Most companies validate tax IDs once at customer onboarding and never look at them again. The ID checked out, it's in the system, time to move on.
But tax data doesn't stay static.
That’s why Remote, a global HR and payroll platform operating in 95+ countries, has built validation into multiple stages of their workflow. They validate tax IDs at onboarding and run quarterly revalidations across their entire customer base. Between both, they've flagged hundreds of invalid VAT IDs that would otherwise have caused downstream issues.
"Now we can catch invalid VAT IDs before invoicing," said Kirsten Best, Head of VAT at Remote.
Without that ongoing visibility, those invalid IDs would have resulted in invoices going out with bad data, potentially triggering rejected e-invoices, collection issues, and audit exposure.
This isn't an edge case. This is what happens when you treat validation as ongoing rather than one-and-done.
The data decay problem
Across various jurisdictions, Fonoa has found that 10–20% of tax IDs change status annually. VAT and GST registrations get revoked, suspended, or reinstated. Legal entities merge, split, or dissolve. Branch and fiscal representation arrangements change. Authoritative databases update asynchronously, without notification.
That customer whose tax ID checked out perfectly at onboarding? Their status may have changed since then. If you're still relying on that original validation, you're relying on information that no longer reflects reality.
One-time validation solves for data quality at the point of entry. It doesn't solve for the decay that happens over time, often without warning, without visibility, and without discovery until an audit surfaces the issue months or years later.
For companies operating across multiple jurisdictions, this challenge compounds quickly. Each country maintains its own registry, its own update cadence, its own rules for status changes. Keeping track manually becomes untenable at scale.
The question auditors now ask
Tax authorities have noticed this gap, and they've changed how they assess compliance.
E-invoicing mandates, Continuous Transaction Control regimes, and data-driven audits are raising expectations from point-in-time checks to ongoing assurance. Over 100 countries now expect proper B2B versus B2C determination to justify applying the reverse-charge mechanism.
Historically, audits focused on transactions: whether the correct tax was applied, whether an invoice was issued correctly, whether documentation existed to support the treatment. Validation of customer tax status was assessed only indirectly.
Today, authorities have significantly greater access to transaction-level data. They receive faster, sometimes near-real-time, reporting through clearance regimes. They can cross-check customer data across registries, filings, and counterparties. And they rely on analytics to identify systemic weaknesses, not just isolated errors.
Audits are shifting away from individual mistakes and toward control design. The central question is no longer whether validation occurred once, but whether reliance on customer data remained justified:
Why did you rely on this customer's tax status at this point in time, and can you evidence that decision?
Sampling, annual reviews, and manual controls may demonstrate effort, but they don't demonstrate ongoing control. In retroactive audits, authorities assess whether reliance on customer data was reasonable at the time of each transaction, not whether a check occurred at some point in the past.
"Fonoa helps us be audit-ready," Kristen from Remote said. "I can show authorities all kinds of tax data, like exactly when a VAT number was valid."
What ongoing validation actually requires
Shifting from one-time to ongoing validation sounds straightforward, but it raises practical questions that many organisations haven't fully worked through.
How often should you revalidate? The answer depends on your risk tolerance, transaction volume, and the jurisdictions you operate in. Some companies revalidate quarterly, like Remote. Others trigger revalidation based on specific events: a customer's first transaction after a gap, a significant order, or expansion into a new market. There's no universal cadence, but "never" is increasingly hard to defend.
How do you handle status changes? When a revalidation flags an ID as invalid, what happens next? Do you have a process to notify the customer, update your records, and pause invoicing until the issue is resolved? Without a clear workflow, flagged IDs become a backlog rather than a control.
Can you evidence your decisions? Auditors don't just want to know that you validated. They want to see when you validated, what the result was, and that you acted appropriately based on that result. This requires maintaining a clear audit trail that connects validation timestamps to specific transactions.
Does your approach scale? Manual revalidation might work with a few hundred customers. It breaks down quickly at thousands or tens of thousands. Any sustainable approach needs to account for growth without proportionally increasing manual effort.
These aren't technology questions first. They're process and governance questions. The tooling matters, but only after you've decided what control framework you're trying to build.
Understand where you stand
Tax ID validation is one dimension of a larger compliance picture. How you manage customer data connects directly to how you handle e-invoicing, tax determination, reporting, and audit readiness across jurisdictions.
Take our Tax Technology Maturity Assessment to understand where your organisation sits and where your biggest opportunities are.
