Exams or Audits

Hello All,

I work for a community bank, and recently we were notified by an email from FDICConnect that one of our Significant Service Providers had a number of Examination Concerns Requiring Attention (ECRAs). 

We have inquired with the vendor, and they provided us with memos explaining what they have done with each ECRA. Many of them have been closed, some are in progress.

Currently we conduct the highest level of due diligence (inherent high risk) on this vendor, we also consider them critical vendor. 

So, my question is:

How do we validate what they tell us?

We are also unable to mitigate some of these ECRA's, as they are beyond our control.  Unfortunately ending our relationship with them would be very difficult, time consuming and expensive. 

Any input about this situation would be appreciated.

Hello, yes, I'd recommend looking at your contract with this vendor, to see what audit obligations they have.  I'd recommend going on site for a site visit and specifically meet to discuss and tour as best as possible to visually confirm controls are in place.  And, I'd recommend an executive or two of your bank attends that onsite visit, to send a message that you take this seriously and expect compliance with regulations.   And, I'd document what you've done, such that you can show your examiners the sincerity of your due diligence. Good luck!

Good morning,

How do you determine which vendors are examined by regulators in the Banking and financial industry?

Do mortgage servicer get examined?

Health care Insurance companies?

Any other major vendor category that are examined by federal or state examiners?

Another question is whether we should we request these reports from regulators?

Thanks.

Typically, the Regulators will want to know all of the FI's critical or material vendors. These could be vendors that have access to NPI, such as customer information, or employee information. Vendors that represent a portion of an FI's income, or expenditure. They will also review the FI's policies and procedures. The audit based off of those documents. 

Reports of Examination are a valuable tool for assessing vendor performance. However, it's important to recognize that not all issues may impact your product or service. My first recommendation is to evaluate the noted issues to determine if they affect your product or service. If they do, further review whether these issues are open or closed. If closed, assess whether the implemented controls were adequate. If the regulatory body closed them, you can be confident that they were reviewed and the controls were deemed satisfactory.

Additionally, onsite or virtual remote assessments can be beneficial. Engaging in discussions with the third party, along with your core team and other stakeholders such as InfoSec, can help you understand the issues and ensure remediation to your satisfaction. Given that this vendor is already highly rated, you likely have higher visibility on performance and screening (OFAC, reputational, financial screening, etc.).

You can also outline the issues in the vendor relationship and start tracking them for closure. This may assist with future renewal negotiations with the third party. Since this is an ECRA, it is likely quite serious, and the vendor is already working on it. Monitoring and waiting for details on closure is advisable. Alternatively, you may consider working on contingencies and backups in case the vendor's service deteriorates or if you need to change providers. This approach can enhance resiliency moving forward.