Policy, Program and Procedures

  • 1.  Other Banks as Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 02-07-2025 02:48 PM

    Hello,

    I would like to get everyone's opinion on something:  We are updating our policy and the discussion of whether to include other regulated financial institutions as vendors came up.  We already monitor their financials quarterly.  The thought is since the other institution is federally regulated they are held to the same standards as our Bank.  We do evaluate them annually for the service they provide (CIP) but do not extend beyond that - like reviewing their Information Security program.  In prior discussions with the other institution they are reluctant to share any of that information because it is proprietary.  As such, we were considering updating our policy to exclude other financial institutions.  I was wondering if anyone had experience with this and what people's thoughts were?

    Thanks!



  • 2.  RE: Other Banks as Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 02-07-2025 03:24 PM

    We include Banks within our list of vendors but don't run them through our full due diligence process.  We will also periodically review their call report data. But, as you've discovered, you're not going to get much information from them directly.  




  • 3.  RE: Other Banks as Vendors

    Posted 03-17-2025 01:00 PM

    This really depends on the role the FI plays in the relationship with the individual organization.

    Because of limitations with regulatory governing bodies sharing information relating to their oversight of FIs, it's fairly common to take on this due diligence and treat it as if it's another provider to the organization. Banks have standards, similar to other suppliers, which they must follow, and it supports a deeper insight into the risks which matter most towards how the FIs are supporting the organization (i.e. customer deposits, settlement processes, program components, FDIC insured funds, etc.). A common point beyond CIP diligence is to ensure that the FI is compliant with relative Privacy obligations in the event that they are accessing joint customer data via CIP; and, in lieu of obtaining the documents, perhaps a brief memo including a virtual walk-through and SME discussion could suffice. There may be additional compensating controls, such as including the FI in Dark Web Monitoring in the event that there may be risk exposure through detection, which may benefit more than reviewing a policy or procedure.




  • 4.  RE: Other Banks as Vendors

    Posted 03-19-2025 11:03 AM

    Other financial institutions are included in our third-party evaluation scope and are assessed based on their risk level, just like any other third party. If a financial institution as a third party is classified as Tier 1 (high risk), it undergoes the full due diligence process for that risk tier. They are not treated any differently due to their status as a financial institution.

    If a vendor is unwilling to provide all the requested control information and we have exhausted all alternative avenues, we assess the risk of the outsourced service and present it to the business with our recommendation not to proceed. If the risk is low, the business decides whether to accept the risk and continue the relationship or exit. If the vendor is high risk, the risk justification is presented to a committee for evaluation, and the business provides justification for proceeding. The committee then votes on whether to accept the risk. Often, businesses prefer to evaluate another provider rather than go through this part of the process. It becomes increasingly difficult to convince management to take on such a significant liability for the organization.




  • 5.  RE: Other Banks as Vendors

    Posted 03-25-2025 02:31 PM

    As a regulated financial institution, you are required to have a complete inventory of all third parties, including other financial institutions. Even though you may receive limited responses to your requests for due diligence, you will need documentary evidence that you tried.

    You may also want to include questions about the scope and maturity of their third party risk management program in your due diligence process. They will likely respond to these questions providing they are not too invasive.

    If you are satisfied that their program is robust and compliant, you may wish to use this as documentary evidence, along with a "reliance" rationale that the bank is also required to comply and is subject to regulatory exams, as rationale for determining that they are low risk. This can be escalated and signed off by Ops Risk/ERM.