Due Diligence and Ongoing Monitoring

  • 1.  Foreign Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 08-11-2023 02:11 PM

    Hi All,

    We are trying to define the reporting requirements for foreign vendors. The IRS does not provide definite answers in that area.

    Do you require foreign vendors to sign W9 or W8? How do you decide which forms are needed?

    If the vendors are foreign but are also incorporated in the US, they would be required to provide W9. However, there are vendors/consultants who operate only in foreign countries and do not have EIN/SSN numbers. If that is the case, should we require W8 instead?

    Thank you,



  • 2.  RE: Foreign Vendors

    Posted 08-21-2023 09:55 AM
    If you are US-based, I recommend you confirm the latest in tax reporting directly from the IRS. See https://www.irs.gov/forms-instructions-and-publications
    Beyond this tax reporting aspect, foreign vendors will have headquarters outside of your country of business. Keep in mind that domestic vendors may still have operations and offices outside of your country. Either way, here are a few considerations for extra steps in vetting and reporting:
    • OFAC/PEP checks are critical as you want to know who their owners and key management team are. Make sure they aren't affiliated with a foreign entity that you don't want to associate your organization's name with.
    • Thoroughly understand their hiring practices. Include HR and hiring as an aspect into your inquiry. ESG can fall into this category as well if desired.
    • Have the vendor list all locations that will support the product/service. You want to identify geographic concentrations in historically poor weather areas. This will open up your ability to review their resiliency across these locations.
    • If the vendor will store or transmit data for your organization, confirm which locations will be in scope. Regulation around privacy will vary. Request SOC2, ISO27001, or ISAE 3000.

    I'd be interested in learning what other members are doing.