During our recent three-day Third Party Risk Management Bootcamp, we had a lot of GREAT questions come in. It was not possible to get to them all during the live sessions, so we have worked with our speakers to compile the answers. Below you will find answers to questions posed during Day 2 - Session 2: Defining Proper Vendor Due Diligence Requirements.
Day 2 - Session 2
Defining Proper Vendor Due Diligence Requirements
This session was led by Branan Cooper, Chief Risk Officer at Venminder, where he discussed what the regulatory guidance calls for in due diligence, the common pitfalls of document gathering, best practices in creating a risk-based program, misconceptions and how to clear the “we’ve never been asked this before” hurdle. He has kindly provided answers to the following questions.
Q1: Do you do due diligence on a vendor level or engagement/statement of work (SOW) level?
Answer: “Product or statement of work.”
Q2: You've mentioned examples of vendor types that may be excluded from the program and oversight. What would be a consistent BASIS for excluding a vendor? What specific question(s) should be asked?
Answer: “Here’s an example:
Scope and Coverage. This Program is intended to apply to all third party relationships entered into by EveryBank, as communicated to the third party risk management department, including but not limited to: affiliated and unaffiliated vendors, service providers, processors, business partners, program managers and marketers and other third parties, with whom the Company or Bank contract for purposes of obtaining products or services, or who collaborate with the Bank in providing products and services in the marketplace.
The program is not intended to cover the following relationships:
- Relationships with customers or members or account-holders of the Bank;
- Relationships with third party providers of goods or products (or their sub-providers) which may reasonably be considered incidental to EveryBank's operations or lines of business and are therefore not material to EveryBank's third-party risk profile;
- Relationships with government regulatory agencies;
- Relationships with payment card licensing networks (currently, Discover, MasterCard, VISA, and American Express) as the Bank cannot reasonably exercise any rights to audit or remediate concerns on what may be a financial services systemic matter.
- Relationships with affiliates pursuant to intracompany service agreements to the extent such agreements are principally intended to document intracompany financial agreements for financial allocation purposes and do not include any scope of work materially related to functions of the Bank or Company from a third-party risk management perspective.”
Q3: Do you have different request lists for the different levels of risk/due diligence?
Answer: “Yes, definitely, risk based.”
You can find our due diligence checklist for low, medium and high risk vendors here.
Q4: What resources are out there to research and determine if my company is required to comply with vendor management?
Answer: “Refer to FFIEC IT examination handbook and your prudential regulator’s third party risk management guidance as well.”
Q5: What should you do if the vendor shows up on the OFAC list after a few years of having a business relationship?
Answer: “Follow the same procedures as if a customer showed up on OFAC list. Refer to your BSA/AML policy. Generally, confidentially report to compliance officer or BSA Officer for determination of next steps.”
Q6: Do we need to do OFAC for non-vendors? The ones who are not providing products/services for the Bank's operations, but hotels, tax authorities, etc.?
Answer: “I generally don’t think so, but I suggest checking with your BSA Officer for better guidance.”
Q7: Do you consider onsite reviews a component of due diligence? And how do you determine which vendors should have an onsite review?
Answer: “Yes, they can definitely be a form of due diligence and often very helpful to confirm items that they will not share otherwise. For expense reasons, this will likely be only your most mission-critical or perhaps new large-volume vendors (core processors, etc.).”
Q8: Assuming technology is involved (SAAS or Cloud), what’s a reasonable processing time to complete review (assume documents received)?
Answer: “I've generally said 30 days but have seen it take as much as 90.”
Q9: A question on contracts – any suggestion on how to handle a contract with a foreign entity who wants governing law and jurisdiction to be local, which could put the bank at risk of not being able to address compliance with U.S. laws and regulations?
Answer: “Consult local counsel or engage a law firm like Ballard Spahr with vast experience in dealing with international companies.”
Q10: How deep should your due diligence be for marketing firms that are receiving email addresses (NPI) only?
Answer: “Same as any other receiving any form of NPI – info sec and review of privacy policies, in particular.”
Q11: You said, "regardless of who they are, ask," and used the good example of Apple. Many IT companies simply have greater leverage in negotiations and won't provide this. How should we document their unwillingness to provide something?
Answer: “Document the request, document the business need, follow the exception process in your institution and show where and when senior management was involved in the decision making / exception. Create strong documentation to be able to assert that you didn’t simply give them a pass based on the name.”
Q12: In regard to a data breach like Equifax, we reviewed their SOC reports and info security policies and audits and found no concerns yet there was still a data breach. What else is there to do if all of the due diligence shows satisfactory controls?
Answer: “Document what steps you’re taking to protect customers or recognize potential ID theft.”
Q13: Should we collect bylaws or resolutions to document authorized signers?
Answer: “Yes, if they will share. Very rare that they would, most likely.”
Q14: Do you recommend due diligence for all vendors or just for critical vendors?
Answer: “All third parties, regardless of risk level.”
Q15: What due diligence would you perform on a sole proprietorship vendor who performs work on/has access to your alarm systems? Is a business license required? How/should a background check be performed? General liability insurance?
Answer: “Standard due diligence including all of the normal items, Google news search, Better Business Bureau, professional references and general liability insurance.”
Q16: What’s the importance of ensuring certain third parties have workers compensation insurance on file?
Answer: “I’d recommend simply making sure they have general liability insurance to cover possibility of an accident on premises, it’s up to them to manage their workers comp issues, I would hope.”
Q17: What do you consider "standard" due diligence questions?
Answer: “Please see the slide in the deck on due diligence (e.g., articles of incorporation, secretary of state check, business license, ownership structure, tax ID, reputation risk check, etc).”
Q18: What due diligence should be required for on-premises software?
Answer: “Standard due diligence plus information security, business continuity, change management procedures and SSAE 18.”
Q19: What do we do for third and fourth party vendors?
Answer: “Generally same due diligence procedures would apply for both.”
Q20: When you look at how a vendor would disrupt the business "significantly" - how do you determine that? Is it based on the business losing X number of dollars per minute? Per hour? I’m really looking for a definition around “significant”.
Answer: “This is subjective based on the type of business. Generally, I have done it on normal productivity hours lost.”
Q21: Should hired CPAs/auditors be considered critical vendors?
Q22: Do you do another risk assessment to evaluate residual risk?
Answer: “Yes, once you have determined inherent risk, you determine what steps can be taken to control/mitigate that risk and depending on the effectiveness of those controls, derive the inherent risk.”
Q23: Can you recap resources to investigate a vendor's complaint volume and enforcement action?
Answer: “CFPB complaint database, Better Business Bureau rating, RipOffReport.com, Enforcement actions: Payment Law Advisor, Google news search, prudential regulators’ websites.”
Q24: Does the vendor management program have to write out what the mitigating controls are in place?
Answer: “Yes, it should generally identify them, not necessarily every possible one but at least high level.”
Q25: What is the standard or best practice GRC tool to use for Risk Assessments?
Answer: “We can set up a demo of our risk assessment platform if you’d like. Numerous others out there, but I believe ours is among the very best.”
Q26: Perspective on the risk mitigating effectiveness of contract language.
Answer: “I believe a well-written and enforced contract is one of the best mitigating controls there is. Gathering items dictated in the contract can solve nearly every routine issue.”
Q27: We don't have business continuity in our vendor management program, it’s in our data security program. Does it matter where it needs to be?
Answer: “I would at least cross reference it in your vendor program where you describe the interrelation with other bank policies (not doing so could lead to a criticism in your FFIEC or regulatory IT exam).”
Q28: I have typically seen a vendor risk controls assessment rated 0-5 instead of low, moderate, high as on your assessment. Is this also common practice? Also, do you have an example of a criticality assessment?
Answer: “Yes, I have seen numerous different ratings scales. I prefer three levels as opposed to too many splits of a hair. Criticality assessment is asking the three questions I covered in the presentation and if you answer “yes” to any of them, it is a Critical third party.”
Q29: How do you handle foreign vendors who require the contracts to be subject to local laws?
Answer: “Consult local counsel, if needed or a law firm (such as Ballard Spahr) that has significant experience in dealing with international clients.”
As you know, it’s important to do initial due diligence prior to signing a contract and then ongoing due diligence during the course of the relationship. Continue to stay abreast of regulatory expectations - download our infographic to help guide you through the process step by step.