Vendor Due Diligence: 5 Things to Consider (and how Laven Tech can help)
Posted on 16 Mar 2021
The emergence of new technologies in the Financial Services space has resulted in firms relying on an ever-increasing number of third-party relationships to enhance and streamline their business activities. Yet with each new vendor relationship come added risks, and firms must ensure that all regulatory and legal requirements are met. With regard to third-party vendors, these usually include considerations for GDPR, Money Laundering & Terrorist Financing.
Management of these risks is critically important, a point that the FCA has recently reaffirmed by emphasising the importance of ‘Operational resilience’ to firms. This has become especially prevalent in light of the challenges presented by the COVID-19 pandemic.
The FCA and the Prudential Regulation Authority (“PRA”) have also taken action in this regard. For example, in 2019 R. Raphael & Sons plc received separate fines of £775,100 from the FCA and £1,112,152 from the PRA for failing to manage their outsourcing arrangements. Mark Steward, FCA Executive Director of Enforcement and Market Oversight, stated this failure “exposed customers to unnecessary and avoidable harm and inconvenience” and that “there is no lower standard for outsourced systems and controls” than if they were managed in-house.
It is clear, therefore, that firms need to ensure that they employ robust Vendor Due Diligence procedures that both demonstrate and document that their vendors are always operating to the highest practice standards.
To properly conduct vendor due diligence, firms must fully understand the information and process that are required. Below are five questions to answer when conducting Vendor Due Diligence, and how Laven Tech can help your company to achieve these points.
1. What is the objective of Vendor Due Diligence?
Understanding the objective of Vendor Due Diligence is an incredibly important first step in this process, as it helps vendors gain a better understanding of the risks that their companies face. This process begins by clearly identifying the role being carried out, ownership, directors and the group structure of the vendor. As part of Laven Tech, we offer a Vendor Due Diligence module which makes this objective of the due diligence process clear through the automatic production of a written report, which can help to streamline and speed up the Vendor Due Diligence process.
2. What data should firms be requesting?
The Due Diligence process often requires the collection and management of large amounts of information and data. The documents required for vendor due diligence must be legitimate, complete and up to date and must therefore be checked on a periodic (at least annual) basis. The Vendor Due Diligence module on Laven Tech can help you with collating this information through its question-and-answer style format. This ensures that all compliance requirements and standards are being met as well as allowing you to identify any vulnerabilities that may exist.
3. What ongoing monitoring should I be performing?
As with most other compliance workflows, certain processes when completing Vendor Due Diligence require ongoing monitoring. The risk landscape is constantly changing, and companies should know how to adapt to it and respond to new threats. Key operational elements such as the HR, IT and Insurance policy requirements of vendors should be monitored to ensure that they are valid and suitable for their business. Depending on the regulatory status of vendors, they may also have compliance obligations that must be monitored.
The Laven Tech Vendor Due Diligence module ensures that the procedures and policies used by a company are up to the best practice standard at the time of completing the report. This is done by raising any immediate red flags and concerns based on answers given in the report.
4. How to verify a vendor's process?
Any information collected directly from the vendor during the due diligence process must be reliably checked against publicly available information for accuracy. Background checks should also be undertaken on key individuals and the company itself, and any certifications they have received from reputable bodies should be catalogued. Laven Tech facilitates the documentation of this entire process into a clear and concise format.
5. What is the ongoing process?
Firms must keep their policies and procedures updated throughout the business relationship, to ensure their risk profile has not changed. This requires Vendor Due Diligence to be undertaken regularly, especially in times of operational upheaval where companies are having to facilitate remote working environments through the utilisation of third-party systems.
To remain up to date, a summary of the red flags and concerns found in Laven Tech can be used to prompt when any updates to its policies and procedures are required to meet best practice standards. Periodic reminders are sent out to the relevant members of staff when updates are due to help ensure that the workflow is followed correctly.
Vendor Due Diligence and Laven Tech
At Laven, our consultants are on hand to help identify the actions your firm needs to take to ensure you are compliant with the new regulation outlined in this report, whether this is through assisting with new policies and procedures that need to be put in place or providing online/in-person training for staff to make them fully aware of the regulatory obligations.
Laven has also built Laven Tech, a unique Regulatory Technology (RegTech) solution that leverages advanced technology combined with our vast subject matter expertise. Our RegTech solution is designed to assist fund managers, service providers and investors to meet today’s growing demands.
The application is a Software-as-a-Service that leverages the Microsoft Azure Cloud solution for redundancy and business continuity. The application and its resources are configured with geo-redundancy.
It is built on a multi-region architecture to provide higher availability and mitigate outages by using regional pairing. If a regional outage affects the primary region, we fail over to the secondary region. This architecture is based on Azure’s best practices for setting up an application for high availability.
The application runs on a secure HTTPS domain. Web traffic is routed via a leading web infrastructure security provider. Doing so masks the IP addresses, adding an extra layer of security.
The database and document storage are encrypted at rest. The database is backed up approximately every 30 minutes. External experts perform periodic penetration tests on the application.