Due Diligence and Ongoing Monitoring

 View Only

  • 1.  Third Parties Regulated by Government Agencies

    This message was posted by a user wishing to remain anonymous
    Posted 07-18-2023 05:59 AM
    This message was posted by a user wishing to remain anonymous

    Hi All, 

    Searching for input from others in the financial services sector on the topic of due diligence on supervised or regulated third parties. 

    In the new guidance, the agencies acknowledge that not all relationships require the same level or type of oversight and that each banking organization has the responsibility to analyze the risks associated with each third-party relationship.

    Understanding that the supervision posed upon these organizations is far more complex from regulators than our institution's vendor management program, does this allow for us to scale down our oversight activities. Today, we complete Financial Health Assessments, Business Continuity Assessments, and Information Security Reviews (including SOC assessments). 

    Does your organization take a lesser degree of oversight for these relationships? If so, what does this look like for your Vendor Management program? (e.g., what documentation do you require, what assessments/reviews are conducted, etc.)

    Any thoughts/suggestions on this?

    Thank you in advance!



  • 2.  RE: Third Parties Regulated by Government Agencies

    This message was posted by a user wishing to remain anonymous
    Posted 07-18-2023 06:38 AM
    This message was posted by a user wishing to remain anonymous

    I am also interested in this and curious as to what other FI's do to manage their correspondent banks and Fannie/Freddie.




  • 3.  RE: Third Parties Regulated by Government Agencies

    Posted 07-18-2023 07:13 AM

    Are any of these vendors willing to share the details of their last audit, any MRIAs or MRAs that were issued, or any other supervisory findings? My guess is no.  I've heard this argument from select vendors for years that their assessment process should be less because they are heavily regulated.  Sometimes they'll provide a SOC report and other limited evidence that help provide some assurance but sometimes they won't provide anything. 

    We don't treat them any differently than any other vendor.  The inherent risk of the engagement drives the type of assessment the vendor receives.  If it's high-risk they get treated just like other high-risk vendors. Trust but verify is a good motto here and without any evidence to verify, you're really just taking the vendor's word that everything is fine. 

    A few years ago, I attended an ABA roundtable with a number of regulators.  Someone asked the regulators if they could help with this very situation by providing some sort of external audit report available to financial institutions on these larger companies (many of which push back on our assessment requests).  They recognized it was an opportunity, but that was the last that I heard about it. 




  • 4.  RE: Third Parties Regulated by Government Agencies

    Posted 07-19-2023 01:48 PM

    I work for an organization that is in a highly regulated industry - insurance. Yes, you should do the same level of due diligence as any other third party.  You might have the added benefit that the entity is examined by the regulating government agency. The examination report may be available for public review on the agency's website.



    ------------------------------
    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance
    ------------------------------