Your third parties should be ranked as Critical or Non-Critical for business disruption and ranked High, Medium or Low on all regulatory items.
What to Do With Critical Vendors
For your critical third parties, you need to:
- Do a deep dive on certain portions of their due diligence. For example, how will you notice a business disruption or breach, a change in leadership, or a change in their financial condition?
- Complete a review of their business continuity plan
- Create an exit strategy
There are a wide range of interpretations of what defines a critical vendor. The critical designation is up to the business unit to determine. Here are two definitions that can help:
1. The OCC defines critical activities as significant functions (e.g., payments, clearing, settlements, custody), significant shared services (e.g., information technology) or other activities that…
- could cause an institution to face significant risk if the third party fails to meet expectations.
- could have significant customer impacts.
- require significant investment in resources to implement the third-party relationship and manage the risk.
- could have a major impact on institution operations if the institution has to find an alternate third party or if the outsourced activity has to be brought in-house.
2. “Any service provider that could attract regulatory scrutiny or have an impact on the business, including the risk of loss in the event of a service disruption.”
Chip MacDonald, a partner at the law firm Jones Day in Atlanta, quoted in American Banker, May 27, 2014
When You Review a Vendor, Ask Yourself
As your institution decides who your critical vendors are, here are some simple questions to help you see whether a vendor is critical or not:
1. Would the sudden loss of this third party cause a significant disruption to the business?
- How bad is it if they go down (core)?
2. Would the sudden loss impact customers/members?
- How bad is it if they are compromised? (internet banking/bill pay/cards)
- How bad is it if they fail to deliver? (network security provider)
3. Would the time to restore service without this third party be greater than a business day?
- What kind of data do they have and for how many consumers/employees? (payroll/benefits provider)
- Are there contractual protections built in surrounding breaches or loss of data?
Make sure your critical vendor contracts are in good shape; download our infographic.