How to Conduct Vendor Due Diligence for AI Identity and Verification Providers

Identity and verification providers sit in a sensitive position. They handle PII at scale, they make threshold-driven recommendations that influence onboarding decisions, and they often subcontract pieces of the workflow to other vendors. The 2023 interagency third-party guidance is the framework.
Artificial Intelligence (AI)

What Makes These Vendors Different

Traditional identity verification vendors deliver a binary or scored output. Newer AI-enabled providers may apply more complex matching logic; use generative components to interpret unstructured documents; subcontract to multiple data sources without clear lineage; update their models on a faster cadence; process more PII at higher volume.

Each of these creates a specific due-diligence question. The Interagency Guidance on Third-Party Relationships (SR 23-4), issued jointly with OCC Bulletin 2023-17 and FDIC FIL-29-2023, sets the life-cycle framework: planning, due diligence, contract negotiation, ongoing monitoring, and termination. This playbook applies that framework to the specific risks these providers present.

Step 1. Understand What the System Actually Does

A common mistake is accepting marketing-level descriptions. The diligence questions are concrete: What documents and data does the system consume? What logic does it apply? What outputs does it produce? Where are the threshold decisions made? What is determined to be a match versus a non-match?

Demand specifics, not abstractions. Remember also that if the vendor's output feeds your customer identification program, the institution's obligations under 31 CFR 1020.220 do not transfer to the vendor.

Step 2. Map the Data Flow

Document where data goes from the moment the institution sends it: Where is it stored? Which subcontractors process it? In what jurisdictions? What retention applies? What deletion controls exist?

The data flow diagram is one of the most useful artifacts in a vendor file. It is also the artifact most vendors have never been asked to produce, which tells you something about the diligence they usually receive.

Step 3. Evaluate the Model

Apply MRM-aligned questions grounded in SR 11-7: What is the model's purpose, scope, and limitations? How is it validated by the vendor? How is performance monitored? How are changes managed? What false-positive and false-negative rates does the vendor report? What evidence supports those rates?

Vendor documentation is an input. The institution remains accountable. Note that the agencies issued revised, principles-based interagency model risk management guidance in April 2026 (SR 26-2), which reinforces these expectations for AI-based models.

Step 4. Evaluate Explainability

Identity and verification outputs influence customer onboarding decisions, which may be adverse to consumers. Explainability matters: Can the institution understand why a specific match or non-match occurred? Are the underlying signals reviewable? Is the output suitable to inform adverse-action reasons where required?

A system that cannot be explained may not be appropriate for use in decisions that have consumer-protection implications under CFPB Circular 2023-03, which addresses adverse action notification requirements under Regulation B.

Step 5. Evaluate the Privacy Posture

For identity and verification providers, privacy questions are central: Where in the pipeline is PII handled? What redaction, tokenization, or minimization is applied? Is customer data used for model training? What single-tenant or shared-infrastructure options exist? What deletion-on-demand capability exists?

A vendor that cannot answer these clearly is a vendor that creates regulatory exposure.

Step 6. Evaluate the Contract

Specific terms that matter: audit rights; data-use restrictions; retention limits and deletion obligations; breach notification timelines; material-change notification for model updates; subcontractor approval rights; termination assistance and exit data return.

If the contract does not give the institution the rights it needs, the diligence file is incomplete. The contract negotiation stage of the 2023 interagency guidance exists precisely because diligence findings without contractual rights are findings the institution cannot act on.

Step 7. Plan Ongoing Monitoring

The 2023 guidance emphasizes continuous oversight. For these vendors: periodic performance review; triggered review on material model changes; annual deep review; incident review when issues occur. The NIST AI Risk Management Framework provides a useful structure for the AI-specific portions of that monitoring program.

Common Red Flags

  • Inability to explain the model's behavior in any meaningful detail.
  • Customer data used for vendor model training as a default.
  • Subcontractor relationships that are not disclosed.
  • No material-change notification clause.
  • Output formats that do not support adverse-action documentation.
  • Validation evidence that consists of marketing claims rather than methodology.

How StandardC AI Approaches This

StandardC AI is designed to pass the diligence questions in this playbook. Architecture documentation, model documentation aligned to SR 11-7 expectations, deterministic processing evidence, the minimum data dictionary the inference layer sees, SOC reporting, subcontractor transparency, single-tenant deployment options, and contractual rights covering audit, data use, retention, breach notification, and material-change notification are part of the standard package.

Frequently Asked Questions

Should we accept marketing-level questionnaire responses?

No. Demand specifics, including data dictionaries, architecture diagrams, and validation methodology.

How do we evaluate a vendor that updates the model frequently?

The contractual right to material-change notification is the foundation. Pair it with a triggered review process so material updates receive formal evaluation.

What about smaller vendors that may not have full SOC 2 reports?

Evaluate the substance of the controls, not just the report format. Document any gaps and the institution's mitigation.

Authoritative Sources