I would say this is a good approach to focus your due diligence on domestic requirements. The vendor's headquarters in a different country generally wouldn't be considered in scope for TPRM unless you're working with them directly. Here are some suggestions on what to review during due diligence:
- Hiring policies – It's good to understand the vendor's hiring practices such as drug testing and background checks, which can give you better insight into the employees that may be interacting with your organization.
- OFAC/PEP checks – This would be important to identify the vendor's owners and management team and confirm they aren't affiliated with anyone on the sanctions list.
- Locations – The vendor should identify all of the locations that will directly support the product or service. This can help you understand any concentration risk that may exist so you can review their resiliency in each location. Locations are especially important to identify if the vendor is storing or transmitting any of your organization's or customers' data, because you'll need to consider different regulations around privacy.
These are just a few examples and there are many other items you may need to review, depending on the product or service.
I hope these suggestions are helpful and I'm interested to see what other members recommend in this situation.
Original Message:
Sent: 05-06-2024 06:27 PM
From: Neil Melms
Subject: Foreign Based Vendors with Headquarters Domestically.
Hello everyone,
Requesting some advice/guidance on your TPRM approach to vendors that have their main headquarters in a foreign country but also have headquarters in your domestic country.
For example, if you have an ACME vendor based in Canada, your organization is based in the US, and ACME has a sub-headquarters in the US. Do you only collect vendor due diligence documents that pertain to your domestic requirements, since they have headquarters domestically and you only work with the domestic side of the company?