For CISOs, risk leaders, compliance teams, and internal audit stakeholders at credit unions and community banks, vendor due diligence is one of the most heavily scrutinized stages of the third-party lifecycle. Examiners want documented evidence that your institution understood the risk before signing the contract, and that you keep understanding it for as long as the relationship lasts. As banks and credit unions onboard more cloud-hosted platforms, fintech partners, and AI-enabled vendors, leadership needs a reliable way to identify who has access to what, who owns each relationship, what controls apply, and how that risk is monitored over time.
Automate your vendor due diligence and SOC report reviews.
Vendor due diligence is the structured process of evaluating a third-party provider’s business standing, cybersecurity posture, regulatory exposure, operational resilience, and contractual terms, before and throughout the relationship. In financial services, it is less about producing a one-time onboarding file and more about establishing a defensible system of record for every vendor that touches member or customer data, connects to your network, or supports a material business function.
That aligns with NCUA Letter 07-CU-13 on evaluating third-party relationships and the Interagency Guidance on Third-Party Relationships: Risk Management issued jointly by the OCC, FDIC, and Federal Reserve. Both documents make clear that institutions are responsible for understanding the risk of every third-party relationship across its full lifecycle, regardless of vendor size or product category.
For credit unions and community banks, the scope should usually go beyond core processors and cloud-hosted platforms. It should also include fintech partners, AI-enabled vendors, marketing and member-communication platforms, and any subcontractor with material access to nonpublic information. The agencies’ third-party risk guidance reinforces that outsourced technology does not remove your institution’s oversight obligation.
Most industries treat vendor due diligence as a procurement formality. In financial services, it is a regulated function with explicit examiner expectations and documented enforcement history. The NCUA's 2026 Supervisory Priorities reference third-party risk management as an examiner focus area, particularly where lending, payment, or operational functions are outsourced to vendors, and the agency has separately updated its AI resources to address how existing third-party guidance applies to AI-enabled vendors.
A mature due diligence program also makes executive communication easier. Instead of trying to answer ad-hoc questions about where your biggest vendor risks live, leadership can report on vendor inventory by tier, residual risk, control maturity, and remediation status. That moves third-party risk out of the abstract and into a form the board, audit committee, examiners, and senior management can actually work with.
In practice, a strong program means three things: risk-rank vendors before you assess them and match the depth of due diligence to the tier; cover information security, financial health, compliance, operational resilience, and contractual protections, not just cybersecurity; and treat due diligence as a continuous obligation, not a one-time onboarding step. For more context, see our guide on FDIC and NCUA vendor management requirements.
A useful checklist should be practical enough for procurement and business teams to complete and structured enough for risk, security, and audit functions to rely on. The six categories below cover the documentation examiners expect to see in a defensible vendor file.
Not every vendor needs the same level of scrutiny. Before you collect a single document, assign the vendor a risk tier based on access to nonpublic member or customer information, connectivity to core systems or networks, criticality to a member-facing service, concentration and substitutability, and geographic or regulatory exposure. A critical-tier core processor warrants a full-scope review. A printing vendor that never touches NPI does not. Document the tier and the rationale; examiners will ask.
Collect baseline documentation that the vendor is a real, financially viable business that will still be operating in three years. Items typically include:
If a vendor cannot or will not produce audited financials, that itself is a finding.
This is the heart of due diligence for any vendor that touches data or systems. Scope should scale to the tier, but the controls below should be evaluated for any vendor with meaningful access:
Cybersecurity is not the only regulatory line examiners care about. Evaluate the vendor against BSA/AML and OFAC screening, GLBA and consumer protection obligations (FCRA, UDAAP, Regulation E, EFAA where the vendor touches lending, deposits, or member communications), state privacy laws (CCPA, CPRA, and the growing patchwork), litigation and enforcement history, CFPB complaint volume, and negative news or reputational signals.
Your vendor’s vendors are now your problem too. The Interagency Guidance is explicit that financial institutions are expected to understand subcontracting arrangements. Confirm:
Our breakdown of third-party versus fourth-party risk goes deeper on this distinction.
Due diligence findings are only as good as the contract that reflects them. Before signing, confirm a right-to-audit clause with reasonable notice and access to controls evidence; breach notification timelines in writing, with the contractual timeline aligned to your institution's regulatory reporting obligations (banks supervised by federal banking regulators are generally subject to a 36-hour standard, while federally insured credit unions face a 72-hour reporting window under NCUA's Part 748); subcontracting consent or notification requirements; data return and destruction obligations at termination, with certification; service-level agreements tied to operational risk tolerance; termination rights for material change of control, cybersecurity events, and regulatory action; and indemnification and limitation of liability sized to realistic exposure.
Most institutions already have more vendor exposure than they realize. Before formalizing a checklist, build a complete inventory from procurement records, accounts payable, security questionnaires already issued, business unit interviews, and known integrations. The goal of the first pass is coverage, not elegance.
Risk-tiering lets institutions apply proportionate due diligence without losing control. A vendor that processes member transactions is not the same risk as a vendor that prints marketing flyers. Tiering also gives examiners a defensible answer to the question of how you decide how deep to go.
A checklist becomes useful when no new vendor can move forward without it. That means connecting due diligence to procurement reviews, security reviews, contract sign-off, and renewal cycles, not running it as a parallel exercise in a separate spreadsheet.
Examiners do not grade you on the file you assembled at onboarding. They grade you on whether you have kept it current. Build periodic re-attestation requests sized to the tier, continuous security signal monitoring for high-tier vendors, incident escalation drills that exercise the contractual notification path, and an annual board or committee report summarizing material vendor risk changes.
Every checklist item should have an evidence location: the SOC 2 report, the signed contract, the latest tabletop summary, the committee approval. If evidence is scattered across email threads, shared drives, and personal folders, the program becomes hard to defend regardless of how complete the checklist looks.
If due diligence is done only at onboarding and never refreshed, the institution loses sight of changes in the vendor’s control environment, financial health, or subcontractor footprint. Strong programs build refresh cadences into the calendar and tie them to the vendor’s risk tier.
A vendor security questionnaire is one signal, not a complete due diligence file. Programs that focus only on cybersecurity miss financial deterioration, compliance issues, and fourth-party concentration risk, all of which examiners now expect to see covered.
For many institutions, the larger near-term exposure is in the subcontractors their vendors rely on, not the vendors themselves. Missing that layer creates a false sense of completeness.
When SOC 2 reports, signed agreements, and review notes live in five different systems, the inventory cannot be trusted. Examiners ask for the file, not the explanation of where the file might be.
A checklist that produces a binary pass/fail tells the board very little. Strong programs translate due diligence findings into residual risk ratings and, where possible, dollar-quantified loss exposure that integrates with the institution’s overall cyber risk picture.
For CISOs and risk leaders at credit unions and community banks, vendor due diligence is valuable because it creates visibility before vendor adoption outpaces oversight. A strong program helps institutions identify where third-party exposure lives, who owns each relationship, what risks each vendor introduces, what controls apply, and where evidence lives when audit, exam, or board questions come up. NCUA and FDIC guidance support this approach, and the agencies’ supervisory direction is clear: vendor relationships should be documented, governed, and aligned with broader security, privacy, and risk management processes.
If your team is still running vendor due diligence out of spreadsheets, shared drives, and email threads, there is a better way forward. Schedule a demo to see how Rivial Security’s AI-powered vendor security reviews can automate the due diligence process, centralize vendor risk evidence, and support a more audit-ready approach to third-party risk management.