Vendor Risk Scoring for Indian Finance Teams: Beyond GSTIN Verification

When a vendor is onboarded, the AP team verifies their GSTIN, collects a cancelled cheque, and files the paperwork. The GSTIN check confirms the vendor is registered and currently active. It tells you nothing about whether they file GST returns on time, whether their GSTR-1 data is accurate, whether they have ever had their registration suspended and reinstated, or whether their invoices will actually appear in your GSTR-2B next month. Onboarding verification and ongoing vendor risk are different problems — and most Indian mid-market companies are solving only the first.

What a Vendor Risk Score Actually Measures

GST filing regularity is the most consequential component for ITC protection. Track the date of each vendor's GSTR-1 filing for the last 12 months. A vendor who consistently files before the 11th of the following month is low risk for ITC timing gaps. A vendor who routinely files between the 12th and 20th creates recurring ITC delays. A vendor who files after the 20th, or misses months, is an ITC risk that needs active management — either payment holds pending GSTR-1 confirmation, or pre-payment vendor follow-up.

This score is not static. A vendor with a perfect 12-month filing record who then misses two consecutive months is signaling something — cash flow pressure, operational disruption, or a CA change that created a compliance gap. The risk score should update in response to recent behavior, not just historical average.

GSTR-2B appearance rate measures what percentage of this vendor's invoices actually appear in your GSTR-2B within the expected filing period. A vendor with a 70% appearance rate means that 30% of their invoices — and 30% of the corresponding ITC — require follow-up. Over 12 months of invoice volume, that is a significant recurring cash flow burden.

Dispute and exception rate tracks how many invoices from this vendor required corrections, credit notes, quantity adjustments, or TDS disputes. A vendor with a 15% exception rate has a process problem that is costing your team time on every batch. This is operationally significant beyond the compliance risk.

Bank detail change frequency is a behavioral signal that warrants monitoring. A vendor who has changed bank details twice in 24 months is at the higher end of normal. Three changes in 12 months is a flag. Four changes in 6 months requires a direct conversation with the vendor to understand why.

PAN and MCA status for companies: a vendor that has not filed MCA annual returns for two years may be operationally stressed. This is not a disqualifying factor by itself, but combined with other risk signals, it adds weight.

Why Continuous Scoring Matters More Than One-Time Verification

A vendor's risk profile at onboarding may be completely different from their profile 18 months later. A CA change can disrupt their GST filing cadence for three months. A banking transition can introduce bank detail changes. A growth phase can make their invoicing less consistent. A financial stress period can make their ITC a liability to your company.

The companies that manage vendor risk well treat it as a relationship-level monitoring process, not a one-time check. The vendor master is not just a record of who vendors are — it is a living profile of how reliable they have been, how compliant they currently are, and what the ITC risk of processing their next invoice looks like.

The practical output of a continuous vendor risk score: when a vendor crosses a risk threshold, the AP team is notified before the next invoice arrives rather than after it has been paid and the ITC gap has appeared in GSTR-2B. The difference between catching a risk signal on day 1 and catching it on day 45 is the cost of following up versus the cost of reversing a credit claim with interest.