When determining your level of oversight on a vendor, you'll clearly want to determine the criticality first - whether the vendor is critical or non-critical. This is an essential and ongoing process for mitigating vendor risk. Listen to this podcast to help guide you through the process.
Hello everyone and thank you for joining me today for our Third Party Thursday podcast. I’m Steve Greenfield, Director of Third Party Risk here at Venminder.
The question submitted was: Other than criticality, what drivers do you believe drive the level of oversight you exercise over a third party? This is a great question, and I was thankful that I had the opportunity to answer it for the listener. Oftentimes in vendor risk management, I think we fall foul of two behaviors:
In many cases, your vendor will fall under the same regulatory requirements as the financial institution, so it's important to recognize that each vendor has a robust compliance management framework. The rule of thumb for your internal vendor risk management team is that they understand regulatory compliance and how each regulation applies to the different vendor types. Examples may include sub-servicing and ECOA, an AMC and Appraisal Independence Requirements, or a Credit Reporting Agency and the Fair Credit Reporting Act.
Outside of criticality and regulatory compliance, data security of your consumers' NPPI data will really force your organization to drill down on not only your internal controls but those of your third- and fourth-party vendors. Data breaches are traced back to a third party 63% of the time, which highlights that data privacy risk is everywhere. In some regards, I think this levels the playing field in terms of risk among many vendor types. Even a non-critical vendor may be accessing NPPI, and should the vendor suffer a data breach, you will be left with managing through a very messy process of root cause analysis and answering to your board and the examiners.
As a final thought on an additional driver, I would highlight the fact that assessment findings can help in determining the actual frequency of the oversight practice. Critical and high-risk-rated vendors should have a minimum annual assessment which covers financial, BCP, DR, and information security, and based on the findings and remediation required, the frequency could actually increase. Use SLA performance data and first line of business feedback to help determine where your focus needs to be. By doing so, you'll have developed an oversight program based on fundamental best practices and common sense. Do not overthink it.
I hope you found this podcast helpful. If you haven't already done so, please subscribe to our Third Party Thursday series. I am Steve Greenfield, Director of Third Party Risk at Venminder. Until next time, trust but verify.