We recently received an FFIEC examination report for one of the top card payment network providers from our federal regulator. Our current Vendor Management policy states payment card licensing network providers (i.e. VISA, MasterCard, etc.) are out of scope. However, we are questioning if we can still call them out of scope now that we received the examination report.
How are other banks treating card network providers? Are they within scope and if so, how are you risk rating them and what type of due diligence are you requesting/obtaining? Have you been able to collect due diligence documentation?
Thank you in advance for your feedback!
Colleen