managing-vendor-due-diligence-compliance

Structures regulatory vendor due diligence with risk assessment and ongoing monitoring requirements. Use when conducting vendor DD, assessing outsourcing risk, or managing third-party compliance.

11 stars

Best use case

managing-vendor-due-diligence-compliance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using managing-vendor-due-diligence-compliance should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/managing-vendor-due-diligence-compliance/SKILL.md --create-dirs "https://raw.githubusercontent.com/CaseMark/skills/main/skills/finance/managing-vendor-due-diligence-compliance/SKILL.md"

This fetches whatever is currently on the main branch of the repository. A skill file is a set of instructions the agent will follow inside your repository, so read the downloaded SKILL.md before relying on it, and replace main in the URL with a commit SHA if you need the install to be reproducible.

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/managing-vendor-due-diligence-compliance/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How managing-vendor-due-diligence-compliance Compares

Feature / Agent            managing-vendor-due-diligence-compliance   Standard Approach
Platform Support           Not specified                              Limited / Varies
Context Awareness          High                                       Baseline
Installation Complexity    Unknown                                    N/A

Frequently Asked Questions

What does this skill do?

Structures regulatory vendor due diligence with risk assessment and ongoing monitoring requirements. Use when conducting vendor DD, assessing outsourcing risk, or managing third-party compliance.

Where can I find the source code?

The source is in the CaseMark/skills repository on GitHub, at the path used in the Installation section above (skills/finance/managing-vendor-due-diligence-compliance/SKILL.md).

SKILL.md Source

# Managing Vendor Due Diligence Compliance

## When To Use

- Onboarding a new third-party vendor that will access customer data, perform regulated functions, or handle material outsourced activities
- Conducting periodic reassessment of existing vendor relationships (annual review cycles, contract renewals)
- Responding to a regulatory exam finding or audit deficiency related to third-party risk management
- Evaluating whether a vendor qualifies as "critical" or "significant" under applicable regulatory guidance: for US banking organizations the 2023 Interagency Guidance on Third-Party Relationships: Risk Management, which replaced the agency-specific guidance still often cited alongside it (OCC Bulletin 2013-29, FDIC FIL-44-2008, Federal Reserve SR 13-19/CA 13-21) [VERIFY applicable framework for institution type]
- Assessing outsourcing arrangements for compliance with DORA, EBA Guidelines on Outsourcing, or equivalent non-US regimes [VERIFY jurisdiction]

## Inputs To Gather

- **Vendor identification**: Legal entity name, jurisdiction of incorporation, ultimate beneficial ownership, DUNS/LEI numbers
- **Service description**: Exact functions being performed, whether the activity is customer-facing, and whether it involves access to NPI/PII or regulated data
- **Criticality classification criteria**: Institution's internal tiering framework (critical, high, moderate, low) and the factors driving classification (revenue impact, regulatory exposure, data sensitivity, substitutability)
- **Existing documentation**: Prior DD reports, SOC 2 Type II or equivalent audit reports, financial statements, insurance certificates, BCP/DR plans, information security policies
- **Regulatory context**: Which regulators oversee the institution, any open MRAs/MRIAs related to vendor management, consent order requirements
- **Contract terms**: Current or proposed SLA metrics, termination and transition provisions, subcontracting restrictions, audit rights, data handling obligations

## Workflow

1. **Classify vendor risk tier**
   - Apply the institution's criticality matrix against the service scope
   - Determine whether the vendor performs a "critical activity" or "significant outsourcing" under applicable guidance [VERIFY definition thresholds]
   - Document the rationale for the assigned tier — this drives the depth of remaining DD steps

2. **Conduct financial and operational due diligence**
   - Review audited financial statements (minimum 2 years) for solvency indicators, going-concern qualifications, and material contingencies
   - Obtain and evaluate the SOC 2 Type II report (or a SOC 1 Type II where the vendor's processing affects the institution's financial reporting); confirm the report period is recent and covers the services in scope, request a bridge letter for any gap since period end, review the complementary user entity controls the institution is expected to operate, and flag any qualified opinion or testing exceptions
   - Assess BCP/DR capabilities: RTO/RPO commitments, testing frequency, last test results
   - For critical vendors: request on-site or virtual assessment if audit reports are insufficient

3. **Assess regulatory and compliance posture**
   - Confirm vendor holds required licenses, registrations, or certifications for the services provided [VERIFY by jurisdiction and service type]
   - Screen against OFAC SDN list, BIS Entity List, and other applicable sanctions/debarment databases
   - Review vendor's own compliance program: AML/BSA policies (if applicable), privacy program, information security framework (SOC, ISO 27001, NIST CSF alignment)
   - Check litigation history and regulatory enforcement actions via PACER, state AG databases, and industry-specific registries

4. **Evaluate information security and data privacy**
   - Map data flows: what data the vendor receives, stores, processes, and transmits
   - Review vendor's incident response plan and breach notification commitments against contractual and statutory requirements (state breach notification laws, GLBA Safeguards Rule, GDPR Art. 33-34 if applicable) [VERIFY applicable data privacy regime]
   - Assess fourth-party (subcontractor) risk: identify material subcontractors, confirm the vendor's oversight controls over them, and check that security, breach notification and audit-rights obligations flow down to them by contract
   - Validate encryption in transit and at rest (including who controls the keys), access controls (least privilege, MFA for privileged and remote access, timely deprovisioning), and penetration testing cadence, with evidence that prior findings were remediated rather than only that tests were run

5. **Establish ongoing monitoring framework**
   - Define monitoring frequency by risk tier (critical: quarterly metrics + annual full reassessment; high: semi-annual review; moderate/low: annual attestation)
   - Specify trigger events requiring off-cycle reassessment: material breaches, financial deterioration, M&A activity, regulatory action against vendor, significant service failures
   - Set SLA performance tracking mechanisms and escalation thresholds
   - Schedule next periodic review date and assign responsible owner

6. **Compile DD report and recommendations**
   - Summarize findings by risk category (financial, operational, regulatory, information security, reputational)
   - Assign residual risk rating after accounting for mitigating controls and contract protections
   - Identify open items requiring remediation, with responsible parties and target dates
   - State approval recommendation: approve, approve with conditions, or reject
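
The tiering, residual-rating and scheduling logic of steps 1, 5 and 6, as an added, runnable Python example. It is not part of the CaseMark skill and not any institution's policy: the `Vendor` record, the factor weights, tier thresholds, cadences, decision rules and the sample vendor are all illustrative assumptions, to be replaced by the institution's own criticality matrix.

```python
"""Vendor risk tiering, residual rating and monitoring scheduler for steps 1, 5 and 6.
Added example, not part of the CaseMark skill and not any institution's policy: the factor
weights, tier thresholds, cadences and decision rules are illustrative assumptions to be
replaced by the institution's board-approved criticality matrix."""
from dataclasses import dataclass, field
from datetime import date, timedelta

TIERS = ("low", "moderate", "high", "critical")  # ordered lowest to highest

# Assumed cadences in days, following the skill text: critical = quarterly metrics plus an
# annual full reassessment; high = semi-annual review; moderate/low = annual attestation.
CADENCE_DAYS = {
    "critical": {"metrics": 90, "full": 365},
    "high": {"metrics": 182, "full": 182},
    "moderate": {"metrics": 365, "full": 365},
    "low": {"metrics": 365, "full": 365},
}
# Step 5 trigger events that force an off-cycle reassessment.
TRIGGER_EVENTS = {"material_breach", "financial_deterioration", "merger_or_acquisition",
                  "regulatory_action", "significant_service_failure"}

@dataclass
class Vendor:
    name: str
    handles_regulated_data: bool      # NPI/PII or other regulated data in scope
    performs_regulated_function: bool
    customer_facing: bool
    substitutability_days: int        # estimated days to transition to a replacement
    revenue_impact_pct: float         # share of revenue dependent on the service
    control_effectiveness: float      # assessor-assigned, 0.0 (none) to 1.0 (fully effective)
    self_attested: set = field(default_factory=set)  # data points not independently verified

def inherent_risk_score(v: Vendor) -> int:
    """Additive inherent-risk score (0..10) from the step 1 classification factors."""
    score = 3 if v.handles_regulated_data else 0
    score += 2 if v.performs_regulated_function else 0
    score += 1 if v.customer_facing else 0
    score += 2 if v.substitutability_days > 90 else 1 if v.substitutability_days > 30 else 0
    score += 2 if v.revenue_impact_pct >= 10 else 1 if v.revenue_impact_pct >= 2 else 0
    return score

def tier_for_score(score: int) -> str:
    """Map a score to a tier; the thresholds are assumptions."""
    return "critical" if score >= 8 else "high" if score >= 5 else "moderate" if score >= 3 else "low"

def residual_risk(v: Vendor) -> str:
    """Inherent score scaled by control effectiveness, floored at one tier below the
    inherent tier: controls reduce likelihood, not the criticality of the service."""
    score = inherent_risk_score(v)
    scaled_tier = tier_for_score(round(score * (1.0 - v.control_effectiveness)))
    floor_tier = TIERS[max(0, TIERS.index(tier_for_score(score)) - 1)]
    return max(scaled_tier, floor_tier, key=TIERS.index)

def recommendation(v: Vendor, open_items: int) -> str:
    """Step 6: self-attested data points, open remediation items or a high residual rating
    cap the outcome at 'approve with conditions'; a critical residual rating is rejected."""
    residual = residual_risk(v)
    if residual == "critical":
        return "reject"
    if open_items or v.self_attested or residual == "high":
        return "approve with conditions"
    return "approve"

def next_review(v: Vendor, last_metrics: date, last_full: date, events: set, today: date):
    """Step 5: next scheduled review for the tier, pre-empted by any trigger event.
    Returns (due date, review type, reason)."""
    triggered = events & TRIGGER_EVENTS
    if triggered:
        return today, "off-cycle reassessment", ", ".join(sorted(triggered))
    tier = tier_for_score(inherent_risk_score(v))
    metrics_due = last_metrics + timedelta(days=CADENCE_DAYS[tier]["metrics"])
    full_due = last_full + timedelta(days=CADENCE_DAYS[tier]["full"])
    if full_due <= metrics_due:  # a full reassessment supersedes a metrics check
        return full_due, "full reassessment", f"{tier} tier cadence"
    return metrics_due, "metrics review", f"{tier} tier cadence"

def finding(v: Vendor, data_point: str, value) -> str:
    """Quality check: every self-attested data point is tagged [VERIFY] in the report."""
    return f"{data_point}: {value}" + (" [VERIFY]" if data_point in v.self_attested else "")

def example_vendor() -> Vendor:
    """Constructed sample (not a real company): a core-processing outsourcer whose
    penetration-testing cadence is known only from its own questionnaire answer."""
    return Vendor("Example Core Processing Ltd", handles_regulated_data=True,
                  performs_regulated_function=True, customer_facing=False,
                  substitutability_days=180, revenue_impact_pct=15.0,
                  control_effectiveness=0.4, self_attested={"penetration_test_cadence"})

if __name__ == "__main__":
    v = example_vendor()
    print(v.name, "| inherent:", tier_for_score(inherent_risk_score(v)),
          "| residual:", residual_risk(v), "|", recommendation(v, open_items=2))
    print(finding(v, "penetration_test_cadence", "annual"))
    print(next_review(v, date(2024, 1, 15), date(2024, 1, 15), set(), date(2024, 3, 1)))
    print(next_review(v, date(2024, 1, 15), date(2024, 1, 15), {"regulatory_action"}, date(2024, 3, 1)))
```

Run it as a script to print the sample vendor's report lines. Two rules are worth keeping when adapting it: the residual rating can drop at most one tier below the inherent tier, so strong controls never make a critical outsourcing look low-risk on paper, and any data point that rests on vendor self-attestation is carried into the report with a [VERIFY] tag rather than silently treated as verified.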

## Output

The final deliverable is a **Vendor Due Diligence Report** containing:

- **Executive summary**: Vendor name, service description, risk tier, overall residual risk rating, and approval recommendation
- **Criticality classification**: Tier assignment with supporting rationale
- **DD findings matrix**: Organized by risk domain (financial, operational, regulatory, infosec, reputational) with finding severity (satisfactory / needs improvement / unsatisfactory)
- **Open items tracker**: Each item with owner, due date, and status
- **Ongoing monitoring schedule**: Frequency, metrics, trigger events, and responsible parties
- **Appendices**: Supporting documents reviewed, screening results, and any vendor-provided certifications

## Quality Checks

- Confirm the criticality classification aligns with the institution's board-approved third-party risk management policy
- Verify that all required screening databases were checked and results documented with date stamps
- Ensure contract terms (audit rights, termination provisions, data handling) are cross-referenced against DD findings — flag gaps
- Validate that the monitoring cadence meets or exceeds the minimum frequency required by the institution's primary regulator [VERIFY regulatory minimum]
- Check that fourth-party/subcontractor risks are addressed, not just direct vendor risks
- Confirm that the residual risk rating accounts for both inherent risk and the effectiveness of mitigating controls
- Mark any data point sourced from vendor self-attestation (rather than independent verification) with [VERIFY]
