The Advisory Hub
Vendor Risk
How a Pakistani company controls the risk that arrives with its vendors — counterparty verification, contract remedies that survive sections 73 and 74 of the Contract Act, 1872, data and confidentiality exposure, AML and beneficial-ownership screening, and the concentration nobody mapped.
Companies check their customers' credit, audit their own compliance, and let vendors in through a purchase order and a phone call. Yet a vendor relationship is one of the few places where money, data, and dependence all flow outward at once — and where another company's failures become yours by operation of law and contract. This page sets out how a Pakistani business puts structure around that exposure, written for the CFO or director who owns the question, as of July 2026.
Vendor failure is a legal event
It helps to list the ways a vendor actually hurts you, because each has a different legal shape. Non-performance is the obvious one, and the least dangerous: it is a contract claim, if the contract was built to support one. Insolvency is worse — your advance payment becomes an unsecured claim in a queue. A data or confidentiality leak is worse again, because the liability to your customers stays with you while the cause sits outside your control. Then there is contamination: as a withholding agent under the Income Tax Ordinance, 2001 you are responsible for deducting tax on vendor payments at rates that depend on the vendor's Active Taxpayers List status, and your input tax claims under the Sales Tax Act, 1990 can fail on the strength of a supplier's own registration and conduct [INPUT TAX DISALLOWANCE CONDITIONS — TO BE VERIFIED BY REVIEWING LAWYER]. Finally there is association: paying a proscribed or sanctioned counterparty, even unknowingly, creates exposure no contract clause repairs.
Managing vendor risk means addressing all five, in order: verify before you sign, contract for remedies that work, control the data, screen the ownership, and never let one counterparty become irreplaceable.
Know the counterparty before the contract
Verification in Pakistan is cheap and mostly public, which makes skipping it hard to defend. For a company, pull the SECP record: existence, status, directors, registered office, and charges over its assets — a vendor whose receivables and equipment are fully encumbered is a vendor whose failure leaves nothing to claim against. For partnerships and sole proprietorships, sight the deed and registrations, and know that you may be contracting with individuals personally. Check the NTN and the Active Taxpayers List before commercial terms are agreed, because the withholding cost of a non-filer belongs in the price. For vendors above your significance threshold, take a beneficial-ownership declaration and screen the names — the entity, its owners, its directors — against the proscribed lists maintained under the Anti-Terrorism Act, 1997 framework and the sanctions expectations your own bank applies. A litigation search and two reference calls complete the picture for anything critical. None of this takes a week, and all of it costs less than the first day of a dispute.
Remedies that work under the Contract Act, 1872
Most vendor contracts in Pakistan are drafted as if damages were a vending machine: breach in, money out. Sections 73 and 74 of the Contract Act, 1872 say otherwise, and the gap between the drafting and the law is where companies lose. Section 73 gives compensation for loss actually caused and proved, flowing naturally from the breach — remote and speculative losses are out, and proof is your burden. Section 74 governs the liquidated damages clause every template contains: the named sum is a ceiling on recovery, not an automatic entitlement, and courts award reasonable compensation within it, generally still expecting evidence of real loss. A clause that reads as a penalty invites the court to cut it down. Add the practical layer — civil recovery through Pakistani courts is measured in years — and the drafting lesson becomes clear.
Do not design remedies that depend on winning a lawsuit. Design remedies that reverse the burden: security deposits and bank guarantees you hold; holdbacks and milestone payments, so the money at risk is theirs; service credits applied against invoices, so underperformance prices itself without litigation. Where a liquidated damages figure is genuinely needed, build it as a documented pre-estimate of loss and keep the working papers — that record is what persuades a court the figure is compensation rather than punishment. Put termination rights in writing, for cause and for convenience, and attach exit obligations that survive termination. And attend to formation: a signed contract, stamped under the applicable provincial schedule of the Stamp Act, 1899, in place before performance starts. An unstamped agreement invites an admissibility objection at exactly the moment the relationship has failed.
Data and confidentiality travel with the vendor
Every commitment your company has made about data — to customers, to foreign partners, to regulators — follows the data into your vendors' systems, while the liability stays home. Pakistan's protections are thin: confidential information is guarded by contract rather than by a dedicated statute, the Prevention of Electronic Crimes Act, 2016 addresses unauthorised access in criminal terms, and comprehensive data-protection legislation remains a moving target to be checked at the date of reliance [STATUS — TO BE VERIFIED BY REVIEWING LAWYER]. So the contract carries the whole load. For any vendor touching personal or commercially sensitive data: a flow-down of every commitment you have given upstream, access limited to named purposes, prompt breach notification, audit rights you occasionally use, return or destruction on exit in a format you can actually reuse, and subcontracting only with consent. Take confidentiality undertakings from the individuals doing the work as well as the entity — in a services economy, the person is the risk.
Concentration: the vendor you cannot lose
The most dangerous vendor in the portfolio is usually the best one — the single supplier, the sole logistics partner, the developer who built the platform and hosts it. Dependence converts every contractual right into theory: you will not terminate a counterparty you cannot replace, and both sides price accordingly. The legal work here happens early, while alternatives still exist: exit-assistance clauses with teeth, data and materials returned in usable form, source code or tooling in escrow with defined release events, step-in rights for critical services, and where the economics allow, a second source kept genuinely warm. Then measure it: an annual map of single points of failure across the vendor base, presented to the board alongside the top exposures. Concentration is never chosen; it accretes, one renewal at a time, until the option to negotiate has quietly expired.
Running vendor risk as a system
A company of any size cannot run this vendor by vendor on instinct. The workable system has five parts. Tiering — dependence, spend, and data access decide the depth of diligence and the strength of paper each vendor gets. A gate — no purchase order issues until the tier's checks are passed and the contract is signed; the gate is procurement's, but the standard is counsel's. Templates — tiered contract forms embodying the remedy structure above, so the protection does not depend on negotiating each deal from scratch. A register — every vendor, its tier, its contract, its expiry dates, its guarantees and insurance, its last screening date. And a cycle — annual re-screening and re-tiering, with the concentration map and the top vendor exposures reported into the company's legal risk register and, through it, to the board. None of this is exotic. It is the same discipline the company already applies to credit, pointed in the direction the money leaves.
The Checklist
Vendor onboarding and review checklist
The verification, contracting, and monitoring steps for taking on and keeping vendors, tiered by dependence.
- Tier the vendor base by dependence, spend, and data access before deciding how much diligence each tier deserves.
- Verify a corporate vendor's existence and status against the SECP record; for firms and sole traders, sight the partnership deed or proprietorship registrations.
- Confirm the vendor holds an NTN and appears on the FBR's Active Taxpayers List before pricing is agreed — withholding rates and input tax both turn on status.
- Obtain a beneficial-ownership declaration from significant vendors and screen the names against the proscribed-persons lists before award.
- Run a litigation and reputation check on every critical vendor before the contract, not after the failure.
- Sign the contract before work, money, or data moves — no operations on unexecuted drafts.
- Stamp the contract under the applicable provincial stamp schedule so it can be used in the forum it names.
- Structure remedies you can actually collect — security deposits, holdbacks, milestone payments, and service credits — rather than relying on penalty clauses.
- Where a liquidated damages figure is used, build it as a genuine pre-estimate and keep the working that produced it.
- Take a bank guarantee or deposit against high-value performance obligations, sized to the realistic cost of failure.
- Write termination rights for cause and for convenience, with exit-assistance obligations that survive termination.
- Flow every data and confidentiality commitment you have given your own customers down into each vendor contract that touches the data.
- Prohibit subcontracting without consent, and make the vendor answerable for anyone it brings in.
- Take confidentiality undertakings from the vendor entity and from the named individuals actually doing the work.
- Require insurance certificates where a vendor failure could injure third parties, and diarise their expiry.
- Map single-source dependencies once a year and keep a tested exit plan for each critical vendor.
- Put source code, designs, or tooling in escrow wherever the vendor's disappearance would strand the business.
- Re-screen and re-tier the whole vendor base annually, record the review, and report the top dependencies to the board.
Questions, Answered
What clients ask most.
Not as written. Section 74 of the Contract Act, 1872 treats a sum named in the contract as a ceiling, not an entitlement: the court awards reasonable compensation not exceeding that sum, and in practice expects the claimant to show actual loss. A clause drafted as punishment invites reduction. The drafting consequence is to hold money rather than claim it — deposits, holdbacks, and service credits applied to invoices work because they reverse the burden of going to court.
Usually the obligation reaches you indirectly. The Anti-Money Laundering Act, 2010 framework binds banks and other reporting entities, and their customer-due-diligence standards flow down: your bank asks about your counterparties, and payments to opaque or listed parties can freeze your own banking relationship. Whether your company is itself a reporting entity depends on its sector [STATUS BY SECTOR — TO BE VERIFIED BY REVIEWING LAWYER]. Separately, dealing with a proscribed person or entity is a direct legal exposure regardless of your status — which is why the screening step is not optional for significant vendors.
Because your exposure does not come from a Pakistani data statute; it comes from everywhere else. The confidentiality and data commitments in your customer contracts follow the data into your vendors' hands, and you remain the party liable when a vendor leaks. The Prevention of Electronic Crimes Act, 2016 adds criminal exposure around unauthorised access. And dedicated data-protection legislation has been in draft for years and should be checked as at the date you rely on this [LEGISLATIVE STATUS — TO BE VERIFIED BY REVIEWING LAWYER]. The contract is the protection precisely because the statute book is thin.
Tier it. For low-spend, low-access vendors: existence, Active Taxpayers List status, and a signed purchase order with standard terms. For significant vendors: add beneficial-ownership declarations, list screening, and a litigation check. For critical vendors — those holding your data, your production, or a single point of failure: full diligence, negotiated contract, insurance, exit plan, and an annual review. The failure mode to avoid is uniform process: heavy paper on the stationery supplier and a handshake with the company hosting your customer database.
That your remedies are worthless against a counterparty you cannot afford to sue or lose. When one vendor carries your production, logistics, or platform, termination rights are theoretical, damages are slow, and the vendor knows both — which shows up at renewal as pricing power. The legal response is structural, agreed while you still have alternatives: exit assistance, data return in usable form, escrow, step-in rights, and a genuine second source. Concentration is measured annually because it accumulates silently.
Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified
This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.
