Vendor Selection and Management

Understanding the vendor landscape:

Vendor Ecosystem:

DIGITAL ASSET TREASURY VENDOR ECOSYSTEM:

┌─────────────────────────────────────────────────────────────┐
│                    CORPORATE TREASURY                        │
│                           │                                  │
│         ┌─────────────────┼─────────────────┐               │
│         │                 │                 │               │
│         ▼                 ▼                 ▼               │
│   ┌──────────┐     ┌──────────┐     ┌──────────┐          │
│   │ CUSTODY  │     │   ODL    │     │ EXCHANGE │          │
│   │ PROVIDER │     │ PROVIDER │     │(if needed)│          │
│   └────┬─────┘     └────┬─────┘     └────┬─────┘          │
│        │                │                │                  │
│        └────────────────┼────────────────┘                  │
│                         │                                   │
│                    [XRP LEDGER]                             │
└─────────────────────────────────────────────────────────────┘

SUPPORTING VENDORS:
├── Market data providers
├── Integration/middleware platforms
├── Compliance/AML services
├── Tax reporting solutions
└── Audit and assurance firms

VENDOR CATEGORIES EXPLAINED:

1. CUSTODY PROVIDERS

2. ODL PROVIDERS

3. EXCHANGES (If direct XRP purchase needed)

4. MARKET DATA PROVIDERS

5. INTEGRATION PLATFORMS

Risk profiles by vendor type:

Risk Assessment Framework:

VENDOR RISK ASSESSMENT:

CUSTODY PROVIDER RISKS:

Financial Risk:
├── Company solvency
├── Insurance adequacy
├── Segregation of assets
└── Severity: CRITICAL (total loss possible)

Operational Risk:
├── Security breach
├── Key management failure
├── System availability
└── Severity: HIGH

Regulatory Risk:
├── License maintenance
├── Compliance failures
├── Enforcement actions
└── Severity: HIGH

Concentration Risk:
├── Single provider dependency
├── Sub-custodian exposure
└── Severity: MEDIUM-HIGH

ODL PROVIDER RISKS:

Transaction Risk:
├── Failed transactions
├── Settlement delays
├── Rate execution
└── Severity: MEDIUM (per-transaction exposure)

Availability Risk:
├── System downtime
├── Corridor unavailability
├── Liquidity constraints
└── Severity: MEDIUM

Counterparty Risk:
├── Provider solvency
├── Pre-funding requirements
└── Severity: MEDIUM-HIGH (if prefunding required)

EXCHANGE RISKS (If applicable):

Counterparty Risk:
├── Exchange solvency
├── Fund segregation
├── Withdrawal availability
└── Severity: HIGH (FTX example)

Market Risk:
├── Liquidity depth
├── Price manipulation
└── Severity: MEDIUM

Operational Risk:
├── System availability
├── Order execution quality
└── Severity: MEDIUM

RISK SCORING MATRIX:

Vendor Type Financial Operational Regulatory Overall
────────────────────────────────────────────────────────────
Custody CRITICAL HIGH HIGH CRITICAL
ODL Provider MEDIUM MEDIUM MEDIUM MEDIUM
Exchange HIGH MEDIUM MEDIUM HIGH
Market Data LOW LOW LOW LOW
Integration LOW HIGH LOW MEDIUM
```

Understanding ecosystem relationships:

Dependency Analysis:

VENDOR INTERDEPENDENCY MAP:

DIRECT DEPENDENCIES:

ODL Provider → Custody (often)
├── ODL may require custody relationship
├── Or may provide bundled custody
└── Understand the structure

ODL Provider → Liquidity Sources
├── Exchanges used for XRP conversion
├── Not always visible to customer
└── Ask about liquidity partners

Custody Provider → Sub-custodians
├── Some use third-party custody
├── Insurance may differ
└── Verify actual custody structure

INDIRECT DEPENDENCIES:

Banking Relationships:
├── All crypto vendors need banking
├── Banking partner failures affect vendors
├── Silvergate/Signature impact was widespread
└── Ask about banking relationships

Technology Providers:
├── Cloud infrastructure (AWS, GCP)
├── Security services
├── Single points of failure
└── Understand technology dependencies

QUESTIONS TO ASK:

1. Who provides your custody services (if not self-custodied)?
2. Which exchanges provide your liquidity?
3. Who are your banking partners?
4. What cloud infrastructure do you use?
5. Do you have any material vendor dependencies?

DEPENDENCY RISK MITIGATION:
├── Prefer vendors with diverse dependencies
├── Avoid vendors with concentrated exposure
├── Understand downstream dependencies
└── Consider backup vendors for critical services

---

Detailed criteria for custody selection:

Custody Evaluation Framework:

CUSTODY PROVIDER EVALUATION (100 points total):

SECURITY (35 points):
├── Key management architecture (10 pts)
│   ├── HSM usage
│   ├── Multi-signature support
│   └── Key generation procedures
├── Physical security (10 pts)
│   ├── Data center security
│   ├── Geographic redundancy
│   └── Access controls
├── Cybersecurity (10 pts)
│   ├── Penetration testing
│   ├── Bug bounty programs
│   └── Incident history
└── Operational security (5 pts)
    ├── Employee vetting
    └── Segregation of duties

REGULATORY COMPLIANCE (25 points):
├── Licensing status (10 pts)
│   ├── Qualified custodian status
│   └── Relevant jurisdiction licenses
├── Compliance program (10 pts)
│   ├── AML/KYC program
│   ├── SOC 2 Type II
│   └── Third-party audits
└── Regulatory standing (5 pts)
    ├── No adverse findings
    └── Good regulatory relationships

INSURANCE (15 points):
├── Coverage amount (5 pts)
│   ├── Adequate for potential exposure
│   └── Per-client limits
├── Coverage scope (5 pts)
│   ├── Theft, hack, internal
│   └── Exclusions acceptable
└── Carrier quality (5 pts)
    ├── Rated carriers
    └── Policy verification

OPERATIONS (15 points):
├── Transaction capabilities (5 pts)
│   ├── Transaction speed
│   └── API quality
├── Reporting (5 pts)
│   ├── Position reporting
│   └── Transaction history
└── Support (5 pts)
    ├── Availability
    └── SLA commitments

FINANCIAL STABILITY (10 points):
├── Company financials (5 pts)
│   ├── Balance sheet strength
│   └── Funding status
└── Business stability (5 pts)
    ├── Customer base
    └── Track record

SCORING GUIDE:
90-100: Excellent—preferred provider
80-89: Good—acceptable provider
70-79: Adequate—acceptable with noted risks
Below 70: Not recommended

Criteria for ODL provider selection:

ODL Evaluation Framework:

ODL PROVIDER EVALUATION (100 points total):

CORRIDOR CAPABILITY (25 points):
├── Required corridors available (15 pts)
│   ├── Current corridor support
│   └── Volume capacity
└── Corridor performance (10 pts)
    ├── Success rate history
    └── Settlement times

PRICING AND ECONOMICS (25 points):
├── Transaction pricing (15 pts)
│   ├── Competitive fees
│   ├── Spread transparency
│   └── Volume discounts
└── Total cost of ownership (10 pts)
    ├── Implementation costs
    └── Ongoing costs

OPERATIONAL CAPABILITY (20 points):
├── System reliability (10 pts)
│   ├── Uptime history
│   └── Incident response
├── API and integration (5 pts)
│   ├── API quality
│   └── Documentation
└── Support quality (5 pts)
    ├── Response times
    └── Technical expertise

COMPLIANCE AND RISK (20 points):
├── Regulatory compliance (10 pts)
│   ├── Licenses held
│   └── Compliance program
├── Risk management (5 pts)
│   ├── Volatility handling
│   └── Rate guarantees
└── Insurance/protection (5 pts)
    ├── Error coverage
    └── Service guarantees

COMPANY STABILITY (10 points):
├── Financial health (5 pts)
│   ├── Funding and profitability
│   └── Balance sheet
└── Market position (5 pts)
    ├── Customer base
    └── Growth trajectory

SCORING GUIDE:
90-100: Preferred partner
80-89: Strong candidate
70-79: Acceptable with conditions
Below 70: Not recommended

Structured due diligence for vendor selection:

Due Diligence Protocol:

VENDOR DUE DILIGENCE PROCESS:

PHASE 1: INITIAL SCREENING (Week 1)

Document Collection:
□ Company overview and history
□ Product/service documentation
□ Licensing and registration proof
□ Initial pricing information
□ Customer references (general)

Initial Assessment:
□ Meets minimum requirements?
□ Serves required jurisdictions?
□ Within budget range?
□ No disqualifying factors?

Output: Short list (2-4 vendors)

PHASE 2: DETAILED EVALUATION (Weeks 2-3)

Document Request:
□ SOC 2 Type II report (full report)
□ Insurance certificate and policy summary
□ Financial statements (if available)
□ Security documentation
□ Sample contracts
□ Detailed pricing proposal

Technical Evaluation:
□ API documentation review
□ Integration complexity assessment
□ Demo/proof of concept
□ Technical architecture review

Compliance Evaluation:
□ License verification
□ Regulatory history check
□ AML program review
□ Legal review of agreements

Output: Scored evaluation

PHASE 3: REFERENCE AND VERIFICATION (Week 4)

Reference Checks:
□ Contact 3+ customer references
□ Prepared questions covering:
│   ├── Operational experience
│   ├── Issues encountered
│   ├── Support quality
│   └── Recommendation status
□ Document feedback

Background Verification:
□ Company registration verification
□ Key executive background
□ News/media search for issues
□ Litigation history check
□ Regulatory filing review

Insurance Verification:
□ Contact insurance carrier directly
□ Verify coverage is active
□ Confirm coverage scope
□ Understand claims history

Output: Verified assessment

PHASE 4: FINAL SELECTION (Week 5)

Selection Analysis:
□ Compile all evaluation data
□ Complete scoring matrix
□ Risk/benefit analysis
□ Final pricing negotiation
□ Contract term negotiation

Selection Decision:
□ Recommendation document
□ Steering committee review
□ Final selection decision
□ Backup vendor identification

Output: Selected vendor(s)

---

Essential terms for digital asset vendor contracts:

Contract Framework:

CRITICAL CONTRACT TERMS:

1. SERVICE LEVEL AGREEMENTS (SLAs)

Availability:
├── Target: 99.9% uptime
├── Measurement: Monthly, excluding maintenance
├── Remedy: Service credits or fee reduction
└── Example: 0.1% unavailability = 10% fee credit

Performance:
├── Transaction processing time: <X minutes
├── Settlement time: <X hours
├── API response time: <X ms
└── Measurement and remedy defined

Support:
├── Response time: P1 issues <1 hour
├── Resolution time: P1 issues <4 hours
├── Coverage: 24/7 for critical issues
└── Escalation path defined

1. INSURANCE REQUIREMENTS

Minimum Coverage:
├── Crime/theft: $X million minimum
├── E&O: $X million minimum
├── Cyber: $X million minimum
└── Per-occurrence and aggregate minimums

Maintenance:
├── Coverage must be maintained throughout term
├── Notice of material changes within X days
├── Right to verify coverage annually
└── Certificate provided upon request

Your Rights:
├── Named as additional insured (if possible)
├── Notice of cancellation: X days
├── Waiver of subrogation
└── Primary coverage (not excess)

1. LIABILITY AND INDEMNIFICATION

Vendor Liability:
├── Uncapped for gross negligence, fraud, willful misconduct
├── Uncapped for breach of confidentiality
├── Cap for other matters: Greater of $X or annual fees
└── No limitation for customer fund loss due to vendor failure

Indemnification:
├── Vendor indemnifies for IP infringement
├── Vendor indemnifies for breach of security
├── Vendor indemnifies for regulatory violations
├── Mutual indemnification for breach of agreement

1. TERMINATION RIGHTS

For Cause:
├── Material breach uncured after X days notice
├── Insolvency or bankruptcy
├── Regulatory action affecting service
├── Change of control (if concerning)
└── Immediate termination without cure period

For Convenience:
├── X days notice (recommend 90+)
├── No penalty or minimal wind-down fee
└── Flexibility to exit if relationship not working

1. DATA AND TRANSITION

Data Ownership:
├── Customer owns all customer data
├── Right to export data in usable format
├── Data retention requirements
└── Data destruction upon termination

Transition Assistance:
├── Vendor provides reasonable transition support
├── Duration: X days minimum
├── Data export assistance
├── Knowledge transfer
└── Costs: Reasonable, capped

1. REGULATORY COMPLIANCE

Vendor Obligations:
├── Maintain required licenses
├── Comply with applicable laws
├── Provide compliance certifications
├── Notify of regulatory inquiries affecting customer
└── Cooperate with customer audits

Approach to vendor negotiations:

Negotiation Framework:

NEGOTIATION STRATEGY:

PREPARATION:

Know Your Leverage:
├── Size of opportunity (volume, fees)
├── Competitive alternatives available
├── Timeline flexibility
├── Reference value (brand name client)
└── Expansion potential

Know Their Priorities:
├── Revenue (price less flexible for startups)
├── Growth metrics (volume commitments)
├── Reference customers (brand value)
├── Market position (strategic corridors)
└── Efficiency (standard vs. custom terms)

Prioritize Your Terms:
├── Must-have: Non-negotiable requirements
├── Important: Strongly preferred but flexible
├── Nice-to-have: Would like but can concede
└── Trade: Items you can offer

NEGOTIATION APPROACH:

Start with Non-Commercial:
├── SLAs and performance standards
├── Insurance requirements
├── Liability terms
├── Termination rights
└── These set expectations before price

Then Commercial:
├── Pricing structure
├── Volume commitments (if any)
├── Implementation fees
├── Ongoing support costs
└── Payment terms

COMMON NEGOTIATION POINTS:

Insurance—They'll Push Back:
├── Their position: "Our standard coverage is adequate"
├── Your response: "We require verification of coverage
│ adequate for our exposure"
├── Compromise: Accept their coverage if adequate,
│ require notification of changes

Liability Caps—They'll Push Back:
├── Their position: "Cap at 12 months fees"
├── Your response: "Uncapped for fund loss and security breach"
├── Compromise: Higher cap, carve-outs for critical failures

Termination—They'll Push Back:
├── Their position: "12-month notice for convenience"
├── Your response: "90-day notice with no penalty"
├── Compromise: 90-180 days, minimal wind-down fee

Pricing—They'll Push Back:
├── Their position: "Standard pricing, volume discounts at tier X"
├── Your response: "Competitive pricing needed; other providers offer Y"
├── Compromise: Better initial pricing with volume commitment,
│ or MFN clause
```

Final contract review before signing:

Review Checklist:

CONTRACT REVIEW CHECKLIST:

TERM                           ACCEPTABLE?    NOTES
────────────────────────────────────────────────────────
GENERAL:
Term length                    □ Yes □ No    ________
Renewal terms                  □ Yes □ No    ________
Governing law/jurisdiction     □ Yes □ No    ________

SERVICES:
Service scope clear            □ Yes □ No    ________
SLAs defined                   □ Yes □ No    ________
SLA remedies adequate          □ Yes □ No    ________
Change process defined         □ Yes □ No    ________

COMPLIANCE:
Insurance requirements         □ Yes □ No    ________
License maintenance            □ Yes □ No    ________
Audit rights                   □ Yes □ No    ________
Regulatory cooperation         □ Yes □ No    ________

RISK:
Liability caps appropriate     □ Yes □ No    ________
Carve-outs for critical issues □ Yes □ No    ________
Indemnification balanced       □ Yes □ No    ________
Force majeure reasonable       □ Yes □ No    ________

TERMINATION:
For cause rights adequate      □ Yes □ No    ________
For convenience available      □ Yes □ No    ________
Transition assistance          □ Yes □ No    ________
Data return obligations        □ Yes □ No    ________

DATA:
Data ownership clear           □ Yes □ No    ________
Confidentiality adequate       □ Yes □ No    ________
Data security requirements     □ Yes □ No    ________
Breach notification            □ Yes □ No    ________

COMMERCIAL:
Pricing acceptable             □ Yes □ No    ________
Fee increase limits            □ Yes □ No    ________
Payment terms acceptable       □ Yes □ No    ________

LEGAL REVIEW:
Legal counsel reviewed         □ Yes □ No    ________
Legal issues resolved          □ Yes □ No    ________

FINAL APPROVAL:
Authorized signatory identified □ Yes □ No    ________
Authority verified             □ Yes □ No    ________

---

Ongoing vendor performance tracking:

Monitoring Framework:

VENDOR PERFORMANCE MONITORING:

CUSTODY PROVIDER METRICS:

Metric Target Alert Frequency
────────────────────────────────────────────────────────
System availability 99.9% <99.5% Monthly
Transaction success 99.9% <99% Monthly
Reconciliation accuracy 100% <100% Daily
Support response (P1) <1 hour >2 hours Per incident
Insurance valid Yes Expired Quarterly
SOC 2 current Yes >12 months Annual

ODL PROVIDER METRICS:

Metric Target Alert Frequency
────────────────────────────────────────────────────────
Transaction success 98% <95% Monthly
Settlement time <4 hours >8 hours Weekly
Rate execution ±0.5% >±1% Per transaction
System availability 99.5% <99% Monthly
Corridor availability 99% <95% Monthly
Support response <4 hours >8 hours Per incident

PERFORMANCE DASHBOARD:

Monthly Vendor Scorecard:
┌──────────────────────────────────────────────────────┐
│ Vendor: ________________ Period: ________________ │
│ │
│ Metric Target Actual Status │
│ ───────────────────────────────────────────────── │
│ Availability 99.9% ____% _______ │
│ Transaction success 98% ____% _______ │
│ Settlement time <4 hr ___ hr _______ │
│ Support response <4 hr ___ hr _______ │
│ │
│ Overall Status: □ Green □ Yellow □ Red │
│ │
│ Issues This Period: │
│ _________________________________________________ │
│ │
│ Actions Required: │
│ _________________________________________________ │
└──────────────────────────────────────────────────────┘
```

Ongoing vendor relationship activities:

Relationship Framework:

VENDOR RELATIONSHIP MANAGEMENT:

REGULAR TOUCHPOINTS:

Weekly (Operational):
├── Operational contact check-in (if issues)
├── Issue resolution follow-up
├── Upcoming activity coordination
└── Time: 15-30 minutes as needed

Monthly (Tactical):
├── Performance review
├── Issue trend analysis
├── Upcoming needs discussion
├── Product/service updates
└── Time: 30-60 minutes

Quarterly (Strategic):
├── Formal business review
├── Performance scorecard review
├── Roadmap and strategy discussion
├── Contract/commercial review
├── Executive participation
└── Time: 1-2 hours

Annual (Strategic):
├── Comprehensive relationship review
├── Contract renewal discussion (if applicable)
├── Strategic alignment assessment
├── Pricing and commercial review
└── Time: Half day

ESCALATION PATH:

Issue Level Your Contact Their Contact
────────────────────────────────────────────────────────
Operational Treasury Analyst Support Team
Technical IT Lead Technical Lead
Commercial Treasury Manager Account Manager
Strategic Treasury Director VP/Director
Executive CFO C-Level

DOCUMENTATION:

Maintain vendor file including:
├── Contract and amendments
├── Performance reports
├── Meeting notes
├── Issue log
├── Correspondence
└── Insurance certificates
```

Ongoing vendor risk assessment:

Risk Monitoring Framework:

VENDOR RISK MONITORING:

CONTINUOUS MONITORING:

Financial Health Indicators:
├── News monitoring for financial issues
├── Funding announcements
├── Leadership changes
├── Customer wins/losses
└── Trigger: Any negative indicator

Regulatory Indicators:
├── License status verification
├── Enforcement action monitoring
├── Regulatory news
├── Industry regulatory trends
└── Trigger: Any regulatory concern

Operational Indicators:
├── Service performance trends
├── Incident frequency and severity
├── Support quality changes
├── Staff turnover signals
└── Trigger: Declining trends

PERIODIC ASSESSMENT:

Quarterly Risk Review:
├── Update risk scorecard
├── Review any incidents
├── Assess trend direction
├── Determine if action needed

Risk Scorecard Update:
┌──────────────────────────────────────────────────────┐
│ Vendor Risk Assessment │
│ Vendor: ________________ Date: ________________ │
│ │
│ Risk Category Previous Current Trend │
│ ───────────────────────────────────────────────── │
│ Financial Low/Med/Hi ________ ↑/→/↓ │
│ Operational Low/Med/Hi ________ ↑/→/↓ │
│ Regulatory Low/Med/Hi ________ ↑/→/↓ │
│ Concentration Low/Med/Hi ________ ↑/→/↓ │
│ │
│ Overall Risk: Low/Med/Hi ________ │
│ Action Required: ________________________________ │
└──────────────────────────────────────────────────────┘

EARLY WARNING TRIGGERS:

Financial:
├── Layoffs announced
├── Funding difficulties reported
├── Major customer losses
├── Bankruptcy rumors
└── Action: Immediate assessment, consider transition plan

Operational:
├── Major service outage
├── Security breach
├── Key personnel departure
├── Repeated SLA misses
└── Action: Escalate, assess alternatives

Regulatory:
├── License suspension
├── Enforcement action
├── Significant fine
├── Business restriction
└── Action: Legal review, assess continuity

---

Preparing for potential vendor transitions:

Exit Planning Framework:

EXIT PLANNING:

PRINCIPLE: Always have an exit plan before you need one

PRE-NEED PREPARATION:

Backup Vendor Identification:
├── Identify backup for each critical vendor
├── Complete initial qualification
├── Establish relationship (can be dormant)
├── Understand onboarding timeline
└── Document in contingency plan

Contract Exit Provisions:
├── Ensure adequate termination rights exist
├── Transition assistance included
├── Data portability requirements
├── Reasonable wind-down period
└── No excessive termination penalties

Internal Readiness:
├── Document all integrations
├── Maintain independent records
├── Know data export requirements
├── Staff trained on alternatives
└── Procedures documented

EXIT TRIGGERS:

Planned Exit (For Convenience):
├── Better alternative identified
├── Strategic direction change
├── Cost optimization
├── Service consolidation
└── Timeline: 90-180 days typically

Unplanned Exit (For Cause):
├── Material breach
├── Service failure
├── Financial distress
├── Regulatory issue
└── Timeline: As fast as possible

Emergency Exit:
├── Imminent vendor failure
├── Security breach
├── Regulatory shutdown
├── Fraud or misconduct
└── Timeline: Immediate
```

Managing vendor transitions:

Transition Framework:

VENDOR TRANSITION PROCESS:

PHASE 1: DECISION AND PLANNING (Weeks 1-2)

Decision Documentation:
├── Document exit rationale
├── Obtain necessary approvals
├── Determine timing
└── Communicate internally

Planning:
├── Activate backup vendor relationship
├── Develop detailed transition plan
├── Assign transition team
├── Establish communication plan
└── Identify critical milestones

PHASE 2: NEW VENDOR SETUP (Weeks 2-6)

New Vendor Onboarding:
├── Complete contracting (expedite if needed)
├── Complete KYC/AML requirements
├── Technical integration setup
├── Testing and validation
└── Staff training

Parallel Operation Preparation:
├── Configure for parallel running
├── Establish monitoring
├── Define cutover criteria
└── Document rollback procedures

PHASE 3: TRANSITION EXECUTION (Weeks 6-10)

Parallel Operation:
├── Run both vendors in parallel
├── Compare results
├── Resolve any discrepancies
├── Build confidence in new vendor
└── Duration: 2-4 weeks typical

Cutover:
├── Final parallel validation
├── Execute cutover
├── Intensive monitoring
├── Issue resolution
└── Old vendor wind-down begins

PHASE 4: WIND-DOWN (Weeks 10-14)

Old Vendor Exit:
├── Migrate remaining items
├── Extract all data
├── Close accounts
├── Final reconciliation
├── Terminate contract
└── Archive documentation

Lessons Learned:
├── Document transition experience
├── Update procedures
├── Update contingency plans
└── Share knowledge

TRANSITION TIMELINE (TYPICAL):

Week 1-2 3-4 5-6 7-8 9-10 11-12 13-14
────────────────────────────────────────────────────────────────
Decision/Planning ████
New vendor setup ████████████
Testing ████████
Parallel operation ████████
Cutover ████
Wind-down ████████
```

Handling urgent vendor situations:

Emergency Framework:

EMERGENCY VENDOR CONTINGENCY:

SCENARIO: VENDOR SUDDENLY UNAVAILABLE

Trigger Events:
├── Vendor announces insolvency
├── Regulatory shutdown
├── Major security breach
├── Operational collapse
└── Executive order or sanctions

IMMEDIATE ACTIONS (Hours 1-4):

Assessment:
├── Confirm situation is real
├── Assess impact on operations
├── Determine asset exposure
├── Contact vendor for information
└── Engage legal counsel

Communication:
├── Notify executive sponsor
├── Notify steering committee
├── Prepare internal communication
├── Do NOT make external statements yet
└── Designate spokesperson

Asset Protection:
├── Attempt to withdraw assets (if custody)
├── Document current positions
├── Verify on-chain holdings
├── Assess recovery options
└── Engage recovery specialists if needed

SHORT-TERM ACTIONS (Days 1-7):

Operations:
├── Halt new transactions with vendor
├── Activate backup vendor
├── Implement manual workarounds
├── Prioritize critical operations
└── Communicate with counterparties

Recovery:
├── Participate in creditor processes
├── Document all claims
├── Engage legal for recovery
├── Monitor regulatory communications
└── Assess insurance claims

LONGER-TERM ACTIONS (Weeks 1-4):

Transition:
├── Complete transition to backup
├── Implement permanent solution
├── Update risk controls
└── Document lessons learned

Review:
├── Post-incident review
├── Vendor management improvements
├── Contingency plan updates
└── Board/audit committee reporting

CONTINGENCY CONTACTS:

Role Name Phone
────────────────────────────────────────────────
Executive sponsor __________ __________
Legal counsel __________ __________
Backup custody __________ __________
Backup ODL __________ __________
External PR (if needed) __________ __________
Insurance broker __________ __________

---

✅ Vendor due diligence matters: FTX, Celsius, and other failures affected customers who didn't adequately vet vendors

✅ Contract terms protect interests: Companies with strong termination rights and transition provisions fare better in vendor issues

✅ Ongoing monitoring catches problems: Early warning indicators give time to respond before crisis

✅ Backup vendors are essential: Companies with pre-qualified alternatives transition faster when needed

⚠️ Vendor viability predictions: Even thorough due diligence can't guarantee vendor survival

⚠️ Insurance recovery: Actual recovery from insurance claims in crypto custody losses is limited precedent

⚠️ Regulatory direction: How regulations will affect vendor landscape

⚠️ Market consolidation: Which vendors will survive industry maturation

🔴 Single vendor dependency: No backup provider identified is high-risk

🔴 Weak contract terms: Accepting vendor-favorable terms limits your options

🔴 Set-and-forget relationships: Vendors change; ongoing monitoring is essential

🔴 Ignoring warning signs: Early indicators often precede failures

Digital asset vendors require more rigorous selection and ongoing management than traditional banking relationships due to younger companies, less regulation, and faster-moving industry dynamics. Thorough due diligence, strong contract terms, ongoing monitoring, and prepared exit strategies are essential. The goal isn't to avoid all vendor risk—that's impossible—but to enter relationships with clear understanding, adequate protections, and prepared contingencies.

---

Assignment: Develop a comprehensive vendor management framework for your organization's digital asset treasury vendors.

Requirements:

Part 1: Vendor Inventory and Risk Assessment (25%)

VENDOR INVENTORY:

CURRENT/PLANNED VENDORS:

Category: Custody
├── Vendor: _________________________________
├── Status: Current / Planned / Backup
├── Criticality: Critical / High / Medium / Low
├── Contract expiry: _________________________
├── Risk assessment: Low / Medium / High
└── Backup identified: Yes / No

Category: ODL Provider
├── Vendor: _________________________________
├── Status: Current / Planned / Backup
├── Criticality: Critical / High / Medium / Low
├── Contract expiry: _________________________
├── Risk assessment: Low / Medium / High
└── Backup identified: Yes / No

[Continue for all vendor categories]

RISK SUMMARY:

Total vendors: ____
Critical risk: ____ vendors
High risk: ____ vendors
Without backup: ____ vendors
```

Part 2: Evaluation Scorecard (25%)

VENDOR EVALUATION SCORECARD:

Vendor: _________________________________
Category: _______________________________
Evaluation Date: ________________________

SCORING:

Criteria Weight Score(1-5) Weighted
────────────────────────────────────────────────────
Security ___% ____ ____
Compliance ___% ____ ____
Insurance ___% ____ ____
Operations ___% ____ ____
Financial stability ___% ____ ____
────────────────────────────────────────────────────
TOTAL 100% ____

RECOMMENDATION:
□ Approve without conditions
□ Approve with conditions: ___________________
□ Do not approve: ___________________________

REVIEWER: _________________________________
```

Part 3: Contract Term Requirements (25%)

CONTRACT TERM REQUIREMENTS:

MUST-HAVE TERMS:
├── SLA: _________________________________
├── Insurance minimum: ____________________
├── Liability: ___________________________
├── Termination for convenience: __________
└── Data transition: _____________________

IMPORTANT TERMS:
├── _____________________________________
├── _____________________________________
└── _____________________________________

1. ______________________________________
2. ______________________________________
3. ______________________________________

Part 4: Performance Monitoring Plan (15%)

PERFORMANCE MONITORING:

METRICS TO TRACK:

Metric Target Alert Frequency
────────────────────────────────────────────────────

---

---

---

REVIEW CADENCE:
├── Weekly: ______________________________
├── Monthly: _____________________________
├── Quarterly: ___________________________
└── Annual: ______________________________

RESPONSIBLE PARTY: _______________________
```

Part 5: Exit Strategy (10%)

EXIT STRATEGY:

FOR EACH CRITICAL VENDOR:

Vendor: _________________________________
├── Backup vendor: _______________________
├── Onboarding time: _____________________
├── Exit trigger criteria: ________________
├── Transition time estimate: _____________
└── Key risks during transition: __________

EMERGENCY CONTACTS:
├── Internal: ____________________________
├── Backup vendor: _______________________
├── Legal: _______________________________
└── Insurance: ___________________________

- Completeness of vendor inventory (20%)
- Quality of evaluation framework (25%)
- Thoroughness of contract requirements (25%)
- Practicality of monitoring plan (20%)
- Realism of exit strategy (10%)

**Time investment:** 4-5 hours  
**Value:** This deliverable provides the vendor management infrastructure needed for professional digital asset treasury operations—essential for risk management and operational continuity.

---

1. Vendor Due Diligence:

During custody provider evaluation, what document provides the most reliable evidence of operational controls?

A) Marketing brochures describing security features
B) SOC 2 Type II report from independent auditor
C) Customer testimonials on the company website
D) Insurance certificate showing coverage amount

Correct Answer: B

Explanation: SOC 2 Type II reports are conducted by independent auditors and assess controls over an extended period (typically 6-12 months). They provide third-party verification of security, availability, processing integrity, confidentiality, and privacy controls. Marketing materials (A) are promotional. Testimonials (C) are selected by vendor. Insurance certificates (D) show coverage exists but don't verify operational controls.

---

2. Contract Negotiation:

A custody provider offers a contract with liability capped at 12 months of fees. For a $10M custody relationship with $50,000 annual fees, why is this problematic?

A) The cap is too high and unfair to the vendor
B) The cap is too low relative to asset exposure ($10M vs. $50K)
C) Liability caps are never appropriate in custody contracts
D) Only uncapped liability is acceptable in any vendor contract

Correct Answer: B

Explanation: A $50,000 liability cap against $10M in custodied assets creates massive risk mismatch. If the custody provider fails and assets are lost, you can only recover $50,000 of $10M exposure. Appropriate negotiation would seek uncapped liability for asset loss due to provider failure, or significantly higher caps. Option A is incorrect (cap favors vendor). Option C is too absolute (some caps may be acceptable for certain issues). Option D is unrealistic (caps are standard for some matters).

---

3. Vendor Risk Monitoring:

A treasury team notices their ODL provider's transaction success rate declined from 98% to 94% over three months. According to the monitoring framework, what is the appropriate response?

A) No action needed—94% is still acceptable
B) Document the trend and discuss at next quarterly review
C) Immediately terminate the relationship
D) Escalate, assess root cause, and consider backup activation

Correct Answer: D

Explanation: A declining trend from 98% to 94% (below the 95% alert threshold) warrants immediate attention. The response should be: (1) Escalate internally, (2) Engage vendor to understand root cause, (3) Assess whether the issue is systemic or temporary, (4) Consider backup vendor if issue persists. Option A ignores a concerning trend. Option B delays too long. Option C is premature without understanding the cause.

---

4. Exit Planning:

Why should backup vendors be pre-qualified before an exit situation occurs?

A) To get better pricing through competitive pressure
B) To reduce transition time when an exit becomes necessary
C) Because regulators require backup vendors
D) To avoid the need for ongoing vendor monitoring

Correct Answer: B

Explanation: Pre-qualifying backup vendors means onboarding paperwork, initial due diligence, and relationship establishment are already complete. When an exit becomes necessary (especially in emergency situations), this dramatically reduces transition time. Without pre-qualification, you must complete full onboarding while potentially in crisis mode. Option A is a side benefit, not primary reason. Option C is not generally a regulatory requirement. Option D is incorrect—monitoring is still needed.

---

5. Vendor Dependencies:

A treasury team discovers their ODL provider uses the same custody solution as their primary custody provider. Why is this a risk management concern?

A) It indicates the ODL provider lacks sophistication
B) It creates concentration risk if the custody provider fails
C) It violates best practice to use the same custody twice
D) It suggests the vendors are colluding on pricing

Correct Answer: B

Explanation: If both your direct custody relationship and your ODL provider's custody use the same underlying custodian, you have concentrated custody risk. A single custody provider failure affects both your directly held assets AND your ODL operations. This is vendor interdependency risk that should be identified during due diligence and managed through diversification or enhanced monitoring.

---

For Next Lesson:
Gather financial data about your current cross-border payment costs and treasury operations before Lesson 11, where we'll examine how to build the business case for digital asset treasury operations.

---

End of Lesson 10

Total words: ~6,500
Estimated completion time: 55 minutes reading + 4-5 hours for deliverable