VENDOR & THIRD-PARTY INTEGRITY VETTING REPORT

The Vendor & Third-Party Integrity Vetting Report is the standard pre-onboarding (and periodic re-screening) integrity gate for a counterparty - supplier, subcontractor, distributor, agent/intermediary, reseller, JV partner, or service provider - that a client intends to engage. It verifies the entity is real, lawfully constituted, and beneficially owned by identifiable parties; screens it and its principals/owners against sanctions, watchlist, export-control, and debarment regimes; tests it for bribery/corruption (FCPA / UK Bribery Act) and politically-exposed/government nexus; checks financial viability, litigation/enforcement history, modern-slavery & ESG/supply-chain integrity, information-security/data-handling posture, and conflicts of interest with the client - each finding graded and rolled into a third-party risk rating and an explicit onboarding recommendation. This is a compliance-driven, repeatable, tier-scaled screen, not a bespoke investigation. It does not deliver the deep investigative, reputational, and financial reconstruction of the Third-Party & Vendor Due Diligence product in the Corporate Due Diligence node, the transaction-grade scrutiny of M&A Due Diligence, person-level employment vetting, source-of-wealth reconstruction on an owner (Source-of-Wealth Verification), or ongoing post-onboarding watch (Continuous Re-Vetting & Insider-Threat Monitoring). Where those needs surface, raise them as RFIs in §17 and escalate to the deeper product - do not perform them here.


Document Control

FieldValue
Report Reference[REF-YYYY-###]
Date of Report[YYYY-MM-DD]
Reporting Period / As-Of Date[YYYY-MM-DD]
Classification / Handling[CONFIDENTIAL - CLIENT / COMPLIANCE EYES ONLY / TLP:AMBER]
Client[CLIENT / CONTRACTING ENTITY]
Requesting Party[PROCUREMENT / COMPLIANCE / TPRM CONTACT - ENGAGEMENT REF]
Counterparty / Engagement[VENDOR LEGAL NAME - PRODUCT/SERVICE & CONTRACT REF]
Screening Tier[Tier 1 Basic / Tier 2 Standard / Tier 3 Enhanced - see §3]
Prepared By[ANALYST NAME / ID]
Reviewed By[REVIEWER NAME / ID]
Approving Officer[APPROVER NAME / ID]
Version[1.0]
Distribution[NAMED RECIPIENTS]

Handling: [Classification/TLP]. Disseminate only to the named authorized recipients (typically client procurement / compliance / legal). Reproduction or onward sharing prohibited without originator approval. May contain personal data on owners/officers - store and transmit per the client data-processing agreement.

Nature of this product (READ FIRST): This is a third-party integrity & compliance screening report on a business entity (and its associated principals where in scope). It is not a consumer report and is not prepared for any FCRA permissible purpose; where the counterparty is a sole proprietor or individual and the screen bears on a personal credit/employment-type decision, stop and route to the appropriate person product (07–09) under the correct legal regime. This report is one input to the client’s third-party risk-management (TPRM) and onboarding decision; it is not an audit opinion, a legal opinion, or a certification of compliance.

Regulatory framing: Screening is conducted to support the client’s obligations under applicable sanctions/export-control (OFAC / OFSI / EU / UN; BIS/EAR / ITAR where relevant), anti-bribery & corruption (US FCPA, UK Bribery Act 2010, and local ABAC law), AML/KYC/CDD, modern-slavery & supply-chain due-diligence (e.g., UK MSA 2015, Norway Transparency Act, German LkSG, EU CSDDD, US UFLPA), and data-protection (GDPR - incl. Art. 28 processor obligations / CCPA) regimes. The applicable regime set must be confirmed with client counsel per engagement.

Sanctions / restricted-party caveat: Any apparent sanctions, export-control, or debarment match is reported as a potential match requiring client confirmation and, where indicated, OFAC/competent-authority guidance before any dealing; [FIRM] does not authorize, license, or clear transactions. Do not act on a screening hit without the verification recorded in §6 and counsel sign-off.

Sourcing & verification: Findings derive from open and licensed sources current as of the as-of date and are graded (Annex A). Corporate-registry, ownership, and adverse data vary in completeness and timeliness by jurisdiction; absence of a finding is not assurance of absence. Findings are time-sensitive - re-verify before any consequential action.

Not legal advice: Permissible checks, ABAC thresholds, and onward use must be confirmed with client counsel for each jurisdiction.

Counterparty Snapshot

FieldValue
Legal Entity Name[Registered name]
Trading / Other Names[DBA / brands / transliterations]
Entity Type & Jurisdiction[e.g., LLC - Delaware, US / FZE - UAE]
Registration / ID No.[Company no. / LEI / tax ID]
Entity Resolution Confidence[Confirmed / Probable / Possible / Unresolved]
Role in Engagement[Supplier / Agent-intermediary / Subcontractor / Reseller / JV / Processor]
Inherent-Risk Tier[Tier 1 / 2 / 3 - see §3]
Beneficial Ownership Transparency[Clear / Partial / Opaque - see §7]
Sanctions / Watchlist Status[No match / Potential match / Confirmed match - see §6]
Material Red Flags[Count by severity: Crit / High / Med / Low]
Overall Integrity Risk & Onboarding Recommendation[APPROVE / APPROVE WITH CONDITIONS / ENHANCED DUE DILIGENCE REQUIRED / DECLINE - see §3 & §16]

Table of Contents

  1. BLUF
  2. Executive Summary
  3. Engagement Inherent-Risk Profile, Risk Rating & Onboarding Recommendation
  4. Priority Intelligence Requirements (PIRs)
  5. Legal Entity Verification & Corporate Structure
  6. Sanctions, Watchlist, Export-Control & Debarment Screening
  7. Beneficial Ownership & Control
  8. Politically-Exposed Persons (PEP) & Government Nexus
  9. Anti-Bribery & Corruption (ABAC) Assessment
  10. Financial Viability & Stability
  11. Litigation, Regulatory & Enforcement History
  12. Adverse Media & Reputational Screening
  13. Modern Slavery, Labor & ESG / Supply-Chain Integrity
  14. Information Security & Data-Protection Posture
  15. Conflicts of Interest & Relationship Mapping
  16. Verified Findings, Red Flags & Third-Party Risk Matrix
  17. Key Assumptions, Collection Gaps & RFIs
  18. Recommendations, Onboarding Conditions & Contract Safeguards
  19. Annex A - Sources & Methodology
  20. Annex B - Appendices

(Page numbers populate on export to Word/PDF.)


1. BLUF

2–3 sentences. Lead with the onboarding recommendation and the single most decision-relevant finding (e.g., a sanctions nexus, opaque ownership, ABAC exposure, or financial distress), then the overall integrity-risk tier and the required next action. State it so a procurement/compliance decision-maker can act on this line alone.

[BLUF]

2. Executive Summary

Triggering requirement and engagement context: who the counterparty is, what it will do for the client, contract value/duration, and why it was referred for vetting at this tier. Scope in/out (checks performed vs. deferred to §16/CDD or person products). Narrative of the key findings across the integrity dimensions, written to the ICD 203 floor - reporting separated from analytic judgment, uncertainty drivers named.

[EXECUTIVE SUMMARY]

3. Engagement Inherent-Risk Profile, Risk Rating & Onboarding Recommendation

This is the adjudication core and the threat-model anchor for the entire report - complete the inherent-risk profile FIRST, because it sets the screening tier and which sections below are mandatory vs. optional. Inherent risk is what the engagement exposes the client to before any findings; residual/integrity risk is what the findings reveal. The recommendation flows from the §16 matrix.

3.1 Inherent-Risk Drivers (defines the tier)

DriverProfile for this engagementRisk Contribution (L/M/H)
Spend / contract value & criticality[Annual value; single-source vs. substitutable; business-continuity criticality][ ]
Interaction with government / public officials[Does the vendor act for the client before governments, customs, regulators, on permits/tenders? - ABAC driver][ ]
Use as agent/intermediary / commission basis[Acts in client’s name? success-fee/commission? sub-agents? - corruption driver][ ]
Geographic footprint[Countries of operation/ownership vs. CPI / sanctions / conflict / high-risk jurisdictions][ ]
Data / systems / facility access[Access to client data (personal/regulated?), networks, or sites - drives §14][ ]
Supply-chain / labor exposure[Manufacturing, raw materials, sub-tier labor in forced-labor-risk regions - drives §13][ ]
Regulatory / sector sensitivity[Defense, finance, healthcare, export-controlled goods, critical infrastructure][ ]

Tier rule: aggregate the drivers to a screening tier - Tier 1 (Basic) identity + sanctions + adverse-media only; Tier 2 (Standard) + ownership, financial, litigation, ABAC screen; Tier 3 (Enhanced) full report incl. infosec, ESG/modern-slavery, conflicts, and any escalation to §16/CDD.

3.2 Onboarding Recommendation

RecommendationMeaning
APPROVENo material integrity findings; residual risk within client appetite; proceed under standard terms.
APPROVE WITH CONDITIONSOnboard subject to the controls/conditions in §18 (e.g., ABAC reps & warranties, audit rights, restricted scope, escrow, re-vet cadence).
ENHANCED DUE DILIGENCE REQUIREDMaterial unresolved risk or red flags; escalate to full Third-Party & Vendor Due Diligence and/or owner Source-of-Wealth before a decision.
DECLINEDisqualifying finding (e.g., confirmed sanctions match, established corruption, sham/undisclosed control by a prohibited party) - recommend against engagement.

Recommendation: [Selection] - Inherent tier [1/2/3]; residual integrity-risk score [n/25, band] - [one-line rationale tied to the §16 matrix and the governing red flag(s)].

4. Priority Intelligence Requirements (PIRs)

The collection-management spine, tailored to vendor integrity. State each PIR, the answer, key evidence, and analytic confidence (separate from likelihood). Summarize in the matrix.

  • PIR-1 - Identity & ownership: Is the entity real, in good standing, and who ultimately owns/controls it? [Answer / evidence / confidence]
  • PIR-2 - Restricted-party exposure: Is the entity, its owners, or principals subject to any sanctions, export-control, or debarment restriction? [ ]
  • PIR-3 - Corruption exposure: Does the engagement and the entity’s conduct present FCPA/UKBA bribery-corruption risk? [ ]
  • PIR-4 - Viability & integrity: Is the entity financially viable and free of disqualifying litigation, regulatory, labor, or reputational findings? [ ]
  • PIR-5 - Client-side risk: Does the entity have undisclosed conflicts, related-party ties, or data/security exposure affecting the client? [ ]
  • [Add engagement-specific PIRs.]
PIRAnswer (summary)ConfidenceKey Gap
PIR-1[ ][H/M/L][ ]
PIR-2[ ][H/M/L][ ]
PIR-3[ ][H/M/L][ ]
PIR-4[ ][H/M/L][ ]
PIR-5[ ][H/M/L][ ]

Confirm the entity exists and is what it claims. Registry verification (name, number, type, incorporation date, status/good standing, registered address vs. operating address), age/longevity, group/parent/subsidiary structure and corporate family tree, licenses/permits required for the service, and any indicators of a shell or front (no operating substance, virtual office, recent formation against a large contract, mismatch between claimed capability and footprint). State entity-resolution confidence and the identifiers matched.

AttributeFindingSource Grade
Registered name / number / type[ ][A–F/1–6]
Jurisdiction & incorporation date[ ][ ]
Status / good standing[ ][ ]
Registered vs. operating address[ ][ ]
Parent / group structure[ ][ ]
Licenses / permits for the service[ ][ ]
Substance / shell indicators[ ][ ]

6. Sanctions, Watchlist, Export-Control & Debarment Screening

Screen the entity, its parents/subsidiaries, beneficial owners, directors, and known principals against applicable lists - and apply the 50%-rule (or local equivalent) for ownership-by-sanctioned-parties. Record list versions/dates. Every hit is a potential match pending confirmation; document the disposition (true/false/inconclusive) and the discriminating identifiers.

Subject screenedLists / regimes (with version date)ResultDisposition & confirming identifiersGrade
[Entity][OFAC SDN/SSI; OFSI; EU; UN; BIS Entity/Denied; debarment - SAM.gov, World Bank, MDB cross-debarment][No / Potential / Confirmed][ ][ ]
[Owner/principal][Same][ ][ ][ ]

Export-control / dual-use note: [Where goods/tech are controlled, flag classification, end-use/end-user, and re-export exposure; route licensing questions to counsel.]

7. Beneficial Ownership & Control

Map ownership and control to the ultimate beneficial owners (UBOs). Layered/cross-border holding structures, nominee shareholders/directors, bearer instruments, trusts, and opacity that frustrates UBO identification are themselves risk findings. Identify control exercised by means other than equity (contracts, financing, dominant customer/supplier). Flag any UBO/controller link to a PEP (→ §8), sanctioned party (→ §6), or client insider (→ §15). State ownership-transparency rating and confidence.

UBO / controller% / nature of controlVerification basisPEP / sanctions / conflict flagConfidence
[Name][ ][Registry / disclosure / inferred][ ][Confirmed/Probable/Possible/Unresolved]

Transparency rating: [Clear / Partial / Opaque] - [drivers].

8. Politically-Exposed Persons (PEP) & Government Nexus

Identify PEP status of owners/principals (domestic, foreign, international-org; close associates and family), state ownership/control of the entity, and the engagement’s interface with government (sales to state entities, permitting, customs, regulated approvals). PEP status is not itself derogatory - it raises the corruption/conflict risk weighting and feeds §9. Note revolving-door ties to the client’s own government touchpoints.

Person / entityPEP type / government roleRelevance to engagementRisk weighting
[ ][ ][ ][L/M/H]

9. Anti-Bribery & Corruption (ABAC) Assessment

The core integrity dimension for agents/intermediaries and government-facing vendors. Assess corruption exposure against FCPA/UKBA risk factors: government/official interface, use as intermediary and basis of compensation (success fees, unusual commissions, cash, offshore payment routing), third-party-of-third-party (sub-agents), gifts/hospitality patterns, geography (CPI/known-corruption sector), and the vendor’s own ABAC program maturity (policy, training, prior enforcement, willingness to give reps/warranties and audit rights). Distinguish indicators from established conduct; reserve “established” for substantiated findings.

ABAC factorFinding / indicatorSeverity
Government / official interface[ ][ ]
Intermediary role & compensation basis[ ][ ]
Payment routing / offshore / cash[ ][ ]
Sub-agents / onward third parties[ ][ ]
Geographic / sector corruption risk[ ][ ]
Vendor ABAC program maturity[ ][ ]
Prior bribery/corruption findings[ ][ ]

10. Financial Viability & Stability

Vendor failure is an operational/continuity and integrity risk, not only a credit question. Assess solvency and going-concern signals (filings, credit/risk scores, judgments/liens, late-payment/insolvency indicators, sudden ownership or banking changes), dependence/concentration (is the client a disproportionate share of vendor revenue, or vice versa?), and any signals of financial distress that raise fraud/cut-corner/coercion risk. Defer full forensic financial reconstruction to §16/CDD or Source-of-Wealth.

IndicatorFindingSource Grade
Solvency / going-concern signals[ ][ ]
Credit / risk rating[ ][ ]
Judgments / liens / insolvency events[ ][ ]
Revenue concentration / dependence[ ][ ]
Distress indicators[ ][ ]

11. Litigation, Regulatory & Enforcement History

Material litigation (as plaintiff/defendant), regulatory actions, fines, license suspensions, and enforcement against the entity and its principals - focused on issues bearing on integrity, capability, and reliability (fraud, corruption, breach, safety, environmental, labor, data). State court/agency, status, and materiality; distinguish allegations from adjudicated outcomes.

MatterForum / DateStatusMaterialityGrade
[ ][ ][Pending/Settled/Judgment][ ][ ]

12. Adverse Media & Reputational Screening

Structured adverse-media screen (entity + principals + brands) across the integrity taxonomy - fraud, corruption, sanctions evasion, labor/human-rights, environmental, safety, organized-crime ties, product/quality failures. Bounded: this is a screen, not the deep reputational investigation of §16/CDD. Grade source reliability; separate substantiated reporting from rumor; note language/jurisdiction coverage limits.

ThemeSummarySubstantiationSource Grade
[ ][ ][Substantiated / Reported / Rumor][ ]

13. Modern Slavery, Labor & ESG / Supply-Chain Integrity

Required for Tier 3 and for goods/manufacturing/labor-intensive engagements. Assess forced-labor and human-rights exposure across the vendor’s own operations and its sub-tier supply chain (sourcing geography vs. forced-labor-risk lists incl. UFLPA scope; labor-broker use; audit history/certifications), plus environmental/health-safety integrity where material. Map to the client’s statutory due-diligence regime (UK MSA, LkSG, CSDDD, Norway Transparency Act). Note depth limits - sub-tier visibility is often partial.

DimensionFindingStatutory nexusSeverity
Forced-labor / human-rights exposure[ ][UFLPA / MSA / LkSG / CSDDD][ ]
Sub-tier supply-chain visibility[ ][ ][ ]
Audits / certifications[ ][ ][ ]
Environmental / H&S record[ ][ ][ ]

14. Information Security & Data-Protection Posture

Required where the vendor will access, process, store, or transmit client data, systems, or facilities. Assess security posture and data-protection obligations: certifications/attestations (e.g., ISO 27001, SOC 2 - verify currency), breach history, processor status and GDPR Art. 28 / CCPA obligations, sub-processor chain, data-residency/cross-border transfer, and any external attack-surface or exposure signals. This is a screening-level posture check; defer deep technical assessment to a dedicated Digital/Cyber product where warranted.

DimensionFindingGrade
Certifications / attestations (currency)[ ][ ]
Breach / incident history[ ][ ]
Processor status / Art. 28 obligations[ ][ ]
Sub-processors & data residency[ ][ ]
External exposure signals[ ][ ]

15. Conflicts of Interest & Relationship Mapping

Map ties between the counterparty (and its owners/principals) and the client’s own personnel, decision-makers, or other vendors - undisclosed related-party relationships, family/financial links to client insiders involved in the selection, common ownership with competitors, or collusion/bid-rigging indicators. Undisclosed conflict is itself a material red flag regardless of other findings.

RelationshipPartiesNature / basisDisclosed?Risk
[ ][ ][ ][Y/N][L/M/H]

16. Verified Findings, Red Flags & Third-Party Risk Matrix

16.1 Verified Findings Summary

#FindingStatusConfidenceMateriality
1[ ][Verified / Unverified / Contradicted][H/M/L][ ]

16.2 Red Flag Register

#Red FlagDimension (§)SeverityBasisDisposition
1[ ][ ][Crit/High/Med/Low][ ][Open/Mitigable/Disqualifying]

Severity definitions: Critical - disqualifying (confirmed sanctions/restricted-party, established corruption, sham/undisclosed prohibited control). High - material unresolved integrity risk requiring EDD or strong conditions. Medium - manageable with conditions. Low - note only.

16.3 Third-Party Risk Matrix (Inherent × Findings)

Residual integrity-risk score = Inherent-Risk level (§3, 1–5) × Findings-Severity level (worst-substantiated dimension, 1–5) = 1–25. This score drives the §3 recommendation. State the governing dimension.

Inherent risk (1–5)Findings severity (1–5)Residual score (1–25)BandGoverning dimension
[ ][ ][ ][Low 1–5 / Mod 6–10 / Elevated 11–15 / High 16–20 / Critical 21–25][ ]

17. Key Assumptions, Collection Gaps & RFIs

Light Key Assumptions Check (assumptions that, if wrong, flip the recommendation - e.g., disclosed ownership is the true UBO; registry data is current) plus collection gaps and RFIs. State where data was unavailable (opaque jurisdiction, no response to vendor questionnaire, unverifiable sub-tier) and the impact on the assessment.

Assumption / GapBasis / Why openImpact if wrong / unresolvedRecommended collectionPriority
[ ][ ][ ][ ][H/M/L]

18. Recommendations, Onboarding Conditions & Contract Safeguards

Translate the assessment into action: the onboarding decision (§3), specific conditions to attach if “approve with conditions,” recommended contract safeguards, and re-vetting cadence. Tailor to the governing risks - do not list generic boilerplate.

  • Decision: [APPROVE / APPROVE WITH CONDITIONS / EDD REQUIRED / DECLINE].
  • Conditions precedent / controls: [e.g., resolve sanctions hit with counsel; obtain UBO declaration; ABAC certification & training attestation; restrict scope/geography; payment-routing controls; escrow.]
  • Contract safeguards: [ABAC & sanctions reps and warranties; right-to-audit; books-and-records clause; subcontractor-flow-down; data-protection/Art. 28 addendum; termination-for-cause and step-in rights.]
  • Re-vetting cadence: [Tier-based interval; trigger events - ownership change, sanctions-list update, adverse media, contract scope increase. Route ongoing watch to Continuous Re-Vetting & Insider-Threat Monitoring.]
  • Escalations / RFIs: [Items routed to §16/CDD, Source-of-Wealth, or a cyber product.]

19. Annex A - Sources & Methodology

Collection methods and scope; the source register graded with the Admiralty two-axis code; the reference scales (below); statement of the likelihood-vs-confidence separation; coverage and currency limitations by jurisdiction.

Source reliability (Admiralty, A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged.

Information credibility (Admiralty, 1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged. (Each sourced datum carries a two-character grade, e.g., B2.)

Estimative probability / likelihood (ICD 203): almost no chance / remote (01–05%) · very unlikely (05–20%) · unlikely (20–45%) · roughly even chance (45–55%) · likely (55–80%) · very likely (80–95%) · almost certain (95–99%).

Analytic confidence (evidence base - kept separate from likelihood): HIGH (multiple independent reliable sources, primary documentation, no significant contradiction) · MODERATE (some corroboration, gaps, minor unresolved inconsistency) · LOW (single/uncorroborated source, significant gaps, plausible alternatives open). Never combine a likelihood term and a confidence level in the same sentence.

Third-party risk scoring: Inherent risk (1–5) × Findings severity (1–5) = 1–25; key: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.

Entity-resolution confidence: Confirmed / Probable / Possible / Unresolved - with the matched identifiers (registration number, LEI, address, UBO) stated; disambiguation explicit, never assumed.

Screening-list governance: every list screened is recorded with its provider and version/as-of date; matches are dispositioned (true/false/inconclusive) with the discriminating identifiers.

20. Annex B - Appendices

  • Appendix A - Entity & Identifier Index: legal/trading names, registration numbers, LEI, addresses, principals/owners with matched identifiers.
  • Appendix B - Beneficial-Ownership Chart: ownership/control structure diagram pointer.
  • Appendix C - Full Source Register: every source, Admiralty grade, access date, URL/reference.
  • Appendix D - Screening-Hit Log: lists screened, versions/dates, hits and dispositions.
  • Appendix E - Vendor Questionnaire / Disclosures: copy or pointer to the vendor’s self-disclosure, ABAC/representations, certifications.
  • Appendix F - Glossary & Abbreviations.
  • Appendix G - Revision History.

END OF REPORT.

Verification disclaimer: This integrity-vetting report is a point-in-time screening based on open and licensed sources current as of the as-of date; it is not an audit, a legal opinion, or a guarantee. Screening hits (sanctions/export/debarment) are potential matches requiring client confirmation and, where indicated, competent-authority guidance before any dealing. Verify findings before any consequential onboarding, payment, or contracting action.

Document control footer: [REF-YYYY-### · Version · Classification/TLP · Prepared/Reviewed/Approved · Distribution].

Model wiring

Generated from cell frontmatter at publish time.