Due Diligence and Ongoing Monitoring

  • 1.  have you requested a copy of your vendors own reports of examination?

    Posted 09-12-2019 04:18 PM

    @Anthony Lang just posted a great question on one of the resources (see resource here – One of the Best Due Diligence Items Vendor Managers Aren't Even Aware Of). I wanted to add it here to reach the wider group.


    Anthony asked "Has anyone done this? What type of vendor did you request it for? Which agency did you request it from? How valuable was it? Were there questions from the agency or vendor after requesting it?"


    Brittany Padgett
    Community Manager
    Third Party ThinkTank



  • 2.  RE: have you requested a copy of your vendors own reports of examination?

    Posted 09-13-2019 08:35 AM

    Hi Brittany-
    We do request them from the OCC every year at the end of Q1/start of Q2 and review them. Yes, we have found them valuable; we have seen some reports that identify weaknesses in their vendor oversight, internal audit process, etc. that could impact us. We then follow up with the regulators in Q4 to see if any findings have been remediated/updated. It also allows us to add a deeper review during our remote or onsite visit with the provider. For example, the provider who displayed weakness in their vendor management had, by the time we got the report:


      • Hired a head of TPRM and replaced the Vendor Manager

      • Created new Policies and Procedures for Vendor oversight

      • Built a solid Risk Assessment and updated their list of critical providers



    So yes, I do ask our third parties for the reports, but I ask the regulators first. You can send your regulator the list of third parties you contract with and they will not only provide the reports to you, but they also will tell you who is in scope for the year ahead.
    I hope that helps!

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management




  • 3.  RE: have you requested a copy of your vendors own reports of examination?

    This message was posted by a user wishing to remain anonymous
    Posted 09-16-2019 11:38 AM

    Is the list you send for only your critical vendors?  Third Party Service Providers?  How do you know they have been audited by the OCC?


  • 4.  RE: have you requested a copy of your vendors own reports of examination?

    Posted 09-13-2019 09:01 AM
    Yes, I have done this in my prior institution - typically, you request it through the regional office of your prudential regulator, but typically only for those where you really need it, such as your core processor or data storage provider.  Also, expect questions as to why you are requesting it on X but not for vendor Y. That said, it can be a very helpful resource.


  • 5.  RE: have you requested a copy of your vendors own reports of examination?

    Posted 09-13-2019 10:03 AM
    I usually ask for these once a year - in bulk.  It's not the easiest process to go through.  It's probably the same for all regulatory bodies, but the OCC requires vendor name, city/state, date of contract, and last report received for each vendor.  One issue that I've come across several times is some of our vendors don't report us as a customer.  In the past, we had to contact our vendor and request they list us as a customer - one of these we had been doing business with for over 20 years.  More recently, the OCC required that we provide a copy of the contract.

    Like others have mentioned, I have found the reports to be very helpful. They are much better than a SOC report. I typically follow up with the vendor and press them to provide details on what they have done or are doing to resolve the issues identified.

    Lastly, if you're not requesting the reports, you do risk criticism from the regulators. My first encounter a few years ago was just a question about whether I was receiving them (I didn't even know they existed). I believe it's an expectation now. Just FYI.