Chapter 36 Quiz — Vendor Selection, Due Diligence, and Implementation Management

Instructions: Select the best answer for each question. The answer key with explanations follows the final question.


Question 1

Under DORA Article 28, before entering a contractual arrangement with an ICT third-party service provider, a financial entity must conduct a risk assessment that specifically considers which of the following?

A. The vendor's marketing reputation and industry awards
B. Whether the arrangement creates a concentration risk, and whether the service supports a critical or important function
C. Whether the vendor has at least five years of trading history
D. The vendor's registered office location within the European Economic Area


Question 2

DORA Article 29 specifies mandatory content for contracts with ICT third-party service providers. Which of the following is NOT listed among the mandatory provisions under Article 29?

A. Service levels, including quantitative and qualitative performance metrics
B. Data portability and data location requirements
C. The right to audit the ICT third-party service provider
D. A requirement that the vendor be headquartered in an EU member state


Question 3

Under the FCA's Critical Third Party (CTP) regime, introduced by the Financial Services and Markets Act 2023, which of the following is true?

A. The CTP regime applies only to cloud service providers
B. CTP designation means the third party is directly subject to FCA, PRA, and Bank of England oversight
C. Financial entities are not required to document their use of CTPs
D. The CTP regime replaces DORA for UK-regulated firms


Question 4

Rafael Torres classifies RegTech vendors into three tiers. Which of the following correctly describes a Tier 1 vendor?

A. A vendor providing a compliance training platform with no direct integration into regulated processes
B. A vendor supporting a function that, if it failed, would breach the firm's impact tolerance for an Important Business Service
C. A vendor providing regulatory news feeds and policy management tools
D. Any vendor whose annual contract value exceeds £500,000


Question 5

When drafting an RFP, which of the following represents a correctly formulated functional requirement for a transaction monitoring system?

A. "The system should be good at detecting financial crime"
B. "The system must detect layering typologies across correspondent banking flows in USD, EUR, and GBP, with configurable thresholds by customer segment, and generate draft SAR narratives in the format required by the NCA's SARs Online portal"
C. "The system should have an industry-leading detection engine"
D. "The system must monitor transactions for suspicious activity"


Question 6

In a vendor evaluation, a financial firm is designing an RFP scorecard. The firm is procuring a Tier 1 AML transaction monitoring platform and wants the evaluation to reflect the regulatory compliance importance of the platform. Which weighting structure is most appropriate?

A. Pricing (50%), Functional Capability (20%), Technical Architecture (15%), Everything else (15%)
B. Functional Capability (25%), Regulatory Compliance (20%), Technical Architecture (15%), Implementation Approach (15%), Financial Stability (10%), Pricing (10%), Contract Flexibility (5%)
C. Contract Flexibility (50%), Pricing (25%), Functional Capability (25%)
D. All criteria weighted equally at approximately 14% each


Question 7

A financial firm is running a proof of concept (PoC) for a new market surveillance platform. Which of the following represents best practice for the PoC design?

A. Allow the vendor to select the test data and scenarios to demonstrate the platform's strengths
B. Run the PoC for one week to keep the evaluation timeline efficient
C. Use real or realistic synthetic data representative of the firm's actual transaction profiles, with pre-defined acceptance criteria, run for a minimum of four weeks
D. Limit PoC participation to the technology team to avoid biasing compliance staff before full evaluation


Question 8

When conducting reference calls as part of vendor due diligence, which approach is most consistent with best practice?

A. Accept the vendor's three curated reference clients and ask each one for a general satisfaction rating
B. Ask only about implementation experience; post-implementation issues are not relevant to the selection decision
C. Require references at comparable size and regulatory profile; ask specific questions about go-live timeline accuracy, SLA performance, audit right experience, and data export experience; pursue independent references beyond the vendor's curated list
D. Reference calls are optional for Tier 1 vendors if the PoC was satisfactory


Question 9

A vendor's standard contract includes a 99.5% uptime guarantee with a remedy of 10% of the monthly service fee for any SLA failure. Which of the following is the most accurate assessment of this provision?

A. This is industry-standard and fully adequate for a Tier 1 compliance platform
B. The uptime guarantee permits up to 43.8 hours of downtime per year, and a 10% monthly fee credit is not a meaningful remedy; the minimum acceptable remedy for serious or repeated failures should include termination rights
C. The uptime guarantee is too strict; 99.0% is sufficient for most compliance platforms
D. The remedy is acceptable because the vendor bears the cost of the credit


Question 10

Under GDPR Article 28, when a data processor (a RegTech vendor) wishes to engage a new sub-processor, which of the following must occur?

A. The sub-processor must be approved by the relevant data protection authority
B. The data controller (the financial firm) must be notified in advance, with the right to object; if the firm objects and the vendor proceeds, the firm should have the right to terminate without penalty
C. The vendor must simply update its privacy notice within 90 days
D. Sub-processors of data processors are not governed by GDPR Article 28


Question 11

At Cornerstone Financial Group, the compliance team is planning the implementation of a new regulatory reporting platform. Which of the following best describes the appropriate go/no-go criterion for User Acceptance Testing (UAT)?

A. The system has been operational in the test environment for at least one business day without crashing
B. The project team is satisfied with the overall look and feel of the interface
C. No Severity 1 defects are open; all Severity 2 defects are remediated or have accepted remediation plans; all mandatory requirements are validated by actual users
D. The vendor's project manager has confirmed that the system is ready for production


Question 12

Rafael's Rule 9 states that "the implementation budget should equal the license budget." What is the primary rationale for this rule?

A. Regulators require that implementation costs be at least equal to license costs
B. Implementation costs — integration, data migration, configuration, training, and testing — for a complex Tier 1 platform typically equal the first year's license fee, and underestimating them leads to underfunded implementations and compromised go-lives
C. License fees are typically overstated by vendors; implementation costs reveal the true market value of the product
D. This ratio ensures that the vendor has sufficient financial incentive to complete the implementation successfully


Question 13

In post-implementation governance, which of the following describes the purpose of the annual vendor assessment?

A. An opportunity for the firm to renegotiate the contract price based on market conditions
B. A comprehensive review covering financial health, security and incident history, contractual compliance, market alternatives, and concentration risk — providing documented evidence of ongoing third-party ICT risk oversight for regulatory purposes
C. A courtesy review for the vendor to present its product roadmap
D. Required only if the vendor has experienced a security incident during the year


Answer Key

Question 1 — Correct Answer: B

DORA Article 28(2) specifies that before entering a contractual arrangement, the financial entity must assess whether the arrangement creates concentration risk and whether the ICT service supports a critical or important function. Vendor marketing reputation, years of trading history, and registered office location are not the primary considerations under DORA's framework, though they may be relevant to commercial and financial due diligence. The formal determination of whether a function is critical or important is a legal requirement under DORA, not an informal judgment.


Question 2 — Correct Answer: D

DORA Article 29 lists mandatory content for ICT third-party service provider contracts. This list includes service levels (A), data portability and location (B), and audit rights (C). There is no requirement under Article 29 that the vendor be headquartered in an EU member state. DORA applies to the financial entity's contractual obligations, not to a geographic restriction on vendor domicile. Non-EU vendors serving EU financial entities must still comply with the contractual requirements that Article 29 imposes.


Question 3 — Correct Answer: B

The FCA's Critical Third Party regime, enacted through FSMA 2023, subjects designated critical third parties directly to oversight by the FCA, PRA, and Bank of England. This is distinct from existing vendor management obligations, which impose obligations on financial entities regarding their third-party relationships. The CTP regime is not limited to cloud providers (A) — it applies to any systemically important ICT or data service provider. Financial entities using CTPs have enhanced documentation and due diligence obligations (C is wrong). The CTP regime is a UK regime and does not replace DORA, which applies to EU financial entities (D is wrong).


Question 4 — Correct Answer: B

A Tier 1 vendor is one whose failure would breach the firm's impact tolerance for an Important Business Service (under FCA operational resilience terminology) or who provides a critical or important function under DORA Article 28. A compliance training platform with no direct integration (A) is typically Tier 3. Regulatory news and policy management tools (C) are Tier 3. Contract value alone (D) does not determine tier classification — the operational and regulatory criticality of the function is the determining factor.


Question 5 — Correct Answer: B

A correctly formulated functional requirement is specific, measurable, and outcome-oriented. Option B specifies the exact transaction types (correspondent banking), the exact currencies, the configurability requirement, and the exact output format (NCA SARs Online portal format). Options A, C, and D are vague aspirational statements that do not define what the system must actually do. A well-formed functional requirement traces to a specific regulatory obligation and defines the acceptance criterion by which the requirement will be tested in UAT.


Question 6 — Correct Answer: B

For a Tier 1 AML transaction monitoring platform, regulatory compliance capability (20%) is a primary criterion alongside functional capability (25%). Pricing alone is insufficient as the dominant criterion because the regulatory and operational risks of choosing an inadequate platform far exceed the cost difference between vendors. Option A's 50% pricing weight is inappropriate for a critical compliance platform. Option C's 50% weight on contract flexibility, while important, ignores the substance of what the system must do. Equal weighting (D) does not reflect the relative importance of different criteria for a compliance-critical platform.


Question 7 — Correct Answer: C

Best practice for a PoC requires the firm to control the data and scenarios (not the vendor, as in A), run for sufficient time (minimum four weeks — one week in B is inadequate for meaningful results), and establish pre-defined acceptance criteria. Limiting participation to the technology team (D) is incorrect — actual compliance users must be involved because usability and operational fit are critical evaluation dimensions that technology teams cannot assess on behalf of compliance users. Pre-defined acceptance criteria prevent the "good enough" judgment that allows inadequately performing systems to proceed to go-live.


Question 8 — Correct Answer: C

Effective reference checks require comparable references (similar size and regulatory profile), specific and probing questions (not just satisfaction ratings), and independent reference identification beyond the vendor's curated list. Vendor-curated references (A) are selected because they will give positive responses — they are a starting point, not the complete reference universe. Limiting questions to implementation experience (B) ignores the post-implementation issues that are often the most telling indicators of vendor performance. Reference calls are never optional for a Tier 1 vendor (D) — they are one of the most valuable elements of the evaluation process.


Question 9 — Correct Answer: B

99.5% uptime mathematically permits 43.8 hours of downtime per year (0.5% × 8,760 hours). For a transaction monitoring or market surveillance platform, this level of downtime represents significant operational and regulatory risk. A 10% monthly fee credit — on, say, a £30,000 monthly contract — is a £3,000 remedy for what may be a multi-hundred-thousand-pound regulatory exposure. The right to terminate for persistent or material SLA failure is the only remedy that creates a meaningful incentive for the vendor to perform. 99.5% is below the minimum acceptable uptime guarantee for Tier 1 compliance platforms (C is wrong), and the cost of a credit to the vendor is not the measure of its adequacy (D is wrong).


Question 10 — Correct Answer: B

GDPR Article 28(2) requires that where a processor uses a sub-processor, it must obtain the controller's prior written authorization (general or specific). The controller's right to object — and the ability to terminate without penalty if the vendor proceeds despite objection — is a standard regulatory expectation. There is no requirement for data protection authority approval of sub-processors (A). A privacy notice update alone (C) does not satisfy Article 28's requirements. Sub-processors of processors are directly governed by the Article 28 chain of responsibility (D is wrong — sub-processors must be bound by equivalent data protection obligations).


Question 11 — Correct Answer: C

UAT acceptance criteria must be objective, pre-agreed, and based on the firm's actual compliance requirements. No open Severity 1 defects, remediated Severity 2 defects, and validation by actual users (not just project team members) are the appropriate go/no-go elements. System stability for one business day (A) is trivially insufficient for a compliance platform. Interface satisfaction (B) is subjective and does not assess compliance functionality. Vendor confirmation of readiness (D) is a conflict of interest — the vendor is always ready to proceed; the firm must make its own determination based on its own testing results.


Question 12 — Correct Answer: B

The implementation budget = license budget heuristic exists because integration, data migration, configuration, training, and testing are consistently underestimated costs. When implementation is underfunded, it is under-resourced; when it is under-resourced, timelines compress; when timelines compress, UAT is shortened and training is reduced; when UAT and training are inadequate, post-go-live failures follow. Regulators do not specify cost ratios (A). Implementation costs do not reveal vendor overpricing (C). The ratio does not affect vendor incentives in the way D describes — vendor incentives are governed by the contract.


Question 13 — Correct Answer: B

The annual vendor assessment is the primary vehicle for ongoing third-party ICT risk oversight documentation under DORA and the FCA's operational resilience framework. It must be comprehensive (financial health, security, contractual compliance, market alternatives, concentration risk) and documented, because it is the evidence that regulators will request when examining DORA Article 28 compliance. It is not primarily a price renegotiation exercise (A), a courtesy review (C), or triggered only by incidents (D) — it must occur annually regardless of incident history, because its purpose is proactive oversight, not reactive response.