Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


TPRM and the Safeguards Rule: How Your Organization Can Comply

5 min read
Featured Image

As part of the Federal Trade Commission’s (FTC) recently updated Safeguards Rule, financial institutions such as auto dealerships, will be required to follow new guidelines for developing, implementing, and maintaining information security programs.

While the original due date required that the covered institutions comply with the amendments by December 2022, there has been a six-month extension. Reports detailed that smaller institutions might have had a challenging time meeting the original December deadline from factors such as a lack of qualified experts needed to implement the information security programs and difficulties obtaining proper equipment resulting from supply chain disruptions.

Covered institutions will be required to comply by the new deadline: June 09, 2023.

What Is the FTC Safeguards Rule?

The FTC first created the Safeguards Rule in 2003 for the purpose of protecting consumer information. However, as technology has advanced significantly since its inception, the Safeguards Rule was updated in 2021 with amendments to account for core data security principles that any FTC covered entity needs to implement.

One of the most notable changes made was a requirement for employee training programs and third-party audits to verify whether a vendor complies with these guidelines.

Through these amendments, the Safeguards Rule applies to covered financial institutions such as the following:
  • Account servicers
  • Automobile dealers
  • Check cashers
  • Collection agencies
  • Credit counselors and other financial advisors
  • Finance companies
  • Investment advisors that are not required to register with the SEC.
  • Mortgage brokers
  • Mortgage lenders
  • Non-federally insured credit unions
  • Payday lenders
  • Tax preparation firms
  • Wire transferors

safeguards rule tprm

Requirements for an Information Security Program

To properly comply with the Safeguards Rule, the following elements must be included into an information security program, as described by Section 314.4:

  1. A “qualified individual” who is responsible for overseeing and implementing the information security measures. This individual will also report their findings and activities to the Board of Directors
  2. A process for using a risk assessment to assess potential risks
  3. Controls for mitigating any risks identified in the risk assessment
  4. Ongoing monitoring and control testing plans
  5. Regular employee awareness training and refresher courses
  6. A process for assessing and updating the information security practices on a regular basis
  7. Effective third-party risk management programs to ensure vendor and subcontractor compliance
  8. An incident response plan

FTC safeguards rule

The Role of Third-Party Risk Management

Under the Safeguards Rule, covered institutions will be required to oversee their vendors. By following best practices for third-party risk management and following the vendor risk lifecycle, the process can be more easily streamlined.

Safeguards Rule Requirement Vendor Risk Management Lifecycle Activities  Lifecycle Stage
1. Select and keep service providers that maintain appropriate safeguards for customer information;
  • Risk Assessment
  • Due Diligence
  • Onboarding
2. By contract, require your service providers to implement and maintain such safeguards; and
  • Contracting
  • Onboarding
3. Assess your service providers on an ongoing basis based on the level of risk they bring to your organization and the continued adequacy of their safeguards
  • Ongoing Monitoring
  • Periodic Risk Re-Assessment
  • Refreshed Due Diligence
  • Monitoring


By implementing best practices for third-party risk management and following the steps of the vendor risk lifecycle, your team can start off on the right foot for complying with the requirements set out by the Safeguards Rule.

Remember: It’s important to ensure that your processes are easily repeatable, so that your team can repeat the process and assess every vendor and third-party provider that they use in the future. This includes using a standardized risk questionnaire, performing thorough due diligence, and documenting any issues that arise during the assessments.

Third-party risk management activities such as ongoing monitoring and assessments are more than just regulatory requirements. They are critical to protecting your institution from any risks that emerge during the vendor relationship.

Financial institutions covered by the FTC will need to take the proper steps and ensure that they comply with the amendments to the Safeguards Rule by June 2023. As part of these amendments, institutions will need to follow third-party risk management best practices for assessing their vendors, identifying potential risks, and developing controls that are capable of protecting their private information and customer data. While third-party risk management can be difficult and expensive, especially for smaller organizations, having a sufficient and repeatable process is essential to protect against vendor risks and severe threats.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo