Look into bankpolicies.com. Brent and his team are amazing.
This message was posted by a user wishing to remain anonymous. You mentioned PCI - I have a critical vendor that will have access to a lot of customer information beyond cardholder data. Their PCI indicates segmented - it is my understanding that ...
This message was posted by a user wishing to remain anonymous. Having been on both sides of the table... As a vendor, I never shared policies outside of the organisation as they were considered to be proprietary. There were times when a policy included ...
This message was posted by a user wishing to remain anonymous. Hello! I work for a community bank and we onboard quite a few valuation vendors for commercial loans (these are not AMCs). These vendors will assess the value of the business and its assets, ...
In my opinion, no. The only caveat is a recommendation to audit the exit plan and documentary evidence that supports a safe and secure exit (data, continuity, etc).
Concentration risk insight enables risk-informed decisions on whether concentrations are acceptable, but it is not necessarily a case for change.
You should conduct a full review every 3-5 years. Have you considered streamlining your periodic monitoring practices so you only ask for documentation and information about material changes in their organization (new CIO/CFO/CIO/CISO; M&A activities; ...
Yes, I can confirm that this practice is very common in the financial services sector, oil and gas and law firms.
This message was posted by a user wishing to remain anonymous. Similar to reviewing and assessing SOC reports, does anyone currently do assessments on your third-party vendors' information security policies? If so, would you be willing to share? Thanks ...
This message was posted by a user wishing to remain anonymous. Hello. Are you including AML in the vetting of a new vendor (onboarding)? We are completing OFAC on all vendors but asking if anyone else has AML participate in the Onboarding review process? ...
We have a 6-month window built into our policy on completion time to allow for this. Some vendors may take a week or two, but most that we are seeing range in the month or longer timeframe to return their documents and answer the questionnaire, if they ...
This message was posted by a user wishing to remain anonymous. Looking for inspiration and practical methods to assess and monitor concentration risk with third parties, e.g. when it relates to: Over-reliance on one vendor for critical services ...
This message was posted by a user wishing to remain anonymous. Yes, we've also been experiencing delays in receiving documentation from several vendors.
We are a small credit union so not nearly as many vendors as some others use. There are some vendors that are consistently delayed in getting me their due diligence docs in full to review. I have departments chunked into months for their annual reviews ...
If the vendor is low risk, we require just a handful of documents from the vendor. As their risk level increases, the number and types of documents we want to see also increases. We start our vendor risk rating process based on the level of risk for ...
This message was posted by a user wishing to remain anonymous. We have been using one questionnaire and ask that the vendor indicates on the questionnaire if the answer does not apply to a product. We also ask them to provide documents that cover all products. ...
This message was posted by a user wishing to remain anonymous. Our CLM tracks it and notifies us when an NDA is about to expire.
This is just now coming up for me: starting a conversation with a third party and realizing that our NDA expired 6m ago. Some folks have proposed non-expiring NDAs but I'm not crazy about that idea - I see concepts in legal agreements all the time that ...
This message was posted by a user wishing to remain anonymous. Hi Everyone, Sorry if this was brought up before as I'm sure it has come up from time to time. Has anyone noticed more delays in getting due diligence documents from your vendors for ongoing ...
Relationships and governance of the third party relationships are audited for the existing and live contracts. Is there value in assessing the ongoing monitoring of relationships by a Relationship Manager for an expired contract (expired during the audit, ...