
Introduction
Every payment processor, KYC vendor, core banking platform, and cloud infrastructure provider your fintech company relies on represents a potential compliance liability. Most financial services companies underestimate how far their due diligence obligations actually extend — and regulators are no longer willing to accept ignorance as a defense.
The 2023 interagency guidance from the OCC, FDIC, and Federal Reserve made this explicit: using third parties does not remove a bank's or fintech's responsibility to operate safely and soundly. For licensed financial entities, supply chain due diligence isn't a best practice — it's a compliance obligation.
What follows is a practical breakdown of what supply chain due diligence requires — and what it takes to build a program that holds up when regulators come looking.
TL;DR
- Supply chain due diligence covers financial, legal, environmental, and social risk across all vendor and third-party relationships.
- US, UK, and EU regulators hold fintechs and banks accountable for their entire third-party ecosystems, not just internal operations.
- Enforcement actions against Evolve, Blue Ridge, and Cross River Bank illustrate exactly what non-compliance looks like in practice.
- Due diligence is ongoing — not a one-time onboarding checklist.
- Early-stage fintechs can build compliant programs without a full-time hire using fractional compliance leadership.
What Is Supply Chain Due Diligence?
Supply chain due diligence is the systematic process of identifying, assessing, preventing, and mitigating actual and potential risks across a company's supplier and third-party relationships. It covers ethical, financial, legal, and operational dimensions — and it applies to the full network of relationships, not just direct vendors.
The OECD Due Diligence Guidance for Responsible Business Conduct defines the framework as helping enterprises "identify, prevent, mitigate and account for" actual and potential adverse impacts in their operations, supply chains, and business relationships.
Two points define where this practice stands today:
Now a legal obligation, not a choice. Due diligence was historically framed as corporate responsibility. Major regulations across the EU, UK, and US now mandate formal programs, with penalties for non-compliance ranging from fines to exclusion from public contracts.
An ongoing requirement, not a one-time check. Vendor risk profiles change. Ownership structures shift. Regulatory actions emerge. A due diligence program that only operates at vendor onboarding creates blind spots that regulators — and increasingly, sponsor banks — will find.
The 4 Types of Supply Chain Due Diligence
Most compliance programs need to address all four categories. Each targets a distinct risk exposure, and gaps in any one area can create liability across the others.
Financial Due Diligence
Financial due diligence examines a supplier's financial health — cash flow, solvency, ownership structure, and financial track record. The core question: can this vendor reliably fulfill its obligations, and could its financial instability create downstream risk for your business?
For fintechs, this matters most with critical infrastructure providers:
- Core banking platforms
- Payment processors
- BaaS partners whose failure could interrupt your own operations or harm your customers
Legal Due Diligence
Legal due diligence reviews contracts, licenses, litigation history, regulatory sanctions, and compliance records. This review confirms whether a vendor adheres to applicable laws — AML, anti-bribery, data privacy — and whether engaging with them creates legal exposure for your firm.
Key frameworks that inform this category:
- BSA/AML obligations requiring financial institutions to assess vendor compliance posture
- GDPR Article 28, which requires written contracts with processors and authorization for sub-processors
- UK Bribery Act, which lists due diligence as one of its six core compliance principles
Environmental Due Diligence
For EU-regulated firms, environmental due diligence is a legal obligation — not a best practice. The EU Corporate Sustainability Due Diligence Directive (CSDDD) and the Sustainable Finance Disclosure Regulation (SFDR) both create obligations for regulated financial undertakings to assess and disclose sustainability-related risks.
This covers a supplier's environmental practices: waste management, emissions, and resource use.
Social Due Diligence
Social due diligence evaluates labor practices, human rights standards, and working conditions within a supplier's operations. This covers forced labor, child labor, wage violations, and unsafe environments — risks that carry both legal consequences and severe reputational damage.
The UK Modern Slavery Act requires commercial organizations with annual turnover of £36 million or more to publish annual transparency statements on steps taken to prevent slavery and human trafficking in their supply chains.
Why Supply Chain Due Diligence Matters for Fintech and Financial Services
Financial services companies face a compliance reality that most other industries don't: their "supply chain" is made up entirely of regulated — or closely regulated — relationships.
Your vendors likely include:
- Payment processors and KYC/KYB providers
- Core banking platforms and data aggregators
- Cloud infrastructure providers
- Banking and sponsor bank partners
Every one of these relationships can introduce financial crime risk, operational risk, or regulatory liability if not properly managed.
Regulators Treat Third-Party Risk as Your Risk
The June 2023 interagency guidance from the OCC, FDIC, and Federal Reserve is unambiguous: third-party use does not transfer regulatory responsibility. The guidance covers the full lifecycle — planning, due diligence, contracting, ongoing monitoring, and termination.
EU DORA, which has applied since January 17, 2025, requires EU financial entities to manage ICT third-party risk as part of their overall ICT risk framework. The FCA's operational resilience rules required firms to be operating within impact tolerances by March 31, 2025 — with mapping of third-party dependencies explicitly required.
Sponsor Banks Are Raising the Bar
The pressure on fintechs seeking or maintaining sponsor bank relationships has increased sharply. Federal agencies issued a joint statement in 2024 specifically on risks from bank arrangements with third parties delivering deposit products and services. As a16z noted in their fintech newsletter, partner banks are now requiring more compliance staff and procedures to oversee fintech customers, driving longer due diligence and review timelines.
A fintech's vendor due diligence program has become a direct factor in whether they can secure and maintain a banking partnership — not just a box to check for regulators.
Enforcement Actions Illustrate the Stakes
The consequences of weak third-party risk management aren't theoretical. Recent enforcement actions tell the story:
| Institution | Regulator | Issue |
|---|---|---|
| Evolve Bank & Trust | Federal Reserve, 2024 | Deficiencies in AML, risk management, and consumer compliance tied to fintech partnerships |
| Blue Ridge Bank | OCC, 2024 | Required written TPRM program; paused new fintech relationships pending OCC approval |
| Cross River Bank | FDIC, 2023 | Unsafe practices tied to fair-lending compliance; restricted new third-party credit agreements |
| Lineage Bank | FDIC, 2024 | TPRM weaknesses; required onboarding controls and contingency plans for fintech partners |

Each of these actions targeted the bank's oversight of fintech partners — meaning your compliance posture is directly visible to your banking partner's regulator.
Key Regulatory Requirements Shaping Supply Chain Due Diligence
EU: Corporate Sustainability Due Diligence Directive (CSDDD)
The CSDDD requires in-scope companies to identify, prevent, and mitigate adverse human rights and environmental impacts across their chains of activities. It explicitly includes regulated financial undertakings — credit institutions, investment firms, insurers, and crypto-asset service providers.
Amended timeline (per Directive EU 2025/794):
- Transposition deadline: July 26, 2027
- First wave (companies with 3,000+ employees and €900M+ net worldwide turnover): July 26, 2028
- All other in-scope companies: July 26, 2029

For financial firms, the chain of activities covers upstream business partners but excludes downstream recipients of financial products and services — meaning the focus is on your vendors and suppliers, not your customers.
UK: Modern Slavery Act and FCA Requirements
The UK Modern Slavery Act Section 54 requires covered commercial organizations with annual turnover of £36 million or more to publish annual supply-chain transparency statements covering steps taken to prevent slavery and trafficking.
UK financial firms also face direct regulatory obligations from two additional instruments:
- FCA PS21/3: Requires firms to map important business services and third-party dependencies, with full impact tolerance requirements in place from March 2025
- PRA SS2/21: Sets explicit expectations for outsourcing and third-party risk management, covering data security, business continuity, and exit planning
US: BSA/AML and Interagency TPRM Guidance
The BSA requires financial institutions to maintain procedures that ensure compliance and assess the compliance posture of key vendors and counterparties. The 2023 interagency TPRM guidance — issued jointly by the OCC, FDIC, and Federal Reserve — covers the full third-party relationship lifecycle for all supervised banking organizations. Key scope elements include:
- Vendor risk assessments at onboarding and on a recurring basis
- Contractual requirements for data security and incident notification
- Exit planning and concentration risk monitoring for critical third parties
Across all three jurisdictions, obligations are tightening and enforcement is active. "We relied on our vendor" is not a defense regulators accept.
How to Build a Supply Chain Due Diligence Program: Step-by-Step
Step 1: Map Your Vendor Ecosystem
Create a comprehensive inventory of all suppliers, vendors, and third-party partners. Tier them by risk level:
- Critical / Tier 1: Vendors whose failure or non-compliance would directly impact your regulated operations (payment processors, core banking platforms, KYC providers)
- High Risk: Vendors with access to customer data or financial flows
- Standard: Peripheral service providers with limited regulatory exposure
For each tier, identify which categories of due diligence apply. Not every vendor requires full environmental and social screening. Every vendor with a compliance-relevant function needs legal and financial review at minimum.

Step 2: Build a Risk Assessment Framework
Define the criteria you'll use to evaluate each supplier category. The framework should cover:
- Financial stability indicators (solvency, ownership structure)
- AML and sanctions compliance posture
- Cybersecurity controls and data privacy practices
- Labor and human rights standards (for social due diligence)
- ESG credentials (for environmental and social requirements)
- Regulatory sanctions history and litigation record
Align this framework with your regulatory obligations and your sponsor bank's expectations.
Step 3: Screen at Onboarding, Monitor Continuously
Screen all vendors at onboarding against:
- OFAC Sanctions List
- UK Sanctions List (GOV.UK)
- EU Financial Sanctions Files
- Beneficial ownership registries (FinCEN CDD requirements apply here)
Due diligence doesn't stop at onboarding. Perpetual monitoring (ownership changes, new regulatory actions, financial deterioration, adverse media) mirrors the ongoing KYC model financial institutions apply to their own customers. The same logic applies to vendors.
Step 4: Build Remediation and Escalation Procedures
When screening or monitoring surfaces a red flag, you need clear procedures:
- Escalate to the appropriate compliance or risk owner based on severity
- Assess the specific risk (sanctions hit, labor issue, financial distress) with documented analysis
- Request corrective action from the vendor with a defined timeline
- Suspend or disengage if remediation is insufficient, with documented rationale

Every decision — and the reasoning behind it — must be documented. Regulators expect to see a paper trail, not just an outcome.
Step 5: Document, Report, and Review
Maintain records of all due diligence activities for a minimum of five years, aligned with:
- BSA record retention requirements under FFIEC Appendix P
- UK Money Laundering Regulations 2017 (Regulation 40)
- FCA SYSC 9 requirements
Report to senior leadership and the board periodically. Conduct annual program reviews to reflect regulatory changes, new business relationships, and emerging risk categories.
For fintech startups and scale-ups without a dedicated compliance function, building and maintaining this program doesn't require a full-time hire. Fraxtional's fractional compliance model provides named CCO, BSA Officer, MLRO, and CRO roles that include vendor management policy development and third-party risk oversight — giving you director-level program ownership without the cost of a permanent executive.
Common Challenges and How to Address Them
Supply Chain Opacity
McKinsey's supply chain risk survey found that 95% of organizations had visibility into Tier 1 supplier risks, but only 42% had visibility into Tier 2 or beyond. For most early-stage fintechs, even Tier 1 visibility is incomplete.

Start where the risk is highest. Full supply chain mapping from day one isn't realistic — and it isn't required. A risk-based approach that begins with critical infrastructure partners, payment relationships, and any vendor with access to customer financial data will address the majority of your regulatory exposure.
Resource and Expertise Constraints
Supply chain due diligence requires legal, compliance, and operational knowledge that most seed or Series A fintech companies don't have in-house. Building a full internal team is expensive and slow.
The fractional model directly addresses this gap. Rather than hiring a full-time CCO or BSA Officer, early-stage companies can access director-level compliance leadership with expertise across:
- Vendor risk management and third-party due diligence
- Sponsor bank requirements and partnership readiness
- Regulatory program design tailored to fintech operating models
This typically deploys faster and costs far less than a full-time hire.
Keeping Due Diligence Current
Regulatory requirements evolve. Vendors get acquired, face enforcement actions, or shift their operational model. A due diligence program that treats vendor onboarding as a one-time event will accumulate blind spots quickly.
Ongoing monitoring needs to be systematic, not manual. That means defined triggers — such as a vendor enforcement action, ownership change, or material contract amendment — that automatically escalate for review, rather than waiting for the next scheduled audit cycle.
Frequently Asked Questions
What is due diligence in supply chain management?
Supply chain due diligence is the process of systematically identifying, assessing, and mitigating risks across suppliers and third-party partners — covering financial, legal, environmental, and social dimensions. The goal is to ensure compliance, protect business continuity, and limit liability from relationships outside your direct control.
What are the 4 types of due diligence?
The four types are financial, legal, environmental, and social due diligence. Each addresses a distinct risk category: financial instability, legal non-compliance and regulatory exposure, environmental harm and ESG obligations, and labor or human rights abuses. Effective programs integrate all four rather than treating them as separate workstreams.
Is supply chain due diligence legally required?
For many companies, yes. The EU CSDDD, UK Modern Slavery Act, and BSA/AML obligations in the US make formal due diligence legally required — with the regulatory trajectory moving firmly toward mandatory compliance across all markets. Licensed financial entities face the most extensive obligations, but requirements are expanding across sectors and jurisdictions.
What is the difference between supply chain due diligence and vendor due diligence?
Vendor due diligence evaluates individual suppliers before engagement. Supply chain due diligence takes a broader view across the entire network, covering upstream suppliers and downstream partners, and is often required by regulation. For financial services firms, regulators expect both: individual vendor assessment and systemic oversight of the third-party ecosystem.
How often should supply chain due diligence be conducted?
Initial due diligence should be completed before entering any new supplier relationship. Ongoing monitoring should be triggered by material changes — new ownership, regulatory actions, financial distress, or sanctions hits. Annual program reviews ensure the overall framework stays current with evolving regulations and business operations.
What risks does supply chain due diligence help identify for fintech companies?
For fintechs, the most material risks include sanctions and AML exposure through vendor relationships, financial instability among technology or banking partners, data privacy gaps from KYC or data providers, and reputational harm from non-compliant third parties. Sponsor bank relationships add another layer: your vendor risk program directly affects your banking partner's own regulatory standing.