Vendor Due Diligence Checklist: US Third-Party Risk Assessment Guide
Complete US vendor due diligence checklist: 7-step process, FinCEN BSA requirements, OFAC screening, CTA compliance and automation for 2026.

Vendor due diligence is the structured process of evaluating a supplier, contractor, or third-party service provider before entering a commercial relationship or renewing an existing contract. In the United States, vendor due diligence obligations arise from a layered federal and state framework: the Bank Secrecy Act (BSA), 31 U.S.C. §§ 5311–5336, FinCEN's Customer Due Diligence Final Rule (31 CFR Part 1010), OFAC sanctions regulations, the Corporate Transparency Act (CTA, 2021), and applicable state privacy laws including the California Consumer Privacy Act (CCPA).
This article is for procurement managers, BSA/AML officers, and legal teams at US businesses who need a practical framework for vendor risk assessment. It is informational only and does not constitute legal, financial, or regulatory advice.
What Is Vendor Due Diligence and Why Does It Matter for US Businesses?
Vendor due diligence is a risk assessment carried out before engaging a vendor. It confirms the vendor's legal existence, beneficial ownership, financial health, regulatory standing, and reputational profile. For financial institutions covered by the BSA, vendor due diligence is part of a mandatory AML compliance program rather than an optional best practice.
FinCEN's CDD Final Rule (effective May 11, 2018) established four core requirements for covered financial institutions: (1) customer identification and verification; (2) beneficial ownership identification for legal entity customers at the 25% threshold; (3) understanding the nature and purpose of the business relationship; and (4) ongoing monitoring for suspicious activity (FinCEN CDD Rule, 31 CFR § 1010.230). These requirements extend to vendor relationships where a vendor processes financial transactions, handles customer data, or acts as an intermediary.
The scope of vendor due diligence has expanded significantly in 2024–2026. The Corporate Transparency Act (reporting began January 1, 2024) created FinCEN's Beneficial Ownership Information (BOI) registry, requiring non-exempt reporting companies to self-report their ultimate beneficial owners. The FFIEC BSA/AML Examination Manual, the definitive guidance for examiners assessing vendor due diligence in the financial sector, was updated in 2024 to reflect CTA implementation (FFIEC BSA/AML Examination Manual).
Our platform analysis of 45,000+ vendor files shows 14.2% contain blocking errors (expired documents, EIN mismatches, or missing beneficial ownership records). These errors are flagged automatically by CheckFile before any contract is executed.
The 5 Types of Vendor Due Diligence
The scope of vendor due diligence depends on the relationship type, transaction volume, and regulatory exposure of the vendor.
| Type | Primary focus | Key documents |
|---|---|---|
| Legal / Corporate | Entity structure, litigation, IP | State SOS filings, articles, CTA BOI report |
| Financial | Solvency, cash flow, liabilities | 3–5 years audited financials, D-U-N-S report |
| Tax / IRS Compliance | Federal and state tax standing | EIN verification, IRS tax lien search, UCC filings |
| BSA/AML/OFAC | Sanctions, PEP status, beneficial ownership | KYC documents, source of funds, OFAC SDN screening |
| Data Privacy / Cybersecurity | CCPA, state privacy laws, data handling | DPA, SOC 2 report, privacy policy, incident history |
The Complete Vendor Due Diligence Checklist
Step 1: Legal and Corporate Verification
Legal due diligence confirms the vendor's legal existence, governance structure, and absence of undisclosed liabilities. In the US, corporate information is maintained at the state level; there is no single national registry.
Documents to collect:
- Secretary of State (SOS) filing: articles of incorporation or organization, registered agent name and address, current status (active/dissolved/revoked), officer and director information, searchable on each state's SOS website
- Operating agreement, bylaws, or shareholder agreements
- Material contracts (customer, supplier, employment), including change-of-control provisions
- Schedule of current and threatened litigation, including a PACER federal court search and state court docket review
- Intellectual property: USPTO trademark and patent registrations, domain ownership records
- Corporate Transparency Act (CTA) compliance: since January 1, 2024, reporting companies must file beneficial ownership information (BOI) reports with FinCEN unless one of the 23 statutory exemptions applies, the most common being the large operating company exemption (31 U.S.C. § 5336)
Under the CTA, reporting companies that willfully fail to file or update BOI reports face civil penalties of $591 per day (inflation-adjusted) and criminal penalties of up to $10,000 and 2 years imprisonment (31 U.S.C. § 5336(h)). Note that FinCEN's March 2025 interim final rule removed the BOI reporting requirement for domestic reporting companies and US persons, leaving it in place only for foreign reporting companies; confirm the current scope of the rule before treating a vendor's BOI filing status as a compliance signal. Requiring a vendor to confirm CTA compliance remains a reasonable part of vendor onboarding.
A practical note: US practitioners consistently identify change-of-control clauses in customer contracts as the most frequently missed item in vendor legal due diligence. These provisions can void key agreements or trigger renegotiation following a corporate restructuring.
Step 2: Financial and Tax Due Diligence
Financial due diligence validates the vendor's solvency and ability to deliver on contractual obligations. It also identifies tax liabilities that could affect the vendor's operational continuity.
Priority checks:
- Adjusted EBITDA and normalized free cash flow analysis (at least 3 years for SMEs; 5 years for strategic vendors)
- EIN (Employer Identification Number) verification: the primary tax identifier for US businesses, issued by the IRS. An EIN mismatch between a W-9 form and other documents is a significant red flag
- IRS compliance: federal corporate income tax returns (Form 1120 or 1120-S), state income tax filings, payroll tax filings (Form 941), and any open IRS examinations
- UCC filing search: search Uniform Commercial Code lien records at the Secretary of State to identify outstanding secured interests or collateral claims against the vendor's assets
- Federal tax lien search: check the IRS database and the vendor's county courthouse for outstanding tax liens
- D-U-N-S number: Dun & Bradstreet's 9-digit identifier, widely used for US vendor qualification and credit scoring; request a D&B Business Credit Report for high-value vendors
IRS audit data shows that businesses with assets over $10 million face examination rates of 0.9–8.8%, with transfer pricing being the most common adjustment trigger for international vendors (IRS Data Book 2024).
Step 3: BSA/AML and OFAC Compliance Screening
For businesses regulated under the BSA, including banks, credit unions, money services businesses (MSBs), broker-dealers, and insurance companies, vendor due diligence in the context of AML compliance is a statutory requirement enforced by FinCEN and federal banking regulators (OCC, FDIC, Federal Reserve).
The five pillars of a BSA/AML vendor compliance assessment:
- Identity verification: confirm the vendor's legal name, EIN, and registered address against official SOS and IRS records
- Beneficial ownership: identify and verify all individuals owning 25% or more of the vendor entity, directly or indirectly, plus at least one individual with significant managerial control (the CDD Rule's control prong); collect and verify government-issued ID for each UBO
- OFAC SDN screening: screen the vendor, its principals, and its UBOs against OFAC's Specially Designated Nationals (SDN) and Consolidated Sanctions List before contract execution and on an ongoing basis
- PEP screening: check whether any vendor principals or UBOs are Politically Exposed Persons (PEPs). The BSA's statutory EDD mandate (31 U.S.C. § 5318(i)) applies to private banking and correspondent accounts involving senior foreign political figures; outside those account types, foreign PEP status is a risk factor that should drive Enhanced Due Diligence under the institution's risk-based program
- Adverse media screening: structured review of negative news, enforcement actions, and regulatory sanctions
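The 25% ownership prong above is easy to satisfy on paper and easy to miss in practice, because a natural person's stake is usually split across layers of holding entities. The following is an added example, not code from the original page or from CheckFile, that walks a constructed ownership graph (hypothetical names), multiplies fractions along each chain, sums a person's direct and indirect holdings, and reports who crosses the threshold. It covers the ownership prong only; the control prong still needs a separately identified control person.

```python
from collections import defaultdict

# Constructed ownership graph (hypothetical names, not real entities):
# owner -> list of (entity owned, fraction of that entity's equity held).
OWNERSHIP = {
    "Alice Example": [("HoldCo LLC", 0.60)],
    "Bob Example":   [("HoldCo LLC", 0.40), ("VendorCo Inc", 0.05)],
    "Carol Example": [("ParentCorp", 1.00)],
    "HoldCo LLC":    [("VendorCo Inc", 0.45)],
    "ParentCorp":    [("VendorCo Inc", 0.45)],
    # the remaining 5% of VendorCo Inc is assumed widely held
}
NATURAL_PERSONS = {"Alice Example", "Bob Example", "Carol Example"}
UBO_THRESHOLD = 0.25  # ownership prong, 31 CFR 1010.230(d)(1)


def effective_ownership(graph, target, natural_persons):
    """Return {person: fraction} of `target` held directly or indirectly.

    An indirect holding is the product of the fractions along the chain of
    entities; a person's direct and indirect holdings are summed. Circular
    cross-holdings raise an error instead of looping or silently under-counting.
    """
    owners_of = defaultdict(list)  # entity -> [(owner, fraction)]
    for owner, holdings in graph.items():
        for entity, fraction in holdings:
            owners_of[entity].append((owner, fraction))

    totals = defaultdict(float)

    def walk(entity, multiplier, path):
        for owner, fraction in owners_of.get(entity, ()):
            if owner in path:
                raise ValueError(f"circular holding: {owner} -> {entity}")
            share = multiplier * fraction
            if owner in natural_persons:
                totals[owner] += share
            else:
                walk(owner, share, path | {owner})

    walk(target, 1.0, frozenset({target}))
    return dict(totals)


def beneficial_owners(graph, target, natural_persons, threshold=UBO_THRESHOLD):
    """Natural persons meeting the ownership prong, largest share first."""
    shares = effective_ownership(graph, target, natural_persons)
    # small tolerance so products such as 0.60 * 0.45 do not land just under 0.25
    owners = [(p, s) for p, s in shares.items() if s >= threshold - 1e-9]
    return sorted(owners, key=lambda ps: -ps[1])


if __name__ == "__main__":
    for person, share in beneficial_owners(OWNERSHIP, "VendorCo Inc", NATURAL_PERSONS):
        print(f"{person}: {share:.1%}")
    # Bob Example holds 23% in total (18% via HoldCo plus 5% direct): not a UBO
```

Alice never appears on VendorCo's own cap table yet holds 27% through HoldCo, while Bob's visible 5% direct stake understates a 23% total. A review that only reads the vendor's shareholder register would get both wrong; the file should record the full chain, not just the first-tier owners.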
OFAC screening is legally distinct from BSA/AML due diligence but must be integrated operationally. All US persons and entities are prohibited from transacting with OFAC-designated parties regardless of whether they are BSA-covered institutions. OFAC violations are strict-liability and assessed per violation; under IEEPA-based programs the civil maximum is the greater of an inflation-adjusted statutory cap (several hundred thousand dollars) or twice the value of the underlying transaction, so a single large payment to a blocked party can cost well over $1 million (OFAC Enforcement Information).
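Most missed sanctions hits come from name formatting rather than from a missing list: the SDN list records individuals as "LAST, FIRST", entities carry legal suffixes and punctuation that vendor onboarding forms omit, and aliases live in a separate alias file. The following added example (not code from the original page or from CheckFile) screens a vendor plus its principals against a constructed, fictional sample of SDN-style records, normalizing names before fuzzy comparison so word order, suffixes, and small typos do not hide a match. The record shape and the 0.85 threshold are assumptions; the real list is distributed by OFAC in CSV form and through its Sanctions List Service, and production screening also uses dates of birth, nationality, and identifiers to cut false positives.

```python
import difflib
import re

# Constructed sample in a simplified shape; every name here is fictional.
SDN_SAMPLE = [
    {"uid": 1001, "name": "ACME TRADING LLC", "type": "Entity",
     "program": "EXAMPLE-PROG", "aka": ["ACME TRADE COMPANY"]},
    {"uid": 1002, "name": "DOE, JOHN", "type": "Individual",
     "program": "EXAMPLE-PROG", "aka": ["JOHN DOE"]},
]

# Legal-form tokens that carry no identifying value for matching.
LEGAL_SUFFIXES = {"llc", "inc", "ltd", "co", "corp", "corporation", "company",
                  "limited", "incorporated", "plc", "sa", "gmbh", "ag", "bv"}


def normalize(name):
    """Casefold, drop punctuation and legal suffixes, and sort the tokens.

    Token sorting makes 'DOE, JOHN' and 'John Doe' compare equal and makes
    word order in entity names irrelevant.
    """
    s = name.casefold().replace(".", "")   # "L.L.C." -> "llc"
    s = re.sub(r"[^\w\s]", " ", s)          # remaining punctuation -> space
    tokens = [t for t in s.split() if t not in LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))


def screen_name(name, sdn=SDN_SAMPLE, threshold=0.85):
    """Return [(uid, listed name, score)] for entries scoring >= threshold.

    Each entry is scored on its primary name and on every alias, keeping the
    best score. SequenceMatcher.ratio() is 2*M/T over the normalized strings,
    where M is the number of matched characters and T the combined length.
    """
    q = normalize(name)
    if not q:
        return []
    hits = []
    for entry in sdn:
        best = max(
            difflib.SequenceMatcher(None, q, normalize(c)).ratio()
            for c in [entry["name"], *entry["aka"]]
        )
        if best >= threshold:
            hits.append((entry["uid"], entry["name"], round(best, 3)))
    return sorted(hits, key=lambda h: -h[2])


def screen_vendor(vendor_name, principals, sdn=SDN_SAMPLE, threshold=0.85):
    """Screen the vendor entity and every principal/UBO; returns {name: hits}."""
    return {n: screen_name(n, sdn, threshold) for n in [vendor_name, *principals]}


if __name__ == "__main__":
    report = screen_vendor("Acme Trading, L.L.C.", ["John Doe", "Jane Roe"])
    for subject, hits in report.items():
        print(subject, "->", hits or "no match")
```

A hit is an alert for an analyst, not a determination: the score says the names look alike, and the analyst closes it as a true or false positive using the non-name fields. Keep the threshold low enough that "Acme Tradng" still surfaces the listed entity, log every alert and its disposition, and re-run the whole vendor population whenever OFAC publishes a list update rather than only at onboarding.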
Three tiers of customer/vendor due diligence apply under FinCEN's risk-based approach:
- Standard CDD: identity verification, UBO identification, relationship purpose; the baseline for most vendor relationships
- Simplified procedures: for documented low-risk vendors with limited financial exposure; a written risk rationale is required
- Enhanced Due Diligence (EDD): mandatory for correspondent accounts maintained for foreign financial institutions (31 CFR § 1010.610, formerly § 103.176), and expected for vendors in high-risk jurisdictions and for any vendor rated high-risk by the institution's risk assessment
The FFIEC BSA/AML Examination Manual is the authoritative guidance used by federal examiners when assessing whether a financial institution's vendor due diligence meets regulatory expectations. Compliance teams should reference the Manual's Third-Party Service Provider chapter when building their vendor risk framework.
Automated document verification reduces KYC processing time by 60–80% compared to manual review. CheckFile automates identity document verification, corporate record cross-checks, and beneficial ownership confirmation in line with FinCEN CDD requirements.
For a comprehensive overview of AML program obligations, see our anti-money laundering compliance guide.
Step 4: Data Privacy and Cybersecurity Assessment
Vendors that process personal data or provide technology services require a specific privacy and cybersecurity layer of due diligence. The US privacy landscape is fragmented across federal sector-specific laws and a growing patchwork of state privacy statutes.
Key checks:
- Data Processing Agreement (DPA): vendor agreement governing the handling of personal data, including sub-processor disclosure, data subject rights, breach notification (72 hours for GDPR-covered data; varying timelines under US state laws)
- State privacy law compliance: CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut); note that requirements vary significantly by state, particularly around consumer opt-out rights and data sale definitions
- SOC 2 Type II report: the standard third-party attestation covering security, availability, processing integrity, confidentiality, and privacy; request reports no older than 12 months and read the exceptions and the complementary user entity controls, not just the opinion page
- Cybersecurity incident history: previous data breaches, regulatory enforcement actions (FTC, state AGs), and current security posture assessments
- FTC Act compliance: the FTC enforces against unfair or deceptive data practices under Section 5 of the FTC Act; vendor privacy policies should be reviewed for material misrepresentations
The FTC took 14 enforcement actions related to data security failures in 2024, with penalties ranging from $100,000 to $520 million in consent agreements (FTC Enforcement Actions). A vendor's poor security posture can create direct liability for the contracting business.
Step 5: FCPA and Anti-Bribery Compliance
For vendors involved in international operations, the Foreign Corrupt Practices Act (FCPA) creates specific due diligence obligations. The FCPA prohibits US businesses and their agents from bribing foreign government officials to obtain or retain business.
FCPA vendor due diligence checklist:
- Documented anti-bribery policies and third-party due diligence procedures
- FCPA risk assessment for vendors in high-risk jurisdictions (per DOJ/SEC FCPA Resource Guide, 2nd ed.)
- Training records confirming vendor staff have received anti-bribery training
- Vendor contract representations and warranties regarding FCPA compliance
- Review of any prior FCPA enforcement history or DOJ/SEC investigations
The DOJ and SEC brought 26 FCPA enforcement actions in 2024, with total corporate fines exceeding $1.9 billion (DOJ FCPA 2024 Year in Review). FCPA liability attaches even where the bribe was paid by a third-party vendor without the company's explicit authorization โ making thorough vendor due diligence a legal necessity for businesses with international operations.
Vendor Due Diligence by Relationship Type
| Relationship | Due Diligence Level | Recommended Timeline | Key Specialists |
|---|---|---|---|
| New regulated vendor (BSA-covered institution) | Standard to Enhanced | 2–5 business days | BSA officer, compliance |
| Strategic vendor (critical services) | Comprehensive | 1–2 weeks | Procurement, legal, compliance |
| Technology/data vendor (SaaS, cloud) | Standard + cybersecurity | 1–3 weeks | IT security, privacy counsel |
| International vendor (FCPA-exposed) | Enhanced | 2–4 weeks | Legal, compliance, FCPA counsel |
| Standard vendor onboarding | Simplified | 24–48 hours | Procurement, compliance |
How to Automate Vendor Due Diligence
The most common question from US compliance teams is: How do we scale vendor due diligence without adding headcount?
The answer combines secure vendor portals with automated document verification. CheckFile verifies document authenticity (fraud detection, intelligent OCR, cross-document consistency checks) and integrates with existing procurement and ERP workflows via API. The platform automatically flags EIN mismatches, expired certificates, and UBO gaps before the vendor onboarding workflow advances.
An internal benchmark across 150 vendor due diligence files processed via CheckFile showed an average 72% reduction in document collection and verification time compared to a standard manual process.
For an overview of documentation standards in compliance programs, see our document compliance guide. For the foundational overview of all document verification requirements, see our complete verification guide. Additional context on third-party risk management is available in our TPRM guide.
Explore our offerings on the pricing page or contact us for a demo tailored to your organization's vendor risk framework.
Frequently Asked Questions
What is the difference between vendor due diligence and customer due diligence (CDD) under the BSA?
Customer due diligence (CDD) under FinCEN's CDD Rule applies to a financial institution's own customers: the legal entities and individuals opening accounts or initiating transactions. Vendor due diligence applies to the businesses a company engages as suppliers or service providers. In BSA-covered institutions, high-risk vendors that process payments or access customer data may require CDD-equivalent scrutiny. The FFIEC BSA/AML Examination Manual addresses both in its Third-Party Service Provider chapter.
Does the Corporate Transparency Act apply to foreign vendors operating in the US?
Foreign companies registered to do business in any US state are "foreign reporting companies" under the CTA and must file BOI reports with FinCEN unless they qualify for an exemption; after FinCEN's March 2025 interim final rule, they are the only category of reporting company still subject to the requirement. The 23 CTA exemptions include large operating companies (more than 20 full-time US employees, more than $5M in US-sourced gross receipts, and a physical US office) and already-regulated entities. Compliance teams should confirm whether a foreign vendor has filed its required BOI report before contract execution.
How often should vendor due diligence be refreshed?
FinCEN's CDD Rule requires covered financial institutions to update customer information, including beneficial ownership data, on a risk basis when they learn of a change. The rule does not itself reach vendors, but applying the same standard to vendor files is the practical norm. For standard vendors, annual refresh is generally considered appropriate. For high-risk vendors or those in sanctioned or high-risk jurisdictions, quarterly or event-driven refresh is recommended. OFAC screening should be continuous, or at minimum monthly and on every list update, not limited to onboarding.
What records must be retained for BSA/AML vendor due diligence?
Under the BSA, covered financial institutions must retain customer identification records for 5 years after the account is closed; beneficial ownership identification records are kept for 5 years after the account is closed and the records of how that ownership was verified for 5 years after they are made (31 CFR § 1010.230(i)). SAR-related records: 5 years from filing. AML program documentation, training records, and audit reports: 5 years. For FCPA purposes, the DOJ recommends retaining third-party due diligence records for a minimum of 7 years.
What are the penalties for OFAC sanctions violations?
Civil penalties for OFAC violations are assessed per violation and depend on the sanctions program involved. For IEEPA-based programs the maximum is the greater of an inflation-adjusted statutory cap (several hundred thousand dollars per violation) or twice the value of the underlying transaction; other statutes, such as the Foreign Narcotics Kingpin Designation Act, carry higher caps. Criminal penalties for willful violations can include up to 20 years imprisonment and fines up to $1 million per violation. In 2024, OFAC issued over $1.5 billion in total civil penalties across all enforcement actions (OFAC Civil Penalties and Enforcement Information). Strict liability applies: a good-faith mistake is not a defense, though it may mitigate penalties.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. For jurisdiction-specific guidance, consult a qualified attorney, CPA, or BSA/AML compliance specialist. CheckFile supports compliance teams with automated document verification โ visit our pricing page or contact us to learn more.