Hi everyone, below are due-diligence-related questions - we want your thoughts. Last week, Venminder had their Third Party Risk Management Bootcamp! It was three days, 6 sessions and 11 presentations long, presented by nine experts. Needless to say, a lot of great information was shared. There were also a lot of great questions that came in during those live sessions. The team thought it would be helpful to share what those questions were and provide answers as well. Chime in if you have further answers for any of these or any further comments. And, if you're interested in viewing the recordings, you'll find the link on the Program Improvement library page.
Q: Can you provide the enforcement action website?
A: Paymentlawadvisor.com and you can also look at each of the prudential regulators' websites and their monthly enforcement action publications.
Q: I have several third parties that do not provide thorough due diligence. They will only provide table of contents to their policies or procedures. How do you overcome this barrier?
A: It depends on what you're looking for. In some cases, you really want to make sure you're drilling down and asking for very specific items and explaining why it's needed. In that case, create some sort of dialogue between yourself, your senior management and the vendor's senior manager explaining why these items are non-negotiable. It's important in a business relationship to make sure that you're not going to have compliance issues, financial issues, information security issues and more prior to entering the relationship. The table of contents simply isn't enough to address anything more than the surface level of the issue. You need to dig deeper to get a real understanding. Therefore, I would prep a memo or letter that lays out exactly what you're looking for. If they aren't willing to provide it, follow an escalation chain where you say what you asked for, when and why they wouldn't provide it, the creative solutions you offered to them to obtain the information, etc. This way senior management can decide if they're willing to accept this exception.
Q: How do you recommend vendor risk management assess/monitor vendors where we do not have a contract? Some are fourth parties.
A: In some cases, you need to rely on your third party and ensure that they're upholding the same standards that you'd be putting on your own third parties. In other cases, you want them to provide evidence of that and be transparent in the process. Ultimately, you're the one on the hook to be accountable for your customers' data so you want to make sure you're going as far as you possibly can to make sure all is well.
Q: Is there somewhere an organization can go to obtain vendor complaints similar to BBB regarding the services they offer?
A: There are several: ripoffreport.com, the CFPB complaint database, state attorney general websites (some have their own complaint database), Google News searches, social media searches, and you can contractually obligate the vendor to provide a list.
Q: Any comments on situations where "Risk" owns Vendor Management, unless "it plugs in", and then IT owns that Vendor Risk Management?
A: I always believe that Risk should be independent of any business unit function, including IT. It gives you autonomy and an equal vote, rather than being drowned out by business issues.
Q: It's great to see that the role of vendor manager has been elevated to a professional risk focused role. Do you foresee that there will be more regulatory requirements around vendor management education and certifications going forward?
A: Yes, there will – particularly given the heightened focus on cybersecurity and breaches.
Q: Where can we find resources for exact oversight and reporting standards for each industry to help us customize our due diligence for each business?
A: There is no single source – it will depend largely on how your company uses that particular service or function. However, there are many resources available in the community libraries.
Q: What level of due diligence do you recommend for fourth party vendors?
A: Precisely the same as your third party.
Q: Do you vet prior to a contract and do you have documented standards?
A: Yes, definitely prior to the contract and yes, I always had documented guidelines on what I planned to reasonably obtain.
Q: Why would we not require them to provide all the due diligence documentation in advance? This would be part of why we do or do not sign a contract. As long as we sign an NDA.
A: We always try but sometimes they simply will not provide prior to a contract.
Q: Where in the third party risk management (TPRM) critical path (initial due diligence and risk assessment, contract, onboarding, monitoring, etc.) is onboarding performed?
A: Onboarding should be done as early as possible – definitely pre-contract.
Q: What is the difference between a centralized vs decentralized vendor risk management (VRM) program?
A: A centralized vendor risk management program means there is one person or group of people, typically in the second line of defense, who owns the responsibility of vendor management. For example, they will vet the vendors, assess due diligence, participate in contract negotiation, etc. This core team ensures your vendor management program is being executed properly. A decentralized vendor risk management program is when the job of vendor management has been spread across the organization, which becomes extremely difficult to manage.
Q: Would this group consider a bank that holds company money, or a rating agency such as Standard & Poor, a third party vendor?
A: Yes, definitely. It provides a service to the financial institution, thus it is a third party provider.
Q: Can Dana (Dana Bowers, Founder and Chief Solution Architect at Venminder) touch on her thoughts on where vendor risk management sits within the lines of defense? Our program is currently with the second line, but we've gotten critiques that our activities should really be performed by the first line.
A: Definitely second line – happy to discuss in more detail for specifics.
Q: How far into fourth parties do you need to dig? i.e., if your third party is considered very diligent can you use that, or must you vet the fourth party as detailed as your third party?
A: If they are handling any sort of proprietary or confidential information, dig as deeply as though they are in the office next to you.
Q: Do you have a preferred resource you use to stay on top of regulation and actions taken?
A: Ballard Spahr, JD Supra, Bryan Cave and all of the regulators' websites.
Q: When starting the vendor due diligence on high-risk vendors who originally turned in their documentation 9 months previously, would you use their information and start from there? Or would you send out the SIG questionnaire and request documentation now?
A: If it was complete 9 months ago, I'd be ok starting from there, otherwise, start fresh.
Brittany Padgett
Community Manager
Third Party ThinkTank