Due Diligence and Ongoing Monitoring

 View Only
  • 1.  Omissions from TPRM Program

    Posted 02-23-2023 09:52 AM

    How are other credit unions determining which vendors should be omitted from their program? Are others performing ongoing monitoring of Federal agencies? State agencies? Single-use vendors/contractors? Etc.

  • 2.  RE: Omissions from TPRM Program

    Posted 02-24-2023 09:17 AM

    Below is the verbiage we use in our TPRM policy: 

    The Program is not intended to cover the following relationships: 

    • Relationships with customers or members or account-holders of the Credit Union; 

    • Relationships with third-party providers of goods or products (or their sub-providers) which may reasonably be considered incidental to CACL's operations or lines of business and are therefore not material to CACL's third-party risk profile. 

    • Relationships with affiliates pursuant to intracompany service agreements to the extent such agreements are principally intended to document intracompany financial agreements for financial allocation purposes and do not include any scope of work materially related to functions of the Credit Union or Company from a third-party risk management perspective. 

    • Relationships with government regulatory agencies.  

    • Relationships that consist of a single, one-time payment.  

    • Relationships with entities that require total independence to perform their functions appropriately.  

    • Relationships that cannot be influenced by the Credit Union or held accountable to any service level agreements.  

    • Relationships with third-parties consisting of industry group memberships, sponsorships, and events.  

    Venminder provided us with a policy template back in 2020, but we made a few additions to the list. We used this guide to determine which vendors of ours would be considered out of scope - https://www.thirdpartythinktank.com/communities/community-home/librarydocuments/viewdocument?DocumentKey=020a0357-bdc4-4259-80bd-ead066c2b71e&CommunityKey=b84aae94-c495-48bb-9f3a-4bbba9a5ce95&tab=librarydocuments 

  • 3.  RE: Omissions from TPRM Program

    This message was posted by a user wishing to remain anonymous
    Posted 05-18-2023 07:48 PM
    This message was posted by a user wishing to remain anonymous

    Hi Amanda,

    Thank you so much for providing an overview of your in scope/out of scope vendors. We're in the process of maturing our program and this, along with Venminder's template provided some insight to how we can build our program. I was wondering if you could answer this question since we both work for the same type of organization, a credit union.

    One of my key pain points is trying to organize IT vendors, and identifying what should qualify as a vendor or how it should be housed in our records. As you are probably familiar, IT vendors can include software purchase/subscriptions from value added resellers (ie: CompuNet). What is your team's process to organize, these types of vendors or how do you identify how these vendors should fall in your TPRM process? Thank you.