Due Diligence and Ongoing Monitoring

  • 1.  SWIFT

    This message was posted by a user wishing to remain anonymous
    Posted 08-31-2022 02:21 PM

    Good morning!  For anyone who works at an institution that utilizes SWIFT for FX and other services, do you have SWIFT set up for vendor oversight and monitoring?

  • 2.  RE: SWIFT

    Posted 08-31-2022 02:49 PM
    We have SWIFT as a Tier 2 vendor as we participate in their payment network.  We also have some additional services with them specific to SWIFT messaging, etc.  We definitely want to ensure the vendor has adequate controls in place to protect information.  SWIFT has had data breaches in the past and they are not immune to attacks, so we should monitor them closely.

    Due diligence with them is a challenge, but they do have an ISAE report and other security documents that outline the control environment.

  • 3.  RE: SWIFT

    Posted 09-01-2022 09:33 AM
    That confirms what I was thinking. Thank you!  Also good to know they have some reports available and I do see some on their website as well.  When you say Tier 2 vendor, how are you defining Tier 2?  Critical, non-critical, high, moderate or low risk?

    Brandon Mayfield
    Vendor Management

  • 4.  RE: SWIFT

    Posted 09-01-2022 12:43 PM
    Our VM program is a 5 risk tier based program, with Tier 1 being the most critical and Tier 5 being low risk.  Tier 1 could be a combination of: the vendor has access to NPI data, connects into our network/infrastructure, may not have NPI data but is heavily relied upon for services (RTO requirements), and is customer facing (if not available, could cripple the bank).

    It is a points-based program where we assess the inherent risk of the vendor based on the nature of products and services sourced.  The higher the score, the lower the tier.  Each risk point bracket defines the category of risk in which the vendor is tiered.  The risk score then drives the level of due diligence we perform as prescribed in our VM policy.  Tier 1 vendors have more scrutiny in review versus a Tier 3.  For example, for a Tier 1 we would do a vendor onsite, control survey, remote security assessment, etc., but for a Tier 3, we may only perform a control survey and, based on residual risk, determine if any other review is warranted.  Tier 2 may involve an information security review in addition to the control survey, depending on the nature of the service and residual risk.  For Tier 4 and 5, we may only perform the initial screening and review that annually.  Tier 1-3 we review on a monthly basis, so there is ongoing monitoring occurring throughout.