A payments company switches on a new KYC vendor on a Monday. By Friday, the vendor has quietly rerouted customer data through a subcontractor in a sanctioned jurisdiction that the compliance team never saw. The payments company is now the one answering questions from the regulator, not the vendor.
This is the scenario vendor due diligence exists to prevent. It is also the scenario that most third-party risk programmes still fail to catch, because they check cybersecurity boxes but never ask the AML questions that matter for financial institutions.
This guide walks through vendor due diligence end to end: what it is, why it matters, the five categories of vendor risk, the five-step process, how to tier vendors, when to trigger a review, what a working checklist looks like, and the AML and KYC-specific checks that turn a generic TPRM exercise into something a regulator will respect. It closes with what India’s RBI expects from FIs outsourcing to technology and service vendors.
If you want to layer sanctions, PEP, and UBO screening into your own vendor onboarding, you can start with HyperVerge’s AML stack.
What is Vendor Due Diligence?
Vendor due diligence (VDD) is the process of evaluating a third-party vendor’s fitness to serve your organisation, before you sign a contract and continuously throughout the relationship. It answers a simple question with layered evidence: is this vendor safe to rely on, and if the relationship breaks, can we recover without harm to customers, regulators, or revenue?
VDD Definition
VDD is the disciplined collection and evaluation of evidence about a vendor’s financial health, legal standing, operational capacity, security posture, and reputation. It is not a one-time screening. It is a lifecycle activity that starts at shortlisting and continues through offboarding, with the depth of evidence scaled to the vendor’s criticality.
VDD in the Context of TPRM
Third-Party Risk Management (TPRM) is the umbrella programme that governs every external relationship an organisation has, from a cloud host to a stationery supplier. VDD is the investigative layer inside TPRM. TPRM sets the policies, risk appetite, and ownership. VDD does the actual digging on each vendor against those policies.
The distinction matters because organisations often have one without the other. A TPRM policy with no real due diligence is paperwork. Due diligence without a policy produces inconsistent decisions. Both fail in an audit.
That is the frame. Next, why it is worth the effort.
Why Vendor Due Diligence Matters
Skipping VDD rarely causes a problem on day one. It causes the problem months later, when a vendor incident becomes your incident.
Regulatory and Compliance Exposure
Regulators treat a vendor’s compliance failure as the principal organisation’s failure. If your KYC vendor is not screening against the right sanctions lists, the regulator does not sanction the vendor. It sanctions you. This is true for banking, insurance, payments, and increasingly for any regulated fintech. VDD is what lets your compliance team say, with evidence, that the vendor was assessed and monitored against the relevant rules.
Operational and Reputational Risk
A vendor outage at the wrong moment becomes your outage. A vendor data breach involving your customers becomes your breach in the headlines. A vendor insolvency in a critical dependency becomes a scramble to migrate under pressure. Each of these can be modelled in advance and, with the right VDD checks before signing, cushioned even if it cannot be eliminated.
Fourth-Party Risk
Your vendor has vendors. Those vendors have vendors. The risk does not stop at your direct counterparty. A subcontractor your KYC vendor uses for OCR might store data in a jurisdiction you have explicitly told customers you do not use. VDD should require the vendor to disclose material subcontractors and, for the highest-tier relationships, to allow you to approve or veto them. Without that, you inherit the vendor’s choices silently.
These risks, taken together, are why VDD has hardened from a procurement task into a board-level discipline. The next step is classifying what you are actually looking for.
The 5 Categories of Vendor Risk
Most VDD frameworks organise risk into five categories. The labels are industry standard. The evidence you collect under each is where the real work lives.
Financial Risk
Financial risk asks whether the vendor will still be around next year. Look at audited financial statements, burn rate for private vendors, insurance coverage, and your own dependence ratio. A vendor that cannot absorb a bad quarter is a vendor that may cut corners, or disappear, on yours.
Legal and Regulatory Risk
Legal and regulatory risk covers licensing, sanctions exposure, data-protection alignment, litigation history, and whether the vendor operates lawfully in every jurisdiction you touch. A vendor unlicensed in your market, or recently fined by a regulator in an adjacent one, is carrying risk that will leak into your file.
Operational Risk
Operational risk is about continuity. Can the vendor meet its SLAs when volume spikes? What is its disaster-recovery posture? How concentrated is your dependency on any single team, data centre, or cloud region inside the vendor’s stack? A dependency concentration that looks tidy on a diagram can collapse a service when one node fails.
Cyber / IT Security Risk
Cybersecurity risk covers certifications (SOC 2 Type II, ISO 27001, PCI DSS where relevant), breach history, penetration-test cadence, encryption of data in transit and at rest, and the vendor’s attack surface. For vendors that touch customer data or transact on your behalf, this is often the most detailed part of the questionnaire.
Reputational / ESG Risk
A vendor’s reputation becomes an extension of yours. Public controversy, ESG misalignment, political exposure, and involvement of directors or UBOs in adverse media all feed into this. What looks like a PR issue today can become a regulatory issue tomorrow, especially in markets where ESG disclosures are now enforced.
Knowing what you are measuring is half the job. The other half is the sequence in which you measure it.
The 5-Step Vendor Due Diligence Process
Most mature VDD programmes follow the same five steps. Skipping any of them creates a gap that shows up at the wrong moment.
Step 1 — Initial Assessment
Define the need, shortlist candidate vendors, and send a baseline questionnaire. The goal is to eliminate vendors that fail obvious screens before you invest time in deep evaluation. Baseline questions cover entity details, core services, jurisdictions, certifications, and any self-reported regulatory actions in the last three years.
Step 2 — Risk Categorisation
Classify each surviving vendor by criticality and data access. A vendor processing customer PII is not in the same tier as a vendor supplying office coffee, and the VDD depth should reflect that. This step also decides who owns the vendor relationship internally and what level of signoff is required to proceed.
Step 3 — Deep Evaluation
For higher-tier vendors, run the deep dive: audited financials, security questionnaire, penetration-test reports, regulatory filings, reference calls with existing customers, and, where the stakes justify it, an on-site or virtual site visit. For AML-sensitive vendors, this is also where sanctions, PEP, and UBO checks run on the vendor entity and its directors.
Step 4 — Decision and Onboarding
Based on the evidence, decide whether to proceed, proceed with conditions, or decline. For conditional approvals, insert controls into the contract: audit rights, security addenda, data-residency clauses, breach-notification windows, and exit-assistance obligations. Onboarding is the last chance to encode controls cleanly. Retrofitting them later is always harder.
Step 5 — Ongoing Monitoring
The day the vendor goes live is not the day VDD stops. Schedule periodic reviews by tier (annual for critical vendors, less often for low-risk ones) and wire up continuous monitoring signals: sanctions list changes, adverse media, financial distress alerts, and breach disclosures. Trigger events, covered later in this guide, force an out-of-cycle review.
The process is cleanest when vendors are grouped sensibly. That is what tiering does.
Vendor Risk Tiering
Tiering is how a VDD team keeps itself sane. A company with 400 vendors cannot run a deep evaluation on each one every year. Tiering decides which vendors deserve the hours.
Critical Vendors
Critical vendors are service-critical, data-critical, or revenue-critical. If they fail, the business degrades or stops. A core banking provider, a primary cloud host, a KYC vendor at the top of the onboarding funnel, and a payments processor are typical examples. They get the deepest due diligence, the most frequent reviews, and the strictest contractual controls.
High-Risk Vendors
High-risk vendors handle sensitive data or touch regulatory workflows but are not single points of failure. Marketing automation tools holding customer PII, analytics platforms, and non-critical SaaS with access to internal systems fit here. They get a full security questionnaire and annual review, but not usually a site visit.
Low-Risk Vendors
Low-risk vendors are non-sensitive and substitutable: office supplies, building services, and generic tools without customer-data access. They get a baseline entity check, basic financial screen, and a light periodic review. Trying to apply critical-vendor rigour here wastes the programme’s capacity on the wrong targets.
Tiering decides depth. Timing decides frequency. Both should be explicit in your policy.
When to Conduct Vendor Due Diligence: Trigger Points
VDD has four natural trigger points. Well-run programmes treat all four as mandatory, not optional.
New Vendor Onboarding
The pre-contract evaluation is the baseline. Everything downstream in the relationship is built on the evidence captured here. Compressing this step to meet a procurement deadline is a common source of trouble later.
Contract Renewal or Scope Change
Any material change (a renewal, a new module, a new data category, a new geography) should re-baseline the vendor. A vendor you cleared two years ago for one workflow may be a different risk today if you are now routing customer transactions through them.
Incident or Breach
A security breach, a regulatory action, negative adverse media, a senior management change, or a change in beneficial ownership should all force an out-of-cycle review. This is where continuous monitoring earns its keep: the alert arrives, and the team does not have to wait for the next annual cycle to act.
Periodic Review
Even in a quiet year, critical vendors deserve an annual review, high-risk vendors semi-annually or annually by policy, and low-risk vendors on a longer cycle. The review does not have to be a full rebuild. It has to be rigorous enough to catch drift.
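The tiering rules and the four trigger points above reduce to a small scheduling policy: tier decides evidence depth and review interval, and a trigger event after the last completed review pulls the next review forward. The following script is an added illustration of that policy, not code from HyperVerge or from any TPRM product; the vendors, dates and event names are constructed sample data, and the interval and evidence tables encode this guide's cadence rather than any regulator's fixed numbers.

```python
"""Tiering, review cadence and trigger-driven out-of-cycle reviews: an added
illustration of the rules in this guide's tiering and trigger-point sections.
The vendors and event dates below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Periodic review interval per tier (days).  Follows the guide's cadence:
# annual for critical and high-risk vendors, a longer cycle for low-risk ones.
REVIEW_INTERVAL_DAYS = {"critical": 365, "high-risk": 365, "low-risk": 730}

# Evidence collected per tier, from the guide's tiering section.
REQUIRED_CHECKS = {
    "critical": ["entity check", "audited financials", "security questionnaire",
                 "pen-test reports", "site visit", "sanctions/PEP/UBO screening",
                 "subcontractor approval"],
    "high-risk": ["entity check", "financial screen", "security questionnaire"],
    "low-risk": ["entity check", "basic financial screen"],
}

# Events that force an out-of-cycle review (guide: incident or breach, scope
# change, renewal, management or beneficial-ownership change).
TRIGGER_EVENTS = {"breach", "regulatory_action", "adverse_media",
                  "management_change", "ownership_change", "scope_change", "renewal"}


@dataclass
class Vendor:
    name: str
    service_critical: bool        # business degrades or stops if it fails
    handles_customer_pii: bool
    in_regulated_workflow: bool   # sits inside a KYC, AML or payments flow
    last_review: Optional[date] = None
    events: List[Tuple[date, str]] = field(default_factory=list)


def tier(v: Vendor) -> str:
    """Critical if it is a single point of failure; high-risk if it touches
    sensitive data or a regulated workflow; low-risk otherwise."""
    if v.service_critical:
        return "critical"
    if v.handles_customer_pii or v.in_regulated_workflow:
        return "high-risk"
    return "low-risk"


def next_review_due(v: Vendor, today: date) -> date:
    """Periodic due date for the vendor's tier, pulled forward to the date of
    any trigger event that occurred after the last completed review."""
    if v.last_review is None:
        return today  # never assessed: the onboarding review is due now
    due = v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[tier(v)])
    for when, kind in v.events:
        if kind in TRIGGER_EVENTS and when > v.last_review:
            due = min(due, when)
    return due


def reviews_overdue(vendors: List[Vendor], today: date) -> List[str]:
    """Names of vendors whose review date has arrived, for the review queue."""
    return sorted(v.name for v in vendors if next_review_due(v, today) <= today)


# Constructed sample portfolio (hypothetical vendors).
SAMPLE_VENDORS = [
    Vendor("KYC Vendor", True, True, True, date(2024, 3, 1),
           [(date(2024, 9, 15), "ownership_change")]),
    Vendor("Marketing Automation", False, True, False, date(2024, 6, 1)),
    Vendor("Office Supplies", False, False, False, date(2023, 1, 10)),
]
TODAY = date(2024, 10, 1)

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name}: {tier(v)}, checks={REQUIRED_CHECKS[tier(v)]}, "
              f"review due {next_review_due(v, TODAY)}")
    print("overdue:", reviews_overdue(SAMPLE_VENDORS, TODAY))
```

Run as-is, the KYC vendor lands in the overdue queue on 15 September 2024 because of the beneficial-ownership change, even though its annual review would not otherwise fall due until March 2025; the two other vendors keep their periodic dates. The point of keeping the policy in data tables rather than in conditionals is that an auditor can read the cadence straight off the file.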
Timing and depth are policy. The checklist is where it all becomes operational.
The VDD Checklist and Questionnaire
A working VDD checklist is not a 200-question spreadsheet. It is a tiered set of questions that vendors can realistically answer and that your team can realistically verify.
Core Checklist Items
At the baseline, collect entity verification (registration, tax ID, directors, UBOs), last two years of audited financials where available, insurance certificates, material subcontractor list, data-protection registrations, licenses where applicable, and a list of any regulatory actions or litigation in the last three years. These items are non-negotiable for any vendor above low-risk.
Security Questionnaire Essentials
For any vendor with systems access or customer-data exposure, cover access controls (least privilege, MFA), encryption in transit and at rest, incident response runbook and notification windows, backup and disaster-recovery posture, certifications (SOC 2 Type II, ISO 27001, PCI DSS where applicable), penetration-test cadence and remediation evidence, and employee-security practices including offboarding.
AML/KYC-Specific Questions
For any vendor inside an AML or KYC workflow, standard TPRM questions are not enough. Ask for the vendor’s sanctions-screening policy, the lists it consults and the cadence it refreshes them, its PEP screening methodology, how it handles UBO discovery for corporate customers, jurisdictions it operates in and any heightened-risk exposures, and its track record of regulatory findings. This is where a customer due diligence mindset pays off: the vendor should be able to document the same evidence about itself that it helps you collect about your customers.
Checklists surface issues. The next section explains how to think about them in an AML-regulated business.
AML/KYC-Specific Vendor Due Diligence
This is the lane that general TPRM guides do not cover well. For financial institutions, a KYC or payments vendor is not just an operational dependency. It is a regulatory extension of your compliance function. Your obligations travel with it.
Sanctions and Watchlist Screening on Vendors
Screen the vendor entity, its parent company, its directors, and its ultimate beneficial owners against OFAC, UN, EU, HMT, and any jurisdiction-specific lists you are bound by. This is not a one-time check. Lists update constantly, and corporate structures change. Build a re-screening cadence, typically monthly for critical vendors, that runs without human intervention. Our guide to sanctions screening goes deeper on list coverage and false-positive handling.
PEP Screening and Adverse Media
Politically Exposed Persons (PEPs) among a vendor’s directors or UBOs are not automatic disqualifiers, but they raise the due-diligence bar and require documented rationale for proceeding. Adverse media monitoring on the same population catches reputational and regulatory risk that does not yet show up on a sanctions list. For method detail, see our PEP screening process explainer.
UBO Identification for Corporate Vendors
Many vendors sit inside layered corporate structures. Identify the natural persons who ultimately control the vendor, typically the 25%-plus ownership threshold used in most jurisdictions, and document your evidence. A vendor that cannot or will not disclose its UBOs in a regulated AML relationship is a vendor you should not onboard.
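The sanctions-screening step above says to screen the vendor's directors and UBOs, and this section says to find those UBOs through layered structures at the 25% threshold. The script below is an added illustration of both steps together, not HyperVerge's code or any real screening engine: it multiplies shares along every ownership path from the vendor up to natural persons, sums them per person, flags anyone at or above the threshold, treats any stake whose holder discloses no cap table as undisclosed (the red flag the paragraph describes), and then runs the resulting names against a watchlist. The cap table, the names and the watchlist entry are all constructed sample data, and the matcher is exact-match after normalisation, which is deliberately simpler than a production screener's fuzzy and alias matching.

```python
"""Layered-ownership UBO tracing and screening of the resulting natural
persons: an added illustration of the UBO and sanctions-screening steps in
this guide.  Every entity, name and watchlist entry below is constructed
sample data, not a real party or a real list."""
import re
from fractions import Fraction
from typing import Dict, List, Set, Tuple

# Disclosed cap tables: entity -> list of (owner, fraction of that entity held).
# Constructed sample structure.  "Opaque Trust" has disclosed no owners.
OWNERSHIP: Dict[str, List[Tuple[str, Fraction]]] = {
    "VendorCo": [("HoldCo A", Fraction(60, 100)),
                 ("Person X", Fraction(30, 100)),
                 ("Opaque Trust", Fraction(10, 100))],
    "HoldCo A": [("Person Y", Fraction(50, 100)),
                 ("HoldCo B", Fraction(30, 100)),
                 ("Person Z", Fraction(20, 100))],
    "HoldCo B": [("Person Y", Fraction(1, 1))],
}
NATURAL_PERSONS: Set[str] = {"Person X", "Person Y", "Person Z"}
UBO_THRESHOLD = Fraction(25, 100)  # the 25%-plus threshold the guide cites


def trace_ownership(vendor: str,
                    ownership: Dict[str, List[Tuple[str, Fraction]]] = OWNERSHIP,
                    natural_persons: Set[str] = NATURAL_PERSONS):
    """Walk every ownership path from the vendor up to natural persons,
    multiplying shares along a path and summing across paths.  Returns
    (effective share per natural person, total share with undisclosed owners).
    Fractions are used so the arithmetic is exact."""
    effective: Dict[str, Fraction] = {}
    undisclosed = Fraction(0)

    def walk(entity: str, share: Fraction, path: Tuple[str, ...]) -> None:
        nonlocal undisclosed
        if entity in natural_persons:
            effective[entity] = effective.get(entity, Fraction(0)) + share
            return
        if entity not in ownership or entity in path:
            # No cap table for this holder, or a circular cross-holding:
            # count the stake as undisclosed instead of silently dropping it.
            undisclosed += share
            return
        for owner, fraction in ownership[entity]:
            walk(owner, share * fraction, path + (entity,))

    walk(vendor, Fraction(1), ())
    return effective, undisclosed


def identify_ubos(vendor: str, threshold: Fraction = UBO_THRESHOLD):
    """Natural persons at or above the threshold, largest stake first."""
    effective, undisclosed = trace_ownership(vendor)
    ubos = sorted(((p, s) for p, s in effective.items() if s >= threshold),
                  key=lambda ps: (-ps[1], ps[0]))
    return ubos, effective, undisclosed


def _normalise(name: str) -> str:
    """Casefold, strip punctuation and collapse whitespace before matching."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split())


# Constructed sample watchlist: normalised name -> list entry identifier.
WATCHLIST: Dict[str, str] = {_normalise("PERSON Y"): "constructed-list-entry-001"}


def screen_names(names: List[str], watchlist: Dict[str, str] = WATCHLIST):
    """Exact match after normalisation.  A production screener would add
    fuzzy matching, aliases and date-of-birth disambiguation."""
    return [(n, watchlist[_normalise(n)]) for n in names if _normalise(n) in watchlist]


def vendor_ubo_report(vendor: str = "VendorCo") -> dict:
    """UBOs, undisclosed share and screening hits for one vendor entity."""
    ubos, effective, undisclosed = identify_ubos(vendor)
    return {"ubos": ubos, "undisclosed": undisclosed,
            "hits": screen_names([p for p, _ in ubos])}


if __name__ == "__main__":
    report = vendor_ubo_report()
    for person, share in report["ubos"]:
        print(f"UBO {person}: {float(share):.0%}")
    print(f"undisclosed: {float(report['undisclosed']):.0%}")
    print("watchlist hits:", report["hits"])
```

On the sample structure, Person Y reaches 48% through two separate paths (directly via HoldCo A and again via HoldCo B) even though no single line shows more than 30%, which is exactly the case a director-only look misses; Person Z stays below the threshold at 12%, and the 10% held by the trust is reported as undisclosed rather than quietly vanishing from the total. The same functions re-run on a monthly cadence give you the re-screening the sanctions section calls for.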
AML-Heightened Categories
Some vendors carry inherent AML risk: vendors operating in high-risk geographies, vendors touching customer funds or acting as agents of record, and vendors whose business model depends on opaque jurisdictions. These deserve enhanced due diligence akin to what you apply to high-risk customers. Treating them the same as a low-risk SaaS vendor is how blind spots form. For a wider view of the regulatory picture, see our overview of AML compliance.
With the AML layer in place, the remaining piece is geography. India has its own expectations, and they are specific.
VDD in India: RBI and SEBI Expectations for FIs
For Indian financial institutions, vendor due diligence is not only a risk practice. It is a regulatory one, with named rules that supervisors check.
RBI Outsourcing Guidelines
The Reserve Bank of India’s Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services require a Board-approved outsourcing policy, explicit identification of material outsourcing arrangements, and due diligence on each service provider proportionate to the risk. The directions list the key risks explicitly (strategic, reputation, compliance, operational, legal, exit-strategy, counterparty, country, contractual, access, concentration, and systemic), and they require at least an annual review of each service provider’s financial and operational condition. NBFCs are explicitly required to retain the right to intervene, and to continue business without prohibitive expense if a vendor relationship terminates unexpectedly. You can read the full RBI directions on outsourcing on the RBI site.
SEBI Cloud Framework Expectations
SEBI-regulated entities using cloud services are held to similar principles: demonstrable data residency where applicable, audit rights on the cloud provider, clear exit clauses, and governance over subcontractors. In practice, this means your VDD for a cloud vendor must verify where customer data physically sits, who else can access it in the provider’s chain, and how you recover the data if the relationship ends.
What to Check in an Identity Verification Vendor
For fintechs choosing a KYC or AML vendor specifically, the VDD checklist gets sharper. Verify the vendor’s KYC compliance posture against your regulator’s expectations. Confirm the vendor’s sanctions-list coverage, PEP screening methodology, UBO capabilities, and how it handles model updates for deepfake and liveness defences. Ask for references in your regulator’s jurisdiction, not someone else’s. And for any vendor that will touch your customer onboarding funnel, be explicit about uptime commitments, incident disclosure windows, and exit assistance in the contract itself.
FAQs
What is the difference between vendor due diligence and customer due diligence?
Customer due diligence (CDD) is the investigation a regulated entity runs on its customers to meet KYC and AML obligations. Vendor due diligence (VDD) is the investigation the same entity runs on its third-party suppliers. CDD is about the people and businesses you serve. VDD is about the people and businesses you depend on. Both fall under broader risk management, and both can carry regulatory consequences if done poorly. For a primer on the customer side, see our guide on customer due diligence.
What are the 5 steps of vendor due diligence?
The five steps are initial assessment, risk categorisation, deep evaluation, decision and onboarding, and ongoing monitoring. Each step scales in depth to the vendor’s risk tier, and ongoing monitoring runs continuously rather than only at review cycles.
What documents are needed for vendor due diligence?
At minimum, certificate of incorporation and tax registration, last two years of audited financial statements where available, insurance certificates, relevant licenses and registrations, security certifications such as SOC 2 Type II or ISO 27001, data-protection registrations, UBO and director information, and disclosures of any regulatory action or material litigation in the last three years.
When should vendor due diligence be conducted?
Before any new vendor contract, at every renewal or material scope change, immediately after any incident or breach, and on a periodic cycle set by the vendor’s risk tier (typically annually for critical vendors).
What is a vendor due diligence questionnaire?
A VDD questionnaire is a structured set of questions a vendor answers about its business, financials, security, compliance, and subcontractors. It forms the backbone of the evidence file. Mature programmes maintain tiered questionnaires so low-risk vendors are not burdened with the same questions as critical ones.
How do you tier vendors by risk?
Classify by criticality (what breaks if they fail), data sensitivity (what they access), and regulatory exposure (what rules apply to the workflow they sit inside). Three tiers (critical, high-risk, and low-risk) are the most common structure. Depth of due diligence and review frequency both scale with the tier.
What is fourth-party vendor risk?
Fourth-party risk is the risk carried by your vendors’ vendors. If your KYC provider outsources OCR to a subcontractor, any failure at the subcontractor level flows back to you. VDD should require disclosure of material subcontractors and, for critical vendors, a right to approve them.
What happens if you skip vendor due diligence?
You inherit whatever risk the vendor carries (financial, compliance, operational, security, or reputational) without having the evidence to manage it. In regulated sectors, the absence of documented VDD on a material vendor is itself a finding, even if nothing has gone wrong yet. Regulators want to see the homework, not just the outcome.
Ready to Strengthen Your Vendor Due Diligence?
If you are running VDD inside a regulated AML or KYC programme, the hardest part is not the checklist. It is the ongoing layer: sanctions re-screening, PEP alerts, adverse-media monitoring, and UBO checks on the vendor entities and their directors, running in the background without drowning the team in false positives.
That is what HyperVerge’s AML and identity stack is built to do for your customers, and what you can point at your vendors too. Sign up to explore the HyperVerge platform and see what it looks like applied to both sides of the risk equation.
