Welcome to this week’s Third Party Thursday! My name is Wendy Davis and I’m the Operations Manager here at Venminder.
Today we are going to talk about the due diligence guide or checklist. First, a note of caution: the word ‘checklist’ is a bit of a misnomer. While you might check items off the list, you do need to make sure that each item is adequately reviewed to ensure it meets the purpose for which you are gathering it.
There are some basic items that you want to make sure you are always collecting. While you might tailor this based on the type of product or service, or even take a risk-based approach, there are certain things that you would normally gather for each and every new third party. These are foundational documents that should always be obtained.
There are six; here we go:
- The articles of incorporation - so that you can understand what type of company it is and if it can do the job. For example, you wouldn’t expect your core processor to be a sole proprietorship or even an LLC.
- Business license and any other professional license required - this is particularly true of those in the payment card industry, to make sure they are PCI compliant, and of any attorneys you are doing business with, to make sure they are members of the bar association or have expertise in the particular type of activity in which you have them engaged.
- Their tax ID number - again, so that you can understand some of the basic foundational items about them: what type of business it is and who the owners are. You probably want to do an OFAC check or, in the case of overseas activity, determine if the owners are politically exposed persons.
- A reputation risk check - this is becoming increasingly important since the introduction of the CFPB complaint database. You can easily search the CFPB complaint database or do a Better Business Bureau check on them, and when you find problems there you probably want to understand what their complaint management activities are.
- A secretary of state check - make sure they are good, bill-paying citizens in the state in which they are incorporated.
- A site tour or a picture of the facility - to make sure you are comfortable that they are who they say they are and aren’t simply a storefront for some other activity.
Now, depending on the nature of the product or service, you may want to gather some additional items:
- Policies and procedures - for call centers, for example, you probably want to look at some of their underlying policies and procedures. This is a good idea for any marketing or processing companies you are dealing with as well.
- A copy of their recent audit report - whether internal or external, it can often help you identify problems before they present a risk to your organization.
- The SSAE18 Report - the new SSAE18 standards that went into effect in May of 2017 are particularly helpful because they will help you understand who their critical subservice providers are.
- Network diagram and any penetration testing - depending on the type of data processing they are doing for you, you may want to look at their network diagram and any penetration testing that has been done to make sure that your data is always protected.
- Insurance certificates or business continuity plans - these are other items you may want to consider in certain circumstances, along with scripting in the case of call centers and IVR activity.
And that’s it; that’s a pretty comprehensive list of the basic items you should be covering in vendor due diligence. Again, I’m Wendy, and thanks for tuning in to this week’s Third Party Thursday; if you haven’t already done so, please subscribe to our series.