There are basically two primary considerations for monitoring your vendor's compliance with regulatory expectations regarding consumers.
As a baseline, vendors should provide policies, procedures, training materials, and evidence of employee training. Your due diligence reports should detail your review and assessment of the following:
Privacy: The vendor has sufficient knowledge, processes, and controls to protect consumer privacy. Your vendor's risk assessment should have questions specific to privacy and permissible use of consumer data.
Consumer protection laws: There are numerous regulations meant to protect the consumer. Their application can vary depending on the product or service being provided. Your vendor must demonstrate awareness of any regulations that apply. Your vendor questionnaire should specifically ask about any regulatory findings or enforcement actions. Make sure all necessary licenses are current.
Consumer complaints: Don't forget to review the vendor's complaint management and resolution processes. Review the number and nature of complaints and resolution times and actions. Request the vendor's complaints management policy and complaints log.
You will be better able to follow the FDIC's recommendations if you consider privacy, compliance with consumer protection laws, and the treatment of consumer complaints in your due diligence and periodic risk reviews.
I hope that helps, but I would love to hear suggestions from other members.