[THIRD PARTY / VENDOR ENTITY] - Collection Map

OSINT-016 Third-Party & Vendor Due Diligence - collection workspace. Central topic = the third-party / vendor entity under TPRM onboarding review. Branches = data-point categories by risk domain. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-016. This collection consumes OSINT-010 Integrity Vetting by reference and integrates with OSINT-013 Standard Corporate DD; do not re-perform deep integrity or full CDD work here - escalate gaps as RFIs.

00 · Collection Plan - PIRs & EEIs

The questions this TPRM collection must answer + essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §17 Verified Findings, §21 Collection Gaps, §22 Risk Assessment & Recommendations.

PIR-1 - Tier & Scope Calibration: What is the inherent-risk tier and does DD depth match?

  • EEI: service/function the vendor provides to the client (nature, volume, criticality)
  • EEI: data / system / premises access level (None / Limited / Sensitive / Privileged)
  • EEI: client spend, % of category, and switching cost / substitutability
  • EEI: geographic / jurisdiction risk indicators (sanctions exposure, corruption indices)
  • EEI: regulatory sensitivity of the service (sector DD rules, licensing requirements)
  • EEI: relationship type (direct supplier vs. agent/intermediary with flow-down exposure)
  • EEI: Inherent-Risk Tier assigned (Critical / High / Medium / Low) with rationale

PIR-2 - Integrity & Compliance Baseline: Does the vendor present blocking or conditioning integrity findings?

  • EEI: OSINT-010 Integrity Vetting report reference, date, and overall verdict (Clear / Conditional / Adverse)
  • EEI: sanctions / restricted-party verdict and any near-matches requiring disposition
  • EEI: ABAC / FCPA-UKBA exposure (direct + intermediary/agent chain)
  • EEI: AML / counter-financing of terrorism (CFT) indicators
  • EEI: beneficial-ownership (UBO) transparency (Clear / Partial / Opaque)
  • EEI: integrity-relevant adverse media verdict from OSINT-010
  • EEI: fresh integrity gaps identified here - RFI count for escalation back to OSINT-010

PIR-3 - InfoSec & Data Privacy Adequacy: Are controls commensurate with the data/system access level?

  • EEI: SOC 2 Type II (or equivalent) - scope, period, and currency
  • EEI: ISO 27001 or other recognized certifications - scope and validity
  • EEI: security questionnaire (SIG / HECVAT / custom) responses and reliability grade
  • EEI: breach / incident history (last 5 years) - severity, client-data impact, notification practice
  • EEI: data residency and cross-border transfer controls (GDPR/UK GDPR/CCPA compliance)
  • EEI: privileged-access controls, PAM tooling, logging and monitoring capability
  • EEI: overall InfoSec & data-privacy posture verdict for the assigned access level

PIR-4 - Resilience & Concentration: Are there SPOFs or fourth-party concentrations creating unacceptable exposure?

  • EEI: BCP / DR documentation, tested RTO/RPO commitments, and last exercise date
  • EEI: single-points-of-failure - technical (hosting/cloud), geographic, and personnel
  • EEI: critical fourth-party / subcontractor map (name, service, % of capability, risk notes)
  • EEI: fourth-party concentration risks (shared upstream providers, geographic clusters)
  • EEI: fourth-party register - maintained and contractually required to be shared?
  • EEI: overall fourth-party / concentration risk rating

PIR-5 - Contractual Controls Sufficiency: Does the contract framework cover required controls for the tier?

  • EEI: right-to-audit clause (security, data-processing, compliance) - present, scope, frequency
  • EEI: security & data-protection addendum / DPA - present, current, adequate
  • EEI: ABAC / compliance flow-down to subcontractors - contractual requirement present?
  • EEI: SLA / service-performance provisions and remedies
  • EEI: insurance minimums (cyber, E&O, professional liability) - currency and adequacy
  • EEI: exit / termination assistance and data-return / destruction obligations
  • EEI: overall contractual posture gap list and priority (H/M/L) for remediation before onboarding

PIR-6 - Lifecycle & Oversight Proportionality: What decision, cadence, and monitoring enrollment are warranted?

  • EEI: recommended onboarding decision (Approve / Approve-with-conditions / Remediate-then-reassess / Reject / Offboard)
  • EEI: re-DD cadence by tier (Critical ≈12 mo / High ≈18 mo / Medium ≈24–36 mo / Low ≈36+ mo)
  • EEI: enrollment in OSINT-018 Continuous Counterparty Monitoring - tier and watch indicators
  • EEI: event-driven triggers for accelerated re-assessment or offboarding
  • EEI: offboarding / exit-assistance requirements if applicable

Collection gaps / RFIs (running)

01 · Entity Identity

Who the third party is - uniquely resolved. Tie each identifier to a verified source. → feeds §5 Third-Party Profile & Relationship Context, §7 Entity Standing & Beneficial Ownership, Appendix A Entity & Identifier Index.

  • Legal name:
  • Registration number(s):
  • Jurisdiction(s) of incorporation / registration:
  • Date of incorporation:
  • Entity status (active / dissolved / in administration):
    • Source (registry + URL):
    • Grade:

Trading names & other identifiers

  • DBA / trading name:
  • Prior names / historical names:
  • LEI (Legal Entity Identifier):
  • D-U-N-S number:
  • VAT / tax ID:
  • Website / primary domain:
    • WHOIS registrant / registrar:
    • Notes / tool output: ← whois, crt.sh, SecurityTrails

Addresses

  • Registered address:
  • Principal place of business:
  • Other operational addresses:
    • Source / basis:

Entity-resolution confidence

  • Confidence: [Confirmed / Probable / Possible / Unresolved]
  • Discriminating identifiers matched:
  • Same-name candidates identified & excluded:

02 · Corporate Structure

Parent / subsidiary / affiliate map and UBO chain. Integrate OSINT-013 Standard Corporate DD by reference; do not duplicate the full entity survey. → feeds §7 Entity Standing & Beneficial Ownership, Appendix B Beneficial-Ownership Chart.

Parent / ultimate parent

  • [entity - e.g. ACME Holdings Ltd]
    • Registration / jurisdiction:
    • Ownership stake (%):
    • Control type: [Direct / Indirect / Nominee]
    • Source (registry + URL):
    • Notes / tool output: ← OpenCorporates, national registries, Orbis/LexisNexis
  • [entity 2]

Subsidiaries / affiliates in scope

  • [entity - e.g. ACME Data Services LLC]
    • Role in delivering the client service:
    • Registration / jurisdiction:
    • Client data / system access via this subsidiary:
    • Notes:
  • [entity 2]

Beneficial owners / UBOs

Clone per UBO. See OSINT-010 Integrity Vetting for deep UBO work; record the key outputs here.

  • [UBO name - e.g. Jane Doe]
    • Ownership stake (%):
    • Control mechanism: [Direct shares / Nominee / Trust / Other]
    • Jurisdiction of residence:
    • PEP / sanctions / adverse flags: [None / See OSINT-010 REF]
    • Source / grade:
    • Notes / tool output: ← OpenCorporates, PSC register (UK), Orbis, national filings
  • [UBO 2]

Recent ownership / control changes (last 3 years)

  • [change event]
    • Date:
    • Nature:
    • Significance to risk assessment:

03 · People - Directors, Officers & Key Personnel

Directors, officers, and client-facing / service-critical staff. Each person carries integrity and access-risk considerations. → feeds §7 Entity Standing & Beneficial Ownership, §8 Integrity & Compliance Screen (via OSINT-010 reference).

Directors / board members

  • [name - e.g. J. Smith]
    • Role / title:
    • Nationality / jurisdiction:
    • Other directorships (relevant flags):
    • PEP / sanctions / adverse-media flags: [None / See OSINT-010]
    • Source (Companies House / OpenCorporates / LinkedIn):
    • Notes / tool output: ← OpenCorporates, national registries, LinkedIn
  • [name 2]

Officers / C-suite

  • [name]
    • Role:
    • Tenure:
    • Flags:
    • Source:
  • [name 2]

Key client-facing / service-delivery personnel

  • [name]
    • Role in client-service delivery:
    • Access level granted to client systems/data:
    • Background-check status (per vendor’s process):
    • Notes:

04 · Registrations & Filings

Licenses, regulatory filings, certifications, and statutory compliance required to lawfully provide the service. → feeds §6 Inherent-Risk Tiering, §12 Regulatory, Legal & Licensing Standing, Appendix C Tiering Worksheet.

Required licenses / authorizations for the service

  • [license / authorization - e.g. FCA authorization, ISO 27001 certificate]
    • Issuing body:
    • Scope / activities covered:
    • Validity / expiry date:
    • Status: [Active / Expired / Suspended / Pending]
    • Source (register URL):
    • Grade:
  • [license 2]

Statutory / annual filings

  • Accounts / financial statements filed (most recent year):
    • Filing date:
    • Auditor:
    • Going-concern language:
  • Confirmation statement / annual return:
    • Date:

Modern-slavery statement

  • Statement published (Y/N):
    • URL / reference:
    • Period covered:
    • Quality note:

Regulatory actions / enforcement (last 5 years)

  • [action - e.g. FCA enforcement notice]
    • Regulator / jurisdiction:
    • Date:
    • Nature / outcome:
    • Source:

05 · Digital & Infrastructure

Domain, IP, email, and web infrastructure footprint. Supports InfoSec posture assessment and entity resolution. → feeds §10 Information Security & Data Privacy Posture, Appendix E Security/Data-Privacy Evidence Log.

Domains

  • [domain - e.g. acme-vendor.com]
    • Registrant / WHOIS:
    • Registrar / registered date:
    • Hosting / IP / ASN:
    • SSL certificate / crt.sh history:
    • Notes / tool output: ← whois, crt.sh, SecurityTrails, Shodan, Censys
  • [domain 2]

Email infrastructure

  • [email domain / MX record - e.g. @acme-vendor.com]
    • Mail provider / MX hosts:
    • SPF / DKIM / DMARC status:
    • Corporate email addresses observed:
    • Notes / tool output: ← MXToolbox, hunter.io, dnsdumpster
  • [email 2]

Social media / corporate presence

  • [platform - LinkedIn / Twitter-X / other]
    • Handle / URL:
    • Follower count / activity:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes:

Infrastructure exposure / known vulnerabilities

  • [indicator - e.g. exposed RDP, outdated TLS, leaked credentials]
    • Source (Shodan / GreyNoise / HaveIBeenPwned / dark-web):
    • Date observed:
    • Severity:
    • Notes / tool output: ← Shodan, Censys, Qualys, GreyNoise, HaveIBeenPwned

06 · Financials

Financial health and viability signals visible from open and licensed sources. Not a forensic audit; defer to OSINT-014 EDD for deeper forensic work. → feeds §9 Financial Viability & Dependency / Concentration.

Credit / distress indicators

  • [indicator - e.g. D&B credit score, Experian report, CCJs]
    • Source:
    • Date:
    • Finding:
    • Grade:

Accounts / financial statements (open-source summary)

  • Most recent accounts year:
    • Revenue / turnover:
    • Net profit / loss:
    • Total assets / net assets:
    • Going-concern note:
    • Source (Companies House / EDGAR / national registry):

Liquidity / insolvency indicators

  • [indicator - e.g. winding-up petition, administration notice, CCJ, lien]
    • Source:
    • Date:
    • Significance:

Concentration / dependency

  • Estimated client spend (% of category):
  • Estimated vendor revenue concentration on client:
  • Switching cost / substitutability: [Low / Medium / High]

07 · Commercial Footprint & Relationship Context

The commercial relationship, delivery model, and third-party’s operational footprint relevant to the client engagement. → feeds §5 Third-Party Profile & Relationship Context, §6 Inherent-Risk Tiering & Scope Calibration.

Service / relationship

  • Nature of service / product provided:
  • Criticality to client operations: [Mission-critical / Important / Ancillary]
  • Relationship duration & history:
  • Engagement status: [Pre-onboarding / Active / Renewal / Offboarding]
  • Recent material scope or access changes:

Client data / system / premises access

  • Data sensitivity & volume:
  • System access type (API, VPN, network, cloud-tenant):
  • Premises / personnel access:
  • Data access level assigned: [None / Limited / Sensitive / Privileged]

Operational locations (delivery-relevant)

  • [location - e.g. primary delivery centre, data centre jurisdiction]
    • Jurisdiction risk: [Low / Medium / High / Critical]
    • Regulatory implications:

Customer / client references (if available)

  • [reference]
    • Source / basis:

Regulatory and sanctions risk findings for this relationship. Integrity-specific deep work (sanctions, ABAC, AML, UBO) belongs in OSINT-010; record the verdict here. → feeds §8 Integrity & Compliance Screen, §12 Regulatory, Legal & Licensing Standing, §18 Red Flags, Appendix D Integrity-Screen Reference, Appendix H Screening-Hit Log.

Integrity screen reference (OSINT-010)

  • OSINT-010 Integrity Vetting REF:
  • OSINT-010 as-of date:
  • Overall integrity verdict: [Clear / Conditional / Adverse]
  • Key conditions / escalations from OSINT-010:
  • Fresh gaps identified in this engagement (RFI back to OSINT-010):

Sanctions / restricted-party screening

  • Lists screened (OFAC SDN, EU, UK, UN, DFAT, etc.):
  • Screening as-of date:
  • Result: [Clear / Potential match / Confirmed match]
    • Discriminating identifiers used to dispose:
    • Disposition (true / false / inconclusive):
    • Notes / tool output: ← OFAC, EU Financial Sanctions, UN Consolidated List, World-Check/Dow Jones

ABAC / FCPA-UK Bribery Act (intermediary / agent risk)

  • Intermediary / agent role? [Yes / No / Partial]
  • ABAC flow-down contractual requirement: [Present / Absent / Gap]
  • Key findings from OSINT-010:

Civil litigation & commercial disputes

  • [matter - e.g. breach of contract claim, IP dispute]
    • Court / jurisdiction:
    • Role (claimant / defendant):
    • Status / outcome:
    • Source:

Debarment / government exclusion lists

  • [list - e.g. US SAM.gov, EU EDES, World Bank]
    • Status: [Clear / Excluded / Pending]
    • Source:

09 · Reputation & Adverse Media

Reputation risk and adverse media relevant to the client relationship. Focus on operational, ESG, and reputational signals not covered in the OSINT-010 integrity screen. Deep reputational / field investigation escalates to OSINT-017. → feeds §9 Financial Viability, §13 ESG / Labor, §18 Red Flags.

Adverse media (reputational / operational)

  • [outlet + date - e.g. FT 2024-03-10]
    • Subject / headline:
    • Domain: [ESG / labor / data-breach / fraud / product-failure / regulatory / other]
    • Reliability (A–F) / Credibility (1–6):
    • Significance for onboarding decision:
    • Source (Factiva / Google / LexisNexis):

ESG / labor / modern-slavery adverse signals

  • [indicator - e.g. modern-slavery statement absent, labor lawsuit, environmental violation]
    • Source:
    • Date:
    • Materiality:

Breach / data incident adverse media

  • [incident - e.g. reported data breach, ransomware incident]
    • Date:
    • Scope (data types, volume):
    • Regulatory notification made: [Y/N/Unknown]
    • Source:
    • Notes:

10 · Network & Affiliations

Related entities, shared infrastructure, and material affiliations that affect risk (fourth parties, upstream providers, common ownership). → feeds §14 Fourth-Party / Subcontractor & Concentration Risk, §10 InfoSec & Data Privacy.

Critical fourth parties / subcontractors

Clone per subcontractor in scope for client-service delivery or data processing.

  • [entity - e.g. AWS / Azure / Twilio]
    • Service / component supplied to the third party:
    • % of client-service capability:
    • Data processed for client via this sub:
    • Jurisdiction:
    • Concentration / single-source risk: [Low / Moderate / Elevated / Critical]
    • Flow-down controls contractually required: [Y/N/Partial]
    • Source / basis:
    • Notes / tool output: ← vendor questionnaire, SIG, SOC 2 sub-service carve-outs
  • [entity 2]

Shared upstream infrastructure / common providers

  • [provider - e.g. shared cloud region, shared CDN]
    • Risk (geographic concentration, systemic risk):
    • Notes:

Industry associations / trade-body memberships

  • [membership - e.g. CREST, Cyber Essentials Plus, ISO consortium]
    • Significance:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind the report.

Source register

Every material datum traceable to a graded Admiralty two-axis code. Self-attestation from vendor graded C or lower unless corroborated.

  • [S-1 - source e.g. Companies House UK registry]
    • Type: [Primary / Secondary / Tertiary / Vendor self-attestation]
    • Reliability (A–F) / Credibility (1–6):
    • Date accessed:
  • [S-2 - source e.g. OSINT-010 Integrity Vetting REF-YYYY-###]
    • Type: [Integrated product]
    • Reliability (A–F) / Credibility (1–6):
    • Date accessed / as-of:
  • [S-3]

Evidence archive

  • [screenshot / capture ref + SHA-256 hash + URL + timestamp]:
  • [SOC 2 report ref + issuer + validity period + hash]:
  • [security questionnaire ref + date received + hash]:

Open gaps / verification pending

  • [item - e.g. fourth-party register not received from vendor] → route to [procurement / legal / OSINT-010]
  • [item - e.g. most recent audited accounts not filed] → route to [OSINT-014 EDD if material]

Screening-list governance log

  • Lists screened:
  • Provider / version / as-of dates:
  • Hits dispositioned: