility into the full scope of a vendor relationship across related entities. Volume discounts, consolidated payment terms, and strategic sourcing decisions all depend on understanding total spend with a corporate family, not just with individual legal entities within it.

Duplicate payment risk is elevated when related vendors share similar names, addresses, or banking information and the vendor master does not reflect the relationship between them. Invoice processing systems that lack parent-child mapping may process duplicate invoices from related entities without recognizing the duplication.

Fraud risk is concentrated in unrecognized related-party arrangements, which are difficult to detect precisely because the relationship between the parties is not visible in the vendor master.

The most consequential category of entity relationship risk in the AP context is the undisclosed conflict of interest — a vendor relationship in which an employee, officer or other organizational insider has an undisclosed financial interest or ownership stake.

This risk takes several forms. An employee may own or co-own a vendor entity that does business with the organization, collecting payments that are approved through normal channels without disclosure of the ownership relationship. A manager may direct business to a vendor in which a family member has an interest. A senior executive may hold an equity stake in a supplier whose contract terms have never been subjected to arm's-length scrutiny.

These arrangements are not always illegal, and they are not always fraudulent. Many organizations permit related-party vendor relationships subject to disclosure and recusal requirements. What makes them a control problem is concealment: when the relationship is not disclosed, it cannot be governed, and the organization's procurement and payment decisions may be systematically distorted in ways that benefit the insider at the organization's expense.

The ACFE's research consistently identifies conflicts of interest as one of the most financially damaging categories of occupational fraud, with median losses substantially higher than those associated with simpler schemes. The reason is duration: conflict-of-interest arrangements, precisely because they are concealed and operate within normal approval workflows, tend to persist for years before detection.

Detecting undisclosed conflicts of interest requires comparing vendor ownership and contact data against employee records — a cross-referencing discipline that goes beyond standard vendor record validation and requires access to data sources that AP functions do not always control directly.

Beneficial Ownership: The Emerging Compliance Dimension

The identification of entity relationships has gained a significant new compliance dimension with the implementation of beneficial ownership reporting requirements under the Corporate Transparency Act (CTA). Effective January 2024, most U.S. corporations, LLCs, and similar entities are required to report their beneficial owners — individuals who own or control 25 percent or more of the entity, or who exercise substantial control over it — to the Financial Crimes Enforcement Network (FinCEN) through the Beneficial Ownership Information (BOI) reporting system.

While the CTA's primary obligation runs to the reporting entity itself rather than to its customers or vendors, the BOI database creates a new data resource for organizations seeking to understand the true ownership of their vendor entities. FinCEN has indicated that authorized recipients — including financial institutions with customer due diligence obligations — will have access to BOI data for compliance purposes.

The practical availability and scope of this access for AP programs is still developing, but the directional implication is clear: beneficial ownership transparency is an increasing regulatory expectation, and vendor due diligence programs that do not address beneficial ownership are operating below the emerging standard of care.

For organizations in regulated industries — banking, government contracting, healthcare, and others — beneficial ownership verification of key vendors may already be a requirement under existing regulatory frameworks, independent of the CTA.

Identification Methods: Finding Relationships That Are Not Self-Reported

The central challenge of entity relationship verification is that the relationships most worth finding are precisely those that have not been disclosed. A vendor that voluntarily identifies itself as a subsidiary of a known parent company requires relationship mapping but not investigation. A vendor whose connection to an organizational insider has not been disclosed requires detection.

Several methods and data sources support entity relationship identification.

Corporate Hierarchy Databases

Commercial business intelligence services — including Dun & Bradstreet's corporate linkage data, Bureau van Dijk's Orbis database, and similar platforms — maintain corporate family tree data that maps parent-subsidiary relationships across large portions of the global business population. These services assign a global ultimate parent identifier to each entity in their database, allowing organizations to identify all members of a corporate family and aggregate vendor master records accordingly.

Dun & Bradstreet's Data Universal Numbering System (DUNS) and Global Ultimate DUNS identifiers are the most widely used standard for corporate family mapping in the U.S. procurement and AP context. Organizations that append DUNS numbers to vendor records — and that use Global Ultimate DUNS to identify the top of each corporate family — have a systematic basis for parent-child mapping that does not depend on vendor self-report.
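The threshold circumvention described earlier (related entities each paid just below the enhanced-approval level) becomes detectable once a family identifier is on every record. The following is an added example, not code from the original article: the threshold amount, the record layout and the `GU-` identifiers are constructed placeholders, not real DUNS values.

```python
from collections import defaultdict

THRESHOLD = 250_000  # assumed annual payment volume that triggers enhanced approval

# Constructed records: (vendor id, global ultimate identifier or None, annual payments).
VENDOR_SPEND = [
    ("V100", "GU-0001", 240_000),
    ("V101", "GU-0001", 235_000),
    ("V102", "GU-0001", 228_000),
    ("V103", "GU-0001", 245_000),
    ("V200", "GU-0002", 310_000),  # already caught by the per-record control
    ("V300", "GU-0003", 40_000),
    ("V301", "GU-0003", 55_000),
    ("V400", None, 120_000),       # not yet enriched with a family identifier
]

def family_rollup(records):
    """Group (vendor id, amount) pairs under their corporate family."""
    families = defaultdict(list)
    for vendor_id, ultimate, amount in records:
        # A vendor with no identifier is treated as its own one-member family.
        families[ultimate or f"UNMAPPED:{vendor_id}"].append((vendor_id, amount))
    return families

def hidden_concentration(records, threshold=THRESHOLD):
    """Families whose total meets the threshold while every member stays below it."""
    findings = {}
    for family, members in family_rollup(records).items():
        total = sum(amount for _, amount in members)
        if total >= threshold and all(amount < threshold for _, amount in members):
            findings[family] = {"total": total,
                                "members": sorted(vid for vid, _ in members)}
    return findings

def unmapped(records):
    """Vendors the rollup cannot place in a family: the enrichment backlog."""
    return [vendor_id for vendor_id, ultimate, _ in records if not ultimate]

if __name__ == "__main__":
    for family, detail in hidden_concentration(VENDOR_SPEND).items():
        print(family, detail["total"], detail["members"])
    print("needs enrichment:", unmapped(VENDOR_SPEND))
```

The unmapped list matters as much as the findings: a vendor without a family identifier can never appear in an aggregate, so the rollup is only as complete as the enrichment behind it.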

State Business Registry Cross-Reference

Secretary of State registries disclose registered agent information, officer and director names, and in some states ownership information for registered entities. Cross-referencing vendor officer and director names against employee records and against the officer and director data of other vendors in the master file is a practical method for identifying undisclosed relationships that does not require access to commercial databases.

Tax ID and Banking Data Pattern Analysis

Vendors that share a TIN — which should not occur in a properly governed vendor master — are almost certainly the same entity appearing under multiple names. Vendors that share banking information are either the same entity or related entities whose payments flow to the same destination. Either condition is a significant control finding. Systematic analysis of TIN and banking data across the full vendor master is a basic data integrity check that many organizations have not performed and that routinely surfaces both legitimate duplicate records and fraudulent ones.

Address and Contact Data Analysis

Vendors sharing the same address, phone number, or contact name may be related entities — or may be fictitious vendors created by the same actor. As discussed in the Address Verification section of this series, multiple vendors sharing a single address, particularly a residential or mail drop address, is a pattern that warrants investigation. The same principle applies to shared contact data: a phone number or email domain that appears across multiple vendor records is a relationship indicator that deserves examination.

Employee and Vendor Data Cross-Referencing

Identifying potential conflicts of interest requires comparing vendor contact information, addresses, and — where accessible — ownership data against the employee master file. At minimum, this means checking whether any vendor address matches an employee address, whether any vendor contact name appears in the employee directory, and whether any vendor's listed principals share a surname with employees in procurement, AP, or management roles.

More sophisticated implementations use identity resolution tools that go beyond exact matching to detect near-matches — name variations, address formatting differences, and other data quality issues that prevent straightforward duplicate detection — and that cross-reference vendor data against beneficial ownership disclosures, public records, and professional network data.

The Vendor Master Governance Dimension

Entity relationship management is inseparable from vendor master governance. A vendor master that does not systematically capture parent-child relationships, that does not flag related-party indicators, and that does not enforce policies on conflict-of-interest disclosure has a structural gap that individual record validation cannot fully address.

Best practice in vendor master governance includes assigning a corporate family identifier — such as a DUNS Global Ultimate — to every vendor record, so that related entities are always visible in aggregate. It includes a conflict-of-interest disclosure requirement, embedded in the vendor onboarding process, that asks vendors to identify ownership relationships with organizational employees or officers. And it includes a periodic relationship review process — not just at onboarding — that reassesses known relationships and screens for newly identified ones as the vendor population evolves.

The vendor master is a living dataset. Corporate structures change. Acquisitions create new parent-child relationships that did not exist when a vendor was onboarded. Employees join the organization with existing business relationships that were not identified at hire. A relationship verification program that operates only at the onboarding event will miss the relationships that develop afterward.

Practical Implementation: Where to Start

For organizations building an entity relationship verification capability, a practical sequence begins with the data that is already in the vendor master.

1. The first step is internal consistency analysis: identifying vendors that share TINs, banking information, addresses, or contact data. This analysis surfaces both data quality problems and potential fraud indicators, and it requires no external data source — only the vendor master itself.

2. The second step is employee cross-reference: comparing vendor address and contact data against the employee master to identify potential conflict-of-interest indicators. This is the highest-return analysis for fraud detection purposes and is typically within the reach of any organization with access to both datasets.

3. The third step is corporate hierarchy enrichment: appending DUNS or equivalent corporate family identifiers to vendor records, either through a commercial data service or through manual research for the highest-value vendor relationships, to establish a systematic basis for parent-child mapping and aggregate spend analysis.

4. The fourth step is process integration: embedding relationship verification into the vendor onboarding workflow as a defined step, so that new vendor submissions are checked against existing records and against employee data before activation, and so that identified relationships are documented and reviewed rather than simply logged.
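Steps 1 and 2, and the TIN, banking, address and employee cross-reference checks from the Identification Methods section, can be run with nothing more than the two master files. This is an added example, not code from the original article; the field names, the abbreviation table and all sample records are constructed assumptions rather than a real ERP schema.

```python
import re
from collections import defaultdict

# Constructed sample data; the field names are assumptions, not a real ERP schema.
COLS = ("id", "tin", "bank", "address", "phone")
VENDORS = [dict(zip(COLS, row)) for row in [
    ("V001", "12-3456789", "000111222:000123456", "100 Main Street, Suite 4", "(555) 010-2000"),
    ("V002", "123456789", "000111222:000999888", "PO Box 77", "555-010-3000"),
    ("V003", "98-7654321", "000111222-000123456", "42 Oak Ave.", "555.010.4000"),
    ("V004", "11-2223333", "000333444:555000111", "9 Harbor Rd", "555-010-5000"),
]]
EMPLOYEES = [{"id": "E17", "dept": "AP", "address": "42 Oak Avenue", "phone": "555-010-9999"}]

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste"}

def digits(value):
    """Strip punctuation so '12-3456789' and '123456789' compare equal."""
    return re.sub(r"\D", "", value)

def norm_address(value):
    """Lowercase, drop punctuation, and collapse common street-type variants."""
    words = re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

NORMALIZERS = {"tin": digits, "bank": digits, "phone": digits, "address": norm_address}

def shared_attributes(vendors):
    """Step 1: map (field, normalized value) -> vendor ids, for values on 2+ records."""
    index = defaultdict(list)
    for v in vendors:
        for field, norm in NORMALIZERS.items():
            value = norm(v.get(field) or "")
            if value:  # blank fields would otherwise link every incomplete record
                index[(field, value)].append(v["id"])
    return {key: ids for key, ids in index.items() if len(ids) > 1}

def employee_matches(vendors, employees, fields=("address", "phone")):
    """Step 2: (vendor id, employee id, field) where normalized values coincide."""
    return [(v["id"], e["id"], f)
            for v in vendors for e in employees for f in fields
            if NORMALIZERS[f](v[f]) == NORMALIZERS[f](e[f])]

if __name__ == "__main__":
    for (field, value), ids in shared_attributes(VENDORS).items():
        print(f"shared {field} {value}: {ids}")
    for hit in employee_matches(VENDORS, EMPLOYEES):
        print("vendor/employee overlap:", hit)
```

Normalization is only a first pass at the matching problem: it catches formatting differences such as `12-3456789` versus `123456789`, but not the near-matches that identity resolution tools are designed for.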

Third-Party Services and Technology

The analytical capabilities required for entity relationship verification — identity resolution, corporate hierarchy mapping, beneficial ownership data, and conflict-of-interest screening — are available through several categories of third-party service.

Commercial business intelligence platforms provide corporate hierarchy data, beneficial ownership information, and entity risk scores that can be integrated into vendor onboarding workflows through API connections. These platforms vary in their coverage, data currency, and the depth of their relationship mapping capabilities.

Specialized vendor risk management platforms combine entity verification with the banking, TIN and address validation capabilities described elsewhere in this series, providing a unified due diligence environment in which relationship data is assessed alongside other record elements as part of a holistic vendor risk score.

Data quality and identity resolution tools address the matching problem — identifying relationships between records that share similar but not identical data — and are particularly valuable in large vendor master files where exact-match analysis misses a significant proportion of related records.
