Vendor Management Checklist

Vendor Selection & Risk Tiering

    Capture what the vendor will touch — client PII, account numbers, custodian data feeds, market data, internal financials, or comms. Data scope drives the risk tier and the depth of diligence required, so this is the first decision the operations and compliance teams make together.

    High: vendor handles client NPI/PII or has production system access (custodian integration, CRM, comms archive, trading). Moderate: limited PII or business-confidential. Low: no sensitive data. Tier drives diligence depth, contract terms, and review cadence — and triggers the on-site assessment branch later in this workflow.

    Shortlist 3-5 vendors for any material service. Put data-handling expectations, SOC 2 Type II requirement, BCP/RTO requirements, and breach-notification SLA in the RFP up front so vendors who can't meet them self-deselect.

    Use a scoring matrix — capability (40%), security posture (25%), price (20%), references (15%) is a reasonable starting weight. Document the scoring; the SEC, FINRA, or your bank examiner will look for evidence of an objective vendor selection process during the next exam.

Due Diligence Review

    A SOC 2 Type I report is point-in-time and not sufficient for a critical vendor — insist on Type II covering a 6- or 12-month operating-effectiveness review. Read the auditor's qualifications and any exceptions noted in the report; an unqualified opinion with no material exceptions is the bar for a High-tier vendor.

    Pull audited statements for public vendors or D&B / Experian Business for private. A vendor near insolvency that hosts your CRM or comms archive is a continuity risk. For BD-side counterparties, also check FOCUS reports where available.

    Screen the entity, principals, and any 25%+ beneficial owners using Refinitiv World-Check, LexisNexis Bridger, or your firm's tool. Save the screen output with date and result to the vendor folder; rerun annually as part of the monitoring cycle.

    Request the most recent BCP / DR test report. Confirm RTO and RPO match your firm's tolerance — four hours might be fine for a CRM, but it is not acceptable for a trading platform or comms archive subject to books-and-records review.

    High-tier vendors warrant a physical or live remote walkthrough — server access controls, employee security training, change management, incident response runbooks. Pull from FFIEC TPRM guidance or NIST 800-161 if you need a structured script for the visit.

    Three outcomes: Approve, Conditional approval (proceed with documented remediation), or Reject. CCO sign-off is required for any High-tier vendor regardless of outcome. File the rationale memo with the vendor folder — examiners want to see the decision logic, not just the outcome.

    List the gaps the vendor must close before go-live or within a defined window post-go-live. Tie each condition to an evidence requirement and a target date. Track each item to closure in the vendor scorecard; an open remediation item past its date escalates to the CCO.

Contract & SLA Negotiation

    Pricing tiers, auto-renewal language, termination-for-convenience window, and early-termination fees. Avoid auto-renewals longer than one year on any High-tier vendor — re-tiering or replacement gets harder when you are locked in.

    Uptime: 99.9% is standard for hosted services; 99.95%+ for anything trading-adjacent. Response: P1 within 30 minutes, P2 within 2 hours, P3 within one business day. Tie service credits to breaches so the SLA has teeth — credits the vendor never has to pay are not a real SLA.

    Beyond uptime: ticket resolution time, security incident count, BCP test results, employee turnover on your account team. Quarterly reporting for High-tier; annual for Low. Bake the reporting requirement into the contract — a side-letter promise drifts within a year.

    GLBA, state breach laws, and the SEC cyber-disclosure rule require timely notification. Pin a number — 72 hours from the vendor's awareness of suspected unauthorized access to NPI. Do not accept "reasonable" or "prompt"; that language fails on the day you need it.

    Legal reviews liability caps, indemnification, and IP. CCO reviews data, regulatory, supervisory, and Reg S-P provisions. Both signatures before execution; archive the fully executed copy in the vendor folder under records retention.

Ongoing Monitoring

    30-minute check-in with the vendor account team. Cover SLA performance, open incidents, security events, and upcoming changes (new sub-processors, infrastructure migrations). Calendared on a fixed quarterly cadence so it does not slip when the operations team gets busy.

    Track SLA breach count, ticket aging, and incident severity. Three or more P1 breaches in a quarter trigger an escalation memo to the CCO and a re-tier review. The scorecard becomes the artifact for the annual vendor risk committee.

    SOC 2 reports expire — most cover 12 months. E&O and cyber insurance certs also lapse on annual cycles. Set 30-day-before-expiry reminders; missing or expired certs are one of the most common findings in third-party-risk audits.

    Annual deep-dive for High-tier vendors: refreshed SOC 2 review, BCP test results, OFAC re-screen, sub-processor changes, security incident summary. Moderate-tier can be a questionnaire-based review; Low-tier can be confirmation-of-status only.

    Re-tier annually based on monitoring data. A vendor that started Moderate but had two security incidents may move to High; one with stable performance and shrinking data scope may move down. The new tier drives next year's diligence cadence.

Termination & Offboarding

    Cover data return / destruction, system access cutover, client communication where applicable, and contract wind-down. Critical vendors typically need a 60-90 day transition; commodity vendors a week. Note any contractual notice period in the plan.

    Coordinate with IT to disable user accounts, API keys, SFTP credentials, VPN access, single sign-on entitlements, and any vendor-issued certificates. Document the revocation timestamps; orphaned vendor credentials are a routine pen-test finding.

    Per the contract: receipt of data back via encrypted media or SFTP, or written attestation of destruction (NIST 800-88 method preferred). For NPI, the attestation goes in the vendor file alongside the executed contract under records retention.

    If the vendor handled client NPI and the change materially affects how data is held or who handles it, Reg S-P notice may be required. CCO determines the threshold; default to notification when the vendor was the sole processor of a sensitive data category.

    Termination memo, final scorecard, data destruction attestation, final OFAC screen, and contract archive. Records retention applies — typically 5-7 years post-termination for BD/RIA per books-and-records, longer for bank/CU regulated records.
