During our recent three-day Third Party Risk Management Bootcamp, we had a lot of GREAT questions come in. It was quite impossible to get to them all during the live sessions, so we have worked with our speakers to compile the answers. Below you will find answers to questions posed during Day 1 - Session 2: Risk Assessment Workshop.
Day 1 - Session 2: Risk Assessment Workshop
Speaker: Branan Cooper, Chief Risk Officer, Venminder
This session was led by Branan Cooper of Venminder, who walked attendees through a risk assessment questionnaire and guided them in how to think about the answers. He has kindly provided answers to the following questions.
Q1: Aside from contract language, is there any regulation, law or statute that would compel a vendor to cooperate with due diligence requests?
Answer: “As Mike Moore said, it’s becoming more and more understood that it’s the cost of doing business with a financial institution. OCC Bulletins 29-2013, 7-2017, and 21-2017 pretty much spell it out, along with the FFIEC IT examination handbook and the CFPB’s pronouncement of supervisory authority over service providers.”
Q2: Looking at the assessment, I see a question around OFAC. If OFAC is in the contract, would this be a required question around the assessment?
Answer: “I believe it should be. Understanding the ownership and leadership structure and conducting an OFAC check are always prudent.”
Q3: What guidance can you provide if the vendor or their executives are a match on OFAC?
Answer: “Same as if a customer account turned out to be a potential OFAC hit – refer to your policies around BSA/AML. Generally speaking, that should be confidentially reported to your compliance officer or BSA Officer to verify the OFAC hit and determine appropriate steps.”
Q4: How often should an OFAC check be done and is one initial check acceptable?
Answer: “No, I recommend doing it annually as part of the due diligence process and whenever there is a change in ownership or leadership.”
Q5: Could you show us the scoring weight for each question?
Answer: “For the purposes of the tool specific to this session, they were all equally weighted. However, in our robust risk assessment section of our software, you can use the pre-assigned weights or customize as needed/desired.”
Q6: Some organizations require that the business unit who intends to work directly with the vendor complete the risk assessment questionnaire in order to bear the responsibility of doing business with the vendor. Who should ultimately complete the questionnaire?
Answer: “Best practice is to have the person most qualified to complete the questions do so – that could be multiple subject matter experts from around your organization, then reviewed and approved by the vendor risk manager.”
Q7: Is there a regulatory requirement that vendors must track complaints?
Answer: “Yes, FDIC FIL 44-2008, et al. and certainly the CFPB’s emphasis since the start of their existence that consumer complaints will be responded to should dictate it. Look no further than the fact that numerous enforcement actions have arisen from data derived from consumer complaints.”
Q8: How do you manage the workflow from the business area which has a NEED through contracts and vendor due diligence? It seems disjointed now as to who does the intake.
Answer: “Carefully map out what each person is responsible for and put it into a step-by-step workflow.”
Q9: Where is a good place to do consistent research about regulatory criticism, litigation of vendors, etc.?
Answer: “The prudential regulators’ websites, Google news alerts, Payment Law Advisor, just to name a few. Also ask the vendor to self-disclose and you can also run Lexis Nexis or Dun & Bradstreet reports as well to check for liens or bankruptcies.”
Q10: Are open searches viable to do research on a vendor?
Answer: “Yes, definitely include the CFPB complaint database, Better Business Bureau and Google news alerts.”
Q11: Is this questionnaire performed before or after the contract is executed? I would think before, but there was a question asking if the confidentiality language is in the contract or the NDA.
Answer: “Before the contract is executed, definitely… and what you learn or any gaps can then be addressed in the contract.”
Q12: Will GDPR impact the way vendor management is handled?
Answer: “Yes, definitely. Much more focus on any potential EU customer involvement and the restrictions on confidential data; any with European operations should be asked for their policies on GDPR compliance.”
Q13: Regarding the question asking about third party review of the vendor's info sec program, is the SOC report considered a third party review?
Answer: “Depends on who prepared the SOC report, but generally speaking, as it’s typically prepared by a third party, yes.”
Q14: Some of the questions state... "Should the company be REQUIRED to do something...". Is it better to ask ... "DOES the company do something?"
Answer: “There are cases where the third party SHOULD be doing something but is not, thus the reason I phrase the question as should they be REQUIRED (said differently, they may very well be required to and not be fulfilling that obligation).”
Q15: Should all vendors be on the risk assessment, even your janitorial service?
Answer: “Yes, at least a cursory one… and the janitorial service definitely should, as they represent some risk if they have unescorted or after-hours access to your facility.”
Q16: What is a good length of time to allow for the completion of a SIG questionnaire?
Answer: “I generally would say 15 days, but you may have to accommodate their staffing or their need to research certain questions, as a full SIG can take a while.”
A key aspect of vendor risk management is the art of collaboration across multiple lines of business. Learn how to collaborate and adequately assess and rate risk in your next risk assessment - download our infographic now.