Vendor Onboarding Requirements

Corporate Finance & Procurement | Last reviewed: 2025-12-10 | Owner: Procurement

Global Trust Bank is required by regulation and internal policy to conduct thorough due diligence on all third-party vendors before entering into a commercial relationship. This article outlines the vendor onboarding process, required documentation, risk assessment criteria, and timelines. The process is managed by the Procurement team in collaboration with Compliance, Legal, and Information Security.

Scope

This procedure applies to all new vendors providing goods, services, or technology to any Global Trust Bank entity worldwide. It also applies to the renewal or material amendment of existing vendor contracts where the scope of services changes significantly.

Vendor Onboarding Process

  1. Vendor Registration Request — The business sponsor (the employee requesting the vendor) submits a Vendor Registration Form via SAP Ariba. The form captures the vendor's legal name, registered address, contact details, and nature of services.
  2. Due Diligence Questionnaire (DDQ) — Procurement sends the vendor a standardised DDQ covering financial stability, regulatory standing, data protection practices, business continuity, and insurance coverage.
  3. Compliance Screening — The Compliance team conducts sanctions screening (OFAC, EU, UN lists), politically exposed persons (PEP) checks, and adverse media screening on the vendor and its key principals.
  4. Risk Assessment — Procurement assigns a risk tier based on the vendor's criticality, data access, and regulatory exposure (see Risk Tiers below).
  5. Information Security Assessment — For vendors with access to GTB systems or data, the Information Security team conducts a security assessment, including review of ISO 27001 certification, SOC 2 reports, and penetration test results.
  6. Legal Review — The Legal Affairs team reviews the proposed contract terms, including liability, indemnity, termination, and data processing clauses.
  7. Approval and Activation — Once all checks are satisfactory, the vendor is approved and activated in SAP Ariba. A unique vendor code is assigned.

Risk Tiers

Tier | Criteria | Due Diligence Level | Review Frequency
Tier 1 — Critical | Vendor provides services essential to business operations or has access to sensitive client data | Full due diligence + on-site audit | Annual
Tier 2 — Important | Vendor provides significant services or has limited access to Bank systems | Full due diligence | Every 2 years
Tier 3 — Standard | Vendor provides non-critical goods or services with no data access | Standard DDQ + screening | Every 3 years

Required Documentation

Vendors must provide the following documents during onboarding:

  • Certificate of incorporation or equivalent registration document
  • Audited financial statements for the most recent two financial years
  • Proof of professional indemnity insurance (minimum GBP 5 million for Tier 1 and Tier 2)
  • Proof of public liability insurance (minimum GBP 10 million)
  • Data processing agreement (where personal data is processed)
  • Modern Slavery Act statement (for UK vendors with turnover exceeding GBP 36 million)
  • ISO 27001 certificate or equivalent (for vendors with access to GTB systems)
  • Business continuity and disaster recovery plan summary (Tier 1 vendors only)

Onboarding Timelines

Tier | Expected Timeline
Tier 1 — Critical | 6–8 weeks
Tier 2 — Important | 4–6 weeks
Tier 3 — Standard | 2–3 weeks

Business sponsors should plan vendor onboarding well in advance of the required service start date. Procurement cannot guarantee expedited processing.

Vendor Code of Conduct

All vendors are required to acknowledge and comply with the GTB Vendor Code of Conduct, which covers anti-bribery and corruption, labour standards, environmental responsibility, and data protection. The Code is distributed as part of the DDQ and must be signed by an authorised representative of the vendor.

Contact

For vendor onboarding queries, contact the Vendor Management team at vendor.management@globaltrust.com or extension 8310.