Most organizations nail the initial vendor assessment, then watch their due diligence efforts quietly decay over time. Financial conditions shift, ownership changes hands, cybersecurity gaps emerge — and suddenly that thoroughly vetted partner becomes a regulatory liability. First International Bank & Trust’s Mandy Cooper dissects the misconceptions that undermine even well-intentioned oversight efforts, from the false security of lengthy questionnaires to the dangerous assumption that big-name vendors are inherently safe.
Third-party risk is a moving target. It’s complex and evolves quietly, often in ways that catch even the most prepared organizations off-guard. For compliance professionals, the stakes are high: Unchecked vendor vulnerabilities can lead to regulatory breaches, reputational damage and operational disruptions.
Many organizations conduct thorough initial assessments but struggle with ongoing oversight. The real challenge, though, is maintaining visibility into those risks as they evolve. Vendor relationships, financial conditions, regulatory environments and operational capabilities all change over time, often in ways that aren’t immediately apparent.
Effective third-party risk management requires looking beyond the primary vendor to understand subcontractor relationships, maintaining regular oversight throughout the partnership and ensuring contracts provide the foundation for sustained accountability. Organizations also need to recognize common misconceptions that can undermine even well-intentioned due diligence efforts.
Asking the right questions
Successful due diligence starts with focusing on the essentials:
- Financial stability: Thoroughly assess the financial health of any potential third-party partner. Unstable partners may default on obligations or suddenly fold, risking operational disruption.
- Regulatory and legal standing: Review litigation history, regulatory compliance and enforcement actions to avoid costly penalties and reputational harm.
- Information security: Require robust cybersecurity controls and validated incident response plans. Weaknesses here can lead to breaches, ransomware and loss of trust.
- Operational resilience: Insist on proof — not just promises — of business continuity and disaster recovery readiness through scenario tests and ongoing evaluation.
- Performance and integrity: Look beyond references to identify patterns of litigation, underperformance or ethical lapses that may signal hidden risks.
- Ownership and subcontractors: Map out ownership structures and subcontractor relationships to expose hidden dependencies or unmanaged exposures.
- Contractual clarity: Ensure contracts clearly spell out deliverables, compliance obligations, data use and exit strategies for enforceable accountability and recourse.
The EU Has Taken Another Step Toward Unified AML Supervision; Are Your Processes Ready?
Regulators want to see that firms’ policies work in the real world
Read moreDetailsWatching for red flags
Many failures in third-party risk management stem from common misconceptions. One is that lengthy questionnaires guarantee security. In reality, the effectiveness of due diligence depends on asking relevant, tailored questions and verifying responses. Vendors can easily complete long forms without revealing critical gaps, so depth and quality matter far more than volume.
Another misconception is that risk ends once a vendor is onboarded. Third-party risk is dynamic and can change quickly due to shifts in ownership, leadership, financial health, staffing or regulatory environments. Assuming risk is static leads to blind spots.
It’s also naive to assume well-known or widely used vendors are inherently low-risk. Even large organizations can face data breaches, operational failures or compliance lapses, especially if they grow too fast or become prime targets for attacks. Watch for red flags like outdated policies, lack of transparency around subcontractors and vendors who only address problems reactively.
As business migrates online, cybersecurity and data privacy become paramount third-party risks. Any organization handling sensitive data must have strong, modern protection and effective incident response capabilities.
Weak or outdated defenses quickly become your vulnerabilities. Cloud concentration adds another layer of risk. Many businesses rely on a small handful of cloud providers, creating potential single points of failure if one of those organizations experiences an outage or breach. Many will remember the December 2021 AWS outage and its vast multi-industry impact.
Lessons from the field
Several financial institutions have faced regulatory action, such as consent orders, due to weak oversight of third-party vendors and internal compliance failures. In response, these organizations strengthened oversight capabilities, updated policies and controls and invested in skilled compliance staff to enhance third-party risk management.
Sustained remediation has allowed some institutions to resolve these issues and lift consent orders. While remediation is resource-intensive, these cases underscore that proactive investment in a robust risk management framework and knowledgeable staff is far less costly than the consequences of compliance failures after the fact.
Effective due diligence extends beyond vendor reputation or size; it requires probing questions, concrete evidence and ongoing vigilance. Ultimately, organizations that view risk management as a continuous process are better equipped to respond quickly, meet evolving compliance expectations and build resilience.
Mandy Cooper is head of payments risk management at First International Bank & Trust. She is an accomplished leader and subject matter expert with more than 25 years of experience in financial services, compliance and risk management. Directing risk and compliance strategy for FIBT’s Kotapay division, Mandy oversees all compliance related matters within the payments division, ensuring compliance with applicable laws, regulatory requirements, policies and procedures, as well as establishing and implementing effective compliance standards throughout the organization. Prior to Kotapay, Mandy worked at various industry leading payment issuers, recently serving as executive vice president, chief risk officer at central payments where she led the enterprise risk teams including AML/BSA, regulatory compliance, enterprise risk, third party risk and information security. 
