Vendor Due Diligence Checklist: Step-by-Step Third-Party Risk Guide

Complete vendor due diligence checklist: 7-step assessment process, FCA and MLR 2017 obligations, third-party risk categories and automation for 2026.

CheckFile Team
Vendor due diligence is the structured, documented process of evaluating a supplier or third-party service provider before contracting and at regular intervals throughout the relationship. It covers financial health, legal compliance, cybersecurity posture, ESG practices and supply chain exposure. In the United Kingdom, vendor due diligence has shifted from best practice to legal obligation: the Money Laundering Regulations 2017, the FCA Handbook, the Modern Slavery Act 2015, the Digital Operational Resilience Act (DORA, applicable from January 2025 to UK-regulated entities with EU operations) and UK GDPR each impose distinct requirements that frequently overlap for the same vendor relationship.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. For advice on your specific situation, consult a qualified professional.

What Is Vendor Due Diligence?

Vendor due diligence (VDD) is a formal, risk-based assessment of a third party (supplier, outsourced service provider, technology partner or subcontractor) designed to identify, measure and document the risks that party introduces to the commissioning organisation. It goes beyond administrative checks to cover the full risk profile of the vendor across financial, legal, operational, technological and ethical dimensions.

VDD sits within the broader framework of Third-Party Risk Management (TPRM). For a comprehensive overview of the TPRM lifecycle, see our dedicated article: Third-Party Risk Management - Complete TPRM Guide.

| VDD Type | Primary Scope | Typical Trigger |
|---|---|---|
| Standard Due Diligence (CDD) | Identity, financial standing, criminal background | All new vendors |
| Enhanced Due Diligence (EDD) | Deep-dive UBO, PEP/sanctions, beneficial ownership | High-risk vendors, sensitive geographies |
| Ongoing Due Diligence | Monitoring for material changes in risk profile | Active contracts, renewals |
| ESG Due Diligence | Social, environmental and governance practices | Modern Slavery Act obligations, CSRD reporting |
| ICT Vendor Due Diligence | Operational resilience, sub-outsourcing, exit plans | DORA-regulated entities |

Conflating an administrative supplier onboarding process with structured due diligence is the single most common source of regulatory exposure for UK firms: it creates the document gaps that FCA supervisors and MLR reviewers identify first during inspections.

UK Regulatory Framework for Vendor Due Diligence

Five primary frameworks govern vendor due diligence obligations for UK organisations in 2026, each with distinct scope and enforcement mechanisms.

Money Laundering Regulations 2017 (MLR 2017)

The MLR 2017 require all regulated businesses, including financial institutions, accountants, solicitors, estate agents and high-value dealers, to conduct customer due diligence and, where relevant, due diligence on their counterparties and supply chain. Regulation 28 sets out the minimum customer due diligence measures; Regulation 33 specifies enhanced due diligence requirements for high-risk situations, including transactions involving high-risk third countries.

Regulation 28(2) MLR 2017 requires that identity is verified on the basis of documents, data or information obtained from a reliable source that is independent of the person being verified. Courts and the FCA have interpreted this standard strictly, including for corporate counterparties, where beneficial ownership must be confirmed (MLR 2017, legislation.gov.uk).

FCA Handbook: Third-Party and Outsourcing Requirements

The FCA Handbook sets operational and governance requirements for third-party risk management applicable to all FCA-authorised firms. Firms must maintain a register of material outsourcing arrangements, conduct pre-engagement due diligence and monitor vendor performance and resilience on an ongoing basis.

The FCA expects firms to identify, assess and manage risks arising from reliance on third parties, including concentrations of risk where multiple firms rely on the same provider (FCA, Third-Party Outsourcing).

Modern Slavery Act 2015

The Modern Slavery Act 2015 requires commercial organisations with an annual turnover of GBP 36 million or more that supply goods or services in the UK to publish an annual Modern Slavery Statement. This statement must describe the steps taken to ensure that slavery and human trafficking are not occurring in the organisation's own business or supply chains.

In practice, this creates a vendor due diligence obligation: organisations must actively assess their suppliers' labour practices, particularly for supply chains extending into higher-risk geographies or sectors (Modern Slavery Act 2015, legislation.gov.uk).

DORA (Regulation (EU) 2022/2554): Financial Entities

DORA applies to EU-regulated financial entities and their ICT service providers. UK firms with EU operations, subsidiaries or cross-border service arrangements fall within its scope from January 2025. Article 28 requires documented due diligence before engaging any ICT third-party service provider, with mandatory assessment of the provider's security standards, sub-outsourcing arrangements, business continuity plans and exit strategies.

From January 2025, DORA requires financial entities to maintain a complete register of ICT third-party service providers with documented risk assessments and contractual provisions covering audit rights, data security and exit plans (DORA, EUR-Lex).

UK GDPR

Where a vendor processes personal data on behalf of the commissioning organisation, UK GDPR Article 28 requires that only processors providing sufficient guarantees regarding appropriate technical and organisational measures are engaged. Pre-engagement due diligence must cover the processor's data security practices, sub-processor arrangements and incident response capability (ICO, UK GDPR).

Our platform analysis of 45,000+ vendor dossiers shows 14.2% contain blocking errors (expired documents, UBO identity mismatches, or forged attestations) that manual review processes fail to catch in more than 40% of cases, due to time constraints and inconsistent checker training.

7-Step Vendor Due Diligence Checklist

This checklist covers the complete vendor assessment cycle from initial onboarding through ongoing monitoring. It is applicable across sectors and should be calibrated to the risk tier assigned to each vendor. For a broader checklist covering all business due diligence scenarios, see: Due Diligence Checklist for Businesses - Complete Guide.

Step 1 - Identity Verification and Initial Qualification

  • Collect legal identity documents: Companies House filing, Certificate of Incorporation, registered address confirmation
  • Identify and verify all Ultimate Beneficial Owners (UBOs), i.e. individuals holding more than 25% of shares or voting rights or otherwise exercising significant control, and cross-reference against the Companies House PSC register
  • Confirm no active insolvency proceedings via Companies House and Gazette filings
  • For foreign vendors: collect equivalent incorporation documents and directorship register
  • Verify current status on Companies House โ€” confirm filing history is up to date
  • Obtain most recent audited accounts or financial statements
  • Check for County Court Judgements (CCJs), statutory demands or winding-up petitions
  • Confirm sector-specific licences and registrations where applicable (FCA authorisation, SRA, HMRC AML supervision)

Step 3 - Sanctions, PEP and Adverse Media Screening

  • Screen all directors and UBOs against UK financial sanctions list (OFSI), OFAC and UN consolidated list
  • Check Politically Exposed Person (PEP) status for all directors, significant shareholders and UBOs
  • Run adverse media search covering past 5 years: fraud, bribery, money laundering, regulatory sanctions
  • Check FCA Register for any regulatory censures or prohibitions on key individuals

Step 4 - Financial Health Assessment

  • Review three most recent sets of annual accounts: profit and loss, balance sheet, cash flow statement
  • Calculate key ratios: current ratio, debt-to-equity, EBITDA margin, days sales outstanding
  • Assess customer concentration risk โ€” flag if single customer exceeds 25% of revenue
  • Check for significant charges, debentures or fixed/floating charges registered at Companies House

Step 5 - Operational and Technology Risk Assessment

  • Review Business Continuity Plan (BCP) and Disaster Recovery (DR) documentation
  • Verify ISO 27001, SOC 2 Type II, Cyber Essentials Plus or equivalent for vendors handling sensitive data; confirm the certificate is current, that its scope covers the services you will actually consume, and check it against the certification body's register rather than relying on the vendor's own copy
  • Map sub-contractors and sub-processors โ€” identify concentration where a single sub-supplier underpins multiple critical vendors
  • For ICT vendors under DORA: review exit plan, data portability provisions and notification procedures

Step 6 - ESG and Modern Slavery Assessment

  • Obtain signed supplier code of conduct or equivalent ethical trading policy
  • Review Modern Slavery Statement (mandatory for vendors with turnover exceeding GBP 36m)
  • Assess supply chain geography for elevated risk of forced labour, child labour or unsafe conditions
  • Collect environmental policy or carbon reporting documentation where relevant to procurement criteria

Step 7 - Scoring, Documentation and Ongoing Monitoring

  • Assign an overall risk tier (Low / Medium / High / Critical) based on evidence from Steps 1 to 6
  • Assemble a timestamped vendor dossier with all collected documents, check results and scoring rationale
  • Set review frequency: annually for medium-risk, semi-annually for high-risk and critical vendors, with event-triggered reviews for every tier
  • Configure monitoring alerts for material trigger events: director changes, insolvency filings, new sanctions, data breaches
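Step 7 as code, added here as an example and not CheckFile's own implementation: it derives the overall risk tier from the findings gathered in Steps 1 to 6, sets the next review date from the tier, and stores each assessment as a timestamped record whose SHA-256 hash chains to the previous record, so that a later edit to the evidence, score or rationale is detectable. The category weights, severity scale, tier thresholds, review intervals and sample findings are illustrative assumptions.

```python
# Added example, not CheckFile's code. Turns Step 7 into code: derive the overall risk tier
# from the findings gathered in Steps 1 to 6, set the next review date from the tier, and
# write a timestamped dossier record whose SHA-256 hash chains to the previous record, so
# that any later edit to the stored evidence or score is detectable. Category weights, tier
# thresholds, severity scale and review intervals are illustrative assumptions.
from __future__ import annotations

import hashlib
import json
from datetime import date, timedelta

# Weight per risk category, loosely following the "financial entity" column of the
# priority table (assumption: 5 = critical, 3 = high, 2 = medium).
WEIGHTS = {"financial": 3, "sanctions": 5, "operational": 3, "ict": 5, "legal": 3,
           "esg": 2, "geographic": 5, "data_protection": 3, "concentration": 3}
HARD_STOPS = {"sanctions", "geographic"}     # a material finding here is Critical regardless
SEVERITY = {0: "none", 1: "minor", 2: "material", 3: "severe"}
TIER_FLOORS = [(0, "Low"), (8, "Medium"), (16, "High"), (28, "Critical")]
REVIEW_INTERVAL = {"Low": timedelta(days=730), "Medium": timedelta(days=365),
                   "High": timedelta(days=182), "Critical": timedelta(days=182)}
GENESIS = "0" * 64


def score(findings: dict[str, int]) -> tuple[int, str, list[str]]:
    """Weighted sum of severity (0-3) per category, with hard-stop escalation.
    Returns (score, tier, rationale) so the reasoning is stored with the result."""
    total, forced, rationale = 0, False, []
    for category, severity in findings.items():
        if severity <= 0:
            continue
        weight = WEIGHTS[category]
        total += weight * severity
        rationale.append(f"{category}: {SEVERITY[severity]} (x{weight}) = {weight * severity}")
        if category in HARD_STOPS and severity >= 2:
            forced = True
            rationale.append(f"{category}: material finding in hard-stop category forces Critical")
    tier = "Low"
    for floor, name in TIER_FLOORS:
        if total >= floor:
            tier = name
    if forced:
        tier = "Critical"
    return total, tier, rationale


def _digest(body: dict) -> str:
    """Hash a canonical JSON encoding so key order or whitespace cannot change the digest."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def dossier_record(vendor: str, findings: dict[str, int], assessed_on: date,
                   prev_hash: str = GENESIS) -> dict:
    """One assessment entry in the vendor's audit trail, linked to the previous entry."""
    total, tier, rationale = score(findings)
    record = {
        "vendor": vendor,
        "assessed_on": assessed_on.isoformat(),
        "findings": findings,
        "score": total,
        "tier": tier,
        "rationale": rationale,
        "next_review": (assessed_on + REVIEW_INTERVAL[tier]).isoformat(),
        "prev_hash": prev_hash,
    }
    record["hash"] = _digest(record)
    return record


def verify_chain(records: list[dict]) -> bool:
    """Recompute every digest and link; False if any record was altered or reordered."""
    prev = GENESIS
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev_hash") != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def example_chain() -> list[dict]:
    """Constructed two-review history for a fictional vendor (sample data, not real)."""
    first = dossier_record("Northgate Logistics Ltd",
                           {"financial": 1, "operational": 2, "ict": 1}, date(2026, 3, 1))
    second = dossier_record("Northgate Logistics Ltd",
                            {"financial": 1, "operational": 2, "ict": 1, "sanctions": 2},
                            date(2026, 9, 1), prev_hash=first["hash"])
    return [first, second]


if __name__ == "__main__":
    chain = example_chain()
    for rec in chain:
        print(rec["assessed_on"], rec["tier"], rec["score"], "next review", rec["next_review"])
    print("chain intact:", verify_chain(chain))
```

The first review scores 14 and lands in Medium with an annual review date; the second adds a material sanctions finding, which the hard-stop rule escalates to Critical regardless of the weighted total. A hash chain only proves that the stored history has not been altered since the chain head was recorded, so the head hash (or the whole record) still needs to be signed with a key held outside the team that edits the dossier, which is the "electronically signed" property the page refers to.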

Organisations that formalise these 7 steps in a documented process reduce average per-file processing time by 60% and reduce audit-identified non-conformities by a factor of three, based on aggregated data from our platform at CheckFile.

Key Risk Categories in Vendor Assessment

Every vendor presents a composite risk profile. The table below maps the principal risk categories, key alert indicators and relative priority by type of commissioning organisation.

| Risk Category | Key Alert Indicators | Priority (Financial Entity) | Priority (Non-Financial Business) |
|---|---|---|---|
| Financial risk | Negative equity, payment arrears, insolvency proceedings | High | High |
| Sanctions / compliance risk | OFSI/OFAC listing, undisclosed PEP | Critical | High |
| Operational risk | No BCP, single-supplier dependency for critical function | High | Medium |
| ICT / cyber risk | No ISO 27001, recent material security breach | Critical (DORA) | Medium |
| Legal risk | Active litigation, director disqualifications, CCJs | High | High |
| ESG / Modern Slavery risk | Supply chain in high-risk geographies, no MSA statement | Medium | High |
| Geographic risk | Embargoed territories, FATF high-risk jurisdictions | Critical | High |
| Data protection risk | No DPA in place, inadequate sub-processor controls | High (UK GDPR) | High |
| Concentration risk | Sole provider for business-critical service | High | High |

For entities subject to DORA, ICT and concentration risk have been reclassified as critical-priority categories since January 2025, with a mandatory documentation requirement and exit plan for vendors designated as critical ICT providers (DORA Art. 28).

A weighted scoring matrix template, calibrated for UK regulatory requirements, is available in our Document Verification Guide.

Automating Vendor Due Diligence

Automation of vendor due diligence addresses three simultaneous pressures: the increasing volume of vendors requiring assessment, the growing complexity of overlapping regulatory frameworks, and the need for an auditable evidence trail that can withstand FCA or HMRC scrutiny.

Our analysis of 45,000+ vendor dossiers on our platform shows that 14.2% contain blocking errors: expired certificates, discrepancies between declared UBO information and Companies House PSC records, or documents bearing indicators of tampering. Manual review processes, constrained by time and inconsistent checker training, fail to identify these errors in more than 40% of cases.

CheckFile automates the verification layer at each step of the checklist: OCR extraction of identity and registration data, cross-document consistency checks, cryptographic validation of official certificates, and daily-refreshed sanctions and PEP screening. The platform produces a timestamped, electronically signed vendor dossier that serves directly as audit evidence during FCA inspections, MLR reviews or Modern Slavery Act reporting periods.
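The document-level checks behind Steps 1 and 3 of the checklist and the verification layer just described, as an added Python example that is not CheckFile's code: document expiry and freshness, the vendor's declared UBOs against an independently obtained PSC register extract, and sanctions/PEP screening with name normalisation so that "LINDQVIST, Jurgen" matches "Jürgen Lindqvist". The dossier structure, the 90-day freshness window for the Companies House filing, the vendor and the watchlist entry are all constructed for the example; only the "more than 25%" beneficial-owner threshold comes from the regulations cited above.

```python
# Added example, not CheckFile's code. Implements the document-level checks from
# Steps 1 and 3 of the checklist: document freshness/expiry, declared UBOs versus the
# independently obtained PSC register, and sanctions/PEP screening with name normalisation.
# The dossier shape, the 90-day freshness window for the Companies House filing and the
# watchlist entries are constructed for this example (assumptions, not real register data).
from __future__ import annotations

import unicodedata
from datetime import date, timedelta

TODAY = date(2026, 3, 1)          # fixed reference date so the checks are reproducible
UBO_THRESHOLD = 25.0              # MLR 2017 reg 5: a beneficial owner holds MORE than 25%
FRESHNESS = {"companies_house_filing": timedelta(days=90)}   # assumption: 3-month window

# Constructed dossier: what the vendor declared plus extracts pulled from independent sources.
DOSSIER = {
    "legal_name": "Northgate Logistics Ltd",
    "documents": [
        {"type": "companies_house_filing", "collected": date(2025, 10, 20), "expires": None},
        {"type": "pi_insurance", "collected": date(2025, 6, 1), "expires": date(2026, 1, 31)},
        {"type": "iso27001", "collected": date(2025, 9, 15), "expires": date(2027, 9, 14)},
    ],
    "declared_ubos": [{"name": "Adrian Kowalski", "pct": 60.0}],
    "psc_register": [                                   # Companies House PSC extract
        {"name": "Adrian Kowalski", "pct": 60.0},
        {"name": "Jürgen Lindqvist", "pct": 30.0},      # above threshold, not declared
    ],
    "directors": ["Adrian Kowalski", "Jurgen Lindqvist"],
}

# Constructed watchlist in "SURNAME, Forename" form; not real OFSI/OFAC/UN data.
WATCHLIST = [{"name": "LINDQVIST, Jurgen", "list": "OFSI"}]


def normalise(name: str) -> frozenset[str]:
    """Fold case and diacritics and ignore token order, so 'LINDQVIST, Jurgen'
    matches 'Jürgen Lindqvist'. Exact-token matching only: a production screen
    would add fuzzy matching and date-of-birth disambiguation on top."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return frozenset(folded.casefold().replace(",", " ").split())


def check_documents(dossier: dict, today: date = TODAY) -> list[str]:
    """Flag expired documents and registry extracts older than their freshness window."""
    errors = []
    for doc in dossier["documents"]:
        if doc["expires"] is not None and doc["expires"] < today:
            errors.append(f"expired: {doc['type']} (expired {doc['expires']})")
        window = FRESHNESS.get(doc["type"])
        if window is not None and today - doc["collected"] > window:
            errors.append(f"stale: {doc['type']} collected {doc['collected']}, "
                          f"older than {window.days} days")
    return errors


def check_ubos(dossier: dict) -> list[str]:
    """Every PSC above the threshold must appear, with a matching share, in the
    vendor's own UBO declaration; the independent source is authoritative."""
    declared = {normalise(u["name"]): u["pct"] for u in dossier["declared_ubos"]}
    errors = []
    for psc in dossier["psc_register"]:
        if psc["pct"] <= UBO_THRESHOLD:
            continue
        key = normalise(psc["name"])
        if key not in declared:
            errors.append(f"undeclared UBO: {psc['name']} ({psc['pct']}%)")
        elif abs(declared[key] - psc["pct"]) > 0.5:
            errors.append(f"UBO share mismatch: {psc['name']} declared "
                          f"{declared[key]}% vs PSC register {psc['pct']}%")
    return errors


def screen_names(dossier: dict, watchlist: list[dict] = WATCHLIST) -> list[str]:
    """Screen directors and PSCs against the watchlist, one hit per person."""
    subjects = dossier["directors"] + [p["name"] for p in dossier["psc_register"]]
    hits = {}
    for subject in subjects:
        for entry in watchlist:
            if normalise(subject) == normalise(entry["name"]):
                hits.setdefault(normalise(subject), f"{entry['list']} match: {subject}")
    return sorted(hits.values())


def blocking_errors(dossier: dict, today: date = TODAY) -> list[str]:
    """Everything that must be resolved before the vendor can be approved."""
    return check_documents(dossier, today) + check_ubos(dossier) + screen_names(dossier)


if __name__ == "__main__":
    for line in blocking_errors(DOSSIER):
        print(line)
```

Run against the constructed dossier this reports four blocking errors: a stale Companies House extract, an expired insurance certificate, a PSC above the 25% threshold who is missing from the vendor's own declaration, and a watchlist hit on that same person. The point of the design is that the vendor's declaration is never compared with itself; the PSC register and the watchlist are the independent sources Regulation 28(2) asks for, and the declaration is checked against them.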

For lending, leasing and asset finance teams processing high volumes of vendor and borrower dossiers, our dedicated module at /solutions/financement-leasing reduces per-file processing time by an average of 78%. Technical details on our security infrastructure are available at /securite. Review plans and pricing at /tarifs.

Automation does not remove human accountability from the final risk decision; it redirects compliance officer time from manual data gathering to analysis of complex, high-risk cases where professional judgement is genuinely needed.

Common Questions from Procurement and Compliance Teams

"We have over 600 active vendors. We cannot conduct full due diligence on all of them โ€” where do we start?"

Segment first by criticality and inherent risk. Plot your vendor population on two axes: operational impact if the vendor fails (revenue loss, service disruption, regulatory breach), and regulatory exposure (vendors processing personal data under UK GDPR, ICT providers under DORA, intermediaries under MLR 2017). Vendors scoring high on both axes require enhanced due diligence as an immediate priority. Low-criticality, low-risk vendors can be managed with a streamlined automated check. This segmentation concentrates human resource where material risk is concentrated, and gives auditors a defensible rationale for your coverage decisions.

"One of our long-standing vendors has been with us for over eight years. Do we really need to re-run due diligence?"

Yes, and failing to do so is one of the most common gaps identified in FCA third-party management reviews. Relationship longevity does not neutralise risk; in some cases it increases it, as organisations can develop over-reliance on vendors whose risk profile has materially changed. A director appointment, an acquisition, a significant cyber incident or a new sanctions listing can transform a historically clean vendor into a critical risk exposure overnight. FCA guidance and DORA both expect annual re-assessment for high-risk and critical vendors, regardless of relationship tenure. An event-triggered review protocol, automatically flagged when Companies House, OFSI or FCA register data changes, is the practical implementation.
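The event-triggered review protocol from the answer above, as an added Python example that is not CheckFile's code: two snapshots of a vendor's public register data are compared, the trigger events listed in Step 7 are raised (director changes, PSC/UBO changes, insolvency filings, new sanctions listings, FCA register status changes), and an escalation rule decides whether the scheduled review is pulled forward or must happen immediately. The snapshot fields, the escalation policy, the 30-day bring-forward window and the vendor data are constructed assumptions, not real Companies House, OFSI or FCA output.

```python
# Added example, not CheckFile's code. Implements the event-triggered review protocol:
# compare the previous snapshot of a vendor's register data with the current one and raise
# the trigger events from Step 7. Snapshot shape, field names, escalation rules and data are
# constructed assumptions, not real Companies House, OFSI or FCA output.
from __future__ import annotations

from datetime import date, timedelta

UBO_THRESHOLD = 25.0             # MLR 2017 reg 5: beneficial owner holds MORE than 25%
IMMEDIATE = "immediate"          # re-run full due diligence now
BRING_FORWARD = "bring_forward"  # pull the scheduled review into the next 30 days (assumption)

# Constructed snapshots, e.g. two nightly pulls of the same vendor's public register data.
PREVIOUS = {
    "directors": {"Adrian Kowalski", "Priya Natarajan"},
    "pscs": {"Adrian Kowalski": 60.0, "Priya Natarajan": 20.0},
    "insolvency_filings": [],
    "sanctions_hits": set(),
    "fca_status": "Authorised",
}
CURRENT = {
    "directors": {"Adrian Kowalski", "Priya Natarajan", "Marcus Vale"},
    "pscs": {"Adrian Kowalski": 45.0, "Priya Natarajan": 35.0},   # Natarajan crosses 25%
    "insolvency_filings": [],
    "sanctions_hits": {"Marcus Vale"},                             # new listing
    "fca_status": "Authorised",
}


def detect_events(prev: dict, now: dict) -> list[tuple[str, str]]:
    """Return (event, detail) pairs for every material change between two snapshots."""
    events = []
    for name in sorted(now["directors"] - prev["directors"]):
        events.append(("director_appointed", name))
    for name in sorted(prev["directors"] - now["directors"]):
        events.append(("director_resigned", name))
    for name in sorted(set(prev["pscs"]) | set(now["pscs"])):
        before, after = prev["pscs"].get(name, 0.0), now["pscs"].get(name, 0.0)
        if (before > UBO_THRESHOLD) != (after > UBO_THRESHOLD):
            # someone became (or stopped being) a beneficial owner: re-run UBO verification
            events.append(("ubo_threshold_crossed", f"{name}: {before}% -> {after}%"))
        elif before != after:
            events.append(("psc_share_changed", f"{name}: {before}% -> {after}%"))
    if now["insolvency_filings"] and not prev["insolvency_filings"]:
        events.append(("insolvency_filing", "; ".join(now["insolvency_filings"])))
    for name in sorted(now["sanctions_hits"] - prev["sanctions_hits"]):
        events.append(("new_sanctions_listing", name))
    if now["fca_status"] != prev["fca_status"]:
        events.append(("fca_status_changed", f"{prev['fca_status']} -> {now['fca_status']}"))
    return events


def review_action(events: list[tuple[str, str]], scheduled_review: date | None,
                  today: date | None) -> tuple[str | None, date | None]:
    """Escalation policy (assumption): sanctions, insolvency, FCA status or a UBO threshold
    change force an immediate review; any other change brings the scheduled review forward
    to at most 30 days from today; no change leaves the schedule alone."""
    kinds = {kind for kind, _ in events}
    if kinds & {"new_sanctions_listing", "insolvency_filing", "fca_status_changed",
                "ubo_threshold_crossed"}:
        return IMMEDIATE, today
    if kinds:
        return BRING_FORWARD, min(scheduled_review, today + timedelta(days=30))
    return None, scheduled_review


if __name__ == "__main__":
    found = detect_events(PREVIOUS, CURRENT)
    for kind, detail in found:
        print(f"{kind}: {detail}")
    print(review_action(found, scheduled_review=date(2026, 9, 1), today=date(2026, 3, 1)))
```

For the constructed snapshots this raises four events (a new director, a changed PSC share, a PSC crossing the 25% threshold, and a new sanctions listing on the new director) and escalates to an immediate review. Two details matter in practice: threshold crossings are treated differently from ordinary share movements because they change who must be verified under Step 1, and the comparison runs on data pulled from the registers, not on anything the vendor supplies.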

Frequently Asked Questions

What is vendor due diligence and why is it required in the UK?

Vendor due diligence is a structured assessment of a supplier covering its financial, legal, regulatory and operational standing. In the UK, it is required by multiple overlapping frameworks: MLR 2017 for AML-regulated businesses, the FCA Handbook for authorised firms, the Modern Slavery Act 2015 for large commercial organisations, DORA for financial entities with EU operations, and UK GDPR where vendors process personal data. Failure to conduct and document adequate due diligence exposes organisations to regulatory sanctions, civil liability and reputational damage.

What is the difference between standard and enhanced vendor due diligence?

Standard due diligence (CDD) covers the baseline checks: legal identity verification, financial standing, sanctions screening and Companies House confirmation. Enhanced due diligence (EDD) is triggered by elevated risk indicators: vendors in high-risk FATF jurisdictions, PEP-connected directors, high-value contracts, or sectors with elevated money laundering exposure. EDD adds deeper UBO verification, source of wealth analysis, more frequent reviews and additional documentation requirements.

How often should vendor due diligence be renewed?

Review frequency depends on the risk tier assigned to the vendor and applicable regulatory obligations. Under DORA, annual reassessment is required for critical ICT providers. FCA guidance on outsourcing expects ongoing monitoring with formal periodic review. In practice, most compliance programmes apply semi-annual reviews for high-risk and critical vendors, annual reviews for medium-risk vendors, and event-triggered reviews for all vendors when material changes occur (director change, acquisition, security incident, sanction).

What documents should be collected as part of vendor due diligence?

The minimum document set for a UK vendor includes: Companies House filing (within 3 months), Certificate of Incorporation, PSC register or UBO declaration, most recent audited accounts, valid professional indemnity and public liability insurance certificates, and any sector-specific licences. For ICT vendors subject to DORA, add: business continuity plan, most recent penetration test report, ISO 27001 certificate or equivalent, and sub-processor list. For all vendors processing personal data, add a signed Data Processing Agreement (DPA).

How do we demonstrate that due diligence was completed to an FCA or HMRC inspector?

The audit trail must be in a dossier format: each document dated at collection, all verification check results recorded with timestamps, the risk score and scoring rationale, and a log of periodic reviews and their conclusions. An incomplete dossier, even where checks were actually performed, is treated by regulators as equivalent to no check having been done. Platforms such as CheckFile generate this documentation automatically in a format aligned with FCA and HMRC inspection expectations.
