Due Diligence and Ongoing Monitoring

  • 1.  Apple and Google Play

    This message was posted by a user wishing to remain anonymous
    Posted 05-08-2024 12:12 PM

    Hi all!

    What are other FIs doing with Apple and Google/Google Play? Are they on your vendor lists? If so, what level/criticality? Do you conduct periodic reviews? If so, do you find that one or both of these vendors provide documentation?

    Thanks!



  • 2.  RE: Apple and Google Play

    Posted 05-16-2024 11:09 AM

    Just to confirm, the following reply is regarding Apple Pay and Google Pay (not Google Play). Please let me know if I assumed incorrectly.  

    Fintech partnerships have been getting more attention from regulators in recent months, so I think this is an important topic. If your organization has integrations with these types of apps, they should be considered in scope for third-party risk management.

    The inherent risk level will depend on your process for assessing risk, but here are three questions that can help determine criticality:

    1.    Would the sudden loss of this vendor cause a significant disruption to your organization?

    2.    Would that disruption impact your customers?

    3.    If the vendor's service was down for more than 24 hours, would that cause a material negative impact on your organization?

    If you determine the vendor to be high risk and/or critical, I recommend doing periodic risk re-assessments and due diligence reviews at least annually.

    As far as documentation, that might be challenging since these larger organizations usually don't respond to due diligence requests. Some information like privacy policies is available online, but for anything you can't obtain, you'll want to just document your efforts and report to senior management and the board. This will show auditors and examiners that you made an effort to collect relevant documentation.

    Thanks for the question and I hope my reply was helpful. I'm interested to know how other organizations handle these types of vendors.