Skip to main content
Editorial illustration of a procurement audit scorecard with four pillars (operational, compliance, commercial, continuity) and a 28-point checklist
Guide May 22, 2026 | 12 min read

BPO Vendor Due Diligence: The Procurement-Grade Checklist (2026)

A 28-point procurement-stage playbook for vetting a finalist call-center vendor before you sign: four pillars, seven deal-killing red flags, four compliance acts, and the math on what getting it wrong costs.

BPO due diligence is the procurement-grade evaluation of a finalist call-center vendor before you sign the contract. It is not the same thing as selecting a vendor. Selection narrows a longlist of fifteen to a shortlist of three. Due diligence is what you do to the one you plan to sign. It covers compliance scope (TCPA, HIPAA, FDCPA, PCI), financial stability, SLA enforceability, attrition benchmarking, sub-contracting risk, exit clauses, and security posture. Typical effort: 90 minutes to 8 hours of structured evaluation against a written scorecard.

If you are still narrowing your shortlist, read how to choose a BPO partner first. This piece is for procurement, COO, or finance leaders running the formal evaluation after the shortlist is set. The 28-point playbook, the seven red flags, and what the wrong pick actually costs.

The 4 ways procurement gets BPO selection wrong

Most BPO deals do not fail at selection. They fail at the diligence stage that procurement teams skip because the deal already feels closed. Four failure modes repeat on almost every post-mortem.

Trusting the sales deck. Vendors front-load 12-month case studies; back-end attrition data lives elsewhere. The shortlist deck is the most heavily edited document in the deal.

The shortlist deck is the most heavily edited document in the deal.

Skipping the compliance audit. TCPA, HIPAA, FDCPA, and PCI scope gets confirmed verbally and never written down. The BAA template, recording retention policy, and FCC offshore disclosure should be reviewed line by line by counsel.

No SLA back-pressure. Buyers accept the vendor's SLA template as-is. The real test is whether the SLA has financial teeth (service credits, exit triggers) and a remediation clock measured in business days, not quarters.

The vendor's vendor. Many BPOs sub-contract overflow, after-hours, or specialty queues to a second BPO. The buyer signs with vendor A and gets agents from vendor C, often with the hidden fees buried in BPO contracts covering the markup. This must be disclosed in writing.

Each failure has a checklist counter-measure. Framework next, then all 28 items.

The 4 pillars of procurement-grade BPO diligence

Procurement-grade diligence is not a vibe check. It is a four-pillar framework borrowed from McKinsey's TCO model and ISG's Buyers Guide scoring, scoped to call-center procurement. Each pillar gets a written score (Green, Yellow, Red) before the deal moves to legal review.

Operational fit

Does the vendor's team structure (fronter or closer perimeter, queue depth, ramp curve) match your campaign type? Sub-questions: (a) attrition rate in months 3 to 12 by cohort; (b) training tenure to license-ready or compliance-ready, in days; (c) escalation tree with a named supervisor. The structure question matters enough that we wrote a separate piece on how fronter or closer team structure affects vetting.

Compliance posture

Is regulatory scope provable on paper, not verbally? Sub-questions: (a) BAA on file (HIPAA), (b) FCC offshore disclosure verbatim in the consent script (TCPA), (c) named compliance officer with a direct line and one-business-day response window. Generic "our compliance team will handle it" is a deflection.

Commercial transparency

Is the price you see the price you pay? Sub-questions: (a) all-in per agent-hour pricing with every line item enumerated, (b) escalators through year three bounded (CPI plus X percent), (c) published change-order rate card. The transparency lift is why how CFG pricing works (no markups) lives as a standalone page.

Continuity risk

What happens when the vendor stumbles? Sub-questions: (a) financial stability (12 months runway minimum, bank letter or audited statement), (b) BCP and DR plan with a named alternate site, (c) sub-contracting disclosed in writing with a no-sub default.

If you want this rigor without the 8 hours of internal lift, the $497 Vendor Vetting Audit packages all four pillars into a 90-minute founder-led working session plus an 8-page memo. It is a paid deliverable, not a sales call.

The 28-point vendor vetting checklist

Each item maps to one of the four pillars. Score Green, Yellow, or Red. Three Reds in any pillar disqualifies the finalist. A Green sweep is rare; one or two Yellows on commercial or operational is normal.

Operational (items 1 to 7)

  1. SLA template includes financial service credits, with a remediation clock in business days.
  2. Escalation tree names a specific supervisor with a direct email and Slack or Teams handle.
  3. Attrition rate in months 3 to 12 of agent tenure is disclosed in writing, with cohort definition.
  4. Training tenure to license-ready (Medicare) or compliance-ready (FDCPA) is documented in days.
  5. Recording retention policy specifies storage location, encryption (AES-256 at rest), and retention window.
  6. QA scorecard is shared in advance and matches the vendor's internal calibration.
  7. Agent assessment uses your call recordings, not generic role-play audio.

Compliance (items 8 to 14)

  1. TCPA applicability is confirmed: consent records, DNC scrubbing cadence, manual-vs-ATDS classification.
  2. HIPAA applicability is confirmed: BAA on file, named privacy officer, breach notification window.
  3. FDCPA applicability is confirmed for debt vendors: mini-Miranda script, time-zone gating, Regulation F.
  4. PCI DSS scope is confirmed when taking card data: SAQ level, attestation date, tokenization vendor.
  5. FCC offshore disclosure language appears verbatim in the consent script when agents are non-US.
  6. Named compliance officer answers a direct call within one business day, not via a ticket queue.
  7. Independent SOC 2 Type II report is current (within 12 months) and shared under NDA on request.

For a deeper version, read the full call center compliance checklist.

Commercial (items 15 to 21)

  1. Pricing is all-in per agent-hour, with every line item enumerated (seat, technology, license).
  2. Hidden-fee enumeration covers ramp surcharges, holiday premium, after-hours, and live-transfer fees.
  3. Ramp curve is documented week by week through week 12.
  4. Minimum commit (hours, seats, months) is explicit. Shortfall penalties are disclosed.
  5. Escalator clauses for years two and three are bounded (CPI plus X percent).
  6. Change-order math is governed by a published rate card.
  7. Exit clauses include data return format, transition assistance window, and a named offboarding contact.

Continuity (items 22 to 28)

  1. Financial stability: 12 months runway minimum, disclosed via bank letter or audited statement.
  2. Key-man risk: if the founder left tomorrow, the second-in-command is named and reachable.
  3. Sub-contracting is disclosed in writing, with a no-sub clause as the default.
  4. BCP and DR plan names a specific alternate site, with a documented cutover RTO.
  5. Data residency is confirmed in writing (country, region, sub-processor list).
  6. Parent-company conflicts (your vendor's parent serving a competitor) are disclosed.
  7. References at scale: three current customers of similar size who will take a 20-minute call.

Three Reds in any pillar is a finalist-killer. Next: what to do with the Reds you find.

7 red flags that should kill a BPO deal

If any of the following surfaces during diligence, pause the deal. These are not negotiation items. They are deal-breakers.

  1. No SOC 2 and no plan to get one. A vendor handling regulated data without SOC 2 Type II is signaling that audit posture is not a priority. For most enterprise buyers, an outright disqualifier.
  2. Sub-contracting refused as a topic. If "we use sub-contractors when we need to" is treated as off-limits, walk. The buyer is entitled to know who actually staffs the queue.
  3. No named compliance officer. Generic "our compliance team" is a deflection. You need a name, a title, a phone line, and a calendar invite with a one-business-day response SLA.
  4. Attrition data refused in writing. Verbal benchmarks are not auditable. Refusal to put attrition in the contract is the single most reliable tell that the number is bad.
  5. SLA without financial teeth. "We will make it right" is not an SLA. Service credits with named percentages, a remediation clock in business days, and exit triggers are.
  6. Founder or CEO unavailable for the diligence call. Any vendor under 200 seats whose founder will not take a 30-minute diligence call has scaling problems.
  7. References declined. Three references of similar size is the floor. Refusal, substitution of small references, or "we will get back to you" is a deflection.

Refusal to put attrition in the contract is the single most reliable tell that the number is bad.

Catch one of these in a finalist evaluation and the founder-led procurement audit has already paid for itself. The 8-page memo names red flags line by line, with mitigation language you can take into renegotiation or into the decision to walk.

The 4 compliance acts every BPO buyer must verify

Compliance is the most under-treated section in BPO diligence. Buyers default to trusting vendor assertions because the regulatory reading is dense. The four acts below cover roughly 90 percent of regulated BPO scope in the US market.

TCPA (Telephone Consumer Protection Act)

Covers consent for outbound calls and texts. Compliant means: signed consent records, DNC scrubbing on a published cadence, manual-vs-ATDS classification documented per campaign. Evidence to request: a redacted sample of the consent record format. See TCPA compliance for outsourced call centers and the FCC TCPA reference.

HIPAA (Health Insurance Portability and Accountability Act)

Covers any vendor handling PHI. Compliant means: BAA on file, named privacy officer, documented breach notification protocol. Evidence to request: BAA template and the privacy officer's direct contact. See HIPAA-compliant call center outsourcing and the HHS HIPAA reference. A vendor who cannot produce a BAA template within one business day has not built the posture.

FDCPA and Regulation F

Covers debt vendors. Compliant means: mini-Miranda script in writing, 7-in-7 contact frequency documented, time-zone gating per state. Evidence to request: the actual call script with the mini-Miranda highlighted. Regulation F is the current operative rule; see the CFPB Regulation F reference.

PCI DSS

Covers any vendor taking card data, even one-off. Compliant means: documented SAQ level, current attestation, tokenization vendor named in writing. Evidence to request: most recent AOC (Attestation of Compliance). Current standard at the PCI Security Standards Council reference.

The 90-minute audit scores all four against your finalist's actual posture, with evidence requests pre-built and the 8-page memo flagging gaps line by line. Walk through the audit deliverables.

$497 vs $60,000: the math on getting the diligence wrong

The wrong BPO pick costs the average 10-seat program $60,000 to $84,000 in year-one churn, ramp drag, and re-contracting (see the full breakdown on the cost of call center attrition). The figure is anchored on ContactBabel attrition benchmarks, where 25 to 40 percent annual agent attrition is the published mid-range.

The cost stack: Re-RFP (legal plus internal time) lands at $8,000 to $15,000. Ramp drag on a re-launched 10-seat program runs 6 to 8 weeks of degraded productivity, conservatively $20,000 to $30,000. Compliance remediation, if a TCPA or FDCPA breach surfaces, adds $15,000 to $40,000. Re-training internal stakeholders is another $5,000 to $10,000 in soft cost. Conservative floor: $60,000. Realistic mid-band: $72,000.

The $497 audit versus $60K of year-one churn is a 120x ratio at the floor. One finding that would have cost you $60,000 closes the math. If fewer than three findings surface, CFG refunds $497 in full and you keep every deliverable. Bounded refund, unbounded upside.

Bounded refund, unbounded upside.

The Vendor Vetting Audit: done-for-you diligence in 90 minutes

Full disclosure: CFG is a BPO vendor. The audit is structured so the deliverable lands whether you hire CFG or not.

The Vendor Vetting Audit is a 90-minute live session with CFG's founder. The four pillars get scored against your specific finalist in real time. You leave with the scorecard filled in, the TCO model built, and the compliance gaps surfaced. An 8-page memo follows within 5 business days, covering: pricing benchmark (CFG's all-in rate plus three published competitive ranges), attrition gap versus ContactBabel benchmarks, TCPA / HIPAA / FDCPA / PCI compliance scoring, SLA gap analysis, fronter-or-closer perimeter analysis, the 28-point checklist scored, three named next moves, and a CFG fit assessment if applicable.

Most audits do not end in a CFG pilot, by design. Three common outcomes: stay with the incumbent (with tightened contract language we draft for you), replace with a different vendor (we name who is worth talking to), or pilot a 10-seat replacement with CFG. The audit work gets paid either way.

Book the Vendor Vetting Audit. Founder's calendar, $497, refund-protected, 8-page memo within 5 business days.

FAQ: procurement-grade BPO diligence

  1. What is the difference between selecting a BPO and vetting one? Selection narrows a longlist of 15 to a shortlist of three. Vetting is what you do to the finalist before you sign. Selection is exploratory; vetting is gatekeeping. Selection happens in marketing; vetting happens in procurement and legal.
  2. Is the Vendor Vetting Audit only for buyers who plan to hire CFG? No. The audit is a paid deliverable that lands whether the recommendation is stay, replace, or pilot with CFG. Most audits do not end in a CFG pilot, by design. Buyers in regulated verticals like Medicare use the audit because HIPAA posture is hard to read from a sales deck.
  3. What if I want to DIY the diligence? Use the 28-point checklist above plus the Pilot Blueprint (free PDF), which covers procurement-side framing for the four pillars. Plan on 6 to 8 hours of evaluation plus 2 to 4 hours of reference calls.
  4. How long does the audit take to complete? 90-minute live session with the founder, plus an 8-page memo within 5 business days. Total elapsed time from booking to memo: 7 to 10 business days.
  5. What is in the 8-page memo? Pricing benchmark, attrition gap analysis, TCPA / HIPAA / FDCPA / PCI compliance scoring, SLA gap analysis, fronter-closer perimeter analysis, 28-point checklist scored, three named red flags, three recommended next moves, and a CFG fit verdict if applicable.

Two paths from here

Procurement-grade diligence is the cheapest insurance on a multi-year BPO contract. The worst version of this work is doing it after the deal is signed.

DIY path: download the Pilot Blueprint (free PDF) and run the 28-point checklist against your finalist. Done-for-you path: book 90 minutes with the founder for $497 and walk away with the 8-page memo. Either way, the diligence happens before the contract, not after.

Get updated

Subscribe to our newsletter & get the latest BPO insights

No spam, ever. Unsubscribe anytime.

$497 Founder-Led Audit

Done-for-you BPO due diligence

90-minute working session with CFG's founder, the 28-point checklist scored against your finalist, plus an 8-page memo within 5 business days. Book the audit or grab the free Pilot Blueprint to DIY.

Refund if fewer than 3 findings 8-page written memo Credits any pilot in 60 days

Pre-scoped pilot programs

Skip the discovery call. Get a written quote in 60 seconds.

Each pilot ships with a vertical-specific intake form, pre-set seat counts, and a 24-hour quote turnaround. Or grab the free 48-hour Pilot Blueprint.

Free Pilot Blueprint › Medicare AEP › Debt Collection › B2B SDR › Solar › Home Services ›