[THIRD PARTY / VENDOR ENTITY] - Collection Map
OSINT-016 Third-Party & Vendor Due Diligence - collection workspace. Central topic = the third-party / vendor entity under TPRM onboarding review. Branches = data-point categories by risk domain. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-016. This collection consumes OSINT-010 Integrity Vetting by reference and integrates with OSINT-013 Standard Corporate DD; do not re-perform deep integrity or full CDD work here - escalate gaps as RFIs.
00 · Collection Plan - PIRs & EEIs
The questions this TPRM collection must answer + essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §17 Verified Findings, §21 Collection Gaps, §22 Risk Assessment & Recommendations.
PIR-1 - Tier & Scope Calibration: What is the inherent-risk tier and does DD depth match?
- EEI: service/function the vendor provides to the client (nature, volume, criticality)
- EEI: data / system / premises access level (None / Limited / Sensitive / Privileged)
- EEI: client spend, % of category, and switching cost / substitutability
- EEI: geographic / jurisdiction risk indicators (sanctions exposure, corruption indices)
- EEI: regulatory sensitivity of the service (sector DD rules, licensing requirements)
- EEI: relationship type (direct supplier vs. agent/intermediary with flow-down exposure)
- EEI: Inherent-Risk Tier assigned (Critical / High / Medium / Low) with rationale
PIR-2 - Integrity & Compliance Baseline: Does the vendor present blocking or conditioning integrity findings?
- EEI: OSINT-010 Integrity Vetting report reference, date, and overall verdict (Clear / Conditional / Adverse)
- EEI: sanctions / restricted-party verdict and any near-matches requiring disposition
- EEI: ABAC / FCPA-UKBA exposure (direct + intermediary/agent chain)
- EEI: AML / counter-financing of terrorism (CFT) indicators
- EEI: beneficial-ownership (UBO) transparency (Clear / Partial / Opaque)
- EEI: integrity-relevant adverse media verdict from OSINT-010
- EEI: fresh integrity gaps identified here - RFI count for escalation back to OSINT-010
PIR-3 - InfoSec & Data Privacy Adequacy: Are controls commensurate with the data/system access level?
- EEI: SOC 2 Type II (or equivalent) - scope, period, and currency
- EEI: ISO 27001 or other recognized certifications - scope and validity
- EEI: security questionnaire (SIG / HECVAT / custom) responses and reliability grade
- EEI: breach / incident history (last 5 years) - severity, client-data impact, notification practice
- EEI: data residency and cross-border transfer controls (GDPR/UK GDPR/CCPA compliance)
- EEI: privileged-access controls, PAM tooling, logging and monitoring capability
- EEI: overall InfoSec & data-privacy posture verdict for the assigned access level
PIR-4 - Resilience & Concentration: Are there SPOFs or fourth-party concentrations creating unacceptable exposure?
- EEI: BCP / DR documentation, tested RTO/RPO commitments, and last exercise date
- EEI: single-points-of-failure - technical (hosting/cloud), geographic, and personnel
- EEI: critical fourth-party / subcontractor map (name, service, % of capability, risk notes)
- EEI: fourth-party concentration risks (shared upstream providers, geographic clusters)
- EEI: fourth-party register - maintained and contractually required to be shared?
- EEI: overall fourth-party / concentration risk rating
PIR-5 - Contractual Controls Sufficiency: Does the contract framework cover required controls for the tier?
- EEI: right-to-audit clause (security, data-processing, compliance) - present, scope, frequency
- EEI: security & data-protection addendum / DPA - present, current, adequate
- EEI: ABAC / compliance flow-down to subcontractors - contractual requirement present?
- EEI: SLA / service-performance provisions and remedies
- EEI: insurance minimums (cyber, E&O, professional liability) - currency and adequacy
- EEI: exit / termination assistance and data-return / destruction obligations
- EEI: overall contractual posture gap list and priority (H/M/L) for remediation before onboarding
PIR-6 - Lifecycle & Oversight Proportionality: What decision, cadence, and monitoring enrollment are warranted?
- EEI: recommended onboarding decision (Approve / Approve-with-conditions / Remediate-then-reassess / Reject / Offboard)
- EEI: re-DD cadence by tier (Critical ≈12 mo / High ≈18 mo / Medium ≈24–36 mo / Low ≈36+ mo)
- EEI: enrollment in OSINT-018 Continuous Counterparty Monitoring - tier and watch indicators
- EEI: event-driven triggers for accelerated re-assessment or offboarding
- EEI: offboarding / exit-assistance requirements if applicable
Collection gaps / RFIs (running)
- [open item] → route to [OSINT-010 / OSINT-014 / OSINT-017 / OSINT-018 / security-assessment / legal / procurement]
- [open item]
01 · Entity Identity
Who the third party is - uniquely resolved. Tie each identifier to a verified source. → feeds §5 Third-Party Profile & Relationship Context, §7 Entity Standing & Beneficial Ownership, Appendix A Entity & Identifier Index.
Legal / registration
- Legal name:
- Registration number(s):
- Jurisdiction(s) of incorporation / registration:
- Date of incorporation:
- Entity status (active / dissolved / in administration):
- Source (registry + URL):
- Grade:
Trading names & other identifiers
- DBA / trading name:
- Prior names / historical names:
- LEI (Legal Entity Identifier):
- D-U-N-S number:
- VAT / tax ID:
- Website / primary domain:
- WHOIS registrant / registrar:
- Notes / tool output: ← whois, crt.sh, SecurityTrails
Addresses
- Registered address:
- Principal place of business:
- Other operational addresses:
- Source / basis:
Entity-resolution confidence
- Confidence: [Confirmed / Probable / Possible / Unresolved]
- Discriminating identifiers matched:
- Same-name candidates identified & excluded:
02 · Corporate Structure
Parent / subsidiary / affiliate map and UBO chain. Integrate OSINT-013 Standard Corporate DD by reference; do not duplicate the full entity survey. → feeds §7 Entity Standing & Beneficial Ownership, Appendix B Beneficial-Ownership Chart.
Parent / ultimate parent
- [entity - e.g. ACME Holdings Ltd]
- Registration / jurisdiction:
- Ownership stake (%):
- Control type: [Direct / Indirect / Nominee]
- Source (registry + URL):
- Notes / tool output: ← OpenCorporates, national registries, Orbis/LexisNexis
- [entity 2]
Subsidiaries / affiliates in scope
- [entity - e.g. ACME Data Services LLC]
- Role in delivering the client service:
- Registration / jurisdiction:
- Client data / system access via this subsidiary:
- Notes:
- [entity 2]
Beneficial owners / UBOs
Clone per UBO. See OSINT-010 Integrity Vetting for deep UBO work; record the key outputs here.
- [UBO name - e.g. Jane Doe]
- Ownership stake (%):
- Control mechanism: [Direct shares / Nominee / Trust / Other]
- Jurisdiction of residence:
- PEP / sanctions / adverse flags: [None / See OSINT-010 REF]
- Source / grade:
- Notes / tool output: ← OpenCorporates, PSC register (UK), Orbis, national filings
- [UBO 2]
Recent ownership / control changes (last 3 years)
- [change event]
- Date:
- Nature:
- Significance to risk assessment:
03 · People - Directors, Officers & Key Personnel
Directors, officers, and client-facing / service-critical staff. Each person carries integrity and access-risk considerations. → feeds §7 Entity Standing & Beneficial Ownership, §8 Integrity & Compliance Screen (via OSINT-010 reference).
Directors / board members
- [name - e.g. J. Smith]
- Role / title:
- Nationality / jurisdiction:
- Other directorships (relevant flags):
- PEP / sanctions / adverse-media flags: [None / See OSINT-010]
- Source (Companies House / OpenCorporates / LinkedIn):
- Notes / tool output: ← OpenCorporates, national registries, LinkedIn
- [name 2]
Officers / C-suite
- [name]
- Role:
- Tenure:
- Flags:
- Source:
- [name 2]
Key client-facing / service-delivery personnel
- [name]
- Role in client-service delivery:
- Access level granted to client systems/data:
- Background-check status (per vendor’s process):
- Notes:
04 · Registrations & Filings
Licenses, regulatory filings, certifications, and statutory compliance required to lawfully provide the service. → feeds §6 Inherent-Risk Tiering, §12 Regulatory, Legal & Licensing Standing, Appendix C Tiering Worksheet.
Required licenses / authorizations for the service
- [license / authorization - e.g. FCA authorization, ISO 27001 certificate]
- Issuing body:
- Scope / activities covered:
- Validity / expiry date:
- Status: [Active / Expired / Suspended / Pending]
- Source (register URL):
- Grade:
- [license 2]
Statutory / annual filings
- Accounts / financial statements filed (most recent year):
- Filing date:
- Auditor:
- Going-concern language:
- Confirmation statement / annual return:
- Date:
Modern-slavery statement
- Statement published (Y/N):
- URL / reference:
- Period covered:
- Quality note:
Regulatory actions / enforcement (last 5 years)
- [action - e.g. FCA enforcement notice]
- Regulator / jurisdiction:
- Date:
- Nature / outcome:
- Source:
05 · Digital & Infrastructure
Domain, IP, email, and web infrastructure footprint. Supports InfoSec posture assessment and entity resolution. → feeds §10 Information Security & Data Privacy Posture, Appendix E Security/Data-Privacy Evidence Log.
Domains
- [domain - e.g. acme-vendor.com]
- Registrant / WHOIS:
- Registrar / registered date:
- Hosting / IP / ASN:
- SSL certificate / crt.sh history:
- Notes / tool output: ← whois, crt.sh, SecurityTrails, Shodan, Censys
- [domain 2]
Email infrastructure
- [email domain / MX record - e.g. @acme-vendor.com]
- Mail provider / MX hosts:
- SPF / DKIM / DMARC status:
- Corporate email addresses observed:
- Notes / tool output: ← MXToolbox, hunter.io, dnsdumpster
- [email 2]
Social media / corporate presence
- [platform - LinkedIn / Twitter-X / other]
- Handle / URL:
- Follower count / activity:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes:
Infrastructure exposure / known vulnerabilities
- [indicator - e.g. exposed RDP, outdated TLS, leaked credentials]
- Source (Shodan / GreyNoise / HaveIBeenPwned / dark-web):
- Date observed:
- Severity:
- Notes / tool output: ← Shodan, Censys, Qualys, GreyNoise, HaveIBeenPwned
06 · Financials
Financial health and viability signals visible from open and licensed sources. Not a forensic audit; defer to OSINT-014 EDD for deeper forensic work. → feeds §9 Financial Viability & Dependency / Concentration.
Credit / distress indicators
- [indicator - e.g. D&B credit score, Experian report, CCJs]
- Source:
- Date:
- Finding:
- Grade:
Accounts / financial statements (open-source summary)
- Most recent accounts year:
- Revenue / turnover:
- Net profit / loss:
- Total assets / net assets:
- Going-concern note:
- Source (Companies House / EDGAR / national registry):
Liquidity / insolvency indicators
- [indicator - e.g. winding-up petition, administration notice, CCJ, lien]
- Source:
- Date:
- Significance:
Concentration / dependency
- Estimated client spend (% of category):
- Estimated vendor revenue concentration on client:
- Switching cost / substitutability: [Low / Medium / High]
07 · Commercial Footprint & Relationship Context
The commercial relationship, delivery model, and third-party’s operational footprint relevant to the client engagement. → feeds §5 Third-Party Profile & Relationship Context, §6 Inherent-Risk Tiering & Scope Calibration.
Service / relationship
- Nature of service / product provided:
- Criticality to client operations: [Mission-critical / Important / Ancillary]
- Relationship duration & history:
- Engagement status: [Pre-onboarding / Active / Renewal / Offboarding]
- Recent material scope or access changes:
Client data / system / premises access
- Data sensitivity & volume:
- System access type (API, VPN, network, cloud-tenant):
- Premises / personnel access:
- Data access level assigned: [None / Limited / Sensitive / Privileged]
Operational locations (delivery-relevant)
- [location - e.g. primary delivery centre, data centre jurisdiction]
- Jurisdiction risk: [Low / Medium / High / Critical]
- Regulatory implications:
Customer / client references (if available)
- [reference]
- Source / basis:
08 · Legal, Regulatory & Sanctions
Regulatory and sanctions risk findings for this relationship. Integrity-specific deep work (sanctions, ABAC, AML, UBO) belongs in OSINT-010; record the verdict here. → feeds §8 Integrity & Compliance Screen, §12 Regulatory, Legal & Licensing Standing, §18 Red Flags, Appendix D Integrity-Screen Reference, Appendix H Screening-Hit Log.
Integrity screen reference (OSINT-010)
- OSINT-010 Integrity Vetting REF:
- OSINT-010 as-of date:
- Overall integrity verdict: [Clear / Conditional / Adverse]
- Key conditions / escalations from OSINT-010:
- Fresh gaps identified in this engagement (RFI back to OSINT-010):
Sanctions / restricted-party screening
- Lists screened (OFAC SDN, EU, UK, UN, DFAT, etc.):
- Screening as-of date:
- Result: [Clear / Potential match / Confirmed match]
- Discriminating identifiers used to dispose:
- Disposition (true / false / inconclusive):
- Notes / tool output: ← OFAC, EU Financial Sanctions, UN Consolidated List, World-Check/Dow Jones
ABAC / FCPA-UK Bribery Act (intermediary / agent risk)
- Intermediary / agent role? [Yes / No / Partial]
- ABAC flow-down contractual requirement: [Present / Absent / Gap]
- Key findings from OSINT-010:
Civil litigation & commercial disputes
- [matter - e.g. breach of contract claim, IP dispute]
- Court / jurisdiction:
- Role (claimant / defendant):
- Status / outcome:
- Source:
Debarment / government exclusion lists
- [list - e.g. US SAM.gov, EU EDES, World Bank]
- Status: [Clear / Excluded / Pending]
- Source:
09 · Reputation & Adverse Media
Reputation risk and adverse media relevant to the client relationship. Focus on operational, ESG, and reputational signals not covered in the OSINT-010 integrity screen. Deep reputational / field investigation escalates to OSINT-017. → feeds §9 Financial Viability, §13 ESG / Labor, §18 Red Flags.
Adverse media (reputational / operational)
- [outlet + date - e.g. FT 2024-03-10]
- Subject / headline:
- Domain: [ESG / labor / data-breach / fraud / product-failure / regulatory / other]
- Reliability (A–F) / Credibility (1–6):
- Significance for onboarding decision:
- Source (Factiva / Google / LexisNexis):
ESG / labor / modern-slavery adverse signals
- [indicator - e.g. modern-slavery statement absent, labor lawsuit, environmental violation]
- Source:
- Date:
- Materiality:
Breach / data incident adverse media
- [incident - e.g. reported data breach, ransomware incident]
- Date:
- Scope (data types, volume):
- Regulatory notification made: [Y/N/Unknown]
- Source:
- Notes:
10 · Network & Affiliations
Related entities, shared infrastructure, and material affiliations that affect risk (fourth parties, upstream providers, common ownership). → feeds §14 Fourth-Party / Subcontractor & Concentration Risk, §10 InfoSec & Data Privacy.
Critical fourth parties / subcontractors
Clone per subcontractor in scope for client-service delivery or data processing.
- [entity - e.g. AWS / Azure / Twilio]
- Service / component supplied to the third party:
- % of client-service capability:
- Data processed for client via this sub:
- Jurisdiction:
- Concentration / single-source risk: [Low / Moderate / Elevated / Critical]
- Flow-down controls contractually required: [Y/N/Partial]
- Source / basis:
- Notes / tool output: ← vendor questionnaire, SIG, SOC 2 sub-service carve-outs
- [entity 2]
Shared upstream infrastructure / common providers
- [provider - e.g. shared cloud region, shared CDN]
- Risk (geographic concentration, systemic risk):
- Notes:
Industry associations / trade-body memberships
- [membership - e.g. CREST, Cyber Essentials Plus, ISO consortium]
- Significance:
99 · Collection Admin
Working register - not a deliverable section, but the audit trail behind the report.
Source register
Every material datum traceable to a graded Admiralty two-axis code. Self-attestation from vendor graded C or lower unless corroborated.
- [S-1 - source e.g. Companies House UK registry]
- Type: [Primary / Secondary / Tertiary / Vendor self-attestation]
- Reliability (A–F) / Credibility (1–6):
- Date accessed:
- [S-2 - source e.g. OSINT-010 Integrity Vetting REF-YYYY-###]
- Type: [Integrated product]
- Reliability (A–F) / Credibility (1–6):
- Date accessed / as-of:
- [S-3]
Evidence archive
- [screenshot / capture ref + SHA-256 hash + URL + timestamp]:
- [SOC 2 report ref + issuer + validity period + hash]:
- [security questionnaire ref + date received + hash]:
Open gaps / verification pending
- [item - e.g. fourth-party register not received from vendor] → route to [procurement / legal / OSINT-010]
- [item - e.g. most recent audited accounts not filed] → route to [OSINT-014 EDD if material]
Screening-list governance log
- Lists screened:
- Provider / version / as-of dates:
- Hits dispositioned: