Talk to Sales

Blog

Trust Your SupplierBlogBlogYour Supplier Data Has an Expiry Date. Most Teams Miss It.

Your Supplier Data Has an Expiry Date. Most Teams Miss It.

Author: April Harrison 8 min read
Your Supplier Data Has an Expiry Date. The Data Drift Problem.

The approval is done. The vendor is active. There is a record in the system with a date on it, and that date feels like evidence of something solid. 

It is not. It is a timestamp on a snapshot. 

The supplier you onboarded twelve months ago may have changed ownership since then. Their insurance certificate may have lapsed. The certification they submitted has an expiry date that nobody tracked. Their financial risk profile shifted after a credit event that happened six months after you approved them. None of that shows up in the original record because none of it existed when the record was created. 

This is the data drift problem. It is cumulative, and it is sitting inside most supplier bases right now. The onboarding process created a foundation. Time has been eroding it. 

Why Supplier Data Ages Faster Than Most Teams Realize 

A supplier record that was accurate and complete at onboarding becomes progressively less reliable as the relationship matures. Here is what changes, usually without anyone noticing: 

  • Ownership and corporate structure. Companies are acquired, restructure, or transfer beneficial ownership. The entity you contracted with may no longer be the entity processing your invoices. 
  • Bank and payment details. Suppliers update payment information for legitimate reasons. Fraudsters also submit change-of-bank-details requests designed to look like routine updates. Either way, details verified at onboarding and never rechecked are a vulnerability. 
  • Compliance certifications and insurance. Every document has an expiry date. Most onboarding workflows collect these once and file them. The expiry passes. Nobody notices until an audit or an incident makes it impossible to ignore. 
  • Financial and risk profile. Credit conditions deteriorate, sanctions exposure shifts, ESG posture changes. A supplier that scored low risk at onboarding may be a materially different risk today. 
  • Regulatory requirements. What counted as adequate due diligence two years ago may not meet the standard your auditors are applying now. Frameworks evolve. Records do not update themselves. 

The record in your system does not change when any of these things happen. It just ages. 

How to Prioritize Your Revalidation Exercise 

Not every supplier in your base carries the same urgency. A revalidation exercise applied uniformly across every vendor relationship is not a realistic starting point for most mid-market teams. Prioritization by risk and spend is the practical approach. 

Three-column card grid showing how to prioritize supplier revalidation by spend level, compliance sensitivity, and document expiry status, with urgency labels for each tier.
Click image to enlarge

Start with your highest-spend suppliers. The financial exposure attached to a data quality failure scales directly with spend. A supplier representing five percent of your total spend deserves more scrutiny than one representing half a percent, regardless of category. 

Layer in compliance sensitivity. Suppliers with access to your systems or data, suppliers operating in regulated geographies, suppliers in categories subject to specific legal or audit requirements, and suppliers who hold financial data or payment credentials sit at the top of any revalidation priority list regardless of spend level. 

Add document expiry date as a third filter. Pull the compliance documents on file across your active supplier base and identify which ones have expiry dates in the past or within the next ninety days. These are not revalidation candidates. They are already overdue. 

The combination of high spend, compliance sensitivity, and lapsed or near-expiry documentation gives you a working priority list. That list is where a targeted revalidation effort starts. 

What a Structured Revalidation Process Covers 

Revalidating a supplier is not the same as onboarding them again. The relationship exists. The history is there. The goal is to update and verify the data that has aged, not to restart from scratch. 

A structured revalidation exercise covers five areas: 

Compliance documentation. Collect current versions of all documents with expiry dates. Verify that they are current, that they come from a credible source, and that the issuing authority confirms validity where possible. A supplier-submitted document alone is not sufficient verification. 

Ownership and corporate structure. Confirm that the legal entity, beneficial ownership, and corporate structure on file match current reality. This is particularly important for suppliers in markets with higher rates of ownership transfer, and for any supplier where a change in control could trigger sanctions or conflict-of-interest concerns. 

Bank and payment details. Reconfirm the bank details on file through an independent verification step, not just a supplier-submitted update. Payment fraud through bank detail change requests is one of the most common fraud vectors in procurement. 

Risk profile. Run the supplier through your current risk screening criteria, including any third-party data sources you use for financial health, sanctions, ESG, and cyber risk. Compare the result against the original onboarding assessment and document any material changes. 

Regulatory compliance. Confirm that the supplier still meets the compliance requirements applicable to the relationship under current regulatory frameworks, including any requirements that have come into effect since onboarding. 

The Difference Between Monitoring and Revalidation 

These two practices are related but distinct, and both matter. 

Continuous monitoring watches for changes in real time. It flags when a sanctions status changes, when a financial risk signal crosses a threshold, or when a document expiry date is approaching. It tells you when something has changed and requires your attention. 

Two-column comparison showing what continuous monitoring catches in real time versus what structured revalidation confirms through a scheduled review, covering sanctions, risk signals, document expiry, ownership, bank details, and regulatory compliance.
Click image to enlarge

Revalidation is active and periodic. It is the deliberate decision to take a supplier through a structured review process to confirm that the full picture is current and accurate. 

Think of it as the difference between a smoke detector and a fire inspection. The smoke detector catches what changes in real time. The inspection confirms that the whole system is still sound. 

Both serve a purpose. Monitoring covers the interval between revalidations. Revalidation provides the comprehensive check that monitoring alone cannot replace. 

We cover topics like this every week. Practical supplier management insights for procurement and supply chain teams. Get it in your inbox →

The Suppliers Most at Risk Are the Ones Nobody Has Looked at in Years 

The instinct in most supplier programs is to focus attention on new supplier relationships. New suppliers are the unknown quantity. They get the scrutiny. 

Established suppliers — the ones who have been in the base for years, the ones everyone is comfortable with — tend to get less attention. They have a track record. Nobody has flagged them. 

That comfort is where the data quality problem hides. The longer a supplier has been active in your base without a structured revalidation, the more likely it is that something has changed that your records do not reflect. 

The supplier your team has worked with for five years and never revisited is not necessarily your lowest-risk relationship. It may simply be your least examined one. 

What Structured Revalidation Looks Like in TYS 

Trust Your Supplier (TYS) includes frequency-based revalidation as a configurable feature. Buyers can create revalidation rules that define how often suppliers need to be reviewed, set in years or months, with filters for supplier category, region, market, spend threshold, and risk category. The system calculates the revalidation date from each supplier's last onboarded date and initiates the process automatically on that date. The schedule is built into the system rather than left to someone's memory or a spreadsheet reminder. 

Revalidation frequency can be calibrated to supplier risk. High-spend or high-risk suppliers can be scheduled for annual review. Lower-risk relationships reviewed less frequently. 

TYS also supports risk-based alerts that flag when third-party data changes for a supplier — if a risk score crosses a defined threshold, the system can assign additional questionnaires and route an approval request to the designated team. Both tracks run together: scheduled revalidation confirms the full picture at defined intervals, and risk-based alerts cover what changes in between. 

See the frequency-based revalidation workflow and risk-based alerts in action. Watch the demo on YouTube. 

Frequently Asked Questions 

What is supplier revalidation? Supplier revalidation is the process of periodically re-verifying and updating a supplier's information after they have been onboarded. It covers compliance documentation, ownership, bank details, risk profile, and regulatory compliance — confirming that the data on file still reflects current reality. 

How often should suppliers be revalidated? Frequency should be based on supplier risk and spend. High-spend or high-risk suppliers are typically reviewed annually. Lower-risk relationships may be reviewed every two to three years. Document expiry dates should trigger renewal workflows independently of the scheduled revalidation cycle. 

What is the difference between supplier revalidation and continuous monitoring? Continuous monitoring tracks changes in real time and flags when something requires attention. Revalidation is a scheduled, structured review of the full supplier record. Both are needed: monitoring covers the interval between revalidations, and revalidation provides the comprehensive check that monitoring alone cannot replace. 

Which suppliers should be prioritized for revalidation? Start with your highest-spend suppliers, then layer in compliance sensitivity — suppliers with system access, suppliers in regulated geographies, and suppliers holding financial or payment data. Any supplier with compliance documents that have already expired should be treated as immediately overdue. 

What happens if supplier data is never revalidated? Data drift accumulates. Certifications lapse unnoticed. Ownership changes go unrecorded. Risk profiles that have deteriorated since onboarding remain unchanged in your system. The exposure shows up in audits, payment fraud incidents, or compliance findings — usually at the worst possible moment. 


Blog Compliance Management Data Management
Previous reading
Your Supplier Data Has an Expiry Date. Most Teams Miss It.
Next reading
Six Years. Zero Exceptions. What That Actually Means for Your Supplier Data.
MENU