So our vendor management reviews annually to ensure we are still using the vendor and completes the risk assessment/rating for all vendors. Compliance (me) is responsible for the due diligence checklists. We have our vendor management files separate from third party, so I do not always have access to the risk ratings. Last year, I did a due diligence checklist on everyone that we considered to be a "third party" for compliance. (I am not sure how we came to this conclusion, as last year was the first year I have been connected with this.) This year, I was able to refine the data down to only critical vendors, new vendors, and/or those who will have contact with our customers. I just feel like I am going to miss a contract that the risk ratings say I need, or maybe not complete a due diligence checklist since we have them separated, and I wanted to make sure I was understanding the differences and doing what is required by regulators from the compliance side of things.
Original Message:
Sent: 04-19-2023 04:46 PM
From: Anonymous Member
Subject: Third Party Relationships vs Vendor Management
This message was posted by a user wishing to remain anonymous
#1 Tip - Sign up for Venminder webinars on any topic - the content is always great and you will learn a lot.
In our FI, Compliance is looped in only when a (potential) vendor will be processing transactions that are regulated or we will rely on the (potential) vendor to keep us in compliance with a regulation. Contracting is between the business owner and the attorneys with input from vendor management as needed, and the rest of vendor management is handled by vendor management. Compliance, Vendor Management, and the attorneys are all in the Legal department and at any given time, all three groups are generally aware of what is going on in the other groups.
Save yourself a headache and have everyone use the same risk assessment for each vendor. Some vendors will be riskier in compliance than others but you will all benefit from having a consistent evaluation for all of your vendors.
When you say VM does "review all vendors annually" it sounds like they are doing annual due diligence but maybe just calling it something different? How much due diligence you (or they) are doing should be based on the risk assessment. You are correct that not all vendors require the same level of due diligence. "Janitors or landscapers" are not "core systems."
Original Message:
Sent: 04-19-2023 03:54 PM
From: Racheal Wright
Subject: Third Party Relationships vs Vendor Management
Hello,
I am not really familiar with third party relationships and have only been somewhat connected to them at my FI for about a year now. I know that we monitor due diligence within our Compliance Department (me), and we monitor the risk side, contracts, etc. within our Vendor Management. I am learning that the Compliance side should perhaps have its own risk assessment as well to correspond with the due diligence? Does this sound correct? I am also wondering what the difference is between the two. I know that vendor management does not do due diligence checklists, but they do review all vendors annually. I do review contracts and SOC reports to complete my checklists, but I am also learning that with some vendors we may not need to request such documents. Any help, tips, or advice is appreciated!
Thank you!