Hi there,
Your list of questions is a great starting point. However, one of the best benefits of onsite reviews is that it allows you to gain a firsthand view of risk management practices and controls that aren't always the focus of vendor due diligence questionnaires or documentation. For example, if you are talking about the vendor's third-party risk management practices, it's a great time to ask them for evidence of their processes. That might look something like this:
How do you monitor and assess the resilience of your own critical third parties (4th parties) involved in payment processing?
• Ask them to pull the list of their critical third parties, select two critical vendors at random, and ask to see the risk and control reviews for those vendors' BCP/DR plans.
What mechanisms are in place to ensure that 3rd parties (our 4th parties) meet our compliance and security standards?
• Ask to see their process documentation that details how 4th parties are reviewed, who is reviewing them, their qualifications, and whether they have any examples of vendors who did not meet the standards.
How frequently do you perform risk assessments for your 3rd parties (our 4th parties), and what specific metrics do you track?
• Ask to see their risk-based re-assessment schedule and reporting detailing on-time completion.
How would you notify us if a 4th-party vendor experiences an outage or breach that affects your services to us?
• This should be part of your contract, but you could ask to see their standard contract language requiring vendors to notify them in case of a breach. And double-check to see if that language exists in a few critical vendor contracts pulled at random.
Onsite visits are also a great time to talk to the vendor's management team and employees (beyond your representative) to discuss their understanding of third-party risk management practices and to gauge their internal risk culture.
Because no one likes surprises, and to be courteous, you should set some expectations with the vendor before the visit, mentioning that you would like to review evidence of their processes. Giving them enough notice will help ensure that relevant employees are available during your visit, but I would not necessarily detail everything you want to see in advance. You will want to see firsthand how organized they are and how quickly they can respond.
Those are some of my thoughts, but I would love to hear from other members.