casemark/managing-vendor-due-diligence-compliance
skills/finance/managing-vendor-due-diligence-compliance/SKILL.md
Structures regulatory vendor due diligence with risk assessment and ongoing monitoring requirements. Use when conducting vendor DD, assessing outsourcing risk, or managing third-party compliance.
$ install --global
skillsauthnpx skillsauth add casemark/skills managing-vendor-due-diligence-complianceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 24, 2026, 3:45 AM49.9s1 file scanned
SKILL.md
- name:
- managing-vendor-due-diligence-compliance
- language:
- en
- description:
- Structures regulatory vendor due diligence with risk assessment and ongoing monitoring requirements. Use when conducting vendor DD, assessing outsourcing risk, or managing third-party compliance.
- author:
- casemark
Managing Vendor Due Diligence Compliance
When To Use
- Onboarding a new third-party vendor that will access customer data, perform regulated functions, or handle material outsourced activities
- Conducting periodic reassessment of existing vendor relationships (annual review cycles, contract renewals)
- Responding to a regulatory exam finding or audit deficiency related to third-party risk management
- Evaluating whether a vendor qualifies as "critical" or "significant" under applicable regulatory guidance (OCC Bulletin 2013-29, FDIC FIL-44-2008, Federal Reserve SR 13-19/CA 13-21, or Interagency Guidance on Third-Party Relationships) [VERIFY applicable framework for institution type]
- Assessing outsourcing arrangements for compliance with DORA, EBA Guidelines on Outsourcing, or equivalent non-US regimes [VERIFY jurisdiction]
Inputs To Gather
- Vendor identification: Legal entity name, jurisdiction of incorporation, ultimate beneficial ownership, DUNS/LEI numbers
- Service description: Exact functions being performed, whether the activity is customer-facing, and whether it involves access to NPI/PII or regulated data
- Criticality classification criteria: Institution's internal tiering framework (critical, high, moderate, low) and the factors driving classification (revenue impact, regulatory exposure, data sensitivity, substitutability)
- Existing documentation: Prior DD reports, SOC 2 Type II or equivalent audit reports, financial statements, insurance certificates, BCP/DR plans, information security policies
- Regulatory context: Which regulators oversee the institution, any open MRAs/MRIAs related to vendor management, consent order requirements
- Contract terms: Current or proposed SLA metrics, termination and transition provisions, subcontracting restrictions, audit rights, data handling obligations
Workflow
-
Classify vendor risk tier
- Apply the institution's criticality matrix against the service scope
- Determine whether the vendor performs a "critical activity" or "significant outsourcing" under applicable guidance [VERIFY definition thresholds]
- Document the rationale for the assigned tier — this drives the depth of remaining DD steps
-
Conduct financial and operational due diligence
- Review audited financial statements (minimum 2 years) for solvency indicators, going-concern qualifications, and material contingencies
- Obtain and evaluate SOC 2 Type II report (or SOC 1 if financially relevant processing); flag any qualified opinions or exceptions
- Assess BCP/DR capabilities: RTO/RPO commitments, testing frequency, last test results
- For critical vendors: request on-site or virtual assessment if audit reports are insufficient
-
Assess regulatory and compliance posture
- Confirm vendor holds required licenses, registrations, or certifications for the services provided [VERIFY by jurisdiction and service type]
- Screen against OFAC SDN list, BIS Entity List, and other applicable sanctions/debarment databases
- Review vendor's own compliance program: AML/BSA policies (if applicable), privacy program, information security framework (SOC, ISO 27001, NIST CSF alignment)
- Check litigation history and regulatory enforcement actions via PACER, state AG databases, and industry-specific registries
-
Evaluate information security and data privacy
- Map data flows: what data the vendor receives, stores, processes, and transmits
- Review vendor's incident response plan and breach notification commitments against contractual and statutory requirements (state breach notification laws, GLBA Safeguards Rule, GDPR Art. 33-34 if applicable) [VERIFY applicable data privacy regime]
- Assess fourth-party (subcontractor) risk: identify material subcontractors and confirm oversight controls
- Validate encryption standards, access controls, and penetration testing cadence
-
Establish ongoing monitoring framework
- Define monitoring frequency by risk tier (critical: quarterly metrics + annual full reassessment; high: semi-annual review; moderate/low: annual attestation)
- Specify trigger events requiring off-cycle reassessment: material breaches, financial deterioration, M&A activity, regulatory action against vendor, significant service failures
- Set SLA performance tracking mechanisms and escalation thresholds
- Schedule next periodic review date and assign responsible owner
-
Compile DD report and recommendations
- Summarize findings by risk category (financial, operational, regulatory, information security, reputational)
- Assign residual risk rating after accounting for mitigating controls and contract protections
- Identify open items requiring remediation, with responsible parties and target dates
- State approval recommendation: approve, approve with conditions, or reject
Output
The final deliverable is a Vendor Due Diligence Report containing:
- Executive summary: Vendor name, service description, risk tier, overall residual risk rating, and approval recommendation
- Criticality classification: Tier assignment with supporting rationale
- DD findings matrix: Organized by risk domain (financial, operational, regulatory, infosec, reputational) with finding severity (satisfactory / needs improvement / unsatisfactory)
- Open items tracker: Each item with owner, due date, and status
- Ongoing monitoring schedule: Frequency, metrics, trigger events, and responsible parties
- Appendices: Supporting documents reviewed, screening results, and any vendor-provided certifications
Quality Checks
- Confirm the criticality classification aligns with the institution's board-approved third-party risk management policy
- Verify that all required screening databases were checked and results documented with date stamps
- Ensure contract terms (audit rights, termination provisions, data handling) are cross-referenced against DD findings — flag gaps
- Validate that the monitoring cadence meets or exceeds the minimum frequency required by the institution's primary regulator [VERIFY regulatory minimum]
- Check that fourth-party/subcontractor risks are addressed, not just direct vendor risks
- Confirm that the residual risk rating accounts for both inherent risk and the effectiveness of mitigating controls
- Mark any data point sourced from vendor self-attestation (rather than independent verification) with [VERIFY]
Related Skills
casemark/skills/legal/automated-contract-summary
development
VerifiedTrustedCommunity
name: automated-contract-summary language: en description: Generates structured executive summaries of contracts using ML — captures key terms, party obligations, risk allocations, and compliance requirements in a standardized format. Optimized for high-volume review where speed and consistency matter. tags: - summarization - agreement - corporate --- # Automated Contract Summarization Produces standardized executive summaries of contracts using machine learning, capturing essential term
21SKILL.mdUpdated May 26, 2026
casemark/obligation-mapping
tools
VerifiedTrustedCommunity
Extracts regulatory obligations from dense regulations across jurisdictions. Breaks down multi-level regulations into clear article-level obligations, classifies applicability to a business, and prioritizes by risk level. Use when translating regulations into actionable compliance requirements.
21SKILL.mdUpdated May 25, 2026
casemark/horizon-scanning
development
VerifiedTrustedCommunity
Continuously monitors regulatory landscapes for changes relevant to a specific business. Ingests global regulatory updates, filters by relevance, summarizes impact, and produces an actionable change advisory. Use when tracking regulatory developments affecting a particular product or market.
21SKILL.mdUpdated May 25, 2026
casemark/gap-analysis
testing
VerifiedTrustedCommunity
Compares an organization's existing compliance controls, policies, and procedures against extracted regulatory obligations to identify coverage gaps. Produces a remediation plan with prioritized actions. Use when assessing compliance maturity or preparing for regulatory audits.
21SKILL.mdUpdated May 25, 2026