Due Diligence and Ongoing Monitoring

  • 1.  Foreign Vendors

    Posted 07-01-2024 03:54 PM

    How do you handle Foreign Vendors? Do you ask for additional due diligence documentation from them? If so, what do you ask for in addition to the typical standard due diligence?
  • 2.  RE: Foreign Vendors

    Posted 07-08-2024 11:03 AM

    In general, due diligence for foreign vendors will closely align with what you collect from domestic vendors. Having a risk-based due diligence strategy will help ensure that you're collecting appropriate documentation, regardless of where the vendor is located. This includes doing things like OFAC/PEP checks, reviewing the vendor's hiring practices, and requesting a list of all the locations that will support the product or service. Locations are especially important if the vendor is storing or transmitting any sensitive information, as you'll need to consider compliance with applicable privacy laws. You may also want to request documents like SOC 2 or ISAE 3000 reports, or conformance to ISO/IEC 27001.

    In addition to due diligence, I would also recommend thinking about contract considerations for foreign vendors. As it looks like you're in the credit union industry, I want to point out that the NCUA's guidance on third-party relationships doesn't mention foreign vendors, so I think it's worth reviewing the Interagency Guidance for this topic. The guidance states that organizations should consider "choice-of-law and jurisdictional provisions" in contracts with foreign-based third parties and it's recommended to seek legal advice in relation to privacy laws and "cross-border flow of information."

    I hope these suggestions are helpful and I'm interested to learn how other organizations are handling foreign vendors.