Vendor risk assessment methodology
Sigmodx records approve, reject, flag, and escalate decisions on vendors and counterparties without storing KYC documents or entity PII. Auditors verify period attestations using SIGMODX-VENDOR-[ORG]-[HASH] strings at /verify.
Input hashing
Hash entity reference, entity type, jurisdiction, requested credit limit, and risk score inputs. Your vendor master and screening tool data stays in your environment.
Sanctions auto-reject
When risk_subtype=sanctions_hit, the decision is forced to reject regardless of agent state, and auto_rejected=true is set on the event record. This mirrors SOD auto-block in GL review. Missed sanctions hits trigger BLOCK when the sanctions detection rate falls below 99%.
Risk subtypes
| Subtype | Meaning |
|---|---|
| kyc_incomplete | KYC documentation incomplete |
| sanctions_hit | Entity on sanctions list, auto-rejected |
| adverse_media | Negative media coverage detected |
| financial_risk | Financial health concerns |
| concentration_risk | Over-reliance on single vendor |
| regulatory_violation | Prior regulatory issues |
| geographic_risk | Operating in high-risk jurisdictions |
| beneficial_owner_unclear | Beneficial ownership not established |
| duplicate_vendor | Possible duplicate of existing vendor |
Risk tiers
Tiers low, medium, high, and critical are recorded per decision. Critical tier automatically sets requires_human_approval. Review cards use tier color coding for queue prioritization.
Reliability signals
- Reviewer agreement rate: human agreed with agent decision
- False positive rate: flagged vendors cleared by reviewers
- Sanctions detection rate: sanctions hits correctly rejected
- Escalation rate: decisions escalated to compliance
- Approval accuracy: approved vendors confirmed by reviewers
BLOCK when the sanctions detection rate is below 99%. LIMIT when reviewer agreement is below 90% or the false positive rate is above 10%.
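The sanctions auto-reject rule, the critical-tier rule, and the BLOCK/LIMIT thresholds above, worked through on a constructed period. This is an added example, not Sigmodx code. The fields reviewer_decision and confirmed_sanctions, the function names, the way each rate is computed, and checking BLOCK before LIMIT are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    decision: str                       # approve | reject | flag | escalate
    risk_subtype: str
    risk_tier: str
    auto_rejected: bool
    requires_human_approval: bool
    reviewer_decision: Optional[str]    # hypothetical: reviewer's outcome, None if unreviewed
    confirmed_sanctions: bool           # hypothetical: reviewer-confirmed sanctions match

def record(agent_decision, risk_subtype, risk_tier,
           reviewer_decision=None, confirmed_sanctions=False):
    """Build the event record, applying the forced-reject and critical-tier rules."""
    forced = risk_subtype == "sanctions_hit"
    return Event("reject" if forced else agent_decision, risk_subtype, risk_tier,
                 forced, risk_tier == "critical", reviewer_decision, confirmed_sanctions)

def rate(hits, total):
    return hits / total if total else None      # None: no samples for this signal

def signals(events):
    reviewed = [e for e in events if e.reviewer_decision is not None]
    flagged = [e for e in reviewed if e.decision == "flag"]
    sanctioned = [e for e in events if e.confirmed_sanctions]
    return {
        "agreement": rate(sum(e.reviewer_decision == e.decision for e in reviewed), len(reviewed)),
        "false_positive": rate(sum(e.reviewer_decision == "approve" for e in flagged), len(flagged)),
        "sanctions_detection": rate(sum(e.decision == "reject" for e in sanctioned), len(sanctioned)),
    }

def gate(s):
    """Return 'BLOCK', 'LIMIT', or None; BLOCK is checked first (assumed precedence)."""
    if s["sanctions_detection"] is not None and s["sanctions_detection"] < 0.99:
        return "BLOCK"
    if s["agreement"] is not None and s["agreement"] < 0.90:
        return "LIMIT"
    if s["false_positive"] is not None and s["false_positive"] > 0.10:
        return "LIMIT"
    return None

# Constructed sample period: one sanctions match the agent classified as adverse_media.
EVENTS = [
    record("approve", "sanctions_hit", "critical", "reject", True),   # forced to reject
    record("flag", "adverse_media", "high", "reject", True),          # missed sanctions hit
    record("approve", "kyc_incomplete", "low", "approve"),
    record("flag", "duplicate_vendor", "medium", "flag"),
]
```

The thresholds are strict comparisons, so a period sitting exactly at 99%, 90%, and 10% passes the gate.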
Attestation format
Period attestations include total assessed, approved, rejected, flagged, escalated, and auto-rejected counts, risk subtype breakdown, risk tier breakdown, agent summaries, and sorted decision hashes. Methodology version: sigmodx-vendor-v1.