Chapter 5: Vendor Due Diligence

Making the Right Choice

This chapter addresses vendor due diligence for end users and resellers. It's about understanding the potential regulatory and operational implications of your vendor choice and ensuring the selection aligns with regulator expectations and your compliance needs.

For End Users

Regulatory Perspective: Assess how regulators might view your vendor choice. Consider the vendor's history with compliance, the accuracy of their data, and overall reliability. For example, have the vendor’s users been subject to enforcement action because of problems with the vendor’s screening system? This is a major red flag that should disqualify the vendor from the selection process.

Assessing Vendor Credibility: Investigate the vendor's reputation in the industry, focusing on their track record in data accuracy and compliance.

Real World Impact: In 2022, OFAC issued a finding of violation against a US-based bank for processing transactions on behalf of individuals sanctioned by the US. The bank processed over 30 transactions on behalf of the sanctioned individuals within six hours of the customers being designated by OFAC. The bank was only notified by their screening system vendor that the customers were sanctioned 14 days later. Ensuring your screening vendor has the most updated data can avoid similarly costly and time-consuming violations.

For Resellers

Value Beyond Cost: Articulate the worth of the chosen data set. It's not just about being cost-effective; it's about the data's quality, comprehensiveness, and regulatory alignment.

Communicating Quality to End Users: Be prepared to explain how your chosen data set stands out regarding real-time updates, coverage, and regulatory compliance.

Cost vs. Value

In our knowledge base article, What Should I Screen? The Five Tiers Of Compliance Data, we outline the varying levels of compliance data available to organizations, each with distinct features and purposes. We’ll focus on why it’s crucial to avoid screening systems that rely on low-quality or limited data sets and what to ask to spot it. 

Scrutinize Inexpensive Solutions

In evaluating cost-effective compliance solutions, first ask why they may be priced lower. While affordability is appealing, these solutions often do not meet regulators’ standards. The risks associated with incomplete or outdated information far outweigh the initial savings of a cheaper solution. 

Avoid Open-Source Projects and Government Sites

These data sources are ideal for researchers, students, and journalists, where regulatory compliance isn't a concern. However, they are not suitable for meeting your legally mandated compliance requirements. 

Open-source projects can be more vulnerable to security issues, since they often lack the prioritized patches and updates that compliance-sensitive environments require. Similarly, unenriched, unorganized data pulled directly from government sites will burden your compliance team with coverage gaps and a high volume of false positives.

Remember, regular and prompt maintenance of these systems, critical for security, often falls to the end user, adding to the operational burden. Keeping the software up-to-date and ensuring its compatibility with other systems also falls on the end user, adding to complexity and cost.


This is a lot to remember, but we’ve got you covered. Download our screening system buyer’s checklist to keep track of it all when you’re assessing vendors. 
