Initial Screening
- Define the business problem and use case the vendor must address
- Establish minimum eligibility criteria (e.g., regulatory licences, minimum AUM, geographic coverage)
- Confirm the vendor has a live product, not just a roadmap or prototype
- Verify the vendor has at least two reference customers in financial services
- Check for any public regulatory sanctions, enforcement actions, or material litigation
- Confirm the vendor's financial stability (funding, revenue, burn rate if applicable)
- Assess whether the vendor's business model is aligned with your institution's interests
Product & Technical Evaluation
- Request a product demonstration tailored to your specific use case
- Evaluate the depth and breadth of the product's core functionality
- Assess the quality and completeness of API documentation
- Review integration options and compatibility with your existing technology stack
- Evaluate the vendor's data model and how it maps to your data architecture
- Assess scalability: can the product handle your transaction volumes and growth projections?
- Review the vendor's product roadmap and release cadence
- Evaluate the quality of the vendor's technical support and documentation
- Request a proof of concept or sandbox environment for technical testing
Security & Compliance Review
- Confirm the vendor holds relevant security certifications (ISO 27001, SOC 2 Type II, etc.)
- Review the vendor's data encryption standards (at rest and in transit)
- Assess the vendor's vulnerability management and penetration testing programme
- Review the vendor's incident response and breach notification procedures
- Confirm compliance with relevant data privacy regulations (GDPR, CCPA, etc.)
- Assess the vendor's approach to data residency and sovereignty
- Review the vendor's business continuity and disaster recovery plans
- Confirm the vendor's regulatory compliance posture in your jurisdiction
- Assess fourth-party risk: who are the vendor's critical sub-processors?
Commercial Terms
- Obtain a detailed commercial proposal with all fees clearly itemised
- Understand the pricing model (per seat, per transaction, per API call, etc.)
- Negotiate SLAs with meaningful financial remedies for breaches
- Confirm the contract includes audit rights and right to inspect
- Review data ownership and portability clauses
- Confirm exit provisions: data return, transition support, and notice periods
- Assess the vendor's approach to price increases and contract renewals
- Review intellectual property ownership and licensing terms
Reference Checks & Due Diligence
- Speak with at least two reference customers in a similar context to yours
- Ask references specifically about implementation experience and support quality
- Ask references about any product gaps or limitations discovered post-implementation
- Conduct a site visit or senior leadership meeting with the vendor
- Review the vendor's financial statements or funding history
- Assess the vendor's key person dependency risk
- Confirm the vendor's approach to regulatory change management
- Complete your institution's standard third-party risk assessment questionnaire