Due Diligence and Ongoing Monitoring

  • 1.  Contract Language for Supplier Due Diligence

    Posted 11-30-2022 12:22 PM
    Hello - Does anyone have contract language that can be shared for supplier contracts regarding due diligence requirements?

    Much appreciated!  

    Thank you,
    Mollie


  • 2.  RE: Contract Language for Supplier Due Diligence

    Posted 11-30-2022 01:29 PM
    Here is the contract language I use as a starting point for third party contracting. I pull some of the language in or out based on the nature of the good/service being provided:

    Due Diligence. X shall have the right at its sole discretion, at no additional cost to X and not more frequently than once per twelve (12) month period, to perform reasonable due diligence on the Company pursuant to (insert applicable guidance/regulation) including but not limited to requesting: annual financial statements, insurance coverage/certificate, SSAE18 report inclusive of User Entity controls, external penetration testing results, data encryption procedures, business continuity/resumption plans and disaster recovery testing results. The Company, its officers and employees shall provide information and reasonably cooperate with X in connection with any due diligence request. Failure to provide such information within ninety (90) days will be grounds for termination of the Agreement.
      1. As specially permitted by law or regulation, X shall be permitted, at its own expense, to audit the Company's performance of this Agreement during normal business.
      2. Model Risk Management. Company shall:
        1. Provide information clearly explaining the product design, theory and logic;
        2. Provide information clearly explaining the product assumptions, limitations and where product use may be problematic;
        3. Provide information clearly explaining the product modifications and updates over time;
        4. Provide appropriate testing results that show the product works as expected such as, but not limited to, independent model validation results, certifications and/or disclosures; and
        5. Take reasonable steps to accommodate model risk management requests by X consistent with regulatory requirement objectives such as, but not limited to, (insert applicable guidance/regulation).


        ------------------------------
        Shelly Chase
        AVP Operational Risk
        ------------------------------