Information Security

Our bank performs an annual third party review in accordance with interagency (FFIEC) guidance, for any third-party Technology Service Provider (TSP) or Managed Security Service Provider (MSSP).

Are any other banks performing an FFIEC review of their third-party vendors?  If so, how are you determining the scope of your review, with your regulators?  What are you looking for in the review?  

Historically, information from our regulators may be provided and we review to determine if there are MRAs/MRIAs impacting our third parties for which we need to track or be aware of. Contracts may also be reviewed and findings may be issued internally to track the issue if warranted. 

Hi there,

I hope that it is safe to presume your organization is incorporating findings from your annual third-party risk re-assessment, due diligence, and vendor risk reviews as part of this annual review. As this would provide essential information related to new or emerging risks related to data confidentiality, integrity, availability, and compliance, financial health, regulatory compliance, business continuity and resiliency, among others. And would compliment your practice of reviewing MRA/MRIAs and contract reviews for those TSPs and MSSPs. If that is the case, it would seem that you have a fairly comprehensive approach in place. Still as this practice is always maturing, I would love to hear from other members who might add to the conversation.