Hi!
How about something like, "Does the vendor perform transaction processing activities on our behalf?" Something to capture if they're involved in input/processing/output activities which feed into your organization. As for compliance in general, I usually ask whether or not we rely on the third party in some way in order to remain in compliance with any particular regulation. NPI data sharing usually also impacts the compliance risk, but is often more effectively covered under other risk categories (like operational/cyber or data).
These are just a couple possible examples, does anyone else have some feedback on how to capture materiality applicable to financial reporting?