Vendor Due Diligence Checklist: What to Verify Before Onboarding

Why You Need a Vendor Due Diligence Checklist

Onboarding a new vendor without thorough due diligence is like hiring someone without checking references. You're accepting risk you haven't measured. A vendor due diligence checklist gives you a standardized, repeatable process. It verifies that every potential vendor meets your organization's risk appetite before they access your systems, sensitive data, or processes.

Regulatory bodies including the OCC, FFIEC, FCA, and EBA require documented vendor due diligence programs. Beyond compliance, a systematic due diligence checklist reduces onboarding delays and prevents surprises. It also sets clear expectations from the start of the vendor relationship. Without a structured vendor due diligence process, organizations face potential risks. These range from data breaches and regulatory fines to operational disruption and reputational risk.

The vendor due diligence process can be time-consuming, especially with large vendor portfolios. A risk-based approach keeps it manageable. Tier vendors by criticality and apply proportionate scrutiny. This maintains thoroughness without overwhelming your team.

The Complete Vendor Due Diligence Checklist

1. Corporate and Legal Verification

Before evaluating capabilities, confirm the vendor is legitimate and properly constituted:

• Legal entity verification — Confirm registered name, jurisdiction, company number, and active status through corporate registries (SEC EDGAR, Companies House, OpenCorporates)
• Ownership structure — Identify ultimate beneficial owners (UBOs) holding 10%+ ownership. Screen for sanctions, PEP status, and adverse media.
• Business licenses and permits — Verify industry-specific licenses required in the vendor's jurisdiction
• Litigation and regulatory history — Search court records and regulatory databases for material lawsuits, enforcement actions, or fines
• Insurance coverage — Confirm adequate professional liability, cyber liability, and general commercial insurance
• Corporate governance — Review board composition, management experience, and organizational structure

2. Financial Health Assessment

Financial instability is a leading cause of vendor failure. Your vendor risk management checklist should include:

• Audited financial statements — Review the last 2–3 years. Look for revenue trends, margin stability, and cash flow adequacy.
• Credit reports — Obtain Dun & Bradstreet, Experian, or equivalent scores
• Debt-to-equity ratio — Excessive leverage increases insolvency risk
• Customer concentration — Vendors dependent on a few clients face amplified risk if key relationships end
• Going concern opinions — Check whether auditors have flagged doubts about continued operations
• Banking references — Verify primary banking relationships and payment history

3. Compliance and Regulatory Due Diligence

Regulatory exposure from vendor non-compliance can be severe. Verify:

• Sanctions screening — Screen the vendor, key principals, and UBOs against OFAC SDN, EU consolidated list, UN sanctions, and other lists
• Anti-money laundering (AML) controls — For financial service vendors, confirm AML program adequacy and compliance officer designation
• Data protection compliance — GDPR, CCPA, HIPAA, or sector-specific requirements based on data types handled
• Anti-bribery and corruption — Confirm FCPA/UK Bribery Act programs, especially in high-corruption-risk jurisdictions
• Industry certifications — SOC 2 Type II, ISO 27001, PCI-DSS, HITRUST, or other relevant certifications
• Regulatory filings — Review recent filings and confirm good standing with authorities

4. Information Security and Cyber Risk

For vendors handling sensitive data or connecting to your infrastructure, data security is critical. A thorough vendor risk management audit program includes:

• Security certifications — SOC 2 Type II report, ISO 27001 certificate, penetration test results
• Data encryption — Standards for data at rest (AES-256) and in transit (TLS 1.2+)
• Access controls — Multi-factor authentication, role-based access, least-privilege principles
• Incident response plan — Documented IR procedures, notification timelines, and evidence of tabletop exercises
• Vulnerability management — Patch cadence, scanning frequency, and critical-vulnerability SLAs
• Subprocessor management — How does the vendor monitor its own third parties? This addresses fourth-party risk within your third-party risk management program.
• Data handling and retention — Classification, storage locations, retention periods, and secure deletion procedures
• History of data breaches — Request disclosure of past incidents, their scope, and remediation taken. Breach history is a key cyber risk indicator.

5. Reputational and Political Risk

A potential vendor's reputation directly affects yours. Assess:

• Adverse media screening — Search for negative news on fraud, lawsuits, regulatory actions, or labor disputes
• Politically Exposed Persons (PEP) — Determine if key personnel are PEPs or appear on law enforcement lists
• Consumer complaints — Check BBB, CFPB, and industry databases for patterns
• ESG track record — Environmental, social, and governance practices that could create reputational risk by association
• Social media presence — Monitor for red flags or controversial actions by company representatives

6. Operational Risk Review

Confirm the vendor can deliver what they promise and sustain performance through disruptions:

• Service delivery track record — Client references, case studies, and independent reviews
• Capacity and scalability — Can the vendor handle your volume and scale as needed?
• Key personnel — Who will manage your account? Assess their experience and tenure.
• Business continuity and disaster recovery — BCP/DR plans, RTO/RPO commitments, and testing evidence
• SLA commitments — Define uptime, response time, and performance metrics with measurable thresholds
• Change management — How are changes to services, systems, or personnel communicated?
• Exit and transition planning — Data portability, transition assistance, and wind-down procedures if the vendor relationship ends

7. Contractual Protections

Your vendor risk management policy should mandate specific contractual provisions:

• Right to audit — Your ability to audit the vendor's controls with reasonable notice
• Data breach notification — Maximum timeframe to notify you of an incident (typically 24–72 hours)
• Indemnification — Vendor responsibility for losses from their negligence or non-compliance
• SLA penalties — Financial consequences for missing agreed service levels
• Subcontracting restrictions — Prior approval required before the vendor engages subcontractors
• Termination provisions — Defined triggers, notice periods, and transition obligations
• Data return and destruction — Obligations to return or destroy your data upon termination
• Governing law and dispute resolution — Jurisdiction, arbitration clauses, and escalation procedures

Prioritizing the Checklist by Vendor Tier

Not every vendor needs every item on this checklist. A risk-based approach applies proportionality:

Implementation Tips

Digitize the process. Spreadsheet-based checklists don't scale. Use vendor risk management tools that automate distribution, evidence collection, and approvals.

Set clear ownership. Assign a vendor relationship manager to complete due diligence and maintain the vendor file. Procurement, IT security, legal, and compliance should contribute. But one person must own the outcome.

Define SLAs for your own process. Vendors won't wait forever for vendor onboarding approval. Set internal targets: 2 weeks for high-risk vendors, 1 week for standard, 2–3 days for low-risk.

Embed due diligence in your vendor management program. The checklist is one part of broader management programs. These should cover the full vendor lifecycle: risk assessment, selection, ongoing monitoring, renewal, and offboarding.

Reassess at renewal. The onboarding checklist is a starting point, not a one-time exercise. Repeat risk assessments at renewal and when material changes occur. This includes mergers, leadership transitions, new scope, or regulatory shifts.

Keep an exceptions register. Sometimes business urgency requires onboarding before full due diligence is done. Document the exception, the approving authority, residual risks accepted, and a timeline for completing open items.

Frequently Asked Questions

What is a vendor due diligence checklist?

A vendor due diligence checklist is a standardized document for evaluating a potential vendor. It covers financial stability, compliance posture, data security, operational capability, and reputational standing. The checklist ensures consistent risk assessment across all vendors and provides an audit trail for regulators.

When should you conduct vendor due diligence?

Conduct due diligence before onboarding any new vendor. Repeat it during contract renewals and when a vendor's scope or data access expands. Also reassess when significant changes occur, such as mergers, acquisitions, or reported data breaches. Continuous monitoring between formal assessments catches emerging risks that periodic reviews miss.

How does vendor due diligence differ from vendor risk management?

Vendor due diligence is the investigative phase. It's the upfront research you perform on a potential vendor. Vendor risk management is the broader, ongoing discipline. It includes due diligence, risk scoring, contract governance, continuous monitoring, and remediation throughout the vendor relationship lifecycle. Due diligence feeds into your vendor management program. It doesn't replace it.

What are the biggest risks of skipping vendor due diligence?

Without due diligence, organizations face potential risks. These include data breaches from vendors with weak information security, financial losses from insolvency, regulatory penalties for non-compliant relationships, and reputational damage from unethical vendors. Third-party risk management failures have caused some of the largest data breaches and compliance scandals in recent years.

From Checklist to Program

A vendor due diligence checklist is the foundation. But it works best when embedded in a broader vendor risk management policy. That policy should define roles, escalation paths, risk appetite, and continuous monitoring requirements. The checklist ensures consistency. The program ensures those risk assessments drive actual risk reduction across your vendor portfolio.