"Based on your experience working with other banks, you know banking is a highly regulated industry and you may also be familiar with the FDIC's guidance for managing third-party risks (FIL 44-2008). We are accountable for effectively evaluating all third party risk. As such, it is our responsibility to conduct comprehensive due diligence in order to identify, understand and mitigate risk arising from our third party relationships.
One aspect of evaluating third party risk is ensuring that our partners have a financial position sufficient to support their ongoing operations and to provide ongoing uninterrupted services to us in both the short and longer terms. We have found financial statements to be an effective way to evaluate the financial health of the third parties that we do business with, consistent with FDIC guidance."
Despite the regulations from bodies like the FDIC and the NCUA, it is still within the rights of a private firm to refuse to disclose their financials.
What I have found in the past to work in this situation is one of two things:
Ask if their accounting firm would write a letter that essentially says "this firm is in a stable financial position" or something equally bland
Note in the vendor file that the request was made, attempts to discern financial health were made, but no information was forthcoming, and the risk was accepted or not.
If it's a relationship that is vital, and the risk is acceptable, then that's the answer.
If the risk is too great, that is a different but equally valid answer.
This is, to my mind, not far different from a refusal or a lack of a SOC report. The refusal or lack is an answer to the request, resulting in a risk rating that is either within or outside of the risk appetite of the company. If you communicate that this is a make-or-break part of the relationship, or even include it in contract negotiations, then you may get the information you want, or you might need a new vendor for the service.
David Howe, CCUFC
Chief Information Officer