Due Diligence and Ongoing Monitoring

  • 1.  New Vendor Review

    Posted 06-10-2020 04:52 PM
    We are currently reviewing our approval process for new vendors and looking for some process improvements to our current procedures; we would like to understand what other financial institutions are doing. Would anyone be open to sharing how you are evaluating your new vendors? If so, I would like to hear from you.


  • 2.  RE: New Vendor Review

    Posted 06-11-2020 10:18 AM
    Right now we are moving from a questionnaire document into Venminder Onboarding (I just haven't been able to train staff due to the pandemic and work changes, so currently I am receiving the questionnaire and putting the answers into Onboarding). Venminder Onboarding will assign a preliminary risk rating to a new vendor based on questions answered. Ours are questions like: does the vendor require a username and password; does the vendor collect member data, employee data; does the vendor have access to our network? If it looks like the vendor will be low risk, I only request privacy policy, Tax ID number, and proof of insurance. Moderate risk will require a SOC report, financials, and some other docs. High risk involves more, like BCP. If we find out in the due diligence process that the risk is greater or we have other concerns, I ask for more documentation as necessary, but at minimum what we request matches our procedures.
    We also have a compliance attorney we use to review all of our contracts, just to make sure we aren't getting ourselves into anything questionable that may have been overlooked by the employee overseeing the vendor relationship.
    Let me know if you have any other questions!


  • 3.  RE: New Vendor Review

    Posted 06-16-2020 08:02 AM
    Thank you for your response; I appreciate the information.