Template

Supplier Onboarding Checklist for UK SMEs

A disciplined supplier onboarding process protects your company from supply chain disruption, fraud, and contractual exposure before the first order is placed.


  • 30 days: Standard payment terms under the Late Payment of Commercial Debts Act
  • 3 years: Minimum contract documentation retention recommended
  • 25%+: Shareholding triggering PSC disclosure on Companies House
  • Annual: Recommended frequency for supplier risk reviews

Initial Due Diligence

Before committing to any supplier, verify their legal identity and financial standing. This is particularly important where you will be paying deposits or relying on them for critical inputs.

  • Confirm company name, registration number, and registered address via Companies House
  • Check for County Court Judgments or insolvency proceedings (credit reference agency search)
  • Review filed accounts for financial stability — particularly for key or high-value suppliers
  • Verify any required trade licences, accreditations, or regulatory registrations
  • For regulated goods or services, confirm FCA, HSE, or sector-specific authorisation

Contractual Framework

Ensure a written contract is in place before the first order is raised. Relying on a supplier's standard terms without review can expose you to unfavourable dispute resolution clauses, liability caps, or IP ownership issues. Have your solicitor review any contract where the annual spend is material.

  • Define scope of supply, specification, and delivery obligations precisely
  • Agree payment terms in writing — default under statute is 30 days for business-to-business contracts
  • Include termination rights, notice periods, and provisions for material breach
  • Clarify intellectual property ownership where the supplier is creating anything bespoke
  • Include a data processing agreement if the supplier will handle personal data

Banking and Payment Setup

Supplier fraud — including invoice redirection and impersonation — is a significant risk for UK businesses. Establish and document a payment verification process before adding any supplier to your accounts payable system.

  • Obtain bank details in writing on the supplier's headed paper or via a verified contact
  • Call a known number (not one provided in an unsolicited email) to confirm bank details before first payment
  • Add the supplier to your approved payment list only after verification is complete
  • Set up a re-verification process if a supplier requests a change to their bank details

Data Protection and Compliance

If your supplier will process personal data on your behalf — for example a payroll bureau, CRM provider, or IT support company — you are required under UK GDPR to have a written data processing agreement in place. You remain the data controller and are responsible for the supplier's compliance in this role.

For high-risk sectors (financial services, healthcare, food supply), also verify professional indemnity and public liability insurance levels before proceeding. Ask for a certificate of insurance rather than relying on verbal assurance.

Ongoing Supplier Management

Onboarding is not a one-time event. Establish a review cadence — at minimum annually for material suppliers — to check for changes in financial standing, ownership, or regulatory status.

  • Set calendar reminders to review key supplier contracts before renewal dates
  • Monitor for changes in Companies House filings (ownership or director changes)
  • Review performance against SLA or delivery terms quarterly
  • Update your supplier register whenever contact details, terms, or risk ratings change

Frequently asked questions

Do I need a written contract for every supplier?

Best practice is a written agreement for every supplier relationship, even if it is a brief order confirmation referencing agreed terms. For low-value, one-off purchases a supplier's standard terms may suffice, but have your solicitor review before accepting unusual clauses.

What is a data processing agreement and when is it required?

A data processing agreement (DPA) is a written contract required under UK GDPR whenever you appoint a third party to process personal data on your behalf. Your solicitor or data protection adviser can provide a template — confirm requirements for your specific supplier relationships.
