In my mind security comes first. In the vendor isn't up to required levels, I'd r-route the consumer but if they have to log in twice, they will get upset.
In the past it was a known problem to have a banks homepage spoofed with the online banking logon there, and the scammers would capture the credentials. I don't recall all the specifics but IT should be involved to avoid problems.
My opinions are not necessarily my employers.
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell