How to Verify US Supplier Bank Accounts: ACH, EIN, and Entity Checks
The US is the mirror image of Europe. There's no Verification of Payee, no name-on-account check before a transfer, and no central business registry. Instead there's the ACH network, Nacha's account-validation rules, a quasi-identifier in the EIN, and fifty separate Secretaries of State. And in 2025, the federal beneficial-ownership register was gutted — domestic US companies no longer report ownership at all. Verifying a US supplier means assembling the picture yourself.
If you've built a verification workflow for European suppliers, almost none of it transfers to the US. Europe spent 2025 rolling out Verification of Payee — a mandatory, real-time check that the name you're paying matches the account holder. The US has no equivalent. There is no national scheme that confirms a payee's name against their account before money moves. The closest thing is a patchwork of Nacha rules governing the ACH network and a market of commercial verification services that fill the gap the regulation leaves open.
The scale makes the gap matter. The ACH network processed 33.6 billion payments worth $86.2 trillion in 2024, and the Association for Financial Professionals found that 80% of organizations experienced payments fraud activity in the prior year, with ACH credits among the most exposed. Business email compromise and vendor bank-detail fraud are the dominant attack patterns — and unlike a European payer protected by a name-match check at the moment of payment, a US payer sending an ACH credit has no built-in name verification at all. The account number either exists and accepts the entry, or it doesn't. Whose name is on it is not checked by the rails.
So US supplier verification is a build-it-yourself exercise across two layers. At the account layer: ACH account validation, using micro-deposits, prenotes, or instant verification services, increasingly shaped by Nacha's 2026 fraud-monitoring mandates. At the entity layer: confirming the business is real and identifying who controls it — across fifty state registries, with the EIN as a partial national key, and a federal beneficial-ownership register that, as of 2025, no longer applies to domestic companies. This article covers both, and the workflow a business paying US suppliers needs in 2026.
The US verification landscape in 2026
Three things define bank account verification for US suppliers — and all three differ sharply from the European model.
- There is no Verification of Payee. The US has no mandatory, real-time name-on-account check before a credit transfer. ACH credits settle to an account number; the payee's name is not verified by the network. This is the single biggest structural difference from Europe, where VoP became mandatory across the eurozone in October 2025.
- Nacha governs ACH, and its rules are tightening. Nacha — which administers the ACH network — requires originators to validate first-use accounts for WEB debits (in effect since 2021), and its 2026 changes add standardized entry descriptions and, most significantly, risk-based fraud monitoring. The first phase and the new entry-description requirements became mandatory on March 20, 2026; the broader fraud-monitoring mandate for ACH originators follows on June 22, 2026.
- Entity verification is state-by-state, and the federal UBO register was gutted. The US has no central business registry — companies are registered with one of fifty state Secretaries of State. The EIN, issued by the IRS, is the closest thing to a national identifier. And in March 2025, FinCEN removed beneficial-ownership reporting for all domestic US companies under the Corporate Transparency Act, leaving the federal UBO register applicable only to certain foreign entities.
The practical takeaway: where a European business gets a mandatory name-match check and a national registry for free, a US business gets neither. Both the account check and the entity check are things you have to actively perform — which is exactly why US verification is a workflow problem, not a regulatory one.
The account layer: ACH validation without a name check
Because the ACH network doesn't verify the payee's name, US account verification answers a narrower question: does this account exist, can it accept the entry, and does it belong to the party you think it does? Several methods, with different speed and certainty trade-offs.
Micro-deposits
The classic method: the platform sends one or two tiny credits (typically $0.01–$1.00) to the account, and the account holder confirms the exact amounts. Confirming the amounts proves they have access to the account. It works, but it's slow — usually two to three business days — and the friction causes meaningful abandonment. Critically, verification isn't complete until the account holder actively confirms the amounts; simply not getting a return is not verification.
Prenotification (prenote)
A zero-dollar ACH entry sent ahead of real payments to confirm the account and routing numbers are valid and the account can accept entries. A prenote confirms the account details are mechanically correct — it does not confirm who owns the account. It's a validity check, not an ownership check.
Instant account verification
Commercial verification services confirm account status and ownership in real time, typically through bank-data networks or registry-sourced data, returning a result in seconds rather than days. This is increasingly the standard for higher-value B2B payments, where the two-to-three-day micro-deposit delay is unacceptable and the certainty of confirmed ownership matters. It's also the method best aligned with Nacha's expanding fraud-monitoring expectations.
What none of these do
None of these methods is a name-match check in the European VoP sense. Micro-deposits and prenotes confirm the account is real and reachable; instant verification can confirm ownership, but there is no universal, mandatory layer that says "the name you entered matches the account holder" before every payment. In the US, that assurance has to be bought and built — it isn't a property of the rails.
No name-check on the rails — so you pick a method
Nacha's 2026 rules: fraud monitoring becomes mandatory
The most important development for US payers in 2026 isn't a name-check mandate — it's a fraud-monitoring mandate. Nacha's rule changes shift the obligation from "validate the account works" to "actively monitor for fraud."
- Standardized entry descriptions (effective March 20, 2026). ACH originators must use standardized company entry descriptions — "PAYROLL" for payroll, "PURCHASE" for consumer e-commerce debits — so transactions are consistently labeled and easier to monitor.
- Risk-based fraud monitoring (Phase 1 March 20, 2026; broader June 22, 2026). ACH originators must run documented, risk-based fraud monitoring on the payments they send. The highest scrutiny is meant to fall on first-time payment recipients and on changes to a known vendor's bank details — the exact patterns where supplier-payment fraud concentrates.
- Account validation for WEB debits (already in effect). Originators must validate first-use accounts for online ACH debits, a rule in force since 2021.
The thread connecting these is that Nacha now expects you to treat first-time recipients and bank-detail changes as elevated-risk events, with documented monitoring and records retained. That's a meaningful shift for finance teams: verification and monitoring are no longer optional best practice but a rule-driven obligation. For the detail on the rule changes, see our Nacha 2026 compliance guide.
How MonitorPay helps
Account validation, EIN, and entity checks in one API.
The US gives you no name-check and no central registry — so MonitorPay assembles the picture for you: ACH account validation and ownership confirmation, EIN and entity verification, and registry-sourced company data from 200+ government registries worldwide, with continuous monitoring on the suppliers and accounts you've already verified.
US Stack
- ✓ACH account validation
- ✓Account ownership confirmation
- ✓EIN + entity verification
- ✓Sanctions + PEP screen
Beyond the US
- ✓EU VoP across SEPA
- ✓49+ country bank rails
- ✓200+ government registries
- ✓Webhook-driven monitoring
The entity layer: 50 states, the EIN, and a gutted UBO register
The US entity layer is the inverse of Europe's. There's no Companies House, no KVK, no Registro Imprese — no single national register you can query. Instead, US company verification means navigating three things: state registration, the EIN, and a beneficial-ownership picture that just changed dramatically.
Fifty Secretaries of State
US businesses are registered at the state level. A company is incorporated or organized under the laws of a particular state — Delaware, California, Texas, and so on — and its existence is recorded by that state's Secretary of State (or equivalent office). There is no federal company registry. To confirm a US supplier exists and is in good standing, you check the Secretary of State in its state of formation, each of which has its own portal, search interface, data fields, and quirks. A company can also be registered as a "foreign" entity in states where it operates beyond its home state, adding further fragmentation. For a business verifying suppliers across the country, this means there is no one place to look — the equivalent of Germany's roughly 150 local registrars, but at national scale.
One registry to query, or fifty?
Europe gives you one national registry per country. The US has no federal register at all.
The EIN: a partial national key
The closest thing to a national company identifier is the EIN (Employer Identification Number), a nine-digit number issued by the IRS for tax purposes. Nearly every US business that pays employees or files business taxes has one, and it's stable across the company's life. But the EIN has a critical limitation for verification: the IRS does not provide a public EIN lookup or verification service. You can't simply query an EIN against an authoritative federal database to confirm it belongs to a given company. EIN verification therefore relies on documentation (such as an IRS-issued letter), third-party data sources, or matching against other records. For the detail, see our EIN verification guide.
The beneficial-ownership reversal
Here's where the US moved in the opposite direction from Europe. The Corporate Transparency Act created a federal beneficial-ownership register, and from January 2024 most US companies were required to report their beneficial owners to FinCEN. Then it was unwound. On March 26, 2025, FinCEN issued an interim final rule that removed beneficial-ownership reporting for all domestic US companies — redefining "reporting company" to cover only certain foreign entities registered to do business in the US. As of 2026, domestic US companies and their beneficial owners are exempt from federal BOI reporting.
This is the mirror image of the EU, where beneficial-ownership registers exist (even if access tightened after the 2022 ECJ ruling). In the US, for domestic companies, the federal UBO register effectively does not produce usable ownership data at all. There is one important caveat: banks and other financial institutions must still collect and verify beneficial ownership at account opening under separate customer due diligence (CDD) rules, regardless of the BOI change. So beneficial ownership hasn't vanished as a compliance concept — but the public/federal register a foreign business might have hoped to rely on is, for US companies, not there. Establishing the ownership of a US supplier means working from CDD-style documentation, third-party data, and corporate-structure tracing rather than a register lookup.
The US and EU split apart on ownership transparency
Both maintained beneficial-ownership registers in 2024. Since then they have moved in opposite directions.
The full US supplier verification workflow
What a working verification workflow looks like for a business paying US suppliers in 2026 — across onboarding, before each material payment, and continuously thereafter.
At supplier onboarding
- Confirm the entity at the state level. Check the Secretary of State in the supplier's state of formation to confirm it exists and is in good standing (not dissolved, suspended, or forfeited).
- Verify the EIN. Because there's no public IRS lookup, verify the EIN against supplied documentation (such as an IRS letter or W-9) and third-party data, and confirm the legal name matches the state registration.
- Validate the bank account. Use account validation — instant verification where possible, micro-deposits or a prenote otherwise — to confirm the account exists, accepts ACH entries, and ideally that it's owned by the supplier. Remember the rails won't check the name for you.
- Establish beneficial ownership. With the federal BOI register no longer applicable to domestic companies, rely on CDD-style documentation, third-party ownership data, and corporate-structure tracing to identify who controls the supplier.
- Screen the entity and owners against sanctions and PEP lists. OFAC sanctions screening is a hard legal requirement for US payments regardless of the entity's size or location.
- Document the method, date, and outcome. Nacha's 2026 rules expect documented verification; retain the records. A timestamped record of what you checked and when is both a compliance artifact and a fraud-defence record.
Before each bank-detail change
The highest-risk event in the workflow — and the one Nacha's expanded fraud-monitoring rules specifically target. Because there's no name-check on the rails, a US payer is unusually exposed to vendor bank-detail fraud.
- Treat every bank-detail change request as suspicious by default. The question isn't "does this look like fraud" — it's "have we verified this through an independent channel."
- Call back on a known number. Not the number in the email requesting the change — a number from your existing records.
- Re-validate the new account before saving it. Run account validation (and ownership confirmation where available) on the new details, and confirm the account holder name matches the supplier's legal entity.
- Apply elevated scrutiny per Nacha. Bank-detail changes are exactly the pattern Nacha's risk-based monitoring expects you to flag and document.
Continuous monitoring between payments
US suppliers change constantly — dissolutions, status changes, ownership transfers. Continuous monitoring catches these before the next payment cycle.
- Monitor state status changes. A supplier in good standing at onboarding can be administratively dissolved or suspended later; that's a signal worth catching before you pay again.
- Monitor sanctions and PEP designations. OFAC lists change frequently; a supplier clean at onboarding may have been designated since.
- Re-validate accounts on a defined cadence and on every change. Because there's no passive name-check, active re-validation is the only ongoing assurance you get.
A concrete scenario: the bank-detail change with no name-check
A composite, anonymised US scenario showing why the missing name-check leaves US payers exposed.
The setup. “Cascade Retail Inc.” (Oregon) has paid “Summit Components LLC” (Delaware) monthly for two years — around $24,000 per invoice, by ACH credit. Summit’s details have been in Cascade’s vendor master file the whole time, and every payment has cleared.
The attack. On a Monday, Cascade’s AP team gets an email from their regular Summit contact — the familiar address. It says Summit has switched banks and asks them to update the ACH details for this month’s invoice. It references the correct invoice number and reads exactly like the contact’s normal emails.
What the process catches — and misses. Cascade updates the vendor record and sends the $24,000 ACH credit. The payment settles cleanly: the account number is valid and accepts the entry. There is no name-check on the ACH rails, so nothing in the payment process compares “Summit Components LLC” against the name actually on the destination account. The transfer simply completes.
What actually happened. The Summit contact’s email was compromised weeks earlier. The new account belonged to a money mule. Because US ACH credits carry no payee-name verification, the mismatch between the expected payee and the real account holder was never surfaced — the payment behaved exactly as a legitimate one would. In Europe, a Verification of Payee result would have flagged the name mismatch before authorisation; in the US, there was no such checkpoint.
What would have caught it. A callback to Summit on a number from Cascade’s records — not the email — would have exposed the fraud in a minute. So would instant account verification with ownership confirmation on the new details before saving them, and the elevated scrutiny Nacha’s 2026 rules now expect on any bank-detail change. In a market with no name-check on the rails, those active controls aren’t optional extras — they are the only verification layer there is.
For the full case on why one-time verification isn't enough — and why continuous monitoring is now the operational standard — see why one-time verification fails.
How US verification methods compare
Businesses paying US suppliers have several verification options. They differ in what they confirm and where they fit.
| Method | What it confirms | What it doesn't | Best for |
|---|---|---|---|
| Micro-deposits | Account exists and the holder has access (after they confirm amounts) | Real-time certainty; entity legitimacy; ownership beyond access | Lower-value or consumer onboarding where 2–3 day delay is acceptable |
| Prenotification (prenote) | Account and routing numbers are valid and can accept entries | Who owns the account; name match | A mechanical validity check ahead of recurring payments |
| Instant account verification | Account status and ownership in real time | Entity-level KYB; beneficial ownership | Higher-value B2B payments and Nacha-aligned monitoring |
| Secretary of State check | Entity exists and is in good standing in its state | The bank account; ownership; a single national view (50 portals) | Confirming a supplier is a real, active entity |
| EIN verification | Tax-identifier consistency with the legal name | No public IRS lookup — relies on documents / third-party data | Cross-checking identity against tax records |
| Manual callback verification | The supplier confirms a bank-detail change via an independently-sourced number | Speed, scale, audit-trail consistency | Bank-detail changes — a backstop, not a substitute |
The pattern: no single method is sufficient for US B2B verification — and because there's no name-check layer, the burden falls more heavily on the payer than in Europe. Account validation works alongside a Secretary of State check, EIN verification, OFAC screening, callback verification for changes, and continuous monitoring. For how these methods interact with their non-US equivalents, see our 7 verification methods compared article.
Paying US suppliers from outside the US
If you pay US suppliers from Europe or elsewhere, the asymmetry is stark. A US business paying into Europe increasingly benefits from VoP at the receiving end; a European business paying into the US gets no such name-check, because the US rails don't offer one. Cross-border payments into the US typically route through international ACH (IAT) or wire, which add OFAC sanctions screening and AML obligations but still no name verification.
The entity layer is just as fragmented for a foreign payer: fifty state registries, no public EIN lookup, and a federal UBO register that no longer covers domestic US companies. For a business outside the US verifying US suppliers at scale, the practical answer is a verification provider that handles ACH account validation and aggregates state-level entity and ownership data — rather than attempting to query fifty Secretaries of State and reconstruct ownership manually. See cross-border bank account verification for the country-by-country picture.
What's coming next: the 2026 horizon
US verification is unusually unsettled right now. The rules that matter are mid-flux — one rolled back, one ramping up, one still being litigated. Four things to watch.
The beneficial-ownership rollback is interim, not final
The March 2025 rule that removed BOI reporting for domestic US companies was an interim final rule, issued under the Corporate Transparency Act amid ongoing litigation. It is not a settled, permanent state. A future administration, court ruling, or revised rule could reinstate domestic reporting — potentially with new deadlines and update obligations. The practical implication for anyone building US verification now: treat the current absence of a federal ownership register as the present reality, but keep ownership records and corporate-structure data you can fall back on, because the requirement could return. Don't architect a workflow that assumes BOI is gone forever.
States tried to fill the gap — and mostly couldn't
The most-watched state response was New York's LLC Transparency Act, which took effect on 1 January 2026 as a state-level beneficial-ownership register modelled on the federal CTA. But because the Act incorporated the CTA's definitions by reference, and the governor vetoed the bill that would have decoupled them, the federal rollback propagated to the state level: as clarified by the New York Department of State, the Act now applies only to non-US (foreign) LLCs registered to do business in New York — US-formed LLCs are exempt, mirroring the federal outcome. The lesson for verification is that the expected "states will fill the gap" backstop has, so far, largely not materialised. US beneficial-ownership transparency is contracting, not expanding — the opposite of the EU trajectory, where registers persist even as access tightens.
Instant payments are scaling — and they're irreversible
The US instant-payment rails are growing fast. The Federal Reserve's FedNow Service (launched July 2023) had more than 1,600 participating institutions by early 2026, and The Clearing House's RTP network — which now reaches roughly 70% of US demand-deposit accounts, with a single-payment limit raised to $10 million in 2025 — processes well over a million payments a day. Industry analysts project US instant-payment volume to reach around 8 billion transactions in 2026. The relevance to verification is the same dynamic that drove Europe to adopt VoP: instant payments are push, irrevocable transfers — once sent, there's no recall window. Yet the US still has no name-check layer on these rails. As instant payments scale, the gap between the speed of settlement and the absence of pre-payment name verification widens, and the burden of getting the payee right before sending falls entirely on the payer. Whether a US name-check equivalent eventually emerges is the open question; until it does, active verification before payment is the only control.
The Nacha fraud-monitoring deadline lands mid-2026
The nearest-term certainty is Nacha's broader fraud-monitoring mandate, which applies to ACH originators from 22 June 2026 (following the Phase 1 and entry-description requirements that took effect on 20 March 2026). If your team originates ACH payments, documented, risk-based fraud monitoring — with particular scrutiny on first-time recipients and bank-detail changes — is a near-term obligation, not a future nicety. Building that monitoring now, rather than scrambling at the deadline, is the prudent move.
Verifying US suppliers at scale?
Verify 50 bank accounts for free. No credit card required.
Try MonitorPay Free →Frequently Asked Questions
Does the US have Verification of Payee like Europe?
No. The US has no mandatory, real-time name-on-account verification scheme equivalent to the EU's Verification of Payee (VoP) or the UK's Confirmation of Payee (CoP). When you send an ACH credit in the US, the network confirms the account number can accept the entry, but it does not check whether the name you entered matches the account holder. That assurance, if you want it, has to be obtained through a commercial instant-verification service — it is not built into the rails.
How do I verify a US bank account?
Three main methods. Micro-deposits send one or two tiny credits the account holder confirms (slow, 2–3 days, but cheap). A prenote is a zero-dollar entry confirming the account and routing numbers are valid (a validity check, not an ownership check). Instant account verification uses commercial services to confirm account status and ownership in seconds (the standard for higher-value B2B). None of these is a name-match check in the European sense — they confirm the account works and, for instant verification, who owns it.
What are the Nacha 2026 rule changes?
Nacha's 2026 changes add standardized company entry descriptions ("PAYROLL" and "PURCHASE"), which became mandatory on March 20, 2026, and risk-based fraud monitoring for ACH originators — Phase 1 from March 20, 2026, with a broader mandate from June 22, 2026. The fraud-monitoring rule expects the highest scrutiny on first-time payment recipients and on changes to a known vendor's bank details, with documented procedures and retained records. This is alongside the existing requirement to validate first-use accounts for WEB debits.
Is there a central US business registry?
No. Unlike the UK's Companies House or France's RNE, the US has no federal company register. Businesses are registered at the state level with one of fifty Secretaries of State (or equivalent offices), each with its own portal and data. A company may also register as a "foreign" entity in other states where it operates. To verify a US supplier exists and is in good standing, you check the Secretary of State in its state of formation — there is no single national lookup.
What is an EIN, and can I verify it?
An EIN (Employer Identification Number) is a nine-digit tax identifier issued by the IRS, and it's the closest thing the US has to a national company identifier. Nearly every US business that pays employees or files business taxes has one. The catch: the IRS does not offer a public EIN lookup or verification service, so you can't query an EIN against an authoritative federal database. EIN verification relies on documentation (such as an IRS letter or W-9), third-party data sources, and matching against other records.
Do US companies still have to report beneficial ownership to FinCEN?
Not domestic companies. On March 26, 2025, FinCEN issued an interim final rule that removed beneficial-ownership (BOI) reporting for all entities created in the US under the Corporate Transparency Act, redefining "reporting company" to cover only certain foreign entities registered to do business in the US. As of 2026, domestic US companies and their beneficial owners are exempt from federal BOI reporting. Note, however, that banks and other financial institutions must still collect and verify beneficial ownership at account opening under separate customer due diligence (CDD) rules.
If BOI reporting is gone, how do I verify who owns a US supplier?
You reconstruct it. With the federal BOI register no longer applicable to domestic US companies, beneficial ownership of a US supplier has to be established from other sources: customer-due-diligence-style documentation the supplier provides, third-party ownership data, and corporate-structure tracing — especially where the supplier sits under a parent or holding company. There is no public federal register to query for domestic-company ownership, which makes ownership one of the harder parts of US KYB.
Why is vendor bank-detail fraud such a problem in the US?
Because there's no name-check on the rails. In Europe, a Verification of Payee result warns a payer when the account name doesn't match before money moves. In the US, an ACH credit settles to whatever account number is entered, with no name verification — so if a fraudster compromises a supplier's email and sends new (fraudulent) bank details, nothing in the payment process flags the mismatch. That's why Nacha's 2026 rules single out bank-detail changes for elevated monitoring, and why an independent callback before saving any change is essential.
Does account validation protect me from business email compromise?
Only partially. If a fraudster compromises your US supplier's email and sends new bank details for an account they control, account validation will confirm that account exists and can accept ACH entries — and instant verification may confirm an account holder name — but if the fraudulent account was opened in a convincing name, the validation can still pass. The fraud lives in the change request, not the account mechanics. The reliable defence is to verify any bank-detail change through an independent channel (a callback to a known number) before saving it.
How do I verify US suppliers at scale?
For one-off payments, a manual Secretary of State check plus a micro-deposit or prenote is workable. For ongoing verification across many suppliers, querying fifty state registries, verifying EINs without a public lookup, and reconstructing ownership without a federal register doesn't scale. API-based access combining ACH account validation and ownership confirmation (account layer) with EIN and state-level entity data (entity layer), plus OFAC screening and continuous monitoring, is the operational standard. Platforms like MonitorPay provide a unified API across account validation, US entity verification, and webhook-driven monitoring, with the first 50 verifications free.