Due Diligence and Ongoing Monitoring

 View Only

  • 1.  Software purchased but no contract with the third party

    Posted 11-21-2024 09:54 AM

    There is software that we purchased to use; however, we do not have a contract with the vendor.  The software is critical; however, I am struggling if this should be classified as a vendor, because there are no legal obligations between the software company and the bank. 

    Any thoughts or insights would be appreciated.  Thank you.



  • 2.  RE: Software purchased but no contract with the third party

    This message was posted by a user wishing to remain anonymous
    Posted 11-21-2024 10:22 AM
    This message was posted by a user wishing to remain anonymous

    We have the same issue.  We list the software supplier as the vendor and list out each software as a separate service.  Due Diligence is requested from the software supplier and often the supplier will have access to SOC reports for the software.  




  • 3.  RE: Software purchased but no contract with the third party

    This message was posted by a user wishing to remain anonymous
    Posted 11-21-2024 11:17 AM
    This message was posted by a user wishing to remain anonymous

    Fascinating question.

    At our company, the answer depends on what that software does. Generally, if the software provides a critical function OR gives the software provider access to sensitive data (defined here to be: any category that your company thinks should be protected by law or practice), then a SIG report is requested of the software provider-at the minimum. Critical function couldn't have been purchased without extensive due diligence to ensure the software would perform as advertised.

    FWIW: Arrangements that give the software provider access to sensitive data increasingly require a contract throughout the financial industry.