Validate EIN format locally: a valid EIN is exactly 9 digits, formatted as XX-XXXXXXX, and the first two digits (the prefix) should be a known IRS campus code — maintain a current list of valid 2-digit prefixes to catch obvious fakes
At vendor or payee onboarding, collect a signed W-9 form which requires the signer to certify under penalties of perjury that the EIN provided is correct — this shifts legal responsibility to the submitter
Use the IRS TIN Matching program (accessible via IRS e-Services for enrolled payers) to validate the EIN-to-name combination before the first payment; this is a manual portal process, not a public API
If a 1099 is returned by the IRS with a TIN mismatch notice (CP2100 or B-Notice), follow the IRS backup withholding procedures: send a first B-Notice to the payee requesting a corrected W-9 within 15 business days
Document all validation steps taken with timestamps; in an IRS audit, demonstrating a good-faith TIN verification workflow is essential to avoiding liability for failure to backup withhold
Known gotchas
There is no public REST API to validate an EIN — any third-party service claiming to verify EINs in real time against IRS records is not using an official IRS data feed; treat such services with caution and do not rely on them as the sole validation method
Certain EIN prefixes are reserved or have been associated with fraudulent activity; prefix 00 is invalid and prefixes in certain ranges may warrant additional scrutiny, but prefix lists are advisory only
Sole proprietors may use either their SSN or an EIN on a W-9; either is acceptable, but the name on the W-9 must match the IRS records for that TIN exactly (including suffixes and middle names) to avoid a mismatch notice
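The local format check from the first step, with the prefix handling from the gotchas above, as an added Python example (not code from the original page). `check_ein`, `KNOWN_PREFIXES`, the status names and the masking of the stored value are assumptions of this example, and the prefix set is a constructed placeholder, not the IRS list.

```python
import re
from datetime import datetime, timezone

# Constructed placeholder set, NOT the IRS prefix list: load the current
# two-digit prefixes from the list you maintain.
KNOWN_PREFIXES = frozenset({"12", "34", "56"})

# XX-XXXXXXX, or nine bare digits that get normalized to that form.
# [0-9] rather than \d, so non-ASCII Unicode digits are rejected.
EIN_RE = re.compile(r"([0-9]{2})-?([0-9]{7})")


def check_ein(raw, known_prefixes=KNOWN_PREFIXES, now=None):
    """Local format check only. It does not confirm that the EIN exists
    or matches a name; that is what IRS TIN Matching is for."""
    now = now or datetime.now(timezone.utc)
    # Timestamped record of the step, for the validation audit trail.
    record = {"checked_at": now.isoformat(), "status": "invalid",
              "reason": "", "normalized": None, "masked": None}
    if not isinstance(raw, str):
        record["reason"] = "not a string"
        return record
    m = EIN_RE.fullmatch(raw.strip())
    if m is None:
        record["reason"] = "not 9 digits in XX-XXXXXXX form"
        return record
    prefix, serial = m.groups()
    record["normalized"] = f"{prefix}-{serial}"
    # Assumption of this example: log only the last four digits.
    record["masked"] = f"**-***{serial[-4:]}"
    if prefix == "00":
        record["reason"] = "prefix 00 is invalid"
    elif prefix not in known_prefixes:
        # Prefix lists are advisory: flag for review, do not reject.
        record["status"] = "review"
        record["reason"] = f"prefix {prefix} not in maintained list"
    else:
        record["status"] = "format_ok"
    return record
```

A `format_ok` result only means the string is well formed; the W-9 and TIN Matching steps still apply.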