Due Diligence: A Credit Union's Guide to Obtaining Vendor Documents
For many credit unions, the due diligence process can be challenging. It can be time-consuming to collect necessary documents before you even begin to validate and review the vendor's due diligence. This blog will cover some of the basics of successfully collecting vendor due diligence documents. In addition to being a regulatory requirement, it's also a necessary process that helps protect your credit union from vendor risk.
Best Practices for Collecting Documents
As with all third-party risk management activities, you must ensure that the due diligence process is consistent and effective. Here are some best practices to keep in mind:
- Make sure your due diligence is risk-based – Keep in mind that due diligence should always be based on the vendor's inherent risk and criticality. You should generally have higher standards and more robust due diligence for high-risk or critical vendors.
- Start obtaining and reviewing paperwork well before the anticipated signing or renewal of a contract – A rushed process may cause you to overlook important details or prevent you from having enough time to resolve any issues you discover.
- Use nondisclosure agreements – Vendors may be reluctant to provide confidential information without assurance that the information will be protected. Nondisclosure agreements (NDAs) are tools for protecting both parties' information.
- Document everything – You must document all due diligence collection issues or any variations in your usual process to prove your efforts to obtain the required documents. It's essential to document alternative methods used if your vendor controls can't be validated using the requested documentation.
Due Diligence Requests: 7 Common Challenges
A vendor may not always be willing or able to provide everything you require. It may take some extra effort, but you can try a few other options to obtain the appropriate information or acceptable alternatives. Here are some common scenarios you may face and some suggestions for working around them:
1. The vendor won't provide their business continuity and disaster recovery documents
- Set up a virtual call to review the plan without keeping a physical file.
- Request a heavily redacted copy.
2. The vendor won't provide the written results of their business continuity test
- Set up an interview with the vendor's BCP managers to discuss the information verbally.
3. The vendor won't share their financial documentation
- First, discuss it with your credit union's CFO and then potentially host a conversation between your team and their financial team.
- Request an accountant's statement.
- Ask about their revenue, cash ratios, capital planning, debt to worth and other related information.
- If the vendor is publicly traded, remind them that they're required by law to share their financials.
4. The vendor won't provide their policies and procedures
- Set up a virtual meeting instead to review and discuss the contents of the policy and procedures.
- Ask for the policy document outline or table of contents and confirm when the documents were last reviewed or updated.
- Consider a site visit to review the physical documents.
- Document your requirements and ask the vendor to provide a signed attestation stating the appropriate controls are in place.
5. The vendor won't provide a SOC report
- Ask them to complete a control environment questionnaire and provide supplemental documents supporting their answers.
- Arrange a call between your information security expert and the vendor's CIO or another senior information security representative to review required protocols, data protection standards, network diagrams, testing, incident response and other necessary details.
6. The vendor is a large company (e.g., Microsoft or AWS) and won't respond to your due diligence requests
- Large companies aren't resourced to respond to individual requests. That doesn't mean your institution is off the hook regarding due diligence. A simple way to get around this obstacle is to go to the company's website or do a basic web search. You'll likely be able to find certifications, post-SOC documents, public versions of their internal policies and more.
7. The vendor won't compromise despite multiple requests and valid reasoning
- Challenge them to suggest alternatives for evidencing the required controls.
- Work with your risk committee to determine if forgoing the due diligence is acceptable.
Remember: Most vendors understand the importance of due diligence. They should be willing to work with you to find alternative methods to validate their controls. Be wary of those vendors who cannot provide a legitimate business reason for not providing documentation. In some cases, that vendor's hesitancy may be a red flag and signal your institution to move on.
How to Prevent the Issue from Reoccurring
Now that you know some common challenges and recommendations to work around them, let's review a few tips to prevent these issues from reoccurring.
- Determine the scope of your vendor engagement. Not every vendor will require the same amount of due diligence. Asking too much from low-risk vendors or too little from high-risk vendors will ultimately cost you valuable time in the long run as you sort out what you need.
- Obligate the vendor to provide documentation through the contract. By having your due diligence requirements stated in the contract, you'll likely receive better cooperation from your vendor.
- Include a "right to audit" clause in the contract. This approach will ensure that you can collect certain documents in the future, as needed. Risks associated with vendors can change throughout the relationship, so your institution needs to have access to data and due diligence information covering a wide range of risk factors.
Collecting and reviewing vendor due diligence is just one component of an effective third-party risk management strategy. As credit unions continue to rely on third parties to provide essential products and services, it's important to validate and monitor vendor controls to protect your institution from risk. Remember that outsourcing a product or service doesn't mean that you're outsourcing the risk!