
Vendor Due Diligence Checklist: A Step-by-Step Framework for 2026

A tiered, regulatory-aligned checklist covering financial, legal, cybersecurity, AML, and operational risk. Built for compliance and procurement teams in regulated industries.

What is vendor due diligence?

Vendor due diligence (VDD) is the process of identifying and assessing risks associated with a third-party supplier or service provider before onboarding them, renewing their contract, or expanding their access to your systems and data. It covers financial stability, legal compliance, cybersecurity posture, operational resilience, reputational risk, and AML/sanctions exposure. The depth of the assessment depends on the vendor’s risk tier.

Last updated: May 2026 | Reading time: 18 minutes

Key figures cited in this guide:

  • 30%: data breaches now involving third parties
  • $4.91M: average supply-chain breach cost
  • 267 days: average breach detection timeline
  • 4.5%: breaches originating from fourth parties

Why vendor due diligence matters in 2026

Third-party vendor relationships have become the most exploited entry point in enterprise risk. According to Verizon’s 2025 DBIR, 30% of all data breaches now involve a third-party vendor, double the rate from the prior year. The average supply-chain breach costs $4.91 million and takes 267 days to detect, roughly 26 days longer than other attack vectors, because supply-chain attacks exploit trust relationships that security tools struggle to monitor.

The risk isn’t just cybersecurity. A vendor with undisclosed sanctions exposure, a beneficial owner connected to a politically exposed person (PEP), or a history of regulatory violations can create AML liability, reputational damage, and regulatory enforcement action for your organisation. Financial institutions that failed vendor due diligence have faced OCC enforcement actions where the vendor’s compliance failure was treated as the bank’s own.

Three changes have raised the stakes since 2023:

  • Regulatory elevation. The OCC Interagency Guidance on Third-Party Relationships (2023) explicitly states that banks cannot outsource accountability. NIST CSF 2.0 moved cybersecurity supply-chain risk management into the Govern function, making it a board-level concern, not an IT checkbox.
  • Shadow AI vendor sprawl. The average enterprise now uses hundreds of SaaS vendors, many adopted without security review. IBM’s 2025 data shows shadow AI tools added $670,000 to average breach costs. If your vendor DD process can’t scale, you’re assessing 40% of your vendors and hoping the other 60% are fine.
  • Fourth-party risk. SecurityScorecard’s 2025 report found 4.5% of all breaches now originate from fourth-party sub-vendors. Your vendor’s vendors are now your risk.

Vendor due diligence is no longer a procurement formality. In regulated industries, it is a documented risk-control process directly tied to cybersecurity resilience, AML compliance, operational continuity, and board accountability.

Step 1: Risk-tier your vendors before running the checklist

A flat checklist applied to every vendor wastes compliance resources and frustrates high-value partners. Tiering solves both problems by calibrating assessment depth to actual risk exposure. Answer four questions before you send a single questionnaire:

  1. What data does this vendor touch? (customer PII, financial records, health data, none)
  2. What systems do they access? (production environments, internal networks, or air-gapped sandboxes)
  3. What breaks if they fail? (revenue, compliance posture, operational continuity)
  4. How replaceable are they within 30 days?

Tier, criteria, assessment depth and reassessment cycle:

Critical (Tier 1)
  Criteria: Touches customer data or regulated activities. Hard to replace. Production system access.
  Assessment depth: Full 6-domain assessment, evidence collection, AML/OSINT screening, on-site or virtual audit
  Reassessment cycle: Annually + continuous monitoring

High (Tier 2)
  Criteria: Internal system access. Processes sensitive data. Not customer-facing.
  Assessment depth: Full 6-domain assessment, evidence collection, Enhanced IRDD screening
  Reassessment cycle: Annually

Medium (Tier 3)
  Criteria: Limited data access. Replaceable within 60 days.
  Assessment depth: Short-form questionnaire: security, privacy, financial stability. Standard IRDD screening.
  Reassessment cycle: Every 18 months

Low (Tier 4)
  Criteria: No data access. Commodity service. Easily replaceable.
  Assessment depth: Self-attestation, basic sanctions and adverse media check (Red Flag screening)
  Reassessment cycle: Every 2 years

Reassessment should also be triggered by material events outside the cycle: contract renewal or expansion, a reported security incident, a change in the vendor’s ownership or senior leadership, or a new regulatory obligation (DORA, an updated state privacy law, a new SEC cyber rule).

The 6-domain vendor due diligence checklist

The six domains below reflect the areas where vendor failures most frequently cause financial, legal, and reputational harm. Each domain includes a capsule answer and tiered checklist items. Items marked All tiers apply to every vendor. Items marked Tier 1-2 apply to high and critical vendors. Items marked Tier 1 only apply to your most critical relationships.

1. General Business Verification

Confirm the vendor is a legitimately incorporated entity with a clear ownership structure and no identity misrepresentation before any further assessment. Shell company structures, undisclosed beneficial owners, and “doing business as” obfuscation are primary red flags at this stage.

  • Certificate of incorporation and business registration verified against official registry
  • Valid current business licence appropriate to the vendor’s line of service
  • Any DBA, AKA, or FKA (formerly known as) names confirmed and cross-checked
  • Organisational structure chart reviewed; subsidiaries and parent entities identified
  • Ultimate Beneficial Owners (UBOs) identified, verified to person of significant control. For US vendors: beneficial ownership confirmed under FinCEN CDD Rule.
  • Biographical information on key executives and directors reviewed for integrity risks
  • Complete list of subcontractors obtained; fourth-party risk mapped
  • Professional references from comparable engagements requested and verified
  • Layered ownership trace conducted, including structures of 10+ entities and those spanning non-English jurisdictions

2. Financial Review

A vendor with weak financials is an operational risk before it becomes a compliance risk. Insolvency mid-contract leaves you with an incomplete system, a legal dispute, and no continuity. Financial review confirms the vendor can honour commitments for the duration of your engagement.

  • Last 3 years of audited financial statements reviewed
  • Business credit report obtained and assessed
  • Outstanding loans, debts, and liabilities reviewed
  • Annual report and SEC filings reviewed for public companies
  • Insurance coverage confirmed including cyber and liability cover
  • Tax compliance and filings reviewed
  • Financial ratios benchmarked against industry averages
  • Ownership concentration and shareholder dependency assessed

3. Information Security and Cybersecurity

A vendor with weak security posture is a direct conduit for data breaches. Security reviews require evidence, third-party attestations, contractual obligations, and operational validation, not questionnaire responses alone.

  • Information security policy reviewed and current
  • SOC 2 Type II report obtained or ISO 27001 certification verified
  • Penetration testing reports reviewed and remediation validated
  • Security questionnaire completed using CAIQ or NIST CSF
  • History of breaches and incidents reviewed
  • Network and data flow diagrams assessed
  • Data retention and destruction policies reviewed
  • Privacy and processor obligations reviewed including GDPR and HIPAA alignment
  • Security awareness training programme evaluated
  • AI and shadow AI usage reviewed contractually and operationally
  • Physical security site visit conducted for Tier 1 vendors where required
  • DORA alignment reviewed for EU financial-sector suppliers

Shadow AI is one of the fastest-growing vendor security risks. IBM’s 2025 Cost of a Data Breach Report found that unsanctioned AI integrations increased breach costs significantly. Vendor reviews must now assess embedded AI models, training-data usage, and customer-data exposure.

4. Legal and Regulatory Compliance

Legal due diligence confirms the vendor operates within the law, maintains appropriate regulatory authorisations, and has no unresolved litigation, enforcement, or contractual exposure that could create downstream liability.

  • Regulatory licences and authorisations verified
  • Litigation history reviewed using court and public records
  • Regulatory enforcement actions and settlements assessed
  • Contracts reviewed for liability, indemnification, and notification obligations
  • SLA commitments and uptime guarantees validated
  • Subprocessor transparency and approval rights confirmed
  • IP ownership and licensing rights reviewed
  • Termination, data return, and destruction provisions assessed
  • Audit rights included contractually
  • Patent, trademark, and IP encumbrance checks completed

5. Political, Reputational, and AML Risk

Reputational and AML exposure is where questionnaire-only programmes fail most often. Sanctions exposure, adverse media, hidden ownership structures, and relationship-based risk require intelligence-led investigation.

  • Global sanctions and watchlist screening completed
  • PEP screening conducted on executives and beneficial owners
  • State-Owned Entity exposure reviewed
  • Adverse media checks across English and non-English jurisdictions completed
  • Fraud, corruption, bribery, and terrorism indicators reviewed
  • Social media and behavioural risk signals assessed
  • Domain, website, and archived web footprint reviewed
  • AML programme maturity assessed
  • Historical regulatory examinations and penalties reviewed
  • Relationship and network mapping conducted for Tier 1 vendors
  • Political affiliation checks completed globally

Structured databases frequently miss adverse media in non-English sources, layered ownership links, and behavioural indicators. Intelligence-led OSINT reviews surface the hidden relationships that create regulatory and reputational exposure.

6. Operational Resilience and ESG

A secure and compliant vendor that cannot maintain operations during disruption still creates operational risk. Business continuity, dependency mapping, and ESG oversight are now core due diligence requirements.

  • Business Continuity Plan reviewed and tested
  • Disaster Recovery Plan and RTO/RPO commitments evaluated
  • Fourth-party dependency mapping completed
  • Incident communication and escalation procedures confirmed
  • Background screening procedures for vendor staff reviewed
  • ESG and modern slavery policies assessed
  • Supply-chain ESG compliance reviewed
  • Change management controls evaluated

US regulatory requirements for vendor due diligence

Vendor due diligence in the US is not simply good practice. Several regulatory frameworks make it a legal obligation, with enforcement consequences for failures that happen through a vendor relationship.

  • OCC Interagency Guidance on Third-Party Relationships (2023). Applies to all national banks and federal savings associations. States explicitly that banks cannot outsource accountability: a vendor’s compliance failure is the bank’s regulatory violation. Requires due diligence commensurate with the risk and criticality of the third-party activity before contract signing.
  • FinCEN CDD Rule. Requires financial institutions to identify and verify the beneficial owners of legal entity customers. Extends to vendor relationships where the institution has a financial relationship. Failure to identify a beneficial owner with sanctions or AML exposure creates direct enforcement risk.
  • NIST CSF 2.0 (GV.SC). Moved Cybersecurity Supply Chain Risk Management into the Govern function under GV.SC-01, making it a leadership and board-level accountability. NIST SP 800-53 Release 5.2.0 (August 2025) added 14 new controls covering access management, network segmentation, and supply chain security.
  • SEC Cybersecurity Disclosure Rule. Requires public companies to disclose material cybersecurity incidents, including those originating from third parties, within 4 business days of determining materiality. This makes vendor security posture a board-level and investor-disclosure concern.
  • HIPAA Business Associate Requirements. Any vendor handling protected health information must sign a Business Associate Agreement (BAA). HIPAA requires covered entities to assess business associates’ ability to meet security and privacy obligations. A vendor failure creates liability for the covered entity.
  • DORA (EU, relevant for US multinationals). The Digital Operational Resilience Act (effective January 2025) applies to financial institutions operating in the EU and their ICT third-party providers. Requires detailed contractual provisions, regular resilience testing, and concentration risk assessment for critical ICT vendors. US multinationals with EU operations must comply.

The vendor due diligence process: step by step

A repeatable process prevents the gaps that ad-hoc vendor assessment leaves open. These five phases apply across all tiers, with depth adjusted by risk classification.

Phase 1: Scope and tier

Classify the vendor using the 4-question tiering model above. Define the assessment scope, assign a process owner, and assemble the cross-functional team: procurement, legal, information security, compliance, and (for financial institutions) AML.

Phase 2: Pre-screen

Before investing 20+ hours in a full assessment, spend 30 minutes checking obvious disqualifications. Sanctions and watchlist screening, adverse media search, and basic company registry verification can eliminate clearly unsuitable vendors quickly. Neotas’s Red Flag screening covers PEPs, sanctions, SOEs, adverse news, and social media for both individuals and entities at the entry level.

Phase 3: Document collection and evidence review

Issue a tiered questionnaire appropriate to the vendor’s risk level. Collect and verify the documentation specified in each domain above. Store all documents in a centralised system of record with a full audit trail. Automated questionnaire workflows with email reminders reduce delays and maintain documentation completeness.

Phase 4: OSINT and enhanced investigation

For Tier 1 and Tier 2 vendors, questionnaire responses alone are insufficient. Open-source intelligence (OSINT) investigation covers what vendors won’t disclose: adverse media across 40,000+ sources in 100+ countries, archived web coverage going back 15 years, social media behavioural analysis, network relationship mapping, and non-English jurisdiction checks. This is the stage where hidden beneficial ownership links, undisclosed enforcement actions, and risk-by-association are identified.

Phase 5: Risk decision and contracting

Collate findings into a risk profile. Make a risk-based decision: approve, approve with mitigations, or reject. Document the decision rationale for your audit trail. If approved, ensure DD findings directly inform contract terms: liability clauses, data breach notification requirements, SLA penalties, subprocessor transparency, and audit rights all follow from what the DD process found.

Ongoing monitoring

Due diligence is a point-in-time gate. Vendor risk management is continuous. Set up automated alerts for sanctions updates, adverse media, corporate structure changes, and security rating changes. Reassess on the cycle appropriate to the vendor’s tier. A vendor that passes initial assessment can acquire new liabilities, restructure under new ownership, or experience a security incident at any point in the relationship.

VDD vs vendor risk management vs TPRM

These three terms are used interchangeably but describe distinct activities.

Vendor Due Diligence (VDD)
  Definition: Point-in-time assessment of a specific vendor before onboarding or at reassessment
  Timing: Before contract signing; at renewal or reassessment intervals
  Scope: Single vendor; defined risk domains
  Output: Risk assessment report; go/no-go decision; contract terms

Vendor Risk Management (VRM)
  Definition: Ongoing monitoring and management of vendor relationship risk post-contract
  Timing: Continuous throughout the vendor relationship lifecycle
  Scope: Portfolio of vendor relationships; performance and compliance monitoring
  Output: Performance dashboards; risk alerts; remediation tracking

Third-Party Risk Management (TPRM)
  Definition: Enterprise-wide programme covering all external parties: vendors, contractors, partners, agents
  Timing: Continuous; covers the full third-party lifecycle from onboarding to offboarding
  Scope: All third parties including fourth parties; supply chain; ESG risk
  Output: Risk register; programme metrics; regulatory reporting; audit trail

In short: VDD is the gate. VRM is what happens after you open it. TPRM is the programme that governs both.

Sell-side VDD: when the vendor commissions the report

In mergers and acquisitions, “vendor due diligence” carries a second meaning. Here, the entity being sold (the “vendor” in the transaction) commissions an independent third-party report on itself before approaching buyers. This sell-side VDD serves a different purpose from the third-party assessment checklist above.

Sell-side VDD (M&A context)
  Purpose: Seller presents their business transparently to potential buyers; accelerates buy-side due diligence
  Initiator: The entity being sold commissions the report
  Prepared by: Independent third-party auditors appointed by the seller
  Timing: Before going to market; proactively addresses deal risks
  Key benefit: Identifies and resolves issues before buyer discovery; supports valuation

Buy-side vendor assessment (TPRM context)
  Purpose: Buying organisation assesses a supplier before engaging them
  Initiator: The organisation engaging the vendor
  Prepared by: Internal compliance team or an external DD provider
  Timing: Before contract signing; at reassessment intervals
  Key benefit: Identifies risks before they enter your supply chain; informs contract terms

Sell-side VDD benefits sellers by identifying issues that could devalue or delay a transaction, building buyer confidence, and potentially achieving a higher sale price by presenting a clean, documented business. For buyers, a credible sell-side VDD report reduces duplication of effort, though it does not replace independent verification for critical risk areas.

Frequently asked questions

What is vendor due diligence?

Vendor due diligence (VDD) is the process of identifying and assessing risks associated with a third-party supplier or service provider before signing a contract or expanding their access to your systems and data. It covers financial stability, legal compliance, cybersecurity posture, operational resilience, reputational risk, and AML/sanctions exposure. The depth of assessment depends on the vendor’s risk tier.

What should a vendor due diligence checklist include?

A vendor due diligence checklist covers six domains: general business verification (incorporation, UBO, ownership structure), financial review (audited statements, credit, liabilities), cybersecurity assessment (SOC 2, ISO 27001, penetration testing, AI risk), legal and regulatory compliance (litigation, contracts, regulatory licences), reputational and AML screening (PEP, sanctions, adverse media, network links), and operational resilience (BCP, DRP, ESG). The depth of each domain is calibrated to the vendor’s risk tier.

How often should vendor due diligence be repeated?

Critical vendors should be reassessed annually with continuous monitoring in between. High-risk vendors require annual reassessment. Medium-risk vendors need review every 18 months. Low-risk vendors can use self-attestation every two years. Reassessment should also be triggered by material changes: contract renewal, vendor restructuring, a reported security incident, a change in ownership or leadership, or a new regulatory obligation.

What is the difference between vendor due diligence and vendor risk management?

Vendor due diligence is a point-in-time assessment conducted before onboarding a supplier or at reassessment intervals. Vendor risk management is the ongoing, continuous programme that monitors vendor performance, compliance, and risk exposure across the entire relationship lifecycle. Due diligence is the gate; vendor risk management is what happens after you open it.

What US regulations require vendor due diligence?

Several US frameworks require it. The OCC Interagency Guidance on Third-Party Relationships (2023) states banks cannot outsource accountability for vendor failures. FinCEN’s CDD Rule requires financial institutions to identify and verify beneficial owners, including in vendor relationships. NIST CSF 2.0 elevated supply-chain risk management to the Govern function. The SEC cyber disclosure rule requires disclosure of material cybersecurity incidents from third parties. HIPAA requires business associate agreements and security assessments for healthcare vendors.

What is the difference between vendor due diligence and traditional due diligence?

In TPRM contexts, vendor due diligence is conducted by a buying organisation on its suppliers to assess third-party risk before onboarding. Traditional sell-side due diligence (in M&A contexts) is commissioned by a seller to provide potential buyers with an independent view of their business. The purpose, initiator, and scope differ significantly. The buy-side TPRM checklist on this page addresses the first definition.

What does a vendor due diligence report contain?

A vendor due diligence report contains: an executive summary of findings, financial stability assessment, legal and regulatory compliance review, cybersecurity posture evaluation, reputational and AML risk findings (sanctions, PEP, adverse media), operational resilience assessment, and risk recommendations. For high-risk vendors, the report includes OSINT findings, network relationship analysis, and a risk-rating with recommended mitigations or a rejection rationale.

How does AI risk feature in vendor due diligence in 2026?

AI and shadow AI risk is now a formal checklist item for Tier 1 and Tier 2 vendor assessments. IBM’s 2025 data shows that employees connecting AI tools to production systems without security review added $670,000 to average breach costs. When vetting SaaS vendors, assess which AI tools are embedded in their platform, whether your data is used to train public models, and whether IP ownership and portability of custom embeddings are contractually protected.

Neotas Enhanced Due Diligence

Neotas Enhanced Due Diligence covers 600Bn+ Archived web pages, 1.8Bn+ court records, 198M+ Corporate records, Global Social Media platforms, and more than 40,000 Media sources from over 100 countries to help you screen & manage risks.
