What is vendor due diligence?

Vendor due diligence (VDD) is the process of evaluating a vendor’s financial crime risks before entering into a business relationship with it. 

Working with third-party vendors is an essential operational element in many sectors, from established financial institutions (FIs) partnering with FinTechs or foreign counterparts, to shipping companies involved in complex supply chains.

Across the increasingly interconnected world of global finance, these relationships are set to come under greater regulatory scrutiny. As explored in our State of Financial Crime 2025, governments and regulators are seeking to crack down on the sanctions evasion risks posed by intermediary firms; Chinese companies transacting with Russian entities are one likely area of focus for sanctions enforcement. 

In today’s highly interconnected global economy, vendor due diligence (VDD) should, like the customer due diligence (CDD) process, form an essential part of your anti-money laundering and countering the financing of terrorism (AML/CFT) compliance program.

What are the objectives of vendor due diligence?

As with CDD, the purpose of VDD is to establish any AML risks a business relationship with a given vendor may create. This allows you to decide whether to proceed with the relationship and, if so, take steps to mitigate them. 

For AML purposes, these risks will typically be: 

Without VDD in place, your business risks regulatory action if you are inadvertently involved in third-party money laundering or doing business with criminals or sanctioned entities. Regulatory enforcement can result in financial and legal penalties, as well as reputational damage among consumers. 

The vendor due diligence process

The VDD process involves these key stages: 

  1. Data gathering: This refers to collecting information about a vendor. Sources for this data can include public databases, company records, and risk intelligence maintained by RegTech vendors.
  2. Data verification: The legitimacy and relevance of this information must then be established. Sophisticated compliance solutions can automatically cross-reference data to make sure it is accurate, reliable, and up-to-date. 
  3. Risk scoring: This allows firms to weigh the risks of a business relationship against their overall risk appetite.

To complete these steps, you must understand what information is required and how it should be collected. This includes:

  • Basic identifying information such as the vendor’s location, legal status, and registration details.
  • Ultimate beneficial ownership (UBO) data.
  • Information on the types of clients the vendor serves and any third-party relationships it maintains. 
  • The vendor’s AML compliance policies and procedures, as reviewed by a third-party audit. 

To evaluate a vendor’s AML risk level, you should use this information to determine the following: 

  • Sanctions and other restrictions placed against the company or its beneficial owners by governments and international authorities.
  • Regulatory action taken against the vendor. 
  • Political connections that may expose the target company to a higher risk of money laundering and would require enhanced due diligence (EDD).
  • AML risks specific to the company or the industry in which it operates. These can include geographic risks, product and service risks, and client risks. 

Best practices for vendor due diligence

While VDD must always involve the steps outlined above, it should not be reduced to a superficial, box-checking exercise. Instead, you can optimize your due diligence processes by tailoring them to your business profile and adopting appropriate, specialist AML software. This will allow you to: 

  • Understand the red flags to look for: A vendor operating in certain jurisdictions or with a client base consisting of certain professions should be rated as higher-risk and inform your decision to conduct EDD. Indicators that a vendor is actually a shell company, such as difficulty obtaining UBO data, inconsistencies in its business profile, or an inability to demonstrate AML compliance, should also be treated as red flags. 
  • Screen in depth at onboarding: You should have solutions in place for sanctions, watchlist, politically exposed person (PEP), and adverse media screening. Combining screening processes via a single platform can efficiently provide a comprehensive view of risks, while using data that updates in real time minimizes risk exposure. You should make sure your screening measures extend to all the vendor’s UBOs.
  • Develop dynamic risk scoring: To mitigate risk while streamlining the due diligence process, you can use automated risk scoring models that use the data you have collected. Like CDD, VDD should be an ongoing process: firms must be checked continually throughout the sales process and subsequent business relationship to ensure their risk profile has not changed. 
  • Document partnerships with vendors: You should keep detailed records of all third-party relationships and your AML compliance policies regarding these relationships, especially given increased regulatory scrutiny in this area.

Market-leading risk intelligence to upgrade due diligence 

Effective VDD depends on access to high-quality, integrated data and sophisticated technological tools to analyze that data for risks. Businesses worldwide look to ComplyAdvantage to provide these AML compliance solutions.

For example, before partnering with ComplyAdvantage, global shipping firm Hafnia struggled to obtain UBO data from other industry players but can now carry out efficient and accurate screening checks. 

With access to ComplyAdvantage’s proprietary data, your firm can protect itself against third-party risks with: 

Originally published 17 January 2020, updated 30 January 2025

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2025 IVXS UK Limited (trading as ComplyAdvantage).