Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Template Guide Third-Party Risk Template Guide

Vendor Due Diligence Questionnaire Guide

How to structure a third-party risk questionnaire for financial services vendors: tiering, SOC reports, BCP, AI use, subcontractors, data, and evidence.

Built for financial services risk teams Practitioner methodology Updated May 2026

◆ Quick answer

A vendor due diligence questionnaire should include service scope, risk tier, data access, security evidence, privacy controls, business continuity, incident notification, subcontractors, financial condition, AI use, compliance obligations, and approval conditions.

Guide vs. template

This guide explains what belongs in the template. The paid template gives you the editable working files so you're not rebuilding from a blank page.

Paid template includes

  • Vendor risk tiering methodology
  • Due diligence questionnaire
  • Vendor risk scorecard
  • Contract risk review checklist

What is this template for?

A third-party risk questionnaire is the evidence collection tool used to decide whether a vendor can safely support your business. A good questionnaire is risk-tiered: critical vendors get deeper questions about security, business continuity, subcontractors, AI, data, financial condition, and regulatory exposure; low-risk vendors get a lighter review.

◆ Audience

Who needs this.

  • You are onboarding a new vendor that touches customer data, payments, operations, compliance, or core infrastructure.
  • A bank partner or examiner asked how you assess critical vendors.
  • Your vendor review process is the same for every vendor and creates too much noise.
  • You need to document why a vendor was approved, conditionally approved, or rejected.

◆ Implementation roadmap

How to roll this out.

01

Tier vendors before sending the questionnaire

Owner · Third-party risk or procurement lead

Output · Critical/high/medium/low tier with rationale

02

Send only the sections that match the tier

Owner · Vendor owner

Output · Right-sized questionnaire instead of one giant form for everyone

03

Review evidence, not just yes/no answers

Owner · Security, compliance, legal, and business reviewers

Output · Evidence-backed approval memo

04

Document residual risk and conditions

Owner · Vendor owner + risk reviewer

Output · Conditional approval, remediation items, or rejection rationale

05

Set ongoing monitoring cadence

Owner · Third-party risk owner

Output · Annual review, SOC refresh, SLA monitoring, incident escalation path

◆ Ready to use it?

Download the Third-Party Risk Management (TPRM) Kit.

Use the guide to understand the structure, or buy the editable template to move faster.

◆ FAQ

Frequently asked questions.

What should a vendor due diligence questionnaire include?

It should cover service scope, data access, security controls, privacy, business continuity, incident notification, subcontractors, financial condition, compliance obligations, AI use, and approval conditions.

Should every vendor complete the same questionnaire?

No. Use risk tiering. Critical and high-risk vendors need deeper evidence; low-risk vendors should not get the same exhaustive questionnaire as a core processor or customer-data vendor.

What is the difference between third-party risk and vendor management?

Vendor management handles contracts, performance, and relationship operations. Third-party risk focuses on the risks created by relying on that vendor and the controls needed to manage those risks.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.