3 Questions To Ask A Vendor Before Signing Anything

3 questions to ask your bank vendor

Here’s a scenario that should haunt the dreams of every community financial institution executive: someone has breached your security system and leaked the information for hundreds, or even thousands of account holders.

If Facebook is any measure, a breach can happen to any company, regardless of size, or technological prowess. When news broke that Cambridge Analytica had accessed the information for millions of Facebook users without their consent, the public and Congress took notice.

Facebook should have asked these 3 vendor questions

The whole fiasco begs the question: if Facebook had performed thorough due diligence on Cambridge Analytica before it gave them access to their platform, would they have averted the entire scandal? Hard to say for sure. However, it’s definitely made everyone here at Kasasa thankful for the rigorous due diligence process that our third-party vendors must undergo.

In fact, we spoke with Diane Christensen, AAP, our Senior Finance Project Manager and point person for all things “due diligence,” to learn what questions she asks vendors before any paperwork is signed.


  • Will the vendor have access to ANY non-public information — either Kasasa’s, our clients’, or consumers’? Under current regulations, even a personal email address classifies as “non-public information” that must be protected (business emails are exempt from this designation).
  • Will the vendor have access to any of our code, or our system?
    If they have access to the code, can they write a backdoor? Does that system give them access to our databases?
  • If the company suddenly went out of business, could it cause us to suffer a reputational or financial loss?


If the answer to any of these three questions is “yes” then your next step should be to perform a thorough due diligence process. And eventually, the answer to one, or all, of these questions will be “yes.”

Some institutions have outsourced the due diligence process to yet another vendor, which can be a wise move considering the amount of time and expertise required to investigate multiple vendors successfully.

And according to Diane, smaller institutions rely on a dynamic that counter-intuitively puts them at higher risk: trusting to relationships at the cost of due diligence. For instance, the CEO may have a long-time working relationship with somebody at a local IT consulting firm, and he may approve a contract on the strength of that connection, without requiring due diligence.

The issue with this scenario isn’t a “lack of paranoia,” but a failure to adhere to the Russian proverb (popularized by Ronald Reagan): “Trust, but verify.”

By performing due diligence on a vendor you are not only seeking to eliminate unqualified partners but to give yourself the information and resources to plan contingencies and measure risk. Asking the right questions at the outset can save you a lot of headache on the backend. Just ask Mark Zuckerberg.

Zac Garver

Zac didn’t realize that Copywriter was an actual job when he earned his degree in Creative Writing. He’s been fortunate to make a living as a professional writer since 2010; although people still think he gets paid to put copyright symbols on things (sigh). A devoted family man and Maker, Zac saves money by fixing and building the things he doesn’t want to buy.

3 Questions for Zac:

  1. What was your very first job?

    I worked as a dishwasher in a local pizza shop. It was a wonderful job for a 15-yr old, lots of grease, soap and free pizza.

  2. What's the weirdest food you've ever eaten on purpose?
    I put mint-chocolate-chip ice cream on homemade rhubarb pie and refused to admit how disgusting it was.

  3. What would people be surprised to know is on your iPod?

    An entire album of humpback whale songs.