India's vendor ecosystem is vast, fragmented, and — for compliance teams — genuinely treacherous. Thousands of onboarding decisions are made each year by procurement and finance teams who rely on little more than a registration certificate and a GST invoice. The consequences of that shortcut are well-documented: fraudulent vendors, input tax credit reversals, regulatory enquiries, and in some cases, criminal liability for the buyer organisation.
A structured vendor verification framework — anchored in India's three primary business identifiers (GST, PAN, and CIN) — closes most of this risk surface before the first purchase order is raised. This guide explains how to execute that framework, what each data source reveals, and where it falls short without continuous monitoring.
Download our India Vendor Compliance Checklist to share with your procurement and finance teams.
Download the ChecklistWhy Vendor Verification Is a Regulatory Imperative in India
Vendor verification is no longer a best-practice recommendation — it is a hard regulatory requirement across multiple Indian regulatory frameworks.
RBI Outsourcing Guidelines: The Reserve Bank of India's Master Direction on Outsourcing of IT Services (2023) and the earlier outsourcing guidelines for banks and NBFCs mandate that regulated entities conduct documented due diligence on all material third parties before engagement. This includes financial health assessment, legal standing, and ongoing monitoring. For financial services companies, an unverified vendor is a compliance gap that can trigger regulatory action.
DPDP Act Vendor Compliance: India's Digital Personal Data Protection Act, 2023 (DPDP Act) creates accountability for Data Fiduciaries and Data Processors. If your vendor processes personal data on your behalf, you are responsible for ensuring they meet the Act's security and processing standards. Onboarding a vendor without verifying their legal standing, operational stability, and regulatory compliance exposes you to joint liability under the DPDP framework.
SEBI Circular on Third-Party Risk: SEBI-regulated entities — stock brokers, asset management companies, depositories, and market infrastructure institutions — are subject to escalating third-party risk management requirements. SEBI's cybersecurity framework and DPDP-aligned circulars require documented vendor risk assessment processes as part of operational resilience compliance.
The regulatory and financial case for structured vendor verification is unambiguous. The question is how to build a process that is both comprehensive and operationally sustainable.
GST Verification — What Compliance Teams Must Check
The GST Portal is the starting point for any vendor verification exercise. Every business with a turnover above the GST threshold — Rs 20 lakh for services, Rs 40 lakh for goods in most states — is required to register. The GSTIN is a 15-digit identifier that encodes the state code, PAN, and entity sequence. That structure makes it cross-verifiable against PAN from the outset.
Active vs Suspended GST Status
The most critical data point is registration status. The GST Portal's 'Search Taxpayer' function returns one of several statuses: Active, Suspended, Cancelled, or Provisional. A Suspended status means the GST officer has initiated action against the taxpayer — typically for non-filing of returns. An Active registration confirms the vendor is currently in good standing but says nothing about filing behaviour.
For procurement teams: do not treat an Active status as a clean bill of health. A GSTIN can remain Active even while the vendor has filed no returns for months. The active status simply means the registration has not yet been suspended or cancelled by the department.
GST Return Filing Regularity (GSTR-1, GSTR-3B History)
GSTR-1 (outward supply statement) and GSTR-3B (summary return with tax payment) filing history is publicly accessible for any GSTIN. A vendor that consistently files both returns on time is demonstrating three things simultaneously: operational continuity, tax compliance discipline, and financial stability sufficient to discharge GST liabilities. Irregular or nil filings — particularly in GSTR-3B — are a strong indicator that the vendor may not be remitting collected GST to the government.
This matters directly to your organisation's ITC position. Under Section 16(2)(c) of the CGST Act, input tax credit is available only if the supplier has actually paid the tax to the government. If your vendor collects GST from you but does not remit it, your ITC claim is at risk of being reversed during a GST audit.
Composition vs Regular Taxpayer — What It Reveals About Vendor Scale
The taxpayer type field on the GST portal reveals whether a vendor is registered as a Regular taxpayer or a Composition scheme dealer. Composition dealers — with turnover below Rs 1.5 crore — cannot issue tax invoices and cannot charge GST on their supplies. If you are onboarding a Composition scheme vendor expecting to claim input tax credit on their invoices, you will be disappointed: ITC is not available on supplies from Composition dealers.
Beyond the ITC implications, a Composition registration signals that you are dealing with a micro-scale enterprise. For critical or high-value vendor engagements, this is relevant context for your vendor risk rating and contract terms.
PAN Verification — The Identity Foundation
PAN is India's universal tax identifier, issued by the Income Tax Department. For vendor verification, PAN validation is the identity anchor — it confirms that the legal entity you are dealing with is who they claim to be, and cross-validates the GSTIN (since the 4th to 13th characters of a GSTIN are derived from the PAN). A mismatch between the PAN on your vendor's documents and the PAN embedded in the GSTIN is an immediate red flag.
PAN-Aadhaar Link Status
For individual proprietorships and sole traders, the PAN-Aadhaar link status is a meaningful due diligence signal. The Income Tax Department has mandated PAN-Aadhaar linking for individuals; an unlinked PAN (which technically becomes inoperative) creates complications for TDS compliance — specifically, the TDS deduction rate doubles for payments to a person with an inoperative PAN under Section 206AA. Verifying this before onboarding allows your accounts payable team to apply the correct TDS rate and avoid notices for short deduction.
Income Tax Filing History as a Financial Health Signal
ITR filing history — accessible through the Income Tax portal with vendor consent for shared data, or through the vendor's Form 26AS — provides a valuable financial health signal that GST data alone cannot give you. A vendor that has not filed income tax returns for two or three years despite being active on GST raises legitimate questions about financial transparency, management integrity, and long-term viability. For high-value or strategically critical vendor relationships, requesting two years' ITR acknowledgements as part of the onboarding process is a proportionate and defensible due diligence step.
CIN and MCA Lookup — Corporate Identity Checks
For vendors registered as Private Limited companies, Public Limited companies, or LLPs, the CIN (Corporate Identification Number) is the key to the MCA21 portal — India's official corporate registry. MCA21 holds the authoritative record of a company's legal existence, registered office, director history, and statutory filing compliance. For compliance teams, it is the most information-dense public data source in the Indian vendor verification toolkit.
Struck-Off Companies on MCA21
Under Section 248 of the Companies Act, 2013, the Registrar of Companies can strike off companies that have failed to commence operations or have been non-compliant for extended periods. A company with a "Strike Off" status on MCA21 has no legal standing to enter into contracts. Any agreement executed with a struck-off company is legally void, and any payments made cannot claim GST benefits or be treated as legitimate business expenses without risk of scrutiny.
The MCA21 search returns the company status in real time. This is a thirty-second check that eliminates a category of risk that cannot be remediated after the fact.
ROC Annual Filing Defaults (Form AOC-4, MGT-7)
Every company registered in India is required to file Form AOC-4 (financial statements) and Form MGT-7 (annual return) with the ROC each year. These filings are publicly available on MCA21 and are a proxy for management governance quality. A company that has not filed its annual returns for two or more consecutive years is not only non-compliant — it is also at elevated risk of being struck off. For procurement teams, persistent ROC filing defaults are a credible indicator of financial distress or management disengagement.
Director DIN Status and Disqualification
Each director of an Indian company holds a Director Identification Number (DIN). Under Section 164(2) of the Companies Act, a director who has been on the board of a company that failed to file annual returns or financial statements for three consecutive years is automatically disqualified. A company led by disqualified directors is simultaneously a governance risk and a regulatory liability. MCA21 allows you to check DIN validity and director disqualification status. Including this check in your vendor onboarding workflow costs minutes and surfaces risks that would otherwise take months to discover.
Crest's Intelligence Platform pulls from 3,300+ data sources to give you a complete vendor risk picture — before onboarding and throughout the relationship.
See the PlatformMSME/UDYAM Verification and its Risk Implications
If a vendor claims MSME status — whether to justify payment terms, qualify for government procurement preferences, or satisfy your supply chain diversity reporting — that claim must be verified against the UDYAM registration portal. UDYAM replaced the older Udyog Aadhaar system in July 2020, and all MSMEs are required to have re-registered under UDYAM. An older Udyog Aadhaar number without a corresponding UDYAM registration is no longer valid for most statutory purposes.
Why does MSME status matter for risk? Three reasons:
- Payment terms obligation: Under the MSMED Act, buyers are required to pay MSME vendors within 45 days of delivery. Failure to do so triggers interest at three times the RBI bank rate, and delayed payments above a threshold must be disclosed in your company's annual report under Section 22 of the MSMED Act. Incorrectly classifying a vendor as non-MSME can create statutory liability.
- Financial scale signal: MSME classification (Micro, Small, or Medium) is based on declared turnover and investment. Cross-checking the UDYAM-declared turnover against GST filings and MCA financial statements catches misrepresentation — vendors inflating or deflating their category depending on which is advantageous.
- Concentration risk: A critical supplier that is a Micro enterprise (turnover below Rs 5 crore) presents meaningful business continuity risk. That risk should be reflected in your vendor risk rating and contingency planning.
eCourts — Checking for Litigation and Legal Disputes
The eCourts portal provides searchable access to case records across district courts and high courts in India. While it does not cover all tribunals and arbitration proceedings, it is the most accessible public database for identifying litigation risk associated with a vendor.
For vendor due diligence, eCourts searches serve two distinct purposes:
Counterparty default history: Cases where the vendor is the defendant in a commercial dispute — particularly cases filed by banks, NBFCs, or other suppliers — signal payment default history. A vendor that routinely defaults on its own obligations is a credit risk to your accounts payable and delivery timeline continuity.
Regulatory and criminal exposure: Cases filed under the Prevention of Corruption Act, the Companies Act, or FEMA indicate regulatory risk that extends beyond the specific proceeding. For vendors handling sensitive data, financial assets, or government-adjacent work, this layer of scrutiny is particularly important under the DPDP Act and RBI outsourcing frameworks.
eCourts data has limitations: records are updated at varying frequencies, smaller courts may have incomplete digitisation, and Supreme Court records require a separate search on the SCI website. A comprehensive litigation check for high-value vendors should supplement eCourts with a search of NCLT (insolvency proceedings), NCLAT, and SEBI enforcement orders where relevant. This is where automated monitoring platforms deliver substantial efficiency gains over manual checks.
A 7-Step Vendor Verification Checklist for Indian Procurement Teams
This checklist is designed to be embedded into your vendor onboarding workflow as a mandatory gate before a purchase order or contract is executed. Each step maps to a specific regulatory risk surface.
Collect Primary Identifiers
Obtain the vendor's GSTIN, PAN, CIN (for companies and LLPs), and UDYAM registration number (if claiming MSME status) at onboarding intake. Make these mandatory fields in your vendor master form.
GST Status and Filing History Check
Search the GSTIN on the GST Portal. Confirm Active status, taxpayer type (Regular or Composition), and review GSTR-1 and GSTR-3B filing history for the past 12 months. Flag nil or absent filings as a risk item.
PAN Verification and Income Tax Check
Validate the PAN through the Income Tax portal. Cross-check entity name, PAN-Aadhaar link status (for proprietorships), and confirm ITR filing for the last two financial years. Apply correct TDS rate based on PAN status.
MCA21 Corporate Status and Filing Check
Search the CIN on MCA21. Confirm company status (Active vs Struck Off/Under Liquidation), review ROC annual filing compliance for AOC-4 and MGT-7, and verify DIN validity and disqualification status for key directors.
MSME/UDYAM Verification
Validate the UDYAM registration on the Udyam portal. Confirm the enterprise category (Micro, Small, or Medium) and check that declared turnover is consistent with GST filings and MCA financials. Note payment term obligations.
eCourts Litigation Search
Search the vendor's registered name, trading names, CIN, and director names on eCourts. Flag any active commercial disputes, NI Act Section 138 cases, or regulatory proceedings as risk items for review.
Set Up Continuous Monitoring
One-time onboarding checks are insufficient. Configure automated alerts for GST status changes, MCA filing defaults, and new court filings throughout the vendor relationship. Risk profiles change — your monitoring must too.
This checklist maps to regulatory requirements under RBI outsourcing guidelines, DPDP Act accountability obligations, SEBI TPRM frameworks, and the CGST Act's ITC conditions. For a template version to share with your team, visit the Crest Help Hub.
Key Takeaways
- GST status alone is insufficient. Filing regularity (GSTR-1 and GSTR-3B) matters as much as registration status. ITC risk is real and auditable.
- PAN is the identity anchor. It cross-validates the GSTIN and provides income tax filing visibility. PAN-Aadhaar link status affects your TDS obligations.
- MCA21 is non-negotiable for company vendors. Struck-off status, ROC filing defaults, and director disqualification are all material risks that are invisible without this check.
- MSME verification has legal consequences. Incorrect classification affects payment terms obligations and MSMED Act disclosure requirements.
- eCourts adds a litigation layer. Pattern of NI Act cases, commercial disputes, or regulatory proceedings is a risk signal that no other database captures.
- Continuous monitoring is the only sustainable approach. Vendor risk status changes throughout the relationship. A one-time check at onboarding is a snapshot, not a risk management programme.
Frequently Asked Questions
You can verify a vendor's GST registration status on the GST Portal (gst.gov.in) under the 'Search Taxpayer' section using their GSTIN. This will show you whether the registration is Active, Suspended, or Cancelled, along with the taxpayer type (Regular or Composition) and date of registration. For compliance teams, it is equally important to review GSTR-1 and GSTR-3B filing history to assess operational health beyond mere registration status.
MCA21 (mca.gov.in) is the Ministry of Corporate Affairs' digital portal containing the official registry of all companies and LLPs registered in India. For vendor due diligence, you can use the CIN or company name to pull up incorporation details, check whether the company is Active or Struck Off, review annual filing compliance (Form AOC-4 and MGT-7), and check whether directors hold a valid and non-disqualified DIN.
PAN is the foundational tax identity for any business or individual in India. Verifying a vendor's PAN confirms the entity exists in the Income Tax database and helps cross-check the name and entity type against the vendor's declarations. PAN-Aadhaar link status and ITR filing history provide financial health signals. Onboarding a vendor with an invalid or mismatched PAN can expose your organisation to TDS liability and GST input tax credit denial.
The eCourts portal (ecourts.gov.in) provides searchable case records across district and high courts in India. Searching a vendor's name, CIN, or director names can reveal pending civil suits, commercial disputes, cheque dishonour cases under Section 138 of the Negotiable Instruments Act, or criminal proceedings. Active litigation — especially involving counterparty defaults or regulatory violations — is a material risk signal that should inform both onboarding decisions and contract structuring.
Onboarding a vendor whose company has been struck off under Section 248 of the Companies Act, 2013 creates significant legal and operational exposure. Contracts with a struck-off entity may be legally void or unenforceable. Payments made cannot claim valid GST input tax credit. Directors of struck-off companies may be disqualified under Section 164(2). Internal and statutory auditors will flag such vendors as lapses in due diligence controls, potentially indicating fraudulent intent by the vendor.