Due Diligence and Ongoing Monitoring

  • 1.  Foreign Vendor Due Diligence

    Posted 01-23-2020 10:07 AM
    What additional due diligence should be conducted on a foreign vendor? I know it depends on their significance rating with the bank. Are there specific documents we should request?


  • 2.  RE: Foreign Vendor Due Diligence

    Posted 01-23-2020 10:10 AM
    Depending on how you risk rate the vendor and the services they provide, what you need will vary, but in some cases, if it is a cloud vendor and you can't get the SOC, you might have to get the ISO to review security controls.


  • 3.  RE: Foreign Vendor Due Diligence

    Posted 01-23-2020 07:58 PM

    Thanks Michele.

    Janis Weems

  • 4.  RE: Foreign Vendor Due Diligence

    Posted 01-23-2020 10:14 AM

    We have an attorney review the contract for language (we recently had a vendor who is based in the UK and while our data will not leave the US, the arbitration clause mentioned England and Wales, so we had the vendor strike that paragraph), and we do extra diligence on determining where our data travels and how the vendor gets our information. We don't have specific documents for International vendors, but depending on the relationship, that might move the vendor from low to moderate risk, for example, and then we have a few additional documents we request. 

    All of our due diligence documents are obtained based on risk rating - domestic or international. Hope that helps!




  • 5.  RE: Foreign Vendor Due Diligence

    Posted 01-23-2020 07:58 PM

    Thanks Denise.

    Janis Weems
    Vendor Management Specialist


  • 6.  RE: Foreign Vendor Due Diligence

    This message was posted by a user wishing to remain anonymous
    Posted 01-23-2020 07:58 PM

    We would try to have them comply with the same due diligence as if they were based in and providing services in the U.S. If not willing, we would still ask a series of questions and request documentation. Most larger firms have information on their website regarding some of the items listed below.

    Questions regarding:
    • Business Continuity/DR Testing
    • Use of Fourth Parties (what do they do and where are they located, etc.)
    • Fraud Risk
    • HR Risk (do they conduct background checks, etc.)
    • Records Management (Records Retention Schedule, do they have a data destruction procedure)
    • Reputational Risk (Corporate Social Responsibility Report)
    • City/Country where customer/employee data is stored

    Documentation:
    • Code of Ethics/Code of Conduct Policy or Summary
    • Corporate Insurance Certificates including equivalent to Worker's Compensation
    • Statement on Data Privacy/GDPR Compliance
    • SSAE 18 SOC-1 Type 2, SOC-2 Type 2 or ISAE 3402 Report(s)
    • Cyber Security Control documentation if access to PII/PHI
    • Shared Assessment - Standardized Information Gathering (SIG)
    • Latest instance of Application Security Testing (Penetration Testing, Vulnerability Assessment, Static Code Analysis, etc.)
    • ISO 27001 Certification
    • Client or Executive Summary covering Business Continuity Program

    Hope this helps.


  • 7.  RE: Foreign Vendor Due Diligence

    Posted 01-24-2020 07:37 AM
    Evidence of adherence to: GDPR, NonOECD compliance and FCPA would be the big three for me.

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management

    ------------------------------



  • 8.  RE: Foreign Vendor Due Diligence

    Posted 01-24-2020 09:14 AM
    Jenn,
    I'm not familiar with nonOECD. What is it? Thank you!


  • 9.  RE: Foreign Vendor Due Diligence

    Posted 01-24-2020 09:48 AM
    India is a non-OECD country (there are others, you can google them). We validate they have a policy/procedure to evidence compliance as follows:
    If the subcontractors are working in non-OECD countries, confirm whether they have established labour policies and processes to comply with the International Labour Organization standards for those subcontractors. This includes policies addressing the fundamental rights concerning discrimination, minimum age of employment (child labour) and wage laws, including those relating to minimum wages, overtime hours and legally mandated benefits, and forced labour at all facilities.

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management

    ------------------------------



  • 10.  RE: Foreign Vendor Due Diligence

    This message was posted by a user wishing to remain anonymous
    Posted 01-27-2020 09:14 AM

    I'd like to suggest another track in this conversation. When working with foreign countries with limited governing oversight (i.e. non-OECD countries, lacking privacy laws), start with contractually agreed-upon controls (e.g. HR, physical, privacy, information security) and, if services include processing of sensitive data, have secured processing areas (e.g. physically controlled rooms, virtual desktops). Then complete the standard due diligence plus the additional controls agreed upon.