Initial Due Diligence
Before committing to any supplier, verify their legal identity and financial standing. This is particularly important where you will be paying deposits or relying on them for critical inputs.
- Confirm company name, registration number, and registered address via Companies House
- Check for County Court Judgements or insolvency proceedings (credit reference agency search)
- Review filed accounts for financial stability — particularly for key or high-value suppliers
- Verify any required trade licences, accreditations, or regulatory registrations
- For regulated goods or services, confirm FCA, HSE, or sector-specific authorisation
Contractual Framework
Ensure a written contract is in place before the first order is raised. Relying on a supplier's standard terms without review can expose you to unfavourable dispute resolution clauses, liability caps, or IP ownership issues. Have your solicitor review any contract where the annual spend is material.
- Define scope of supply, specification, and delivery obligations precisely
- Agree payment terms in writing — default under statute is 30 days for business-to-business contracts
- Include termination rights, notice periods, and provisions for material breach
- Clarify intellectual property ownership where the supplier is creating anything bespoke
- Include a data processing agreement if the supplier will handle personal data
Banking and Payment Setup
Supplier fraud — including invoice redirection and impersonation — is a significant risk for UK businesses. Establish and document a payment verification process before adding any supplier to your accounts payable system.
- Obtain bank details in writing on the supplier's headed paper or via a verified contact
- Call a known number (not one provided in an unsolicited email) to confirm bank details before first payment
- Add the supplier to your approved payment list only after verification is complete
- Set up a re-verification process if a supplier requests a change to their bank details
Data Protection and Compliance
If your supplier will process personal data on your behalf — for example a payroll bureau, CRM provider, or IT support company — you are required under UK GDPR to have a written data processing agreement in place. You remain the data controller and are responsible for the supplier's compliance in this role.
For high-risk sectors (financial services, healthcare, food supply), also verify professional indemnity and public liability insurance levels before proceeding. Ask for a certificate of insurance rather than relying on verbal assurance.
Ongoing Supplier Management
Onboarding is not a one-time event. Establish a review cadence — at minimum annually for material suppliers — to check for changes in financial standing, ownership, or regulatory status.
- Set calendar reminders to review key supplier contracts before renewal dates
- Monitor for changes in Companies House filings (ownership or director changes)
- Review performance against SLA or delivery terms quarterly
- Update your supplier register whenever contact details, terms, or risk ratings change
Frequently asked questions
Do I need a written contract for every supplier?
Best practice is a written agreement for every supplier relationship, even if it is a brief order confirmation referencing agreed terms. For low-value, one-off purchases a supplier's standard terms may suffice, but have your solicitor review before accepting unusual clauses.
What is a data processing agreement and when is it required?
A data processing agreement (DPA) is a written contract required under UK GDPR whenever you appoint a third party to process personal data on your behalf. Your solicitor or data protection adviser can provide a template — confirm requirements for your specific supplier relationships.