I'll start by saying we don't require financials for all vendors; we tie that requirement to our risk assessment and only require them for certain risk profiles.
That being said, when we do require financials we will always push back if we get a "no" response. I usually start with the following to provide some context around the request and why we feel financials are required:
"Based on your experience working with other banks, you know banking is a highly regulated industry and you may also be familiar with the FDIC's guidance for managing third-party risks (FIL 44-2008). We are accountable for effectively evaluating all third-party risk. As such, it is our responsibility to conduct comprehensive due diligence in order to identify, understand and mitigate risk arising from our third-party relationships.
One aspect of evaluating third-party risk is ensuring that our partners have a financial position sufficient to support their ongoing operations and to provide ongoing uninterrupted services to us in both the short and longer terms. We have found financial statements to be an effective way to evaluate the financial health of the third parties that we do business with consistent with FDIC guidance."
Depending on the risk and nature of the relationship, we also try to be flexible and identify what can be provided such as:
- a copy of just the balance sheet,
- an overview of the key financial metrics and a statement of overall financial health, or
- an opinion on financial statements from an independent accountant.
Some third parties don't want to release the financials but they will show you during a discussion such as Zoom and make internal resources available for those discussions.
In the absence of full financials, assuming we have come to an agreement on alternative documentation, we will always perform additional research, usually using LexisNexis. We document the exception to policy and note the alternative documentation obtained.
If a third party won't provide financials and refuses to provide alternative documentation, we would recommend not moving to contracting. If the business unit owner decides to pursue the relationship, we require the business unit owner to approve the exception to policy in writing and have that exception approved by the SVP of Risk.
Shelly
------------------------------
Shelly Chase
AVP Operational Risk
------------------------------
Original Message:
Sent: 08-01-2022 06:59 PM
From: Anonymous Member
Subject: Vendor does not share Financial Statements
This message was posted by a user wishing to remain anonymous
For some of our Critical vendors, I am being told they do not share their Financial Statements.
I have tried looking up their 10K reports, Annual Reports with no luck.
How do you evaluate them when you don't have any information on their financial health?
If you accept the risk, do you document Internet search results as documentation of your attempts to determine their financial health?
Any information is appreciated.
Forgot to say, I am with a Credit Union.
Thanks.