Due Diligence and Ongoing Monitoring

  • 1.  Vendor Control Environments

    This message was posted by a user wishing to remain anonymous
    Posted 07-05-2022 05:14 PM

    What are your business's controls for vendor control environments? By this question I mean: what controls have you put in place for vendors that you implement in the contract? For example...

    My bank uses a 3rd party collection agency to collect on their charge-off accounts and specifies that the call center of the 3rd party collection agency must be in the USA (not in a different country).

    Does anyone have examples you can list below? I am looking to rebuild ours and want to make sure I have the most important ones.

  • 2.  RE: Vendor Control Environments

    Posted 07-06-2022 11:08 AM
    Our bank is FDIC regulated, but even if you are not I would recommend taking a look at the FDIC Guidance for Managing Third-Party Risk.  Section 3 of that guidance goes into great detail concerning contracting recommendations.  We initially used this guidance to build a checklist for business owners when reviewing contracts and have subsequently used it as the basis to build a TPRM standard contract.  We tied each of the FDIC recommendations to a specific contract provision and are working to risk-rate those provisions as they would not all be required or appropriate for each and every relationship.

    I found it beneficial during this process of building the contract to work directly with our CISO on the technology requirements around data privacy.  We did not want to be super granular and prescriptive in terms of technical requirements for many reasons.  Most important was that we did not want to age out the contract and tie it to technology that rapidly becomes obsolete, for example by requiring specific encryption.  The second reason was that we want to take advantage of our vendors' knowledge and experience and allow them to implement cutting-edge technology without our contract hindering that evolution.

    Below is the link to the FDIC guidance:

    U.S. Federal Deposit Insurance Corporation. FIL-44-2008, Guidance for Managing Third-Party Risk. Available at: https://www.fdic.gov/news/financial-institution-letters/2008/fil08044a.html


    Shelly Chase
    AVP Operational Risk