Chapter 36: Key Takeaways — Vendor Selection, Due Diligence, and Implementation Management
Core Insights
- Vendor selection is a regulated activity, not a procurement event. DORA Articles 28-30, the FCA operational resilience framework, and the UK CTP regime all attach legal obligations to the process, documentation, and contractual outcomes of ICT vendor selection. Compliance must own this process, not merely approve it at the end.
- Requirements must be complete before vendor conversations begin. Every conversation with a vendor before requirements are finalized is a conversation in which the vendor shapes your requirements in its own interest. Requirements define evaluation criteria; evaluation criteria without underlying requirements are preferences, not standards.
- The contract signed on the way in is the contract lived with on the way out. The Procurement Trap is not set by malice but by asymmetric information. The vendor has executed the contract dozens of times; the compliance team, under deadline pressure, may be executing it for the first time. The provisions that cause the most pain — missing audit rights, absent exit assistance, uncapped price escalation — are the provisions least attended to in a rushed signing.
- SLA remedies must include termination rights, not just credits. A service credit compensates the firm for the vendor's failure at only a fraction of the actual cost of that failure. The right to terminate for persistent or material SLA failure is the only remedy that creates an enduring incentive for the vendor to perform.
- Implementation budget should equal the license budget. Compliance teams consistently underestimate implementation costs. Integration, data migration, configuration, training, and testing for a Tier 1 platform typically cost as much as the first year's license fee. Budget for it explicitly or the implementation will be underfunded and the go-live will be compromised.
- Post-implementation governance is not optional. The vendor relationship must be actively managed through formal quarterly reviews, annual assessments, and continuous SLA monitoring. The compliance capability built through a successful implementation deteriorates without deliberate ongoing governance.
- Exit planning is implementation planning. The firm's ability to exit a vendor relationship cleanly — with its data, its documentation, and sufficient transition time — is a compliance risk management matter. It must be planned before the contract is signed, not when the vendor relationship has become untenable.
Vendor Evaluation Framework — Summary Table
| Phase | Activity | Key Output | Regulatory Anchor |
|---|---|---|---|
| Requirements | Define functional, non-functional, regulatory, integration, operational requirements | Signed requirements document | FCA operational resilience; DORA Art. 28 |
| Market Assessment | Long list (20-30), screening to short list (5-8) | Market assessment document | DORA Art. 28(2) concentration risk |
| RFP | Structured vendor questionnaire with weighted scorecard | RFP responses + initial scores | DORA Art. 28 documentation |
| Evaluation | PoC, reference calls, technical/regulatory/financial due diligence | Evaluation scorecard, due diligence report | DORA Art. 28(2); FCA CTP |
| Contract | Negotiation of non-negotiable provisions | Executed contract with all required provisions | DORA Art. 29-30; GDPR Art. 28 |
| Implementation | Mobilization, build/configure, UAT, go-live, hypercare | Implemented, tested, trained system | FCA PS21/3 operational resilience |
| Ongoing | Quarterly reviews, annual assessments, SLA monitoring | Documented governance evidence | DORA Art. 28; FCA ongoing oversight |
Contract Non-Negotiables — Rafael's Framework
The following provisions are non-negotiable for any Tier 1 RegTech vendor contract. Their absence is a red flag; their inadequacy is grounds for continued negotiation.
| Provision | Minimum Standard | Common Vendor Resistance |
|---|---|---|
| SLA Uptime | 99.9% (critical systems); 99.5% (important systems) | Offering 99.5% with inadequate remedy |
| SLA Remedy | Right to terminate for persistent failure, not just credits | Credits only; caps on remedy |
| Data Ownership | Explicit firm ownership; no vendor secondary use without consent | "Service improvement" use rights |
| Data Portability | Full export in documented format within 30 days of termination | "Commercially reasonable" format |
| Audit Rights | Direct or third-party audit; annual access to SOC 2 / pen test reports | Operational disruption concerns |
| Exit Assistance | Minimum 6-month transition period; specific documentation obligations | "Best efforts" without specifics |
| Price Escalation Cap | CPI or ≤5% annually; change order rate card | Uncapped; index-linked ambiguity |
| Subcontracting | Prior notification; right to object; GDPR Art. 28 chain | Blanket consent to all sub-processors |
| Business Continuity | Documented, tested BCP/DRP; notification obligations | No testing obligation; vague DRP |
| Regulatory Change | Vendor obligation to update platform; at own cost for core functions | Billable change order for all updates |
| Liability (Data Breach) | Uncapped or substantially higher cap | Annual fee cap only |
| Regulatory Fine Indemnity | Vendor indemnifies for fines causally linked to vendor failure | Complete exclusion |
Vendor Due Diligence Checklist
Technical Due Diligence
- [ ] Current SOC 2 Type II report (reviewed, not just attested)
- [ ] ISO 27001 certification (current certificate)
- [ ] Most recent third-party penetration test report and remediation status
- [ ] Data security architecture documentation
- [ ] Data residency and processing location confirmation
- [ ] Sub-processor list (current, complete)
- [ ] BCP/DRP documentation with last test date and results
- [ ] Incident history (material security incidents in past 3 years)
Regulatory Due Diligence
- [ ] Regulatory enforcement action history (vendor and clients)
- [ ] DORA/FCA CTP status or assessment
- [ ] Regulatory reporting output format validation (XBRL, MiFIR, etc.)
- [ ] Regulatory change management process documentation
- [ ] Audit right acceptance confirmed (in writing, pre-contract)
Financial Due Diligence
- [ ] Financial statements or funding documentation (last 2 years)
- [ ] Revenue concentration analysis (top 10 client %)
- [ ] Ownership and corporate structure (parent entities, investors)
- [ ] Change of control provisions reviewed
- [ ] Key person dependency assessment
Reference Due Diligence
- [ ] Three references at comparable size and regulatory profile
- [ ] References contacted independently (not only vendor-curated)
- [ ] Reference questions include: go-live timeline vs. plan; SLA performance; audit right experience; contract flexibility; data export experience
Implementation Phase Milestones Reference
| Phase | Typical Duration | Key Milestones | Go/No-Go Criteria |
|---|---|---|---|
| Mobilization | 4-8 weeks | Governance established; implementation plan baselined; data mapping complete; environments provisioned | All stakeholders confirmed; plan signed off; data mapping validated |
| Build/Configure | 8-16 weeks | Configuration complete; integrations built; initial testing passed; user documentation drafted | Integration test pass rate >95%; all mandatory requirements met |
| UAT | 2-4 weeks | All test cases executed; defects logged and classified; go/no-go decision | No Severity 1 defects open; Severity 2 defects remediated or accepted with plan |
| Go-Live | 1-2 weeks | Phased or full activation; production data migration validated; initial user support active | Migration validation passed; rollback plan in place; vendor hypercare confirmed |
| Hypercare | 30-90 days | Daily/weekly reviews; alert volume calibration; operational optimization; knowledge transfer complete | SLA performance within tolerance; user confidence assessed; open items tracked |
Rafael's Ten Rules — Quick Reference
- Requirements before conversations
- Three bids minimum
- Three references at comparable scale
- Read every word of the contract
- Audit rights are a must-have, not a nice-to-have
- Plan the exit before you sign the entry
- Own your data — verify the export capability
- SLA remedies must include the right to terminate
- Implementation budget equals the license budget
- Day-1 post-go-live governance is as important as implementation
Key Regulatory References
| Framework | Provision | Relevance |
|---|---|---|
| DORA (EU) 2022/2554 | Articles 28-30 | Third-party ICT risk management; contractual requirements; critical function oversight |
| FCA PS21/3 | Operational Resilience Policy | Important Business Services; impact tolerances; third-party dependencies |
| FSMA 2023 / CTP Regime | Part 8A | Critical Third Party designation; enhanced oversight for systemically important ICT providers |
| GDPR | Article 28 | Data processor obligations; sub-processor chain; DPA requirements |
| EBA Guidelines on ICT Risk | EBA/GL/2019/04 | Third-party risk management; contractual requirements; exit strategies |