Understanding and Achieving Vendor Compliance

Vendor compliance plays a huge role in the success or failure of your third-party risk management process. In essence, if your vendor has compliance problems, so too does your organization, especially in the eyes of an auditor or regulatory examiner. However, the term "compliance" is used broadly to cover different concepts. Let's take a closer look at the different types of vendor compliance and the risks associated with each.

Overview of Vendor Compliance Risk 

Vendor compliance risk comes in three flavors – external, internal, and contractual. Each type has its specific risks:

• External compliance requires that vendors observe and comply with all laws and regulations that apply to the products and services they provide to your organization. Vendors may also need specific licenses to perform activities within a defined jurisdiction. Vendors who don’t comply with laws and regulations can negatively impact your operations, reputation, and bottom line, and regulators can hold your organization accountable for the compliance failures of your vendors.
• Internal compliance requires that vendors abide by your organization's internal rules, requirements, and processes as a condition of being your vendor. This includes following all third-party risk management requirements, such as completing vendor risk questionnaires and submitting due diligence documents on time. It can also apply to invoicing, change management, issue remediation, or any of your organization's internal requirements and processes. Non-compliant vendors create audit and exam issues, needlessly lengthen process cycle times, and cause friction and rework for your employees.
• Contractual compliance means the vendor must meet specific terms, conditions, and requirements documented in the contract. All contractual obligations require your vendor's compliance, such as meeting specific service level agreements (SLAs) or notifying your organization of a data breach within a specific timeframe. Contractual requirements usually document external and internal compliance expectations for the vendor. Moreover, they can be sued, fined, or lose their contract if they fail to comply. Nevertheless, if your vendor fails to comply with its contractual obligations, your organization will also suffer negative consequences. 

4 Ways to Verify Vendor Compliance 

When asked, every vendor will claim compliance. However, third-party risk management practices dictate that your organization must verify vendor's compliance practices and controls.

To verify vendor compliance, do the following: 

1. 1. Before engaging a vendor, review their reputation. Do they have any regulatory actions, excessive customer or consumer complaints, or negative vendor news? A pattern of compliance violations is a red flag and can’t be ignored.
   2. During the due diligence process, it’s important to request and review the following:
      
      • The vendor's compliance policy
      • Proof that employees have regulatory and compliance training 
      • The vendor's third-party risk management practices, including how they manage their vendors' compliance and proof of risk assessment and monitoring.
      • Current inventory of all required licenses (for products and services requiring them)
      • Any regulatory enforcement actions
      • The vendor's customer/consumer complaints and resolutions log
   3. During risk reassessment, review and validate the vendor's risk assessment questionnaire to ensure that it’s current. Also gather updated due diligence documentation for formal review.
   4. During ongoing monitoring, stay aware of compliance issues and trends within your vendor's industry and your own. Be sure to keep your eyes open for any negative vendor news. Risk monitoring and alert services can be instrumental in helping your organization determine if there have been external vendor compliance failures.

The Path to Vendor Compliance

Identifying and understanding the risks of vendor non-compliance is essential, but how do you and your organization compel compliance? Here are the best ways to ensure vendor compliance:

• Clearly state your expectations, both verbally and in writing. Summarize verbal conversations in an email and send it to the vendor, asking them to confirm their understanding.
• Provide written documentation detailing specific internal requirements or processes to be met.
• Include all compliance requirements in the contract.
• Require your vendor to disclose any of their third parties (your fourth parties) critical to delivering your products and services. 
• Practice risk monitoring and management. Look for any changing, new, or emerging compliance risks and address them immediately.
• Vendor performance management matters and you should identify and address any possible compliance failures early before an incident occurs.
• Document any law or regulation changes and send them to the vendor in writing. Request that they acknowledge the changes and provide a documented response stating whether they’ll be able to comply or if changes are necessary for them to meet compliance.
• Pay attention to your vendor's industry, looking for any trends or changes that might affect your vendor's compliance (external, internal, or contractual).
• Take firm and immediate action when your vendor has a compliance failure. At a minimum, you must document the issue and require a remediation plan and timeline from the vendor. In severe cases, contract termination may be the best plan.

The responsibility of maintaining vendor compliance lies with your organization, whether it's internal, external, or contract-related. You must do your homework before entering a relationship with a vendor to ensure that the tools, practices, and controls are in place to comply with laws and regulations.

Furthermore, documenting your compliance expectations and requirements for the vendor, in the contract and otherwise, is always recommended. Monitoring your vendor's risk profile and performance are good ways to spot potential compliance issues before they become major problems.