Exams or Audits

We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers.

What guidance are all of you following and what new "critical providers" are you notifying to the regulators.  Which group within the organization is doing the notification to your respective regulatory body; is that InfoSec, Vendor Management, Compliance?

Our TPRM program is a blend of guidance from OCC-2013-29 as well as third party guidance provided by FDIC and FFIEC.  So far the only guidance i see out there is Section 7 of the BSA program that FDIC directs to that highlights the type of services that requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services. 

Curious to learn what you all are doing out there?

Thanks 

We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers.

What guidance are all of you following and what new "critical providers" are you notifying to the regulators.  Which group within the organization is doing the notification to your respective regulatory body; is that InfoSec, Vendor Management, Compliance?

Our TPRM program is a blend of guidance from OCC-2013-29 as well as third party guidance provided by FDIC and FFIEC.  So far the only guidance i see out there is Section 7 of the BSA program that FDIC directs to that highlights the type of services that requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services. 

Curious to learn what you all are doing out there?

Thanks 

We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers.

What guidance are all of you following and what new "critical providers" are you notifying to the regulators.  Which group within the organization is doing the notification to your respective regulatory body; is that InfoSec, Vendor Management, Compliance?

Our TPRM program is a blend of guidance from OCC-2013-29 as well as third party guidance provided by FDIC and FFIEC.  So far the only guidance i see out there is Section 7 of the BSA program that FDIC directs to that highlights the type of services that requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services. 

Curious to learn what you all are doing out there?

Thanks 

We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers.

What guidance are all of you following and what new "critical providers" are you notifying to the regulators.  Which group within the organization is doing the notification to your respective regulatory body; is that InfoSec, Vendor Management, Compliance?

Our TPRM program is a blend of guidance from OCC-2013-29 as well as third party guidance provided by FDIC and FFIEC.  So far the only guidance i see out there is Section 7 of the BSA program that FDIC directs to that highlights the type of services that requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services. 

Curious to learn what you all are doing out there?

Thanks 

We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers.

What guidance are all of you following and what new "critical providers" are you notifying to the regulators.  Which group within the organization is doing the notification to your respective regulatory body; is that InfoSec, Vendor Management, Compliance?

Our TPRM program is a blend of guidance from OCC-2013-29 as well as third party guidance provided by FDIC and FFIEC.  So far the only guidance i see out there is Section 7 of the BSA program that FDIC directs to that highlights the type of services that requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services. 

Curious to learn what you all are doing out there?

Thanks 

We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers.

What guidance are all of you following and what new "critical providers" are you notifying to the regulators.  Which group within the organization is doing the notification to your respective regulatory body; is that InfoSec, Vendor Management, Compliance?

Our TPRM program is a blend of guidance from OCC-2013-29 as well as third party guidance provided by FDIC and FFIEC.  So far the only guidance i see out there is Section 7 of the BSA program that FDIC directs to that highlights the type of services that requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services. 

Curious to learn what you all are doing out there?

Thanks