An integral compliance function for any business is performing due diligence on vendors. Due to a large number of regulations and security concerns in the financial industry, it is critical to properly investigate every vendor before allowing any kind of access. Ultimately, the goal of due diligence is to limit the risks of working with an outside vendor. There are many best practices for reviewing and onboarding vendors, but the amount of effort put into a review should match the exposure the vendor creates for a business. Simply put, the depth of due diligence must increase with more risk. Follow this vendor due diligence checklist.

Determine your vendor risk

Different vendor services create different kinds of risk. Before asking detailed questions of a potential vendor, you must be able to list the new risks.

Will this vendor require giving its employees access to your workspace? Do they require exchanges of member information outside the credit union? Must they have access to employees’ personal data? Will it put devices on your network?

A potential vendor must be able to answer how they will impact your business.


Vendor due diligence checklist

Due diligence can involve many steps depending on the risk of each vendor. The process may be straightforward, or it might be very time-consuming. Typically, most companies are prepared to quickly answer due diligence requests—even detailed and technical requests coming from businesses like credit unions.

To keep the process organized, it helps to use a checklist of areas to review. Let’s go through a good example of a vendor due diligence checklist suggested by Kirkpatrick Price:

  1. General company information
  2. Financial review
  3. Reputational risk
  4. Insurance coverage
  5. Information security technical review
  6. Policy review


1. General company information:

This is the basic information about the vendor, such as contact names, addresses, and a summary of their business operations and history. General information will confirm that the company is legitimate, licensed, capable of providing services, and has a valid performance record.

2. Financial review:

The financial state of a vendor might not seem important, but checking for stable finances can help determine if the vendor will be a reliable partner in the future. A business that has financial issues might also come under pressure to cut corners on the quality—or security—of its services.

3. Reputational risk:

Whenever a connection with a vendor is established, there is the risk of being associated with that vendor if negative press comes out. It is important to check the public history of the company, look for news stories where they are mentioned, and review their standing at the Better Business Bureau.


4. Insurance coverage:

Checking to make sure a vendor has adequate insurance is a requirement of due diligence. The type of insurance will vary based on the services they provide and the risks they are exposed to. Common types of insurance that may be essential for your vendors are general liability insurance and cyber insurance.

5. Information security technical review:

At credit unions (and most modern businesses), privacy and data security are absolutely critical. Ask for verification of any certifications or standards you require or the company claims to meet. You may also wish to ask for details on any past data breaches. Generally speaking, the more details and transparency a vendor offers, the more confident they are in their security.

6. Policy review:

This is a detailed look at the operations of a business. It is the vendor’s documentation of what their employees do and how they are instructed to do it. This can give you key insights into where potential security or liability issues may occur, and give you the opportunity to ask for operational changes to reduce your business risk.


Considering the vendor information

Up next on our vendor due diligence checklist: after requested information is provided, you must review it, consider whether it’s sufficient, and decide whether the vendor meets your standards.

If a vendor has serious risks and major operational issues—or simply refuses to answer important questions—you should not hesitate to eliminate them from your vendor search.

If you are fortunate enough to find several vendors that fit your needs and can pass your due diligence, the only thing you need to consider is which one offers the best solution.

In some cases, a vendor will seem excellent but won’t quite meet all your current standards. If you still wish to work with them, consider committing to use them on the condition that they upgrade their policies to meet your needs. Vendors will often be willing to make some changes if they are certain it will get them new business.


Equips due diligence

Equips strongly recommends that our clients thoroughly review all of their vendors. If requested, we can even help you screen potential vendors with our additional experience, giving you in-depth background on each vendor you consider using. Since Equips works with our clients’ preferred vendors, our vendor list has grown to more than 500 companies across the country. This gives us unique industry expertise. If you have questions about vendor relationships and the impact of information security, please contact us. And if you are interested in learning how you can use Equips to support your staff by giving them the tools they need to tackle equipment maintenance, be sure to book a demo below. Thanks for reading!
