Establish, implement, and maintain supply chain due diligence standards.

Business Processes

This Control directly supports the implied Control(s):
  • Third Party and supply chain oversight, CC ID: 08807

This Control has the following implementation support Control(s):
  • Provide management support for third party due diligence., CC ID: 08847
  • Commit to the supply chain due diligence process., CC ID: 08849
  • Establish, implement, and maintain internal accountability for the supply chain due diligence process., CC ID: 08851
  • Establish, implement, and maintain supply chain due diligence requirements., CC ID: 08853
  • Document and maintain records of supply chain transactions in a transaction file., CC ID: 08858
  • Cross-check the supply chain due diligence practices against the supply chain management policy., CC ID: 08859
  • Assign the appropriate individuals or groups to oversee and support supply chain due diligence., CC ID: 08861
  • Develop and implement supply chain due diligence capability training program., CC ID: 08862
  • Determine if additional supply chain due diligence processes are required., CC ID: 08863
  • Review transaction files for compliance with the supply chain audit standard., CC ID: 08864
  • Provide additional documentation to validate and approve the use of non-compliant materials., CC ID: 08865
  • Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements., CC ID: 08870
  • Calculate and report the margin of error in the supply chain due diligence report., CC ID: 08871
  • In considering, renegotiating or renewing an outsourcing arrangement, an institution should subject the service provider to appropriate due diligence processes to assess the risks associated with the outsourcing arrangements. (5.4.1, Guidelines on Outsourcing)
  • assessing the service provider's ability to employ a high standard of care in performing the outsourced service and meet regulatory standards as expected of the institution, as if the outsourcing arrangement is performed by the institution; (5.3.1 (c), Guidelines on Outsourcing)
  • An institution should assess all relevant aspects of the service provider, including its capability to employ a high standard of care in the performance of the outsourcing arrangement as if the service is performed by the institution to meet its obligations as a regulated entity. The due diligence s… (5.4.2, Guidelines on Outsourcing)
  • procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; (4.7 42(c)(v), Final Report on EBA Guidelines on outsourcing arrangements)
  • Formalise the supplier relationship management process for each supplier. The relationship owners should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs). (DS2.2 Supplier Relationship Management, CobiT, Version 4.1)
  • Is there an established process for engaging service providers, including proper due diligence prior to engagement? (§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.1)
  • The organization shall have documented procedures that preclude purchasing products from suppliers who repeatedly fail to detect or avoid fraudulent or counterfeit parts or fail to exercise due diligence in detecting and avoiding these parts. (§ 4.2.2 ¶ 1.c, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of… (CIS Control 15: Safeguard 15.5 Assess Service Providers, CIS Controls, V8)
  • The organization has a formal program for third-party due diligence and monitoring. (DM.ED-7.1, CRI Profile, v1.2)
  • The organization has a formal program for third-party due diligence and monitoring. (DM.ED-7.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The due diligence measures shall include an independent private sector audit of the annual report. (§ 1502(b)(p)(1)(A)(i), PUBLIC LAW 111-203, July 21 2010)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • A review process of third-party providers to ensure that each relationship supports the institution's overall business objectives and strategic plans. (App A Objective 12:14 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institutions should establish and maintain effective vendor and third-party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the … (Vendor and Third-Party Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • If the institution uses a technology service provider, determine whether it performed appropriate due diligence prior to engagement and has appropriate contractual agreements governing the relationship. Determine whether the institution monitors compliance with the governing contract. Determine if t… (App A Tier 1 Objectives and Procedures Objective 8:4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The adequacy of due diligence performed on the technology service provider. (App A Tier 1 Objectives and Procedures Objective 11:2 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • If the financial institution accepts RCCs from retail business customers or payment processing customers, assess the appropriateness of, and adherence to, policies and procedures regarding customer due diligence, customer contracts, third-party service provider's due diligence, and activity/transact… (App A Tier 2 Objectives and Procedures M.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Proper documentation and reporting of the third party Risk Management process typically includes due diligence results, findings, and recommendations. ("Documentation and Reporting" Bullet 3, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and (§ 500.11 Third Party Service Provider Security Policy (a)(3), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)