Vendor due diligence is the practice of thoroughly assessing and managing the risks associated with your bank’s third-party service provider relationships.
Banks leverage third-party relationships with vendors, independent consultants, affiliates, fintechs, and other service providers because they offer significant benefits, including access to the latest technologies, products, services, human capital, and markets.
However, third-party relationships expose your bank to risk. Due diligence for vendors is essential because it minimizes your bank’s risk exposure by gauging your third-party vendors' ability to deliver products and services as promised while maintaining compliance, security, and operational integrity.
Failing to understand and assess the risks posed by your vendors prevents you from executing your strategic plan. It prevents you from leveraging your resources to their fullest while minimizing your exposure to unforeseen events that could jeopardize your bank and customers.
Due diligence is also a regulatory requirement for banks. If your third-party vendors fail to comply with regulatory requirements, your bank has failed to comply with regulatory requirements. Regulators do not recognize a difference between third-party vendor compliance and your bank’s compliance with regulations.
Effective vendor due diligence is necessary to avoid potential regulatory actions and fines.
Why is Vendor Due Diligence Important for Banks?
When you enter a relationship with a third-party vendor to provide products or services, you’ll first want to ask how the relationship aligns with your bank’s broader strategy and risk tolerance.
You need to ensure that your bank doesn’t rush into a relationship with a vendor and make mistakes, such as underestimating the risks posed by a particular vendor or not receiving the necessary documentation.
Due diligence provides the information to accurately assess and classify the risks of your proposed vendor. It helps you understand if the relationship aligns with your institution’s risk tolerance and identify critical vendors that require greater scrutiny.
Due diligence enables you to effectively evaluate and set the stage for mitigating risks posed by third-party vendors, carefully calibrating these risks to your bank’s strategic needs.
Vendor Due Diligence as a Regulatory Requirement
Banks regulated by the OCC, FDIC, and Federal Reserve must conduct due diligence on third parties under the Interagency Guidance on Third-Party Relationships: Risk Management.
But what exactly are the due diligence recommendations of regulators?
There are five steps in the third-party risk management lifecycle.
Planning – Sound risk management requires that your bank thoroughly analyze and determine how it will manage risks posed by third-party relationships before entering them.
Due Diligence and Third-Party Selection – When selecting a third-party vendor, you need to ensure the vendor is a good fit and will operate safely and soundly. It is important to note that even if you have previously worked with a vendor, you must perform due diligence for all new activities. RFPs help you determine if a vendor is a good match.
Contract Negotiation – Most third-party relationships require a contract establishing the scope of activity and performance metrics, data security protocols and standards (if applicable), indemnification and liability, and other internal controls. While most third parties offer standard contracts, your bank may seek modifications, provisions, and addendums to these contracts to protect your institution from risk.
Ongoing Monitoring – Monitoring third-party relationships allows your bank to assess the sustainability of vendors’ internal controls and ensure they meet the contract's obligations. It enables you to respond and seek remediation for any issues that may arise.
Termination – Banks may terminate their relationship with a third-party vendor for various reasons, including breach of contract, a vendor’s failure to comply with regulatory requirements, or the desire to seek another vendor or bring an activity in-house.
Does Every Third-Party Relationship Require the Same Amount of Due Diligence?
The short answer to this question is no. Some vendors are identified as “critical,” “high-risk,” or “significant.” Critical vendors demand more due diligence and monitoring because they pose a greater risk to your bank.
For example, if you outsource your marketing functions to a third-party vendor, you may not need the same level of due diligence as with a vendor processing payments that has access to your institution’s systems and customer data. Any vendor with access to sensitive data requires robust due diligence. Quality vendor management requires assessing the potential for data breaches, ransomware, and other cyber threats.
Cybersecurity breaches from critical third-party vendors can significantly increase your bank’s operational, financial, and reputational risk. In April of 2023, the company NCR Corp., which provides POS (point-of-sale) payment processing, inventory, and scheduling for 100,000 small restaurants and eateries, was hit by a ransomware attack.
Although this attack was not on the data center that stored customer credit card information, it disrupted its clients’ scheduling, payroll, and inventory systems.
In this instance, the risk was operational. Restaurants that used NCR Corp.’s cloud processing systems suffered financial setbacks as they struggled to schedule and pay employees and track inventory.
This story is a cautionary tale for banks that use third-party vendors with access to critical operational functions. From a due diligence perspective, not all third-party vendors expose your institution to the same level of risk. Higher-risk or critical activities performed by third parties require more comprehensive and rigorous oversight throughout the lifecycle of your relationship.
Factors to Consider for Vendor Due Diligence
Your bank needs to consider many factors when it comes to vendors. Based on the degree of risk involved in your bank’s third-party relationships, you might want to consider the following:
Strategies and Goals – Assessing how your third party’s existing business relationships, such as mergers, acquisitions, and partnerships, might influence their ability to perform an activity. Additionally, it is essential to evaluate your third party’s approach to service and employment policies, including its commitment to diversity and inclusion practices.
Legal and Regulatory Compliance – Determining if your third-party vendor possesses the expertise, processes, and controls to comply with applicable laws and regulations. This includes their responsiveness to regulations and if they have a process for mitigating any potential harm.
Financial Condition – Obtaining all the financial information related to your potential vendor, including audited financial statements, annual reports, and SEC filings.
Business Expertise – Evaluating your third-party vendor’s resources, expertise, and experience performing a contracted activity, and its background in addressing customer complaints – including prior litigation – helps you make an informed decision regarding their effectiveness.
Qualifications of Key Personnel – Assessing the skills and experience of your third party’s principals and critical staff associated with the activity offers insight into their ability to execute effectively for your bank.
Risk Management – Due diligence involves evaluating the efficacy of your third party’s overall risk management, including its policies, procedures, and internal controls. This entails assessing your third party’s governance procedures, including their delineation of roles, responsibilities, and separation of duties relevant to the activity.
Information Security – Understanding the possible implications for your institution’s information security, such as a third party’s access to your organization’s systems and data, enables your bank to determine whether to contract with a vendor.
Management of Information Systems – When technology plays an integral role in your third-party relationship, your bank benefits from evaluating both your institution’s and your third party’s information systems, helping uncover gaps in expected service levels, business processes and management, and compatibility issues.
Operational Resilience – It's essential to evaluate contingency plans in case your third party’s ability to perform an activity is compromised and ascertain if your third party upholds robust operational resilience and cybersecurity practices, including disaster recovery and business continuity planning (with an exact timeframe for the resumption of activities and data recovery).
Incident Reporting – Examining your third party’s incident reporting helps determine if there are documented processes, timelines, and accountability for identifying, reporting, investigating, and escalating incidents.
Physical Security – It is critical to assess if your third party has adequate physical and environmental safeguards to protect employees and customers, its facilities, technology systems, and data.
Subcontracting – Assessing the quantity and variety of subcontracted tasks and the extent of your third party’s dependence on subcontractors provides insights into whether these subcontracting arrangements introduce increased risk to your bank (aka fourth-party risk). A third party’s obligations to other parties may lead to legal, financial, or operational consequences for your institution.
Insurance – Assessing whether your third party has existing insurance coverage aids your organization in determining the offset of potential losses.
How Does Your Bank Receive the Information It Needs to Perform Due Diligence?
Regulators expect banks entering third-party relationships to dig deep into a laundry list of documents. Adequate due diligence requires more than glancing at a SOC report related to your vendor’s data centers and calling it a day.
Due diligence in vendor management covers a wide range of financial statements and reports, SEC filings, compliance reports, and other public documents.
Financial statements and reports provided by the vendor help your bank gauge your vendor’s financial stability and health. For example, you might ask to review your vendor’s balance sheet, which provides an overview of assets and liabilities. Your bank may also want to assess a potential vendor’s funding sources. Any available financial reports or projections are integral to vendor due diligence.
You should also obtain documentation of your chosen vendor’s compliance risk, especially as it pertains to their security protocols. The second section (Safeguards Rule) of the Gramm-Leach-Bliley Act (GLBA) stipulates that financial institutions (and by proxy their third-party service providers) must implement security protocols to protect private financial information.
Your vendor should provide documented proof of their defense-in-depth network security measures. This includes a penetration testing report, which offers information regarding network vulnerabilities and remediation plans. Documentation related to GLBA-protected data acquired from service providers focuses on any lags in discovering and reporting breaches, failure to patch flaws quickly, employee access to data, and much else.
Records of lawsuits or other legal actions against your chosen vendor offer information essential to sound due diligence. This information is publicly available and can prevent problems that may arise during your third-party relationship.
Proof of insurance from third-party service providers including general liability insurance and cyber liability insurance may also be necessary. The type of insurance that your vendors need to carry will depend on your contractual arrangement and the activities they will perform.
There are additional public documents essential to the due diligence process for vendor selection and management, including public complaints (often filed with regulatory agencies such as the CFPB), media reports, information regarding the company’s ownership structure, and more.
What needs to be emphasized is that due diligence for vendor management requires a lot of documentation to mitigate the risks posed by third parties. See our nearly exhaustive list of due diligence documentation for further information.
SOC Reports
There are two types of SOC reports – SOC 1 and SOC 2. SOC 1 reports provide a vendor’s financials, whereas SOC 2 reports focus on compliance.
SSAE 18 audits generate SOC 2 reports and demonstrate how a potential critical vendor handles customer data, including data stored in the cloud.
An SSAE 18 audit encompasses nearly everything you need to understand about how a company safeguards data from a compliance standpoint. From data security and privacy to business continuity planning and internal policies and procedures related to staff, SSAE 18 audits and the SOC 2 reports they generate are the most potent documents in your risk management arsenal.
SOC 2 reports reveal how efficient critical third-party vendors are at discovering risks to your data and how they will mitigate those risks.
With regard to risk assessment and due diligence for critical third-party vendors, nothing replaces the comprehensiveness of an SSAE 18 audit.
What Happens When a Vendor Doesn’t Have Documentation?
Unfortunately, not every third-party vendor will have the documentation you require. It’s important to remember that you don’t need a SOC 2 report for every vendor. Only critical vendors with access to sensitive data that put your bank at significant risk require this level of scrutiny.
At the same time, you might be negotiating a contract with a critical third-party vendor and discover that they haven’t undergone an SSAE 18 audit. SSAE 18 audits are thorough but require tremendous time and commitment. Not every vendor will have a SOC 2 report, and many will focus on only one aspect of their business rather than providing a company-wide report.
Suppose a potential third-party vendor lacks the documentation necessary for your bank to perform due diligence to assess the risk they pose accurately. In this case, it doesn’t necessarily mean you can’t work with this vendor, but it may require you to take additional steps, such as scheduling an on-site review.
While on-site visits are often a waste of your time and resources when you already possess what you need, including an SSAE 18 audit report, they can be essential when you can’t obtain the necessary documents from your desk.
What Should Your Bank Do with the Information It Gathers?
Your bank should use the information listed above to conduct vendor risk assessments. As we pointed out earlier, not every third-party relationship requires the same level of due diligence because vendors are not created equal.
A sound vendor risk management program should consider whether the third-party relationship involves high-risk or critical activities.
What are the characteristics of a critical activity? How does one distinguish them from other activities performed by third parties?
Critical activities are those performed by vendors that:
Pose significant risks to your bank should the third party fail to meet expectations
Have a significant impact on your customers
Expose your bank to significant operational or financial risk
Each bank is responsible for identifying its critical activities and the third-party relationships supporting them. It’s worth noting that an activity deemed critical by one bank may not be critical to your bank.
Some banks categorize each third-party relationship by criticality or risk level, whereas others first identify the critical activities and then the third-party vendors that support those activities. Regardless of how your bank defines the risk posed by third-party relationships – by vendor or by activity – your risk management strategy requires a sound methodology to determine which activities and/or relationships require more robust supervision.
When Can Your Bank Stop Performing Due Diligence on Vendors?
Effective third-party risk management occurs throughout the duration of your relationship until it is terminated. How closely you need to monitor a third party should be proportional to the level of risk in the activity they perform and the complexity of the relationship. Your bank may monitor third parties on an ongoing or periodic basis depending on the risks posed to your institution.
Sometimes, during your relationship with a vendor, the level of risk posed by the activity may change. Your bank should take a flexible approach to monitoring third-party risk, adapting monitoring and review procedures as the relationship evolves. The frequency of monitoring and the information you gather may change over time.
How Can Your Bank Make Third-Party Due Diligence Easier?
Managing third-party vendors often feels like an endless chore. Your bank employs many vendors. Sometimes it seems that as soon as one relationship ends, another begins. Consistently monitoring your existing vendors and onboarding new vendors can be overwhelming. Thankfully, there are ways to make third-party due diligence easier.
Organize and Centralize Your Documents – You don’t need to reinvent the wheel for every vendor. Ensure your bank has a vendor management program that allows you to engage your third-party relationships at each phase in the lifecycle. When your vendor management program flows across every business line and department at your bank, separate departments will have a unified documentation strategy according to each vendor's risk profile.
Automate Your Process – You save your bank time by automating your due diligence process for vendor management. Setting up alerts regarding the documents you need to add to your repository and when you need them holds both your bank and vendors accountable.
Rely on Those with Special Expertise – You don’t want to put just anyone in charge of reviewing documents that require particular expertise and experience. For instance, you may need to outsource the review of legal documents pertaining to your third-party relationships to those with legal expertise.
Understand You Need a Dedicated Vendor Management Program – Many well-intentioned people confuse Enterprise Risk Management (ERM) with a dedicated vendor risk management program. Third-party due diligence requires collecting and reviewing many documents, whereas ERM is a system for managing risk holistically across your organization. Vendor management is one aspect of ERM that involves leveraging the necessary tools to collect and analyze dense legal documents.
Consistency is Key – Ensure your vendor management due diligence process is consistent across departments and individuals.
Nvendor Delivers a Vendor Due Diligence Solution
Nvendor gives your bank a convenient way to store, track, and manage the information and documentation throughout the lifecycle of each vendor. Our centralized communication system for vendor due diligence eliminates the hassle of tracking when to gather and collect the documents and information you need to monitor third-party relationships.