Hi Cameron,
In general, it helps to think of third-party compliance in the following way – your institution is ultimately responsible for making sure that you're meeting regulatory requirements, even when certain functions are performed by third parties. Some laws and regulations may only be applicable to your specific industry, so your institution would be held accountable if your third parties are causing you to be non-compliant. If an employer is using a third party to perform a particular ERISA function like reporting or handling the employees' claims, that employer must ensure the third party is complying with ERISA requirements.
When it comes to risk assessments and due diligence, a good first step would be identifying the compliance risk that exists within the vendor's product or service. This might involve having the vendor owner answer questions such as "Do we rely on this product or service to maintain compliance with any regulations?" and "Is the vendor required to be licensed to provide the product or service?" From there, you can perform due diligence to get a better understanding of the third party's compliance practices. You might review items such as their policies, audit reports, and any relevant certifications.
I hope this can give you a good starting point to understand third-party compliance, and I'm interested to learn how others are handling similar situations.
Original Message:
Sent: 09-11-2024 03:47 PM
From: Cameron Clark
Subject: ERISA Requirements
Good afternoon,
To anyone who may have a better understanding of this topic, I would appreciate some more solid answers or real-life examples. I have a basic understanding of the ERISA requirements for employers, but for third-party risk I am struggling to see if there is a connection that needs to be analyzed further. Is there ever an instance, for risk assessment purposes, where a third party (or fourth?) would need to be held accountable for being ERISA compliant? Has anyone ever implemented this in their risk assessment framework or due diligence requests? I only ask because our institution has a payroll department that is beginning to utilize various connections to different custodians in relation to its payroll clients.
Thank you in advance!