Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder.
Today we’re going to be talking about the Basics of Due Diligence. You must know with whom you are doing business. Think of it this way: you are required to verify the ID of each new customer, and that threshold should apply to all business relationships.
Due diligence is both a science and an art. By that, I mean there are times when not everything will be available and you have to get creative.
But let’s think about the basic facets of due diligence, starting at the bottom of the wheel in this case and then working clockwise:
- It should be risk-based and reasonable – For example, if one of your service providers is the guy who mows the lawn, you obviously aren’t going to ask him for his SSAE 16 report (or, as of May 2017, SSAE 18 report) – well, you could, but the response likely would not be appropriate for repeating.
- The request list and the nature of the items should match the service provided – one element of due diligence may well lead you to ask for others – for example, if you’re looking for a call center’s compliance policies and they refer to training materials, you’re likely going to need those as well.
- The due diligence should be done, at least as much as possible, pre-contract – that means well before the contract (the 90-day standard), not in a frantic effort to get things done to hit a supposed contract date. There will be times that you cannot complete due diligence prior to the contract – some items you may even have to contractually oblige them to provide, but make sure you document it and commit them to supply it as soon as reasonably possible. A few examples are things like evidence of audits, financials, and customer records – all understandable that they want to hold on to, but at the same time, if you need them, make sure the contract provides you the avenue to obtain them.
- Due diligence must be timely – this is a common pitfall that we turned into a best practice. One of the things that is easy to get stale-dated is the financial reports. If you simply lock due diligence on a particular month on the calendar, you could be looking at financials that are a year old. So we changed it and set it up so that we initiated the due diligence cycle 90 days after their fiscal year end, so we would be certain to always have the most updated information.
There may be times, from a workload standpoint, that you have to – especially if there are hundreds or even thousands of third parties to review – but we tried to get financials as the most timely item... and it paid off several times.
- Due diligence must be thorough – it’s easy to cut corners, but that can lead to ugly surprises, particularly if you follow a checklist mentality and just obtain the document without adequately reviewing it.
- Due diligence must be ongoing – this became an actual requirement in 2013 when the OCC issued its updated guidance, but it’s always been a sound business practice. This doesn’t mean everything has to be constantly updated, but it should be tracked so major documents and major milestones are not missed. The lifecycle approach to due diligence can be kind of a grind, as this diagram shows, but it can also be a well-oiled machine.
So, to recap...
- Your due diligence should be risk-based and reasonable
- The request list and the nature of the items should match the service provided
- Do as much due diligence pre-contract as you can
- Due diligence must be timely
- Due diligence must be thorough
- Due diligence must be ongoing
Again, I’m Branan and thank you for watching! Don’t forget to subscribe to the Third Party Thursday series.