Due Diligence and Ongoing Monitoring

 View Only
  • 1.  Due diligence on referred vendors

    This message was posted by a user wishing to remain anonymous
    Posted 02-28-2022 01:36 PM
    This message was posted by a user wishing to remain anonymous

    We have an arrangement in which we refer commercial customers to a credit card processing vendor - the vendor and the customer then enter into a contract and we are not involved in that agreement.  How would you handle due diligence?  The vendor has provided us with the basics (W9, financials, COI, etc), but they don't have an SOC - TSYS would hold that since that's who actually processes the information.  The relationship between us and the vendor would be considered low risk, since we provide them with public information, but I feel like reputation risk is greater here.  If anyone has suggestions for how to handle this type of vendor, I would gladly take it.


  • 2.  RE: Due diligence on referred vendors

    Posted 03-16-2022 03:11 PM

    Even though the risk seems low, it is good practice to vet all vendors properly, even those that work on a referral basis. You must consider the duty of care when making such a referral. That means that your organization is confident that the referred organization can safely manage your customer's data and privacy before you refer them. This also applies to situations when the customer supplies the information to the referred vendor). So conducting appropriate due diligence based on the vendor's access to data is essential. Even if the information you provide is publicly available, misusing that data can negatively affect your customers and put your reputation at risk.

    If you can't access more reliable documents (a SOC for example), you can still ask your SME to review what you have. In some cases, a phone call or virtual meeting with the vendor's Information Security/Privacy team can provide additional assurance.

    I hope that is helpful, but I would love to hear from other members.