Exams or Audits

  • 1.  Audit recommendation - Vendor Training

    Posted 03-18-2025 11:24 AM

    We recently had an audit and had the following noted:

    Vendor Training: Providing vendor training ensures that the vendor understands your organization's standards, processes, and expectations. This training enhances the vendor's ability to deliver services effectively. It also fosters a collaborative and informed partnership.
    Require Initial and Ongoing Training
    Ensure all vendors complete onboarding training before beginning their engagement.
    Implement periodic refresher training to keep vendors informed about evolving threats, updated policies, and new regulatory requirements (as recommended by OCC Bulletin 2013-29, which stresses continuous third-party oversight).

    I would like to hear if this is a standard practice for your vendors, especially critical vendors. I understand asking about their training but found it odd to have us provide training to them.

    Appreciate any input!



  • 2.  RE: Audit recommendation - Vendor Training

    Posted 03-18-2025 11:54 AM

    Hi Tara,

    Wow! That seems like a stretch as far as I am concerned. I would push back on that "finding." All of the due diligence that was conducted for the onboarding process should indicate if the vendor will meet your needs. The contract/agreement should lay out all of your expectations, standards, processes, etc. I believe "training" the vendor could be covered during the SLA development.

    I hope I am not in the minority in this mindset!

    Have a good day, Kevin




  • 3.  RE: Audit recommendation - Vendor Training

    Posted 03-19-2025 04:17 AM

    Did Management accept that finding and recommendation? If the onboarding process, regular relationship management meetings and annual review process are operating as intended, additional training seems excessive.




  • 4.  RE: Audit recommendation - Vendor Training

    Posted 03-18-2025 12:12 PM

    Hi Tara,

    The importance of training from a regulatory oversight perspective comes down to a bit more specifics in regard to the type of services offered by the third party. In my experience, regulators would seek understanding whether our vendors performed their own training which covers similar topics or requirements as the organization or institutions to address high risk areas (e.g. Managed Security Services, Dispute / Complaints Management, ID Theft/Fraud, FCPA/Bribery, etc). If you have an ability to outline evidence that vendors maintain their own training (e.g. SOC 2 Type II, Compliance Policy/Manual, etc) through a compliance program, etc. then that should suffice. We would usually argue the point that training should be tailored to the specific needs of the organization and the roles involved (e.g. access to data then vendor must have trained their employees on data handling).

    In the event that the finding is associated with independent consultants, small firms, etc. where more than likely they are unable to provide evidence of specified training, then regulators might "recommend" incorporating company training requirements for those individuals as a best practice with some allowable exceptions.

    Training requirements can be addressed as an obligation within the agreements, whereby you can establish up front requirements on an ongoing basis.

    Hope this helps and best of luck!




  • 5.  RE: Audit recommendation - Vendor Training

    This message was posted by a user wishing to remain anonymous
    Posted 03-18-2025 03:32 PM

    Without full context it seems like a stretch, unless they are referring to third parties that work in your environment. If that is the case they should be required to take your security awareness training.

    If this is for vendors working outside of your environment, the MSA or SOW should contain high-level security requirements. Some organisations have a "Security Policy for Third Parties" that is provided depending on the work being done.

    I don't see training as being continuous third-party monitoring. Continuous is pretty broad and it could be anything from something as big as logging and monitoring all of their activity to ensuring that they provide a SOC 2 report or complete a security questionnaire annually.

    If this was just a finding, I'm pushing back and taking a closer look at the other findings. It's almost like they had to find something and this was the best they could come up with.




  • 6.  RE: Audit recommendation - Vendor Training

    Posted 03-18-2025 03:33 PM

    Hi Tara

    TPRM due diligence is fundamentally about "inspecting what you expect." It seems your internal controls or practices might be lacking in two key areas:

    1. Defining Business Requirements: It's essential for businesses to clearly define their requirements before sourcing a product or service. This ensures that vendors can comply with or meet these expectations before they are engaged.
    2. Inspecting What You Expect: The third party is an extension of your business, so the same controls you expect internally should be applied externally. This should be covered in your due diligence.

    I would be curious if your due diligence standards had any findings or recommendations both on the TPRM side and the business oversight side. Is the business reviewing its relationships to ensure vendors meet all expectations (regulatory requirements, service quality, SLA, etc.)? Additionally, is your TPRM review covering all control reviews to ensure vendors meet your organization's standards for the sourced service/product? Do you have a vendor scorecard or equivalent to track and monitor performance periodically?

    Reviewing these practices to ensure that the business/bank has oversight of the vendor and that they meet your organization's requirements and continue to deliver on SLAs should help address this recommendation from Audit.




  • 7.  RE: Audit recommendation - Vendor Training

    Posted 03-19-2025 06:15 AM

    Thank you for raising this question. While it may seem unconventional for organizations to provide training to vendors, it is actually a common practice, particularly for critical vendors handling sensitive data, regulated processes, or essential business functions.

    Providing vendor training ensures alignment with your organization's security standards, compliance requirements, and operational expectations. This approach strengthens third-party risk management by reducing misunderstandings, improving adherence to policies, and mitigating potential risks. Regulatory guidance, such as OCC Bulletin 2013-29, emphasizes ongoing oversight, which includes ensuring vendors remain informed about evolving threats and regulatory changes.

    That said, the extent of training provided often depends on the nature of the vendor relationship. For highly regulated industries such as finance and healthcare, onboarding and periodic refresher training for critical vendors are essential. In other cases, organizations may simply require vendors to demonstrate their own training programs align with contractual obligations and industry best practices.

    It would be interesting to hear how others approach this: whether they provide direct training or rely on vendors' existing programs to meet compliance and security expectations.

    Looking forward to the discussion!




    ------------------------------
    K KF
    ------------------------------