
Who Is a Critical Vendor?

Oct 4, 2017 by Branan Cooper

Your third parties should be ranked as Critical or Non-Critical for business disruption, and rated High, Medium or Low on each regulatory risk item.

What to Do With Critical Vendors

For your critical third parties, you need to:

  • Do a deep dive on certain portions of their due diligence. For example: how will you notice a business disruption or breach, a change in leadership, or a change in financial condition?
  • Complete a review of their business continuity plan
  • Create an exit strategy

Useful Definitions

There is a wide range of interpretations of what makes a vendor critical, and the critical designation is up to the business unit to determine. Here are two definitions that can help:

1. The OCC defines critical activities as significant functions (e.g., payments, clearing, settlements, custody), significant shared services (e.g., information technology) or other activities that…

  • could cause an institution to face significant risk if the third party fails to meet expectations.
  • could have significant customer impacts.
  • require significant investment in resources to implement the third party relationship and manage the risk.
  • could have a major impact on institution operations if the institution has to find an alternate third party or if the outsourced activity has to be brought in-house.

2. “Any service provider that could attract regulatory scrutiny or have an impact on the business, including the risk of loss in the event of a service disruption.”

Chip MacDonald, a partner at the law firm Jones Day in Atlanta, quoted in American Banker, May 27, 2014

When You Review a Vendor, Ask Yourself

As your institution decides who its critical vendors are, here are some simple questions to help you determine whether a third party is critical:

1. Would the sudden loss of this third party cause a significant disruption to the business?
  • How bad is it if they go down? (core processor)

2. Would the sudden loss impact customers/members?
  • How bad is it if they are compromised? (internet banking/bill pay/cards)
  • How bad is it if they fail to deliver? (network security provider)

3. Would the time to restore service without this third party be greater than a business day?
  • What kind of data do they hold, and for how many consumers/employees? (payroll/benefits provider)
  • Are there contractual protections built in surrounding breaches or loss of data?

Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).