Why Your SaaS Should Validate VAT Numbers at Signup

Format checks pass random VAT numbers. Here is why live VAT number verification is the only way to stop fake-company signups in your SaaS.


Most B2B SaaS products ask for a VAT number during signup or at checkout to apply the reverse-charge exemption. A surprising number of them never actually check whether the number exists. That gap is exactly what fraudsters exploit.

The fake-company problem

When your product offers business pricing or VAT-exempt invoicing, it creates an incentive to supply a VAT number — real or not. Bad actors register with a plausible-looking string like DE123456789 or FR12345678901 and sail straight through if you only validate the format. The number looks correct on paper, passes your regex, and the account is live within seconds.

The downstream damage compounds quickly: your accounting records contain unverifiable company names, your invoices are legally invalid for the reverse-charge exemption, and your tax authority will not accept "the format looked right" as a defence during an audit.

Format check vs. live check

A format check (regex or length rules) only confirms that a string could be a valid VAT number for a given country. It says nothing about whether that number is actually registered to a real, active business.

A live check queries the EU VIES database in real time and returns whether the number is registered, plus the official company name and address on file. That is the only way to know you are dealing with a legitimate entity.

What to do at signup

The check is a single API call. Send the VAT number the user typed, get back a valid flag and the registered company details:

Request:

GET /api/v1/validate?vat_number=DE123456789
Authorization: Bearer your_api_key

Response:

{
  "valid": true,
  "country_code": "DE",
  "vat_number": "123456789",
  "company_name": "Example GmbH",
  "company_address": "Musterstraße 1, 10115 Berlin"
}

If valid is false, block the signup or flag the account for review. If valid is true, store the company_name and company_address from the response — not what the user typed. That stored data is your evidence that you performed due diligence at a specific point in time.

Two signals that catch most fraud

  • Number does not exist in VIES — the most common case. The user guessed a plausible string. Reject immediately.
  • Company name mismatch — the number is real but belongs to a different company than the one in your signup form. This catches identity theft and name spoofing.
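
The signup decision described above, as an added example (not VatBase's own code): it takes the parsed JSON response in the shape shown earlier plus the company name typed into the signup form, and applies both signals. The function names, the legal-form list, the name normalization and the 0.85 threshold are assumptions made for illustration.

```python
import re
import unicodedata
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Legal-form tokens ignored when comparing names (illustrative, not exhaustive).
LEGAL_FORMS = {"gmbh", "ag", "ug", "kg", "sarl", "sas", "sa", "bv", "nv", "srl", "spa", "ltd", "sl"}
MATCH_THRESHOLD = 0.85  # assumed cut-off; tune against your own signup data

# Constructed sample: the response body shown earlier on this page.
SAMPLE_RESPONSE = {"valid": True, "country_code": "DE", "vat_number": "123456789",
                   "company_name": "Example GmbH",
                   "company_address": "Musterstraße 1, 10115 Berlin"}


def normalize_name(name):
    """Case-fold, strip accents and punctuation, drop legal-form tokens."""
    text = unicodedata.normalize("NFKD", name or "").casefold()
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = re.sub(r"[^a-z0-9 ]+", " ", text).split()
    return " ".join(t for t in tokens if t not in LEGAL_FORMS)


def evaluate_signup(typed_company, api_response, now=None):
    """Return 'reject', 'review' or 'accept' plus the evidence record to store."""
    # Signal 1: fail closed unless the API explicitly returned valid: true.
    if api_response.get("valid") is not True:
        return {"decision": "reject", "reason": "vat_number_not_valid"}
    registered = api_response.get("company_name") or ""
    # Store the registry's data, not the user's input, with the check time.
    evidence = {
        "country_code": api_response.get("country_code"),
        "vat_number": api_response.get("vat_number"),
        "company_name": registered,
        "company_address": api_response.get("company_address"),
        "checked_at": (now or datetime.now(timezone.utc)).isoformat(),
    }
    # Signal 2: the number is real, but does it belong to the company named?
    a, b = normalize_name(typed_company), normalize_name(registered)
    score = round(SequenceMatcher(None, a, b).ratio(), 2) if a and b else 0.0
    if score < MATCH_THRESHOLD:
        return {"decision": "review", "reason": "company_name_mismatch",
                "score": score, "evidence": evidence}
    return {"decision": "accept", "reason": "verified", "score": score, "evidence": evidence}
```

A timeout or transport error is not a `valid: false` answer; keep those on a separate retry or review path instead of passing them to this function.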

Keep it lightweight

You do not need to build the VIES integration yourself. Handling SOAP, timeouts, and the 27 different national back-ends adds maintenance overhead for a non-core feature. A wrapper API like VatBase returns clean JSON in under 50 ms and handles outages gracefully, so your signup flow stays fast and reliable.

© 2026 VatBase. All rights reserved.