Ghosted by a Vendor? Here’s How to Get Due Diligence Documents

You sent the request. You followed up. And now… silence.

When a vendor stops responding to your due diligence requests, it’s more than frustrating—it’s a red flag. Whether it’s an oversight, a resource issue, or something more serious, a lack of transparency puts your financial institution (FI) at risk. Regulators expect documented vendor oversight, and you can’t assess risk if the vendor doesn’t engage.

What should you do when a vendor ignores your request for due diligence documents? Here’s how to handle it—professionally, proactively, and in a way that keeps your third-party risk management program on track.

Learn More: Too busy to review due diligence documents? Let Ncontracts' TPRM Control Assessments do the heavy lifting.

Why a vendor may stop responding

If a vendor — especially a long-term third-party service provider (TPSP) — stops responding to requests, there are a few potential reasons. Perhaps your main point of contact left the company, and the new hires and existing team members are unfamiliar with your due diligence processes. Major company events, such as mergers and acquisitions (M&As), can also lead to communication delays.

Your FI can also review the documents you’ve already received from the vendor. Ask yourself if those are sufficient to rely on and consider what they reveal. For example, if the vendor’s audited financials indicate a decline in liquidity over time and they subsequently cease providing updates, that’s a potential warning warranting further review.

Regardless of the reason — whether it’s refusal, changing key roles, or evolving standards — your process should remain consistent. Continuity is key.

Tailoring your approach for large vs. small vendors 

Not all vendors are created equally, at least when it comes to your FI’s operations. That’s why tailoring your outreach approach to the vendor’s risk level and criticality is essential.

To determine a vendor’s importance, assess its role and impact on your organization. High-risk or critical vendors, such as those that could affect regulatory compliance, data security, or financial stability, require more rigorous due diligence. Low-risk or non-critical vendors typically require minimal documentation. Sometimes, alternative evidence, such as audit summaries or attestations from third-party auditors, is even sufficient.

It’s also worth noting that large companies (e.g., Google, Microsoft, and Apple) don’t readily provide detailed documentation. It’s up to your leadership team and board of directors to determine if the partnership is still worth pursuing.

Related: 3 Ways to Identify Critical Vendors for your Financial Institution

What to do when a vendor doesn’t respond (step-by-step)

It’s frustrating when a vendor won’t respond to your request for due diligence documents. Let’s suppose a vendor is not responding to your due diligence requests. Whether you ultimately decline the risk, accept it, transfer it, or share it, take these few key steps before you make your decision:

1. Escalate the issue internally. It’s essential to inform the relevant stakeholders when a vendor refuses to provide information. As a third-party risk manager, you should report this situation to the legal, compliance, or information security teams. You may also need to notify senior management or the board about the vendor’s refusal.
2. Document the vendor’s refusal. No matter the stage or status of your due diligence outreach, the most crucial part is to document everything. Record your efforts, communications, decisions, and approvals thoroughly. Later, the documentation will be vital in demonstrating your due diligence efforts to regulators, examiners, and auditors.
3. Prioritize critical vendors. Low-risk vendors may not require much documentation. However, critical vendors typically require Service Organization Control (SOC) 2 reports, audited financial statements, and business continuity plans.
4. Consider your options. Your next steps depend on which documents the vendor is refusing to provide. Fintechs, new companies, and organizations undergoing mergers or acquisitions often lack access to proper due diligence information. Other times, companies may simply refuse to share information.
5. Request alternative documents (optional): Compensating documentation may be acceptable depending on the vendor’s risk level and importance. If vendors are secretive or unwilling to share documents—even with an NDA in place—you might accept alternatives like executive summaries of audits, attestations from management or third-party auditors, or redacted reports.
6. Conduct a questionnaire or on-site visit (optional): Use questionnaires to collect information directly from the vendor, customer references, or certifications in place of formal documents. Another option is conducting on-site or virtual reviews to visually confirm controls, such as physical security and clean desk policies.
7. Establish contract provisions (optional). If the vendor still refuses to provide key documents, include provisions in your contracts to hold them accountable through penalties, fines, or liabilities.
8. Implement internal controls (as needed). Sometimes, vendors lack controls and, therefore, can’t provide documentation. In such cases, you can implement internal controls, like increasing monitoring frequency, adding performance clauses, tightening service level agreements (SLAs), or limiting the vendor’s access to your environment to reduce exposure.

While many of these steps are optional, your FI can also accept the risk. Doing so typically requires escalating the situation to the executive leadership and board, who ultimately decide whether the benefits of working with the vendor outweigh the risks.

How vendor management technology can improve due diligence

One of the benefits of using a vendor management solution is that many tasks associated with vendor due diligence, such as sharing policies and procedures, SOC 2 reports, and Statements on Standards for Attestation Engagements (SSAE) 18, can be completed directly within the web platform. This frictionless experience saves compliance teams time and human resources while maintaining high compliance rates.

Many vendor management solutions also offer services under a tri-party agreement, allowing them to engage with vendors on behalf of an institution to collect the requested documentation, particularly in cases where the vendor prefers to use its portals for document sharing.

Regardless of the reason—whether it’s refusal, changing key roles, or evolving standards—your process should remain consistent. Continuity is key.

Navigating vendor relationships is an ongoing process, and while you can do your best to mitigate risk and be proactive when it comes to due diligence, obstacles will appear from time to time. By establishing a process, tailoring your approach to the vendor, and leveraging tools and resources, you can enhance communication—ultimately leading to more effective and fruitful third-party partnerships in the future.

Explore the overlap between compliance and vendor management and best practices for mitigating the compliance risk of third-party vendors in our free whitepaper.