Due Diligence and Ongoing Monitoring

  • 1.  Vendor does not share Financial Statements

    This message was posted by a user wishing to remain anonymous
    Posted 14 days ago

    For some of our Critical vendors, I am being told they do not share their Financial Statements.

    I have tried looking up their 10K reports, Annual Reports with no luck.
    How do you evaluate them when you don't have any information on their financial health?

    If you accept the risk, do you document Internet search results as documentation of your attempts to determine their financial health?

    Any information is appreciated.

    Forgot to say, I am with a Credit Union.

    Thanks.


  • 2.  RE: Vendor does not share Financial Statements

    Posted 14 days ago
    I'll start by saying we don't require financials for all vendors, we tie that requirement to our risk assessment and only require for certain risk profiles.

    That being said, when we do require financials we will always push back if we get a "no" response.  I usually start with the following to provide some context around the request and why we feel financials are required:

    "Based on your experience working with other banks, you know banking is a highly regulated industry and you may also be familiar with the FDIC's guidance for managing third-party risks (FIL 44-2008).  We are accountable for effectively evaluating all third party risk.  As such, it is our responsibility to conduct comprehensive due diligence in order to identify, understand and mitigate risk arising from our third party relationships. 

    One aspect of evaluating third party risk is ensuring that our partners have a financial position sufficient to support their ongoing operations and to provide ongoing uninterrupted services to us in both the short and longer terms.  We have found financial statements to be an effective way to evaluate the financial health of the third parties that we do business with consistent with FDIC guidance."

    Depending on the risk and nature of the relationship, we also try to be flexible and identify what can be provided, such as:
    • a copy of just the balance sheet,
    • an overview of the key financial metrics and a statement of overall financial health, or
    • an opinion on the financial statements from an independent accountant.

    Some third parties don't want to release the financials but they will show you during a discussion such as Zoom and make internal resources available for those discussions.  

    In the absence of full financials, assuming we have come to an agreement on alternative documentation, we will always perform additional research, usually using LexisNexis. We document the exception to policy and note the alternative documentation obtained.  

    If a third party won't provide financials and refuses to provide alternative documentation, we would recommend not moving to contracting.  If the Business unit owner decides to pursue the relationship, we require the business unit owner to approve the exception to policy in writing and have that exception approved by the SVP of Risk.

    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------



  • 3.  RE: Vendor does not share Financial Statements

    Posted 14 days ago

    Despite the regulations from bodies like the FDIC and the NCUA, it is still within the rights of a private firm to refuse to disclose their financials.

    What I have found in the past to work in this situation is one of two things:

    Ask if their accounting firm would write a letter that essentially says "this firm is in a stable financial position" or something equally bland.

    Note in the vendor file that the request was made, attempts to discern financial health were made, but no information was forthcoming, and the risk was accepted or not.

    If it's a relationship that is vital, and the risk is acceptable, then that's the answer.

    If the risk is too great, that is a different but equally valid answer.

    This is, to my mind, not far different from a refusal or a lack of a SOC report.  The refusal or lack is an answer to the request, resulting in a risk rating that is either within or outside of the risk appetite of the company.  If you communicate that this is a make or break part of the relationship, or even include it in contract negotiations, then you may get the information you want, or you might need a new vendor for the service.

    Thanks,

    Dave

    ------------------------------
    David Howe, CCUFC
    Chief Information Officer
    ------------------------------