
How to Conduct Vendor Due Diligence for AI Identity and Verification Providers
What Makes These Vendors Different
Traditional identity verification vendors deliver a binary or scored output. Newer AI-enabled providers may apply more complex matching logic; use generative components to interpret unstructured documents; subcontract to multiple data sources without clear lineage; update their models on a faster cadence; process more PII at higher volume.
Each of these creates a specific due-diligence question. The Interagency Guidance on Third-Party Relationships (SR 23-4), issued jointly with OCC Bulletin 2023-17 and FDIC FIL-29-2023, sets the life-cycle framework: planning, due diligence, contract negotiation, ongoing monitoring, and termination. This playbook applies that framework to the specific risks these providers present.
Step 1. Understand What the System Actually Does
A common mistake is accepting marketing-level descriptions. The diligence questions are concrete: What documents and data does the system consume? What logic does it apply? What outputs does it produce? Where are the threshold decisions made? What is determined to be a match versus a non-match?
Demand specifics, not abstractions. Remember also that if the vendor's output feeds your customer identification program, the institution's obligations under 31 CFR 1020.220 do not transfer to the vendor.
Step 2. Map the Data Flow
Document where data goes from the moment the institution sends it: Where is it stored? Which subcontractors process it? In what jurisdictions? What retention applies? What deletion controls exist?
The data flow diagram is one of the most useful artifacts in a vendor file. It is also the artifact most vendors have never been asked to produce, which tells you something about the diligence they usually receive.
Step 3. Evaluate the Model
Apply MRM-aligned questions grounded in SR 11-7: What is the model's purpose, scope, and limitations? How is it validated by the vendor? How is performance monitored? How are changes managed? What false-positive and false-negative rates does the vendor report? What evidence supports those rates?
Vendor documentation is an input. The institution remains accountable. Note that the agencies issued revised, principles-based interagency model risk management guidance in April 2026 (SR 26-2), which reinforces these expectations for AI-based models.
Step 4. Evaluate Explainability
Identity and verification outputs influence customer onboarding decisions, which may be adverse to consumers. Explainability matters: Can the institution understand why a specific match or non-match occurred? Are the underlying signals reviewable? Is the output suitable to inform adverse-action reasons where required?
A system that cannot be explained may not be appropriate for use in decisions that have consumer-protection implications under CFPB Circular 2023-03, which addresses adverse action notification requirements under Regulation B.
Step 5. Evaluate the Privacy Posture
For identity and verification providers, privacy questions are central: Where in the pipeline is PII handled? What redaction, tokenization, or minimization is applied? Is customer data used for model training? What single-tenant or shared-infrastructure options exist? What deletion-on-demand capability exists?
A vendor that cannot answer these clearly is a vendor that creates regulatory exposure.
Step 6. Evaluate the Contract
Specific terms that matter: audit rights; data-use restrictions; retention limits and deletion obligations; breach notification timelines; material-change notification for model updates; subcontractor approval rights; termination assistance and exit data return.
If the contract does not give the institution the rights it needs, the diligence file is incomplete. The contract negotiation stage of the 2023 interagency guidance exists precisely because diligence findings without contractual rights are findings the institution cannot act on.
Step 7. Plan Ongoing Monitoring
The 2023 guidance emphasizes continuous oversight. For these vendors: periodic performance review; triggered review on material model changes; annual deep review; incident review when issues occur. The NIST AI Risk Management Framework provides a useful structure for the AI-specific portions of that monitoring program.
Common Red Flags
- Inability to explain the model's behavior in any meaningful detail.
- Customer data used for vendor model training as a default.
- Subcontractor relationships that are not disclosed.
- No material-change notification clause.
- Output formats that do not support adverse-action documentation.
- Validation evidence that consists of marketing claims rather than methodology.
How StandardC AI Approaches This
StandardC AI is designed to pass the diligence questions in this playbook. Architecture documentation, model documentation aligned to SR 11-7 expectations, deterministic processing evidence, the minimum data dictionary the inference layer sees, SOC reporting, subcontractor transparency, single-tenant deployment options, and contractual rights covering audit, data use, retention, breach notification, and material-change notification are part of the standard package.
Frequently Asked Questions
Should we accept marketing-level questionnaire responses?
No. Demand specifics, including data dictionaries, architecture diagrams, and validation methodology.
How do we evaluate a vendor that updates the model frequently?
The contractual right to material-change notification is the foundation. Pair it with a triggered review process so material updates receive formal evaluation.
What about smaller vendors that may not have full SOC 2 reports?
Evaluate the substance of the controls, not just the report format. Document any gaps and the institution's mitigation.
Authoritative Sources
- SR 23-4: Interagency Guidance on Third-Party Relationships, Risk Management
- OCC Bulletin 2023-17: Third-Party Relationships
- FDIC FIL-29-2023: Interagency Guidance on Third-Party Relationships
- SR 11-7: Supervisory Guidance on Model Risk Management (Federal Reserve)
- SR 26-2: Revised Interagency Guidance on Model Risk Management (April 2026)
- CFPB Circular 2023-03: Adverse Action Notification Requirements (Regulation B)
- 31 CFR 1020.220: Customer Identification Program Requirements for Banks
- NIST AI Risk Management Framework
.webp)

