Policy, Program and Procedures

Hello,

A little background. I work in a community Bank.  In our TPRM program we had stated that vendor is out of scope if:

• Engaged for a single, non‐recurring service.
• Audit firms and consultants
• law firms
• Subscriptions, memberships, or associations dues
  - Employee training / educational development
  - Catering and dining (such as Bank events)
  - Public utilities & taxing authorities
  - Supply ordering or printing services
  - Bank related Contractors or Interior Design companies
  - Certain facilities (routine maintenance)

But with new TPRM guidance all third-party business relationships are in scope (excluding customers). 

So, my questions are:

• How do we differentiate these vendors with what used to be in scope vendors in our TPRM program? 
• How you keep track of all of these vendors in venminder? 
• Should we risk assess all vendors? Should we go back and reevaluate our previously out of scope vendors?
• Should we create a different risk category for them? we currently classify our in-scope vendors as High, Moderate, and low inherent risk.

Sorry for the long question.

Good Morning Anonymous!

That is the beauty of this forum- Get best practice from other professionals- I can tell you that in our shop, law firms are not out of scope, especially if they are being used in bankruptcy or foreclosure matters.  They typically get restricted information and are obligated to protect it. However many firms outsource their security and don't necessarily have a dedicated person in house to ensure they are getting the best protection.  Where I am, for every vendor we first determine if the vendor is Material- We accomplish this by making the requestor/vendor owner respond to the Materiality Assessment which asks the following questions (these questions can be altered to suit your bank):  

Will the third party perform a critical function, where if the third-party fails to perform could cause significant operational, reputational, compliance, strategic or customer damage?:

Will the third party annual spend exceed $100,000?:

Will the third party annual spend exceed 100K?

Will the third party market products and/or services on behalf of the bank directly to borrowers or clients?

Will the third party interact directly or indirectly with the bank's borrowers, clients, Board of Directors, or regulators?

Will the third party perform financial transactions, including card payment, ACH, EFT, etc.?

Will the vendor relationship require a significant investment in resources to implement, maintain, manage risk, or to bring the business activity in-house or to transfer the business activity to a different vendor?

If the answer to any of these questions is yes, then the vendor is deemed material, and then must be given a risk assessment to determine what their risk tier is. Our risk assessment is comprised of weighted questions tied to the risk vectors which determines whether a vendor is Enterprise Critical -Very high risk, Critical- High risk, Moderate- Medium risk, or Low Risk.  Non Material vendors are categorized as such by TPRM, however we still pull them into the master inventory and run OFAC on a recurring basis post onboarding, the same as our Material, risk tiered vendors.  Additionally, adding or modifying services to a non material vendor requires the same materiality questions to be provided to make sure we are still comfortable that a non material vendor's status has not changed to Material and thus requiring due diligence.  We do not do any cadence of recertification due diligence on Non Material vendors outside of the recurring OFAC check.  

Our TPRM program lists these vendors as out of scope for the TPRM program:

Third Party Relationships that are not in scope for the TPRM program (but may still be part of the 
vendor inventory to align with the appropriate internal relationship owners) are: government 
agencies, public utilities, office supplies, annual dues or fees for professional association 
memberships and subscriptions, charities, entities from which travel, meals and entertainment are 
purchased, the US Postal Service, payee relationships (for legal settlements or payments to board 
members), and Corporate Sponsorships and/or donations.

I hope that helps!

------------------------------
Jenn Wilkinson
Vice President
Strategic Vendor Management
Cenlar FSB

------------------------------

Good day! Our program considers the following out of scope: Donations & sponsorships, subscriptions, periodicals, membership dues/fees, Government entities, public utilities.

We do include professional agencies such as audit firms, legal & consultants.  For our facilities vendors & on-site catering we put them into the system & complete an Inherent Risk Questionnaire only to track their Certificate of Insurance (since they are on premise) and recognize them as third parties.

Have a good day

Good Morning, another community bank here.  We do not scope out law firms, audit firms or consultants.  We find that those relationships often include significant data privacy risk- especially outside audit firms that have access to customer information as part of their audit process.  Another kind of risk to think about relating to these types of relationships is access to strategic, privileged or proprietary information of your enterprise.  I would suggest you scope most third parties in and then use your risk assessment to determine the level of risk and associated requirements.  We evaluate the risk of each specific relationship and that risk drives the required due diligence.  For some kinds or relationships, such as financial institutions, we have very specific due diligence based on the nature of the entity. 

At our bank we have scoped out some specific kinds of relationships. I think that is still OK even with the new guidance, however you should be prepared to provide rationale for why you have excluded them.  We have scoped out the following from our TPRM program:

• ·     Services contracted with or through a law enforcement agency (local, state or federal) such as US Marshalls or Sheriff's Department are excluded from the vendor management procedures.  Examples of contracted services might include, but are not limited to, serving and enforcing court orders or repossessing collateral.
• ·        Utility Companies,
• ·        Dues paid to an association,
• ·        Providers of subscription services such as magazines, periodicals and educational resources,
• ·        Entities receiving charitable contributions,
• ·        Entities receiving sponsorships,
• ·        Employees, corporators or board members,
• ·        Investors,
• ·        Third party payment processors (managed through Payments Risk),
• ·        Entities from which travel, meals and entertainment are purchased,
• ·        Federal, state or local governments or entities engaged by the government for the collection of taxes and fees and
• ·        Limited risk vendors, annual spend < $5,000.

What type of due diligence do you assess for audit firms or consultants since most won't have SOC 2's. 

Good afternoon! You have received some wonderful considerations from others in your field to keep in mind while planning how to handle out of scope vendors. To track these vendors in Venminder, I recommend you build "Out of Scope" as a category, and assign that category to all products that fall within those specs. If you need help in completing this action, we have some great articles in our Support Center or you're always welcome to reach out to your dedicated Customer Success Manager or our Support Team.

Thank you everybody for the very helpful responses.