Staying On Top of Vendor Risk Management News: Week of November 5


We’ve had a little bit of everything in third-party risk news this week – from new FFIEC information to cyber issues and, oh yes, an election causing gridlock. Read those articles and more below.

Industry News for the Week of November 5

FDIC chief warns fintech companies to expect same level of regulatory scrutiny as banks: Read here

Drop in enforcement actions: Read here

ICBA warns core processors to keep up with consumer demands: Read here

FFIEC Releases Statement on OFAC Cyber-Related Sanctions

The Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement alerting financial institutions to recent actions taken by the Department of Treasury’s Office of Foreign Assets Control (OFAC) under their Cyber-Related Sanctions Program and to the potential impact it may have on financial institutions’ risk-management programs.

The statement describes the issues a financial institution should consider regarding the effect of sanctions on the operations of the financial institution and the implications of the continued use of products or services provided by a sanctioned entity.

Since the program’s inception, OFAC has issued sanctions against entities that are responsible for, are complicit in, or that have engaged in, certain malicious cyber-enabled activities, and providing material and technological support to malicious cyber actors that have targeted U.S. organizations. Some sanctioned entities may offer services to financial institutions that operate in the United States. As a result of OFAC’s sanctions, all property and interests in property of the designated persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.

Financial institutions should refer to OFAC resources or the FFIEC’s Information Technology Examination handbook for information on requirements and expectations regarding OFAC-related compliance and operational risk management.

New rules for third parties in Massachusetts?: Read here

Make guidance into regulations?: Read here

This is important – cost and compliance: Read here

Managing Risk Under OFAC’s Cyber-Related Sanctions Program

Posted: 07 Nov 2018 02:00 AM PST
Written by Shari R. Pogach, NAFCU Regulatory Paralegal

Yesterday, members of the Federal Financial Institutions Examination Council (FFIEC) (including the National Credit Union Administration and the Bureau of Consumer Financial Protection) released a joint statement on actions taken by Treasury’s Office of Foreign Assets Control (OFAC) under its Cyber-Related Sanctions Program. The statement notes these sanctions might impact a financial institution’s information technology and other operations, including the use of services of a sanctioned entity.

OFAC’s program was implemented on April 1, 2015, due to the threat to the U.S. national security, foreign policy and economy from malicious cyber-related activities originated or directed by parties outside of the U.S. Since its inception, OFAC has issued sanctions against a number of entities either involved in or responsible for malicious cyber-enabled activities by providing material and technological support to parties targeting U.S. organizations.  Some of these sanctioned entities claim they are U.S. based and offer services to financial institutions.  If an institution continues to use products or services from a sanctioned entity, whether directly or indirectly through a service provider, it risks increased operational and OFAC compliance risk that may result in violations of law, civil money penalties, enforcement actions, and reputational damage.

In order to mitigate its risk, a financial institution should ensure its OFAC compliance and risk management processes can identify, assess and mitigate any risks resulting from possible interactions with a sanctioned entity.  OFAC compliance, fraud, security, IT, third-party risk management and risk functions within the institution should collaborate to assess any potential risk.  An institution’s sanctions screening system should be updated and its processes and procedures should be in place in order to comply with these sanctions.

According to the joint statement, prohibited transactions include trade or financial transactions and other dealings, which may be broadly interpreted to include technical transactions such as downloading a software patch from a sanctioned entity.  Continued use of software and technical services from a sanctioned entity may also increase cybersecurity risk for an institution.  An institution’s third-party service provider may have used, or continue to use, products and services of a sanctioned entity on its behalf.  In some cases, the sanctioned entity might be providing a critical service or control that cannot be immediately discontinued.  In such instances, an institution should identify and implement an alternative solution as quickly as possible. 

Due to the complexities of some third-party relationships and transactions relative to the sanctions or for any operational issues presented by the sanctions deadlines, impacted financial institutions are encouraged to contact OFAC, their legal counsel and/or their security offices for additional guidance. A financial institution may contact OFAC on its telephone hotline at 1-800-540-6322 or by email at

The following additional resources are also available:

1.4 million records breached in HSBC cyber incident: Read here

Gridlock: Read here 
