Latest Discussions

  • This message was posted by a user wishing to remain anonymous I am the Vendor Manager for a bank, so it's not quite the same. We are highly regulated so my department is constantly under scrutiny. Over my years in Vendor Management, I have reported ...

  • This message was posted by a user wishing to remain anonymous Hi, I am a compliance manager working for a FTSE100 company responsible for the vendor onboarding and management (among other responsibilities). I was given the freedom to develop and embed ...

  • This message was posted by a user wishing to remain anonymous Hi All, For 2 years I have been vendor manager in a growing mid-size Clinical Research Organization (CRO) and am responsible for setting up and improving the processes for vendor management ...

  • RE: Vendors - state registration requirement?

    This message was posted by a user wishing to remain anonymous This topic is best handled by a contractual clause that requires the vendor to be "appropriately licensed/registered/etc in all jurisdictions where it does business". That contractual requirement ...

  • Hi there, The practice of requiring vendors to register in a specific state can vary significantly based on the type of business, industry regulations, and the state's legal framework. Keep in mind that state registrations typically serve the purpose ...

  • Posted in: Risk Assessments

    These are great questions, but I first want to clarify what you said about third-party tiering. High, medium/moderate, and low are typically used as a tier system, but critical shouldn't be used as a risk rating. Criticality is a classification, or a ...

  • FFIEC reviews of third parties for banking industry

    This message was posted by a user wishing to remain anonymous Our bank performs an annual third party review in accordance with interagency (FFIEC) guidance, for any third-party Technology Service Provider (TSP) or Managed Security Service Provider ...

  • Procedure template

    Would anyone provide a template for your company's procedures?

  • RE: SOC Report

    Posted in: Exams or Audits

    It is to the vendor's advantage to share the SOC 2 reports as those provide you the ability to review security posture without having to conduct all that audit work yourself. If they don't provide the SOC 2, then your contractual audit rights are more ...

  • RE: SOC Report

    Posted in: Exams or Audits

    I perform third party assessments for a public agency - local government, and within our policy, we do specify the following: SOC 2 (Type 2). If they do not have a SOC 2 or other external audit report I fully expect that the vendor will have ...

  • RE: SOC Report

    Posted in: Exams or Audits

    Agree - SOC1 and SOC2 are provided by privately held companies if available, particularly ones keenly aware of the business value they provide to FIs; this is indicative of a strong partnership to support regulatory commitments. For private companies who avoid ...

  • RE: SOC Report

    Posted in: Exams or Audits

    This is not true. I receive SOC 1s and SOC 2s from most of our privately held. However, financial statements are rare, so I ask for a Financial Condition Letter, which a Chief (or equivalent) needs to attest to – all of the privately helds provide these ...

  • RE: SOC Report

    Posted in: Exams or Audits

    Hi Wendi, Being publicly traded or not does preclude a necessity of a SOC report or financial statements, unless your CU has a policy surrounding what is acceptable vendor due diligence documentation. It's harder to obtain financial statements from ...

  • RE: SOC Report

    Posted in: Exams or Audits

    Hello, I have been told that private companies are not required to share their financial statements. That does not stop me from asking for them though. Most of the time they will share with a signed NDA. I ask for the same documents from ...

  • RE: SOC Report

    Posted in: Exams or Audits

    Wendi, I'm right there with you. The risk and oversight requirements are the same regardless of Private or Public. Ultimately, it depends on how you have set the expectation in your contracts. When onboarding a new vendor, we request all the ...

  • RE: SOC Report

    Posted in: Exams or Audits

    This question/comment is piggybacking on your conversation... I'm in the middle of our third-party CPA/internal audit on Vendor Management. The auditor is telling me that Privately Owned companies (vs Publicly Owned) are not required to provide us ...

  • Posted in: Regulations

    I just want to add that the guidance doesn't state there is no expectation to perform due diligence on third parties' subcontractors. You should evaluate the risk to your organization, and apply mitigation as appropriate. For Gene's organization that mitigation ...

  • Posted in: Regulations

    In the scenario you describe, I agree. If your platform or solution is required to integrate with another, you should be completing a level of due diligence on them. For example, I would expect security checks, pen tests etc. There should still be a ...

  • Co-Branded Credit Card Questions

    This message was posted by a user wishing to remain anonymous Hi all, I have a scenario where we are a co-branded credit card where we own the servicing and customer touchpoints, however, our bank partner owns the debt. We are in the process of migrating ...

  • Posted in: Regulations

    The new Interagency Guidance (FDIC, OCC, Fed) issued in June 23 clarifies that they do not expect us to perform due diligence around our third parties' subcontractors, but expect us to have a very good understanding of what oversight is performed by the ...