Due Diligence Checklist for New Vendor Selection

Recommended Reading

The ARM space is heavily regulated and must adhere to strict compliance standards to protect the rights of consumers and maintain the integrity of the financial system. A streamlined process for new vendor selection is important to ensure compliance, manage risk, promote consistency, and improve efficiency. Following a structured process helps to ensure that all new vendor evaluations are conducted consistently. Below-mentioned steps can help you avoid potential risks that may result in working with vendors that are not the best fit for your business.

Ensure there’s a well-thought-out selection process put in place

When it comes time to make a selection, you should have a vendor vetting process in place. Having one of these processes is another critical step in ensuring that you make the right selection of a third-party vendor for your organization. That said, making the correct perceived selection should only be a starting process, rather than the end all be all. During this vetting process, you may want to consider points such as comparing certain vendors to relevant competitors, issuing requests for proposals (RFP), and completing due diligence tasks such as completing a risk assessment as dictated by your policies.

Develop structured vendor onboarding processes

Just as you have an onboarding process for new employees to make them aware of your corporate policies, it is important to develop a standardized onboarding process for your vendors. In your onboarding process, you’ll want to make sure vendors understand your information security standards/compliance policies and have agreed to adhere to those standards.

Establish expectations during onboarding. Vendor management doesn’t stop once the contract is signed. Rather, that’s when most of it begins. Your vendor management program must address what happens post-contract.

Mention all requirements in service-level agreements

Once a vendor is chosen, it’s necessary to clearly define your expectations from the vendors. While the boilerplate service level agreement (SLA) can cover your broad expectations, you must include vendor-specific agreements that dig into the details to prevent issues down the line. Doing so will help you set the right benchmarks and reduce risks related to vendor performance and compliance. Common themes that most SLAs miss are vendors’:

  • User authentication policies (password policies, access control processes, and multi-factor authentication to access the data you share with the vendor)
  • Subcontracting (fourth party) terms (something that can greatly impact your vendor’s operation, ultimately affecting you)
  • Disaster recovery and incident response plans (you should have your disaster recovery plans, and so should your vendors)
  • Incident Logging and audit patterns (vendor’s incident logging and compliance audits directly impact their risk profiles)
  • Employee conduct review (part of due diligence should require the vendor to review the risks their employees – from senior management to entry-level – may pose to your data)
  • Cybersecurity controls (your vendors need to align with your cybersecurity stance. You need to define your risk management requirements to avoid liability for their data breach)

To work collaboratively with vendors, you must share information and priorities as part of your agreement. So, if you haven’t done so, revise your service-level agreements so that they define product delivery, compliance requirements, and cybersecurity requirements in the minutest details. You must explain everything from the vendor’s access level to the data breach notification schedule to protect your business. This way, you can revisit the document and evaluate performance against clearly stated, agreed-upon terms.

Maintain a strong third-party audit program (including monthly operational assessments)

Continuous evaluation through timely audits and operational assessment (including transactional testing) is just as necessary as the new vendor due diligence and selection program. Keep up with your vendor performance reviews on an ongoing, sometimes monthly basis. Several assessments should be conducted and completed for each vendor before your first SLA expires with them, including reviews of compliance risk and information security. A clear history of performance data will also give you leverage for negotiations when it’s time to renew contracts.

Parting Words: By taking proactive steps to identify and mitigate potential vendor risks, you can minimize the impact of regulatory fines and data security incidents, align with CFPB compliance, and ensure the continuity of your business operations. To help you dig deep into the steps mentioned above and how each tip ties back to vendor management, we have compiled a comprehensive vendor compliance management guide. To download your copy, click here