Third-Party Oversight Implications of FDIC FIL-44-2008 Performance Monitoring Guidance
Implementing your own third-party oversight strategy.
Venminder's third-party risk experts simplify points from one of the industry's best checklists and most prescriptive sets of vendor oversight standards: the FDIC's FIL-44-2008. We'll discuss its guidance on performance monitoring and explain how to implement it in your own vendor oversight strategy.
Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder.
Let’s talk a bit about third party oversight. What exactly does that mean?
Well, if you were to Google it, I’m betting you’ll first see the NCUA guidance from 2007 that perhaps began the notion that financial institutions needed to do some ongoing review of the companies with whom they have an outsourcing arrangement.
Little did I know at the time, but the need for oversight would later be baked into much more thorough expectations in regulatory guidance. The nature of the oversight should be dictated by the product or service provided.
Perhaps the best checklist, or most prescriptive set of oversight standards, was laid out in the FDIC’s FIL-44-2008. Please note that if you’re doing business with a payment processor or merchant, there are also some specific transaction monitoring standards identified in FIL-3-2012. But before we narrow the lens too much, let’s go back to FIL-44-2008 and touch on each of the bullets, quoting directly from the guidance.
Performance monitoring should include, as appropriate, the following:
- Evaluate the overall effectiveness of the third-party relationship and the consistency of the relationship with the financial institution's strategic goals.
- Review any licensing or registrations to ensure the third party can legally perform its services.
- Evaluate the third party's financial condition at least annually. Financial review should be as comprehensive as the credit risk analysis performed on the institution's borrowing relationships. Audited financial statements should be required for significant third-party relationships.
- Review the adequacy of the third party's insurance coverage.
- Ensure that the third party's financial obligations to others are being met.
- Review audit reports or other reports of the third party, and follow up on any needed corrective actions.
- Review the adequacy and adherence to the third party's policies relating to internal controls and security issues.
- Monitor for compliance with applicable laws, rules, and regulations.
- Review the third party's business resumption contingency planning and testing.
- Assess the effect of any changes in key third party personnel involved in the relationship with the financial institution.
- Review reports relating to the third party's performance in the context of contractual requirements and performance standards, with appropriate follow-up as needed.
- Determine the adequacy of any training provided to employees of the financial institution and the third party.
- Administer any testing programs for third parties with direct interaction with customers.
So, there you have it, a perfect recipe, which you can customize as needed, for oversight of your third parties. Again, I’m Branan and thank you for watching! Don’t forget to subscribe to the Third Party Thursday series.