Check which Control Assessments correspond to these regulations.


Industry: The industry that must comply with the specific regulatory requirement
Location: The location where the regulation and regulatory agency is based
Regulation: The standard, regulation, framework, or law
Regulator: The primary regulator or agency behind the standard, regulation, framework, or law
About the Regulation: Key points of the regulation and specific compliance area highlights
Educational Resource: An additional related resource to guide your organization as it evaluates compliance
| Industry | Location | Regulator | About the Regulation |
|---|---|---|---|
| Banking | U.S. | | The Act requires insured financial institutions to notify their appropriate federal banking agency in writing of contracts or relationships with third parties that provide certain services to the institution. |
| Banking | U.S. | | This guidance addresses performing proper due diligence when selecting computer software or a service provider. |
| Banking | U.S. | | This interpretative guidance addresses developing and implementing a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider. |
| Banking | U.S. | | The guidance describes potential risks associated with relationships with entities that process payments for telemarketers and other merchant clients. |
| Banking | U.S. | | This bulletin discusses considerations for banks with regard to confirming appraisal management companies' registration as part of sound third-party risk management. |
| Banking | U.S. | | Guidance on managing risks that may arise from relationships with foreign-based third parties. |
| Banking | U.S. | Interagency Guidance: FDIC, OCC, The Fed | This guidance outlines how banks should manage risks associated with third-party relationships. |
| Banking | U.S. | Interagency Guidance: FDIC, OCC, The Fed | The guide covers six due diligence topics community banks can consider when evaluating fintech companies. Use of this guide is voluntary. |
| Banking | U.S. | Interagency Guidance: FDIC, OCC, The Fed | This statement describes the elements of an effective country risk management process, including outsourcing to foreign third parties. |
| Banking and Financial Services | Canada | | OSFI expects federally regulated financial institutions to manage the risks related to all third-party arrangements and emphasizes that the federally regulated financial institution retains accountability for business activities, functions and services outsourced to a third party. |
| Banking and Financial Services | EU | | The guidelines set out specific provisions for these financial institutions' governance frameworks with regard to their outsourcing arrangements and the related supervisory expectations and processes. |
| Banking and Financial Services | EU | | Details how financial institutions should manage the information and communication technology (ICT) and security risks they're exposed to, including outsourced third-party relationships. |
| Banking and Financial Services | EU | | Establishes a unified approach and framework for managing information and communication technology third-party risk. |
| Credit Unions | U.S. | | This provides a list of compliance risk indicators that are part of the NCUA's Risk-Focused Examination program. |
| Credit Unions | U.S. | | The questionnaire NCUA field staff will use to complete the evaluation of credit union third-party relationships. |
| Credit Unions | U.S. | | Outlines expectations for third-party relationships, including planning, due diligence, and risk controls. |
| Credit Unions | U.S. | | Requires credit unions to report cyber incidents within 72 hours of discovery, including third-party incidents. |
| Credit Unions | U.S. | | Provides clarity on the use of third-party providers by federally insured credit unions (FICUs). |
| Credit Unions | U.S. | | A non-exhaustive list of minimum procedures a credit union should follow during a due diligence review. |
| Energy | North America | | Describes how a NERC entity should develop a supply chain cybersecurity risk management plan that identifies, assesses, and mitigates cyber risks. |
| Energy | North America | | Details how an entity can identify, assess, and mitigate vendor cybersecurity risks and document its vendor risk management program. |
| Energy | North America | | Frameworks for energy and utility companies operating with the Bulk Electric System to protect cyber assets, including security controls for supply chain risk management. |
| Financial Services | Canada | | Payment service providers must identify critical third parties and manage operational risks. |
| Financial Services | U.S. | | The guidance provides considerations for financial institutions on conducting risk assessments and crafting and evaluating policies and procedures regarding social media. |
| Financial Services | U.S. | | These procedures address outsourcing technology services and managing technology service providers. |
| Financial Services | U.S. | | This requires member firms to have procedures such as due diligence on third-party service provider arrangements. |
| Financial Services | U.S. | | The notice reminds member firms to have procedures in place for supervising activities and functions performed by third-party vendors. |
| Financial Services | U.S. | | Requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. This includes service providers. |
| Financial Services | U.S. | | Requires protection of the privacy and security of customers' non-public personal information, including safeguards on third-party access to data. |
| Financial Services | U.S. | | Guidance to help public companies prepare to report material cybersecurity incidents, including those of third-party vendors. |
| Financial Services | U.S. | | Requires public companies to report material cybersecurity incidents, including those of third-party vendors. |
| Financial Services | U.S. | | The SEC details its fiscal year priorities, including information security and operational resiliency. |
| Financial Services | U.S. | | The CFPB expects supervised banks and non-banks to oversee service provider relationships to ensure compliance with federal consumer financial law. |
| Financial Services | U.S. | | Provides guidance to financial institutions when filing Suspicious Activity Reports (SARs) on activities related to third-party payment processors. |
| Financial Services | Australia | | Requires identifying, assessing, and managing service provider risks, including a service provider management policy, formal agreements, and robust monitoring. |
| Financial Services | Australia | | Outlines expectations for organizations to be resilient against information security incidents, including protecting data managed by third parties. |
| Financial Services | UK | | Sets expectations for outsourcing and third-party risk management for financial market infrastructures. |
| Financial Services | UK | | Expectations for how entities should manage third-party relationships and risks. |
| Financial Services | UK | | Clarifies the requirements when outsourcing to the cloud and other third-party IT services. |
| Financial Services | UK | | Provides a list of questions for a firm to consider as it prepares for the use and evaluation of third-party technology providers. |
| Financial Services | UK | | Outlines requirements for mitigating critical third-party risks. |
| Financial Services | UK | | Outlines requirements for due diligence, contracting, and managing third parties. |
| Financial Services | Singapore | | Sets expectations for sound practices on risk management of outsourcing arrangements. |
| Financial Services | Singapore | | Ensures financial institutions have controls in place to minimize operational disruptions, including third-party disruptions. |
| Financial Services | Singapore | | Principles and best practices for the financial sector to manage technology risks and maintain cyber resilience, including managing third-party services. |
| Financial Services | Singapore | | Requirements for banks on protecting the confidentiality of customer information in all outsourcing arrangements. |
| Financial Services | Hong Kong - China | | Guidelines for authorized institutions (AIs) on outsourcing arrangements, including contingency planning and data confidentiality. |
| Financial Services | India | | Outlines how Regulated Entities (REs) should mitigate the risks of outsourcing IT services, including due diligence and outsourcing agreements. |
| General | International | | Security requirements for organizations that process, store, or transmit credit card information. Vendors that perform payment processing on your behalf will need to comply. |
| General | International | | An international standard for information security management systems. |
| General | U.S. | | Requires insurance companies to establish internal controls and procedures to ensure the accuracy and reliability of financial statements, which include managing third-party risks. |
| General | EU | | Organizations will be required to report Scope 3 emissions, which are indirect emissions in an organization's supply chain. |
| General | EU | | Provides legal measures to boost the overall level of cybersecurity in the EU, including security measures and incident notification requirements. |
| General | U.S. | | Prohibits direct corrupt payments to a foreign official to obtain business and indirect corrupt payments through third parties. |
| General | Canada | | Obligates certain government institutions and private-sector entities to report on the measures taken to prevent and reduce the risk of forced labor or child labor in supply chains. |
| General | UK | | Prohibits bribes made through third parties. |
| General | U.S. - California | | Gives consumers more control over the personal information that organizations collect about them. |
| General | U.S. - California | | Mandates that organizations disclose how they verify, audit, and certify human trafficking and slavery risks in supply chains. |
| General | Singapore | | Provides a baseline standard of protection for personal data in Singapore. |
| General | U.S. | | Protects the online privacy of children under 13, including standards for third-party websites or mobile apps. |
| General | U.S. - Colorado | | Grants Colorado consumers the right to access, delete, and correct their personal data, as well as opt out of the sale of their personal data. |
| General | U.S. - New York | | Requires organizations to develop, implement, and maintain safeguards to protect the security, confidentiality, and integrity of private information. |
| General | U.S. - New York | | Details requirements on areas such as business continuity and disaster recovery plans, cybersecurity incidents, cybersecurity policies and procedures, and third-party cybersecurity. |
| General | U.S. - Utah | | Provides Utah citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Virginia | | Provides Virginia citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Connecticut | | Provides Connecticut citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Delaware | | Provides Delaware citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Indiana | | Provides Indiana citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Iowa | | Provides Iowa citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Kentucky | | Provides Kentucky citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Maryland | | Provides Maryland citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Minnesota | | Provides Minnesota citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Montana | | Provides Montana citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Nebraska | | Provides Nebraska citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - New Hampshire | | Provides New Hampshire citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - New Jersey | | Provides New Jersey citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Oregon | | Provides Oregon citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Rhode Island | | Provides Rhode Island citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Tennessee | | Provides Tennessee citizens' rights to their personal data and how it's used by organizations. |
| General | U.S. - Texas | | Provides Texas citizens' rights to their personal data and how it's used by organizations. |
| General | UK | | The UK's implementation of the General Data Protection Regulation. Outlines requirements for how organizations must protect personal data. |
| General | Australia | | Regulates how government agencies and organizations handle personal information, including credit reporting, notifiable data breach schemes, and health records. |
| General | South Africa | | Guidelines on processing personal information in South Africa. |
| General | China | | Outlines the creation, use, storage, transfer, and exploitation of data in China. |
| General | Germany | | Requires due diligence on suppliers, including risk analysis and assessment, documentation, and reporting. |
| General | UK | | Holds large organisations accountable for specific fraud crimes that benefited the organisation and were committed by employees or third parties if reasonable fraud prevention procedures weren't in place. |
| General | U.S. | | Bans products from entering the United States if the products have any links to the Xinjiang Uyghur Autonomous Region. |
| General | U.S. | | A comprehensive data privacy law to protect how the data of EU citizens is collected and used. Any organization, regardless of location, that targets or collects data from EU citizens must comply. |
| Government | U.S. | | Provides guidance to government agencies to manage cybersecurity risks, including third-party cybersecurity risk. |
| Healthcare | U.S. | | Requires safeguards to protect the privacy of protected health information and sets limits and conditions on its uses and disclosures. |
| Healthcare | U.S. | | Sets standards to protect individuals' electronic personal health information. Requires administrative, physical, and technical safeguards to protect data. |