The vendor compliance checklist every property management team needs
· 10 min read · OnFile team
A vendor compliance program isn't software — it's a set of documents, a set of rules about when each one expires, and a process for catching the gaps before they cost you something. The software just makes the program tractable at more than a handful of vendors.
This post is the program itself: the seven documents to collect, the four questions to ask before onboarding, the four compliance states to track, the reminder cadence that actually works, and what to retain. At the bottom is a copy/paste markdown checklist you can drop into your own onboarding doc — no email gate, no PDF download form, no lead magnet. Just the list.
If you're building a vendor compliance program from scratch, work through it in order. If you're auditing one you inherited, use it as a punch list to find the gaps.
The 7 documents every vendor compliance program needs
Every program looks slightly different — your insurance carrier, your local jurisdiction, and your owners all have a vote — but the core list is remarkably consistent across small and mid-sized property management firms.
1. Form W-9
Required for any U.S. vendor you pay $600 or more in a calendar year. Collect once at onboarding; re-confirm annually because business structure changes (sole prop → LLC, LLC → S-corp) silently invalidate the version on file. Without a current W-9, you can't issue a 1099-NEC, which means the IRS comes asking. See our deeper post on automating W-9 collection for the workflow.
2. Certificate of insurance (COI)
The headline document. Validates general liability (typically $1M / $2M), workers' comp where required, commercial auto where vehicles are involved, and the endorsements that make all of it actually apply to you (additional insured, certificate holder, sometimes waiver of subrogation and primary/non-contributory). Renews annually at minimum; some carriers issue mid-year. See our COI tracking post for the full requirements list.
3. Business license
Whatever the vendor's home jurisdiction requires for them to legally operate. For property management vendors this is mostly straightforward — a generic city or county business license — but it varies. The lesson is to verify the license is actually current, not just that one was sent at some point. Most municipalities renew annually.
4. Workers' compensation coverage proof
Most states require WC coverage for any contractor with employees. Sole proprietors with no employees are usually exempt, but in some states they're not — Florida construction is the famous example. Get this confirmed in writing for any solo operator you're onboarding. The COI usually shows WC coverage as a separate line; if it doesn't, ask for a separate certificate.
5. Professional licenses (where applicable)
Not all vendors, but a meaningful subset. The trades that almost always require licenses in the U.S.:
- HVAC (most states, often state-issued, separate from city license)
- Electrical (state-issued; some cities also require local registration)
- Plumbing (state-issued)
- Pest control / pesticide application (state-issued)
- General contracting (varies wildly by state and project value threshold)
- Roofing, asbestos abatement, lead remediation (project- and state-dependent)
For each, capture the license number, issuing authority, and expiration. Most state license boards have a public lookup; verify on first onboarding and at each renewal that the license is in good standing, not just unexpired.
6. Master services agreement (MSA) or vendor agreement
A signed contract that defines the relationship: scope of work, payment terms, indemnification, insurance requirements, confidentiality, term and termination. The MSA is what makes everything else load-bearing. Without it, your insurance requirements are aspirational; with it, they're contractual.
For vendors who do project work, you'll often layer statements of work (SOWs) under a single MSA — the MSA holds the legal terms, the SOW holds the scope of one job. Track both per vendor.
7. Background check authorization (for vendors with property access)
Anyone who gets keys, key fobs, smart-lock codes, or unsupervised access to common areas or units. Most jurisdictions require written authorization from the individual contractor before you can run a background check. Capture the signed authorization on file alongside the result. If you don't run background checks, document that decision and the rationale — your owners may eventually ask.
The 4 questions to ask before onboarding a vendor
Before requesting any of the seven documents above, answer four questions about the vendor in front of you. The answers determine which documents are actually required.
1. Does this work require a license in our jurisdiction?
State and city license requirements vary. A handyman who hangs a TV doesn't need an electrical license; a handyman who installs a 220V outlet usually does. Knowing which side of the line a job sits on determines whether item #5 above is mandatory or optional. When in doubt, look it up — most state license boards have a "do I need a license?" page.
2. Does our insurance require subs to carry their own?
Almost always yes, but the limits and endorsements your insurance dictates vary by carrier and policy form. Pull your master insurance policy or call your broker and get the requirements in writing. Then make those exact requirements (limits, endorsements, the magic phrases like "primary and non-contributory") the contractual minimum in your vendor agreement. Don't make them up.
3. What's the renewal cadence on their docs?
W-9: annual confirm. COI: annual at minimum, sometimes shorter. Business license: usually annual. Professional license: varies (1, 2, or 3 years). For each vendor, capture the next renewal date for each document at onboarding. This is what makes the reminder cadence work.
4. Do they need property access?
If yes, you need:
- Background check authorization (item #7).
- Whatever your owner's lease addendum requires.
- A documented key/code distribution log.
- Often: separate insurance language about theft and vandalism.
If no, you can skip item #7 and reduce the operational burden meaningfully.
The four compliance states
Every vendor in your system should be in exactly one of four states at any given time. The states are operational, not legal — they tell your team what action (if any) to take today.
| State | Definition | What it means operationally |
|---|---|---|
| Compliant | Every required document is on file, current, and meets requirements. | Schedule work freely. |
| Expiring soon | At least one required doc expires within 30 days. | Reminder workflow already running; no new action. Don't pause work yet. |
| Missing documents | Required document(s) never submitted. | Pause new work scheduling until resolved. Existing work in progress can usually continue. |
| Non-compliant | Required document(s) past expiration with no replacement on file. | Pause all work. Don't schedule new jobs. Escalate. |
The line between expiring soon and non-compliant is where most programs fail. A COI that expired four days ago feels harmless until something happens on day five. Treat the transition seriously.
The reminder cadence that actually works
For each renewing document, run the same cadence:
| Days before expiration | Recipient | Channel | Message |
|---|---|---|---|
| 90 | Vendor | | First touch: "your X expires on [date], here's the upload link." |
| 30 | Vendor + your team | | Second touch with secure upload link; team gets a copy so it's visible. |
| 14 | Vendor | | Reminder; tone unchanged. |
| 7 | Vendor + your team | | Final reminder; team flagged because risk is now real. |
| 0 | Your team | Email + dashboard | Doc has lapsed; vendor moves to non-compliant. |
| +7 | Your team | | Escalation: assign someone to call the vendor or pause the relationship. |
Three notes on this cadence:
- Don't email more than four times. Vendors stop reading. Three nudges in the 90 → 7 day window is the right density.
- Stop the cadence the moment a renewed doc lands. The single most common reason vendors hate compliance reminders is getting them after they already complied. Build in the auto-stop.
- Different docs, different cadences if needed. Annual W-9 confirm doesn't need a 90-day nudge — the doc usually doesn't take a vendor much time to re-confirm. Use a two-touch cadence (30, 7) for low-effort renewals; use the full six-touch cadence for COIs that require broker involvement.
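The state table and the reminder cadence above can be expressed as code that a daily job evaluates per vendor and per document. This is an added example, not OnFile's code; the function names, the worst-finding-wins precedence between states, and the rule that only the most recent due touch is sent are assumptions, and the vendor data is constructed.

```python
from datetime import date, timedelta

# Days before expiration for each touch, from the cadence table; -7 is the "+7" escalation.
FULL_CADENCE = (90, 30, 14, 7, 0, -7)
LOW_EFFORT_CADENCE = (30, 7)  # two-touch cadence for low-effort renewals

def vendor_state(required, on_file, today):
    """Classify a vendor into one of the four states.

    required: document names this vendor must have.
    on_file:  {document name: expiration date of the newest copy on file}.
    Assumption: when several findings apply, the worst one wins.
    """
    missing = [d for d in required if d not in on_file]
    dates = [on_file[d] for d in required if d in on_file]
    if any(exp <= today for exp in dates):  # day 0 counts as lapsed
        return "Non-compliant"
    if missing:
        return "Missing documents"
    if any(exp <= today + timedelta(days=30) for exp in dates):
        return "Expiring soon"
    return "Compliant"

def next_touch(expires, today, sent=(), renewed=False, cadence=FULL_CADENCE):
    """Return the cadence offset to send today, or None.

    renewed=True is the auto-stop: a renewed document ends the cadence.
    Assumption: only the most recent due touch is sent, so a vendor added
    late gets one message rather than a burst of missed ones.
    """
    if renewed:
        return None
    days_left = (expires - today).days
    due = [off for off in cadence if off >= days_left]
    if not due:
        return None
    latest = min(due)
    return None if latest in sent else latest

# Constructed sample data: one vendor, evaluated on a fixed date.
TODAY = date(2025, 6, 1)
REQUIRED = ["W-9", "COI", "Business license"]
ON_FILE = {"W-9": date(2026, 1, 15), "COI": date(2025, 6, 20),
           "Business license": date(2025, 12, 31)}

if __name__ == "__main__":
    print(vendor_state(REQUIRED, ON_FILE, TODAY))
    print(next_touch(ON_FILE["COI"], TODAY, sent={90}))
```

Recording each sent offset per document is what lets the job skip a touch it has already delivered and stop as soon as the renewed copy is on file.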
What to keep and for how long
Retention requirements come from a mix of IRS rules, state licensing boards, your insurance carrier, and your own owner's expectations. The conservative defaults below cover most U.S. property management firms; verify against your specific state and policy.
| Document | Retention period | Reason |
|---|---|---|
| W-9 | 4 years after the latest tax year it applied to | IRS recommendation; matches 1099 records retention. |
| COI | Duration of contract + 4 years after | Insurance claim discovery period. |
| Business license | Until superseded; keep prior copy 1 year | Audit trail. |
| Professional license | Until superseded; keep prior copy 4 years | Some state boards request historical records. |
| Workers' comp coverage proof | Same as COI | Same insurance claim window. |
| MSA / vendor agreement | Duration of contract + 7 years after | Statute of limitations on most contract claims. |
| Background check authorization | 5 years after the engagement ends, or longer if state law requires | FCRA / state laws vary. |
Build the retention rules into your storage layer. Don't manually delete files; let the system archive them on the right schedule and produce a deletion log so you can prove records were retained for the right window.
The copy/paste vendor compliance checklist
Drop this into your onboarding doc, your Notion, or your team's Slack canvas. Edit to match your actual jurisdiction and insurance requirements. No email gate, no download.
```markdown
# Vendor onboarding compliance checklist

## Before requesting documents
- [ ] Confirm scope of work (license-required? property access?)
- [ ] Confirm own insurance requires this vendor type to carry coverage
- [ ] Capture vendor's renewal cadence per document

## Required documents
- [ ] W-9 (with TIN, business name, classification, signature)
- [ ] COI with required limits and endorsements
  - [ ] General liability (per-occurrence and aggregate limits met)
  - [ ] Workers' compensation (or sole-prop exemption documented)
  - [ ] Commercial auto (if vehicles involved)
  - [ ] Additional insured endorsement (CG 20 10 / CG 20 37)
  - [ ] Certificate holder listed correctly
  - [ ] Optional: waiver of subrogation, primary/non-contributory
- [ ] Business license (current, not expired)
- [ ] Professional license (if work requires one)
- [ ] Signed MSA / vendor agreement
- [ ] Background check authorization (if property access)

## After onboarding
- [ ] All renewal dates entered into tracking system
- [ ] Reminder cadence enabled per document
- [ ] Vendor contact email confirmed (uploads will go here)
- [ ] Assigned internal owner for this vendor

## Quarterly audit
- [ ] All vendors in "Compliant" or "Expiring soon" state
- [ ] No vendor scheduled for new work while "Non-compliant"
- [ ] Retention policy applied (no orphan files past retention window)
```
That's the entire program. Seven documents, four onboarding questions, four compliance states, six-touch reminder cadence, and a retention table. Everything else is software around those primitives — and the right software just makes running this for 100 vendors take the same amount of time as running it for five.