Ava Torres

How Supply Chain Risk Managers Use Public Data to Vet Suppliers Before It's Too Late

How Supply Chain Risk Managers Use Public Data to Vet Suppliers Before It's Too Late

Supply chain risk is finally getting the board-level attention it deserves. After a few years of high-profile collapses — sanctions violations, FDA enforcement actions, shell company fraud — procurement teams are being asked to do what compliance teams have been doing for a decade: verify before you trust.

The problem is that most supplier vetting tools are either too expensive to use at scale or too shallow to catch the issues that actually matter. A vendor portal that checks a company name against a list is not due diligence. Real vetting means pulling business registration data, checking sanctions lists, reviewing regulatory enforcement history, and understanding who actually controls the entity you're about to send a purchase order to.

This post walks through how I've built automated supplier screening workflows using public government data sources — the same data that enterprise compliance platforms resell at 10x markup.


Why Public Data Covers More Than You Think

The US government publishes a remarkable amount of supplier-relevant data for free:

  • OFAC SDN List — Treasury's list of Specially Designated Nationals and Blocked Persons. US persons are generally prohibited from transacting with anyone on it (or with property in which a listed party holds an interest); violations carry civil penalties on a strict-liability basis and criminal penalties when willful, so a hit here is a legal problem, not just a business one.
  • FDA enforcement records — Warning letters, 510(k) clearance status, recall notices. Critical for anyone sourcing medical devices, food ingredients, or pharmaceutical components.
  • SAM.gov exclusion records — Suppliers suspended, debarred, or proposed for debarment from federal contracting. A useful proxy for serious fraud or compliance failures even if you're not a government contractor.
  • Secretary of State registrations — Confirms the entity is legally registered, identifies registered agents, and surfaces shell company red flags (no physical address, a recently-formed entity, a registered agent that is a lone individual at a PO box, etc.).
  • SEC EDGAR filings — For publicly-traded suppliers or their parent companies, financial health, related-party transactions, and material risk disclosures.

The challenge has always been that these databases don't talk to each other. You'd have to manually query five different portals for every supplier review. Automating that is exactly where this gets interesting.


The Screening Workflow

Here's the workflow I use for Tier 1 supplier onboarding. It takes about 15 minutes of setup per supplier run and can process a batch of 50 suppliers in parallel.

Step 1: Confirm the Entity Exists and Is Registered

Before anything else, verify the company is a real, active legal entity — not a shell formed last month or a doing-business-as name with no legal registration behind it.

For California-based suppliers: california-business-leads

For Texas suppliers: texas-business-leads

For Florida: sunbiz-florida-business-leads

For New Jersey: new-jersey-business-leads

Run the supplier's legal name through the relevant state SOS. What you're looking for:

  • Status: Active — not dissolved, revoked, or administratively suspended
  • Formation date — a company formed three months ago asking for a $2M PO is a red flag
  • Registered agent — mass-registered agents (like CT Corporation) are normal; a random individual with a PO box is worth a second look
  • Entity type — an LLC with one member and no operating history warrants more scrutiny than a 10-year-old C-corp

Step 2: Run OFAC Sanctions Screening

This is non-negotiable. If your supplier, its owners, or its parent company appears on the OFAC Specially Designated Nationals list, you have a legal problem, not just a business risk problem.

Use ofac-sanctions-screening to query the SDN list by company name, individual name, or country. The actor returns match scores, so you can set a threshold (e.g., flag anything above 80% similarity for manual review) and process bulk lists without hitting the Treasury website hundreds of times. Treat the score as a triage signal, not a verdict: a fuzzy hit on a common name still needs a human to compare addresses, countries, and any identifiers on the SDN entry before you clear or block the supplier.

Screen the company name, any parent company names, and — if you have them — the names of beneficial owners or executives. Include listed aliases (AKAs) in the comparison; SDN entries carry them, and a match on an alias is a match. Ownership matters as much as the supplier's own name: under OFAC's 50 percent rule, an entity that is not itself listed is still blocked if listed parties own 50 percent or more of it.

Step 3: Check FDA Enforcement History (for Regulated Goods)

If you source anything that touches FDA jurisdiction — food ingredients, packaging, medical components, cosmetics, dietary supplements — this step is essential.

openfda-drug-adverse-events-recalls pulls FDA recall notices by company name. Cross-reference with fda-510k-medical-device-clearances to verify that any device components your supplier claims are cleared are actually in the 510(k) database.

A supplier claiming 510(k) clearance for a device that doesn't appear in the 510(k) database is either confused or lying. Keep in mind that 510(k) is only one pathway: devices approved through PMA, devices granted De Novo classification, and 510(k)-exempt Class I devices legitimately won't appear there, so ask which pathway the supplier is relying on and check the matching FDA database before drawing a conclusion. Either way, you want to know before the purchase order is signed.

Step 4: Pull SEC Filings for Public Companies or Their Parents

For larger suppliers or those with publicly-traded parent companies, SEC EDGAR is a goldmine. sec-edgar-company-filings lets you pull 10-Ks, 10-Qs, 8-Ks, and proxy statements by ticker or company name.

What to look for:

  • Going concern language in the 10-K — a supplier under financial stress may not be able to fulfill orders six months from now
  • Related-party transactions — are they doing business with entities controlled by their own executives in ways that look like self-dealing?
  • Material weakness disclosures — internal control failures are a leading indicator of future compliance problems
  • 8-K filings — sudden leadership departures, regulatory investigations, and major contract losses show up here before they hit the news

Step 5: Check SAM.gov for Debarment

Even if you're not a government contractor, the SAM.gov exclusions list is a useful compliance signal. Suppliers excluded from federal contracting have typically committed fraud, failed to perform, or been found to have violated labor or environmental laws.

sam-gov-contract-opportunities lets you search the SAM.gov database. Cross-check your supplier list against active exclusion records, which SAM.gov keeps separate from its contract opportunity listings, before onboarding.


What This Catches That Vendor Portals Miss

Most vendor management portals do a name-match against a sanctions list and call it due diligence. That catches obvious hits. It misses:

  • A supplier that's clean on OFAC but whose parent company is sanctioned (and which is therefore itself blocked under the 50 percent rule if that parent owns half or more of it)
  • A company with an active recall in a product category adjacent to yours
  • A financially distressed supplier whose 10-K buried a going-concern opinion
  • An entity formed 60 days ago with no regulatory history

Combining SOS registration data, OFAC screening, FDA enforcement records, and SEC filings gives you a materially more complete picture — and it's all public data.


Practical Notes

A few things I've learned running this in production:

  • Entity name matching is harder than it looks. "Acme Corp" and "Acme Corporation" are the same company. "Acme Group LLC" might not be. Build fuzzy matching into your pipeline, not exact string comparison.
  • Run screening at onboarding AND on a periodic refresh cycle. A supplier that was clean 18 months ago may have been sanctioned or debarred since. Quarterly rescreening for Tier 1 suppliers is a reasonable cadence.
  • Document your methodology. If you're ever in front of a regulator explaining why you continued to source from a sanctioned entity, "we ran an automated screen quarterly using public OFAC data" is a better defense than "we checked when we onboarded them."
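
The threshold screening from Step 2 and the fuzzy-matching point above, as an added example written for this post rather than code from the ofac-sanctions-screening actor or any Apify workflow. It normalises entity names (case, accents, punctuation, corporate suffixes), scores a subject against each listed name and its aliases, and screens the supplier together with its parents and named owners. The list entries, identifiers, the supplier record's shape, and the 0.8 threshold are all constructed assumptions for illustration; none of them are real SDN records.

```python
"""Fuzzy entity-name screening against a sanctions/exclusion list.

Added example for this post, not code from the Apify actors it mentions.
The list entries below are CONSTRUCTED for illustration; the identifiers
and names are invented and are not real OFAC SDN records.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Corporate-form suffixes that must not drive a match: "Acme Corp" and
# "Acme Corporation" are the same entity; "Acme Group LLC" may not be.
# (Stripping these from individuals' names is a known rough edge, e.g. initials "SA".)
SUFFIXES = {
    "corp", "corporation", "inc", "incorporated", "llc", "llp", "ltd",
    "limited", "co", "company", "plc", "gmbh", "ag", "sa", "sarl", "bv", "nv",
}


def normalize(name: str) -> str:
    """Fold accents, drop punctuation and case, strip corporate suffixes."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9]+", " ", folded.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def similarity(a: str, b: str) -> float:
    """Score in [0, 1]. The order-insensitive variant tolerates 'Trading Co Acme'."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    direct = SequenceMatcher(None, na, nb).ratio()
    sorted_a = " ".join(sorted(na.split()))
    sorted_b = " ".join(sorted(nb.split()))
    return max(direct, SequenceMatcher(None, sorted_a, sorted_b).ratio())


@dataclass
class ListEntry:
    uid: str          # list-specific identifier (assumed shape, e.g. an entry number)
    name: str         # primary listed name
    program: str      # sanctions program / exclusion type
    aka: list[str] = field(default_factory=list)  # listed aliases; screen these too


# CONSTRUCTED sample list. Nothing here corresponds to a real listing.
SAMPLE_LIST = [
    ListEntry("EX-0001", "Acme Corporation", "EXAMPLE-PROGRAM", aka=["ACME CORP", "Acme Industries"]),
    ListEntry("EX-0002", "Blue Harbor Trading Co.", "EXAMPLE-PROGRAM"),
    ListEntry("EX-0003", "Pat Example", "EXAMPLE-PROGRAM"),
]


def screen_name(subject: str, role: str, entries, threshold: float = 0.8) -> list[dict]:
    """Return every entry whose name or any alias scores >= threshold against subject."""
    hits = []
    for entry in entries:
        best_score, best_name = 0.0, entry.name
        for candidate in (entry.name, *entry.aka):
            score = similarity(subject, candidate)
            if score > best_score:
                best_score, best_name = score, candidate
        if best_score >= threshold:
            hits.append({"subject": subject, "role": role, "uid": entry.uid,
                         "matched_name": best_name, "program": entry.program,
                         "score": round(best_score, 4)})
    return hits


def screen_supplier(supplier: dict, entries=SAMPLE_LIST, threshold: float = 0.8) -> list[dict]:
    """Screen the supplier itself, its parents, and its named owners/executives.

    `supplier` is a dict with keys name, parents, owners (the last two optional).
    That shape is an assumption of this example, not an actor's output schema.
    """
    subjects = [(supplier["name"], "supplier")]
    subjects += [(p, "parent") for p in supplier.get("parents", [])]
    subjects += [(o, "owner_or_exec") for o in supplier.get("owners", [])]
    hits = []
    for name, role in subjects:
        hits.extend(screen_name(name, role, entries, threshold))
    # Highest-confidence matches first so a reviewer sees the worst case at the top.
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    # Constructed supplier record: the company itself is clean ("Acme Group LLC"
    # scores ~0.57 against "Acme Corporation"), but its parent is a near-match
    # to a listed name and one named owner is an exact match.
    supplier = {"name": "Acme Group LLC",
                "parents": ["Blue Harbour Trading Ltd"],
                "owners": ["Pat Example"]}
    for hit in screen_supplier(supplier):
        print(f'{hit["role"]:14} {hit["subject"]!r:28} -> {hit["uid"]} '
              f'({hit["matched_name"]}, {hit["program"]}) score={hit["score"]}')
```

Everything at or above the threshold goes to a reviewer queue with the matched alias and program attached, which is also the record you want in the file when you later have to explain a decision. Swap the constructed list for the real SDN and SAM.gov exclusion data your pipeline pulls, and rerun the same function on the refresh cycle; the scoring logic does not change.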

The tools exist. The data is public. The gap is the workflow to connect them — and that's exactly what this kind of automation closes.


All actors mentioned run on Apify. You can try them individually or chain them into a single workflow using Apify's dataset and webhook system.