Due Diligence Documentation: 9 Common Mistakes
Vendor due diligence is a regulatory requirement of the vendor management process. Financial institutions (FIs) are required to collect and review due diligence documentation before signing a contract and throughout the duration of the third-party vendor relationship.
Where do institutions go wrong? Here are nine of the most common due diligence documentation mistakes.
MISTAKE #1: Not classifying vendors correctly. Due diligence is based on risk. Third-party vendors that provide critical bank functions or have access to sensitive data require greater scrutiny and should be identified as critical, significant, or high-risk vendors (terminology depends on the regulator).
When a vendor isn’t properly classified, due diligence efforts may not align with due diligence requirements. Without correct classification there is no foundation for due diligence.

| IF YOU… | YOU MIGHT… |
|---|---|
| Classify a low-risk vendor as a high-risk vendor | Waste valuable time and resources requesting and reviewing unneeded documentation. |
| Classify a high-risk vendor as a moderate- or low-risk vendor | Fail to ask your vendor for sufficient documentation. |
| Fail to classify vendors | Complete either too much or too little vendor due diligence (and possibly both). |
MISTAKE #2: Assuming you need the same documentation from every vendor. You don’t need a SOC report from every vendor. Critical vendors, like those with access to sensitive data, require in-depth reviews, while a property insurance company wouldn’t need that level of scrutiny. Classifying your vendors, and doing so correctly, lets you know what level of documentation is needed.
MISTAKE #3: Assuming the vendor will know what you need. If you tell vendors you need due diligence documents, there is no telling what you might get, especially with smaller vendors. They might send you every policy and procedure they have, from data security to vacation request policies. Be specific and focus on areas like information security, business resiliency and disaster recovery, employee training, incident response, regulatory compliance, and independent testing.
MISTAKE #4: Not being able to identify relevant reports. Even when an FI classifies its vendor correctly, it may not be able to identify the exact documentation it needs. Many vendor portals have hundreds or even a thousand different reports, and just a handful of them will be relevant to your needs.
MISTAKE #5: Getting the wrong SOC report. FIs regularly download the wrong SOC reports, not realizing that the product they use isn’t included within the scope of the report.
MISTAKE #6: Not recognizing outdated or inapplicable documents. Are the vendor due diligence documents you have up to date? Do they apply to the products your FI uses? Third-party vendors offer a large range of products and services, and not every document will apply to every offering. Your FI shouldn’t waste time reviewing reports about a data server in India if the vendor is keeping all your data on U.S. servers.
MISTAKE #7: Wasting time on fourth-party documentation. Not every one of your vendor’s critical vendors will impact your institution. Vendors may have documentation on 20 vendors when only a handful of them really matter to your operations. Only spend time on fourth parties that can critically impact your operations.
MISTAKE #8: Expecting vendors to complete questionnaires. Requesting that a vendor complete a questionnaire seems like a simple task, but it’s not—especially for larger vendors. Imagine if every one of your customers or members asked you to complete a questionnaire on data security or privacy. It would be an onerous burden. You’d most likely just steer those customers to your published policies and procedures. Third-party vendors do the same thing.
MISTAKE #9: Expecting a quick turnaround from vendors. Some large vendors have thousands of clients. It can take them weeks to respond to requests for due diligence documentation. Be realistic when making requests and know that it may take a few months. It might even require asking more than once. Don’t save due diligence for the last minute.