UC7: Vendor Risk Assessment Pre-Screening

The Problem

Banks procure goods and services from thousands of vendors. Each vendor must pass risk assessment,financial stability, sanctions compliance, adverse media, operational resilience, data security practices. Current process: procurement team issues questionnaire to vendor; risk team manually reviews responses against checklist; risk team pulls public data (financials, sanctions lists, news); generates 5-10 page risk report; management approves. Cycle time: 10-20 business days. Cost per vendor: 15-25 hours of risk analyst time. 200+ vendors assessed annually = 3000-5000 hours/year. False-negative rate (risky vendors approved): 5-8%.

What the Agent Does

Receives vendor questionnaire responses (uploaded form or PDF)
Parses responses and scores against standard risk criteria (financial solvency, insurance, compliance certifications, security controls, data protection, business continuity)
Generates data retrieval requests to public sources: corporate filings (SEC, Companies House), sanctions lists (OFAC, EU, UN), adverse media (news database), credit ratings (Moody's, S&P)
Compiles pre-screening report: questionnaire responses + external data + summary risk score
Flags red flags (failed sanctions screening, negative news, financial distress) for immediate escalation
Routes low-risk vendors (score <30) to fast-track approval path; medium/high-risk (score 30+) to full risk assessment by risk officer
Documents all sources and rationale for audit trail

Data Requirements

Data Sources:

Vendor Questionnaire Forms (uploaded PDFs or forms) , Financial info, compliance certifications, security practices, business continuity plans
SEC EDGAR / Companies House APIs , Public corporate filings, financial statements, ownership information
OFAC Sanctions Lists API , U.S. Treasury sanctions list screening
EU Sanctions Regulation Database , European Union sanctions list
UN Sanctions Lists , UNSC consolidated lists
Reuters/Bloomberg/LexisNexis APIs , Adverse media, news articles about vendor, litigation records
Moody's/S&P Credit Ratings APIs , Vendor credit ratings, financial risk scores
Internal Vendor Risk Policy Database , Risk criteria, scoring thresholds, approved certifications (ISO 27001, SOC 2, etc.)
Vendor Master File (Workday, SAP Procurement, or custom) , Prior vendor assessments, relationship history

Data Classification:

Public: Corporate filings (SEC, Companies House), sanctions lists (OFAC, EU, UN), news articles, credit ratings
Internal Structured: Vendor questionnaire responses, risk criteria, scoring logic, prior vendor assessments
Internal Unstructured: Vendor management notes, correspondence
External Third-Party: Reuters/Bloomberg feeds, Moody's/S&P ratings, news databases
Sensitive/Regulated: Vendor financial data (confidential), compliance certifications

Data Quality Requirements:

Questionnaire data completeness: 95%+ fields filled out by vendor (flags incomplete submissions). Sanctions list freshness: updated daily from OFAC/EU sources. Public data availability: 85%+ of vendors retrievable from at least one public source (some private/unlisted vendors may not have public data). Credit rating accuracy: sourced directly from Moody's/S&P (no manual adjustment).

Integration Complexity: Medium , Requires API integration with 5-7 data sources (corporate filings, sanctions lists, news/ratings databases). OCR or form parsing for questionnaire PDFs adds complexity if using unstructured documents (vs. structured forms). Questionnaire parsing may require rule-based extraction or ML model if format varies. Vendor master file integration depends on ERP system (SAP, Workday, Oracle).

Score Breakdown

Criterion	Weight	Score (1-5)	Weighted
Time Recaptured	15%	4	0.60
Error Reduction	10%	4	0.40
Cost Avoidance	10%	4	0.40
Strategic Leverage	5%	4	0.20
Data Availability	15%	4	0.60
Process Clarity	15%	4	0.60
Ease of Implementation	10%	3	0.30
Fallback Available	10%	5	0.50
Audience (Int/Ext)	10%	5	0.50
Composite	100%		4.20

Why It Scores Well

Questionnaire data is structured (bank provides template). Assessment criteria are explicit (vendor risk policy defines required criteria). Public data sources are accessible (OFAC, news APIs). High volume (200+ vendors/year). Clear gate: low-risk vendors bypass detailed assessment (saving 8-10 hours each). Fallback is straightforward: risk officer conducts full assessment manually. Internal audience. Clear value: faster vendor onboarding, reduced rework, better risk detection.

Regulatory Alignment

Third-Party Risk Management (MAS TM05, OCC Bulletin 2013-29): Agent supports vendor due diligence governance
Sanctions Compliance (OFAC, EU Sanctions Regs): Agent screens all vendors against sanctions lists
GLBA Safeguards Rule: Agent supports vendor security assessment

Sprint Factory Fit

Sprint 0 (2 weeks) + 3 build sprints (6 weeks)

Sprint 0: Vendor questionnaire template standardization, risk criteria codification, public data source API setup, risk scoring model design

Build Sprints 1-3: Questionnaire parsing (OCR/form recognition), public data retrieval, sanctions screening integration, risk scoring logic, escalation workflow, audit trail logging

Comparable Implementations

BNY Mellon: Uses AI for vendor pre-screening; 80% of low-risk vendors bypass detailed assessment; 6-week cycle reduced to 10 days
State Street: Deployed questionnaire parsing + public data retrieval; 70% faster vendor onboarding

Deploy This Use Case with the Sprint Factory

From zero to a governed, production agent in 6 weeks.

Sprint Factory Schedule a Briefing

Related Use Cases

On-Demand Compliance

Regulatory Change Monitoring & Impact Triage

Score: 4.5/5.0

On-Demand Operations/IT

Internal IT Service Desk Triage & Routing

Score: 4.45/5.0

On-Demand Credit/Risk

Credit Risk Memo Drafting

Score: 4.4/5.0

Governance Risks to Consider

Before deploying this use case, review these agentic AI risks from the Corvair Risk Catalogue. Each is scored on the DAMAGE framework and mapped to regulatory expectations.