A fundamental question people often wrestle with is, “what constitutes appropriate vendor due diligence?” Or, “what are vendor due diligence reviews?” As with any question, the official answer can be found in regulatory guidance. In this case, let’s turn to FDIC Financial Institution Letter 44-2008 for this excerpt:
Comprehensive due diligence involves a review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls.
What Does That Vendor Due Diligence Excerpt Even Mean?
Translating that back into plain everyday talk, essentially that means learning as much as you can about a company prior to engaging in a business relationship.
Due diligence is both a science and an art. Sometimes you can follow a routine checklist and gather everything; other times a company can’t or won’t share information with you, and that’s when you need to get creative.
Perhaps you can come up with an alternative (e.g., a privately held company may refuse to share its financials, which is understandable, but you might instead meet with its finance officer, get a letter from its accountant, or pull a business credit report), or perhaps you can contractually commit the company to provide the information to you later.
- Due diligence should be risk based. Tailor the extent of what you ask for to the level of risk associated with the product or service; in other words, don’t expect your landscaping firm to furnish the same information as your core processor.
- Due diligence absolutely must be timely and ongoing. Let’s face it, there’s no way to rush everything just to hit a contract date, so start ahead of time. Documents expire or grow stale (e.g., financial reports, insurance certificates, PCI compliance documentation and SOC reports all carry dates), so be sure to refresh them as needed.
- Please be careful not to follow a checklist mentality. Certainly you can use a checklist, but as you gather documents, make sure to subject them to the appropriate analysis (and document the results of that analysis)! Believe me, I’ve had the unfortunate experience (more than once) of gathering and filing only to realize later that I had gathered and filed without reading the details, and then found very nasty surprises.
Effects of Vendor Due Diligence
What you determine in the course of due diligence may cause you to re-think doing business with a company. That may sound like a negative, and perhaps it is in the short term, but you’d be surprised how often that short-term pain turns into avoided long-term damage. It’s far easier to unwind a relationship before it starts than it is when ugly surprises happen down the road.
Vendor Due Diligence Logistics
I've seen all sorts of models of due diligence, from a standardized questionnaire sent to all companies to a highly customized series of questionnaires that may require multiple rounds of answering. Either one is fine, but you need to establish a process that is appropriate for your institution and follow it carefully.
You also need a path for approving due diligence when you can’t gather everything; there are certainly going to be times where “no” is the final answer. In those cases, involve your senior management team and the board to determine the appropriate action, and make sure it's firmly documented in meeting minutes to evidence the discussion.
Due diligence is a fundamental pillar of vendor management in every piece of the regulatory guidance. It can be difficult at times but done well, due diligence is an exercise that can protect your institution, consumers, data and members/shareholders.