Vendor Due Diligence Material

Fundamental business information must be gathered for every critical and high-risk vendor. Community financial institutions use this information to assess whether the vendor complies with the laws and regulations that apply to it, and to spot potential future performance problems before they affect the institution.

Due diligence is an essential element of the vendor risk management lifecycle. For many businesses, conducting due diligence on each vendor is not just good practice but a regulatory requirement. Not all vendor relationships pose the same risk to a financial institution, but there is a baseline set of foundational documents that should be gathered for the majority of vendor engagements so the relationship can be examined further.

Collecting, reviewing and storing vendors’ due diligence materials is a vital part of the vendor management process. As part of the due diligence procedure, vendors are required to present documents that evidence their internal risk management. These documents are a crucial input to evaluating the vendor’s risk and the controls it has in place: a SOC report to confirm information security controls, internal compliance guidelines, or a business continuity plan together with the results of its testing. Each document should actually be reviewed rather than just filed; for a SOC report that means checking the report’s scope, the period it covers, and any noted exceptions.

After collecting and reviewing the vendor’s due diligence material, the financial institution should keep these documents in a central, secured location and receive notification when due diligence material is missing or needs to be collected again. Strunk’s vendor management software, Vendor Manager, can assist with your financial institution’s vendor due diligence process and provide a streamlined process. Visit to learn more.

Why is vendor management a hot topic in the world of financial institutions today?

Why is vendor management a hot topic in the world of financial institutions right now? Because regulatory organizations, including the Federal Financial Institutions Examination Council, the Office of Foreign Assets Control, and the Federal Trade Commission, are focusing on how financial institutions manage the vendors they outsource to. The Federal Deposit Insurance Corporation (FDIC) has stated that an institution can “outsource a service, but cannot outsource the duty,” making it very clear that responsibility for compliance rests with the financial institution. Different regulators refer to vendor management using different terms and approach it differently, even though they all ultimately want the same thing. For regulators, third-party risk is a sensitive subject: many different types of risk can be introduced when a bank outsources a task to a third party. Assessing, evaluating, monitoring, and controlling those risks is the core of vendor management.

The importance of vendor management is something Strunk constantly thinks about, just as the FIs we support do. We take great pride in offering vendor manager software and services that let our clients run an effective vendor management program. Components of Strunk’s effective vendor management program:

  • Risk Assessments- Assist the financial institution in assessing the risk level of the activity the vendor performs.
  • Surveys- Vendor questionnaires to evaluate the controls each vendor has in place for its emerging risks.
  • Contract- Contract assessment, and a place to capture and store the contract and its key information.
  • Service-Level agreements (SLAs)- Tracking SLAs to make sure the vendor is meeting the agreed service levels.
  • Review- Re-evaluating the vendor’s risk while also identifying any concerns with the vendor’s performance.
  • Due Diligence- A central location to store and evaluate due diligence material from the vendor.

In conclusion, a properly managed vendor relationship can result in greater quality, better service, lower costs, and happier clients.

The Importance of Impartial Vendor Reviews

Vendor reviews provide an impartial view for evaluating vendor performance and situation. They let users share expectations with vendors, be clear about which vendor performance metrics matter most, and assess the vendor’s track record of delivering value.

A vendor review should always cover core performance such as:

Efficiency of Business – Working with troublesome vendors frustrates workers and costs time and money. Assess the vendor’s processes and systems, as well as how easy the vendor is to work with.

Regulatory Compliance- Many businesses rely on vendors to fulfill a range of third-party compliance requirements and regulatory standards. Vendors have a key role in assuring compliance with these standards, which are expanding quickly. Include compliance in vendor reviews and require vendors to monitor and report on their adherence to these standards.

Improvement- The most strategic vendors should regularly bring new ideas to the table. They know their field and ought to be aware of the state of the companies they do business with. The better vendors will seek opportunities to enhance a company’s operations through changes in their sector. These factors belong in the review as well.

Financials- Another factor to consider is how successfully vendors help control expenses in two areas. First, does the vendor honor the rate agreed in the contract? Second, does the vendor offer fresh suggestions for cutting the cost of the partnership going forward? Great vendors look for ways to help cut costs through things like alternative products, better use of technology, or better inventory management. Good vendors deliver the product or service for the price they agreed to. Both should be evaluated.

Use a vendor review to align expectations and get greater value from providers. Keep these points in mind to get the most out of the vendor review process. Contact Strunk at to see how Vendor Manager can assist with this process.

The risks of working with vendors that have been sanctioned by the Office of Foreign Assets Control (OFAC)

Do you understand the risks of working with vendors who have been sanctioned by the Office of Foreign Assets Control (OFAC)? How does this affect the way you manage your vendors?

OFAC is the Treasury Department’s Office of Foreign Assets Control. It administers and enforces the economic and trade sanctions that the U.S. government imposes in support of its foreign policy and national security goals, and it works alongside the anti-money laundering and counter-terrorist financing framework that financial institutions already operate under. Sanctions target countries, individuals, and organizations that have engaged in prohibited conduct. In other words, OFAC maintains lists of people and organizations you must not do business with. Because OFAC also sanctions foreign persons and entities that use cyberattacks to threaten U.S. foreign policy, national security, or financial stability, its lists matter to security and risk management practitioners as well as to compliance staff.

It is important to track your vendors’ OFAC status because it is one more tool in your arsenal. A few pointers will help you get started:

  • Always verify key fundamental details to make sure you are doing business with a legitimate vendor.
  • Perform an OFAC check on every new vendor before the relationship begins.
  • Include this check in your initial due diligence procedure and in ongoing re-evaluations, since a vendor that was clear at onboarding can be listed later.
  • Examine contracts to make sure the necessary clauses are present.

An OFAC check on your vendors is not just a good idea; it should be standard practice. For more information on Strunk’s Vendor Manager solution, contact us at
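The OFAC check described above comes down to screening each vendor’s legal name (and any trade names) against the sanctions lists. The following is an added example of the matching step, not part of the original page and not Strunk’s code: it normalizes names, drops corporate suffixes that carry no identifying information, and uses fuzzy matching so a misspelling or a variant spelling still produces a hit for a human to review. The list entries, the suffix set and the 0.85 threshold are constructed for the example; real screening runs against the current SDN and consolidated lists published by Treasury.

```python
"""Sanctions-list name screening for vendor onboarding (added example).

The entries in SAMPLE_LIST are constructed for illustration and are NOT
real sanctions records. Real screening uses the lists published by OFAC.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample entries: a listed name plus known aliases.
SAMPLE_LIST = [
    {"name": "Example Trading Co., Ltd.",
     "aliases": ["Example Trading", "EXMPL TRADING"]},
    {"name": "Acme Shipping Services S.A.", "aliases": []},
]

# Corporate suffixes that add noise but no identity (assumed set).
_SUFFIXES = {"co", "ltd", "inc", "llc", "sa", "corp", "corporation",
             "company", "limited", "gmbh", "plc"}


def normalize(name):
    """Lower-case, strip accents and punctuation, drop corporate suffixes."""
    ascii_name = (unicodedata.normalize("NFKD", name)
                  .encode("ascii", "ignore").decode())
    tokens = re.findall(r"[a-z0-9]+", ascii_name.replace(".", "").lower())
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def similarity(a, b):
    """Similarity in [0, 1] between two normalized names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(vendor_name, entries=SAMPLE_LIST, threshold=0.85):
    """Return [(listed name, score), ...] for every entry whose name or
    alias scores at or above the threshold, best match first.
    An empty list means no potential match was found."""
    hits = []
    for entry in entries:
        candidates = [entry["name"], *entry["aliases"]]
        best = max(similarity(vendor_name, c) for c in candidates)
        if best >= threshold:
            hits.append((entry["name"], round(best, 3)))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


if __name__ == "__main__":
    for candidate in ["Example Trading Company LLC", "Exampel Trading",
                      "Northwind Data Services"]:
        hits = screen(candidate)
        status = "REVIEW" if hits else "clear"
        print(f"{candidate!r}: {status} {hits}")
```

A hit is a reason to escalate to a human reviewer, not an automatic rejection: the threshold trades false positives against misses, and a real program keeps the screening date, the list version and the reviewer’s decision as part of the vendor’s due diligence record.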

Understanding your critical vendors

Knowing who your most crucial vendors are, also called your most significant vendors, is a fundamental element of a risk-based vendor management program. A prevalent misconception is that “critical vendor” and “high-risk vendor” are interchangeable. They are not the same thing, and it is crucial to distinguish between the two when establishing your program.

Identifying your critical vendors is not only smart practice; many industries have regulations that require it. Despite minor differences in the regulators’ definitions, critical vendors share a few traits that are always relevant:

  • The product or service the vendor provides is vital to your day-to-day operations.
  • If the vendor fails to deliver the goods or service as specified, the impact on your business or your customers is significant.

Exercise caution when dealing with your critical vendors. Avoid shortcuts, since they can leave hidden or unaddressed risks that jeopardize the security and continuity of your business.

A high-risk vendor, by contrast, is one that exposes your business to a higher level of risk regardless of how important it is to your operations. A typical example is a vendor that handles, stores, or has access to your non-public data. That access makes these vendors more dangerous, even though the service they actually provide may not be vital to your business.

Understanding your own key activities clearly is the first step in defining which vendors are critical and which are high risk; the two ratings should be assigned separately, since a vendor can be either, both, or neither. To prevent serious threats to your business, identify who your critical vendors are and what role they play in the company’s operations. Critical vendors are essential to your day-to-day operations despite the risks they carry. By exercising diligence and following sound vendor risk management practices you will build strong and enduring partnerships.

Vendor Manager Contracts

A significant share of an organization’s operations is made possible through relationships with third-party vendors, and the strength of those relationships has a direct impact on revenue. Contracts with vendors can be just as significant in this system as contracts with clients. Businesses differ widely in how they handle the acquisition of goods and services. A system that centralizes data and streamlines workflows can significantly enhance outcomes and enable more profitable long-term third-party relationships, while a fragmented and ineffective system has the opposite, damaging effect.

With Strunk’s Vendor Manager software and a vendor contract management plan in place you can mitigate potential risks and increase the value of your vendor relationships. A central place to store your vendor contract information is crucial for effective vendor management, and having that information at hand makes your procurement process more efficient. Strunk’s Vendor Manager software has several advantages, including helping you organize your vendor contracts, summarizing the significant terms of each contract, and producing alerts and notices of renewals.

Strunk’s Vendor Manager software also provides a place to store each vendor’s contract and, most importantly, its due diligence material. A contract scorecard is also included. The scorecard helps you locate gaps in a contract and gives you a space to record proposed improvements: clients assign a service score to each provision, using a master service level agreement that includes the clauses commonly found in vendor contracts. By automating vendor contract management and compliance with a contract tracking system like Strunk’s, organizations can ensure that each step of the contract lifecycle happens on schedule according to a defined process.


How can vendor risk tiering improve vendor risk management?

Understanding which providers represent the greatest “threat criticality” is an essential feature of any effective vendor risk management program, and it is necessary to reduce risk and preserve business continuity. Vendor tiering implements this rating: it classifies vendors into tiers, and higher tiers carry tighter security and oversight requirements.

With the aid of vendor tiering you can improve your vendor risk management program, increase security, and build a more resilient business. Vendor risk tiering improves vendor security and compliance: it lets your vendor management team identify the vendors that present the most risk and devote more time and effort to them. This streamlines vendor risk management and concentrates attention where it is needed most, while still making sure that every vendor you engage adheres to the controls required of its tier.

Vendor risk tiering also improves onboarding by building vendor risk management into the onboarding process. It gives the program organizational structure, makes vendors simpler to evaluate, and ensures that an efficient vendor risk management process is in place.


How Can Strunk’s Vendor Manager software help you understand which vendors receive customer data and what type of data they receive

Vendor management has been a concern for financial institutions for some time. Regulatory agencies such as the Federal Trade Commission, the Office of Foreign Assets Control, and the Federal Financial Institutions Examination Council scrutinize how financial institutions (FIs) manage their outsourced vendors.

The Federal Deposit Insurance Corporation (FDIC) has stated that an institution can “outsource a service, but cannot outsource the duty,” meaning that the responsibility for compliance stays with the financial institution. This makes proper vendor management a critical duty for financial institutions, which must hold their vendors to defined requirements. In particular, you need to know which of the vendors you engage will have access to your customers’ data, and what type of data they will have access to.

Risk is always present, and recognizing and controlling the hazards associated with each vendor a financial institution does business with requires regular monitoring and review. Strunk has created an area to capture what type of data each of your vendors collects. Strunk’s Vendor Manager software also helps you mitigate your exposure by capturing each threat, the likelihood of the threat, the resulting risk, and the control the vendor has in place for that risk. Monitoring these areas effectively helps prevent operational disruptions, reputational loss, matters requiring attention, consent orders, litigation, and fines.

Overdraft Privilege Provides a Solution for Charging Multiple NSF Fees

When a merchant transaction is presented for payment from a consumer account and is refused because the customer has insufficient funds to cover it, financial institutions typically charge an NSF fee. When the merchant presents the same transaction again in order to recover the denied funds, the consumer may be charged a re-presentment NSF fee. If a depository institution receives the same merchant payment transaction more than once, it may levy multiple NSF fees. When an Automated Clearing House (ACH) or other item is presented for payment and is returned for insufficient funds, certain financial institutions levy an NSF fee for both the original presentment and each subsequent re-presentment.

In recent class action lawsuits against financial institutions, the absence of clear clauses governing the assessment of re-presentment fees was treated as a breach of contract. Some lawsuits have been settled, with customers receiving refunds and legal fees. Additionally, state and federal financial regulators are reviewing DDA agreements for potential legal, regulatory and UDAP risks. Given these risks, it is important to review your deposit disclosures and contract language to ensure the way NSF fees are charged is communicated clearly and is consistent with what a consumer could reasonably expect.

This is a good time to review your accounts and make sure that every customer or member who is eligible for Overdraft Privilege has been added to the ODP program, unless they have opted out. Doing so minimizes your exposure to NSF re-presentment fees: if a customer or member has an overdraft limit, their items are considered for payment instead of being returned, and an item that is paid rather than returned cannot be re-presented. Overdraft privilege also provides better service to your customers and members, because they are not faced with potential late fees, retailer fees, and damage to their credit from returned items.

The Importance of an Inherent Risk Survey

One of the most crucial and challenging parts of vendor management is managing the risk associated with each of your vendors. Numerous risks can arise from a financial institution’s use of vendors. Understanding each vendor’s inherent risk helps your financial institution categorize and differentiate the risk each vendor presents.

Inherent risk is the internal and external risk to which the financial institution is exposed because of the business activities it engages in and the external environment in which those activities take place, before any controls are considered. It results from the processes, activities, or transactions the financial institution is involved in, including the risk that arises as the institution enters new businesses or activities with the vendor. Several factors affect the determination of a vendor’s inherent risk.

Strunk’s Vendor Manager software compiles these factors into a Vendor Risk Assessment (Inherent Risk Survey), which enables financial institutions to produce an accurate portrayal of the overall inherent risk of any vendor. An accurate portrayal of each vendor’s inherent risk lets the financial institution lay a solid foundation for the oversight assigned to that vendor based on its inherent risk rating. Strunk’s inherent risk rating classifies the financial institution’s vendors into four categories, calculated from the risk exposure that the product or service provided may create for the institution. The inherent risk rating of a vendor drives the frequency of ongoing due diligence monitoring. Based on the inherent risk rating, the financial institution should then determine how effectively the vendor has implemented controls to manage its risk, which mitigates the potential risk exposure. Understanding each of your vendors’ inherent risk is the first step in setting up the proper foundation for your vendor manager program.
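The three ideas above (critical versus high-risk vendors, risk tiering, and an inherent risk survey whose rating drives the due diligence cadence) fit together in one small model. The following added example is not Strunk’s software and not code from the original page: the survey factors, their weights, the four tier thresholds, the review cadences and the documents required per tier are all assumptions chosen for illustration, as are the sample vendors. What it shows is that the inherent-risk score and the critical flag are assessed on separate axes, and that the resulting tier determines which due diligence documents are required and when each one is overdue.

```python
"""Inherent-risk tiering with tier-driven due diligence cadence (added example).

All factor weights, thresholds, cadences, document sets and vendors below
are assumptions constructed for illustration, not Strunk's model.
"""
from datetime import date, timedelta

# Assumed survey factors and weights; a "yes" answer adds the weight.
FACTOR_WEIGHTS = {
    "handles_npi": 4,         # stores, processes or can access non-public customer data
    "network_access": 3,      # connects into the institution's systems
    "regulated_activity": 3,  # performs an activity subject to consumer regulation
    "subcontracts": 2,        # relies on fourth parties
    "foreign_operations": 2,  # offshore processing, sanctions exposure
}

# Four tiers (assumed): minimum score, name, review cadence in days,
# and the due diligence documents required for that tier.
TIERS = [
    (9, "high",     365,  {"soc_report", "bcp_test", "financials", "insurance", "infosec_policy"}),
    (5, "moderate", 365,  {"soc_report", "financials", "insurance"}),
    (2, "low",      730,  {"financials"}),
    (0, "minimal",  1095, set()),
]


def inherent_score(survey):
    """Sum the weights of every factor the survey answered 'yes' to."""
    return sum(w for factor, w in FACTOR_WEIGHTS.items() if survey.get(factor))


def tier_for(score):
    """Map a score to (tier name, review cadence days, required documents)."""
    for min_score, name, days, docs in TIERS:
        if score >= min_score:
            return name, days, set(docs)
    raise ValueError("score must be non-negative")


def assess(vendor, today):
    """Rate one vendor: inherent tier, critical flag, cadence, and which
    required documents are missing or older than the cadence."""
    score = inherent_score(vendor["survey"])
    tier, review_days, required = tier_for(score)
    # Critical is operational dependence, a separate axis from data exposure.
    critical = vendor["essential_to_operations"]
    if critical:
        review_days = min(review_days, 365)  # at least annual review (assumption)
        required.add("bcp_test")             # continuity evidence regardless of tier
    missing, expired = [], []
    for doc in sorted(required):
        collected = vendor["documents"].get(doc)
        if collected is None:
            missing.append(doc)
        elif today - collected > timedelta(days=review_days):
            expired.append(doc)
    return {"score": score, "tier": tier, "critical": critical,
            "review_days": review_days, "missing": missing, "expired": expired}


# Constructed sample vendors.
TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = {
    # High inherent risk AND critical: the core processing platform.
    "core-processor": {
        "essential_to_operations": True,
        "survey": {"handles_npi": True, "network_access": True, "regulated_activity": True},
        "documents": {"soc_report": date(2023, 1, 15), "financials": date(2024, 3, 1),
                      "insurance": date(2024, 1, 10), "infosec_policy": date(2023, 11, 1)},
    },
    # High-risk but not critical: a statement printer that sees customer data.
    "statement-printer": {
        "essential_to_operations": False,
        "survey": {"handles_npi": True, "subcontracts": True},
        "documents": {"soc_report": date(2024, 2, 1), "financials": date(2024, 2, 1),
                      "insurance": date(2024, 2, 1)},
    },
    # Critical but low inherent risk: no customer data, yet operations stop without it.
    "atm-cash-service": {
        "essential_to_operations": True,
        "survey": {"subcontracts": True},
        "documents": {"financials": date(2024, 4, 1), "bcp_test": date(2024, 4, 1)},
    },
    # Neither: office supplies.
    "office-supplies": {"essential_to_operations": False, "survey": {}, "documents": {}},
}

if __name__ == "__main__":
    for name, vendor in SAMPLE_VENDORS.items():
        print(name, assess(vendor, TODAY))
```

Running it shows the core processor rated high and critical with its SOC report expired and its BCP test evidence missing, the statement printer rated moderate but not critical, and the ATM cash service rated low on inherent risk yet still reviewed annually because it is critical. A real survey has more factors and the weights would be set by the institution, but the separation of the two axes and the tier-to-cadence mapping is the part worth copying.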