I usually ask for these once a year - in bulk. It's not the easiest process to go through. It's probably the same for all regulatory bodies, but the OCC requires vendor name, city/state, date of contract, and last report received for each vendor. One issue that I've come across several times is some of our vendors don't report us as a customer. In the past, we had to contact our vendor and request they list us as a customer - one of these we had been doing business with for over 20 years. More recently, the OCC required that we provide a copy of the contract.
Like others have mentioned, I have found the reports to be very helpful. They are much better than a SOC report. I typically follow up with the vendor and press them to provide details on what they have done or are doing to resolve the issues identified.
Lastly, if you're not requesting the reports, you do risk criticism from the regulators. My first encounter a few years ago was just a question about whether I was receiving them (I didn't even know they existed). I believe it's an expectation now. Just FYI.
Original Message:
Sent: 09-12-2019 04:18 PM
From: Brittany Padgett
Subject: have you requested a copy of your vendors own reports of examination?
@Anthony Lang just posted a great question on one of the resources (see resource here – One of the Best Due Diligence Items Vendor Managers Aren't Even Aware Of). I wanted to add it here to reach the wider group.
Anthony asked "Has anyone done this? What type of vendor did you request it for? Which agency did you request it from? How valuable was it? Were there questions from the agency or vendor after requesting it?"
Brittany Padgett
Community Manager
Third Party ThinkTank