Policy, Program and Procedures

  • 1.  Foreign Vendor Definition

    This message was posted by a user wishing to remain anonymous
    Posted 04-27-2022 08:07 AM

    I am curious to see how others define Foreign Vendor in their Policy/Program. I ask because there are some clear FFIEC Definitions but the difference is using the term providing Services vs. providing technology vs. manufacturer of a Software. Point is Providing "Banking/Financial" Services or if again outside USA and it's Local Hosted Software (No Brainer) vs. a Hosted Platform (No GLBA) vs. Hosted Platform but it's critical to infrastructure. Just food for thought as again seeking any definitions people are using for a Foreign Vendor is... and then of course when they are not a Foreign Vendor or more importantly when you would not report them as Foreign Vendors in the spirit of definition by FFIEC.

    Anyone?

    Sincerely,

    Paul


  • 2.  RE: Foreign Vendor Definition

    Posted 04-27-2022 08:19 AM
    We have differentiated Foreign Vendors from services provided outside the US. Foreign Vendors for us are very simply any vendor headquartered outside the US. We separately track any services or service delivery that occurs outside the US regardless of where the vendor is headquartered.

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------



  • 3.  RE: Foreign Vendor Definition

    Posted 04-27-2022 10:51 AM

    I've struggled with this as well. In one case, we have a vendor that is headquartered in Australia, but all billing and contracts use their US office, and none of the services are delivered outside the US. Because the contract is with the US division of the company, I believe they must comply with all US regulations, so for all practical purposes, they are a US company.



    Darrell Bateman | SVP - Chief Information Security Officer
    City Bank











  • 4.  RE: Foreign Vendor Definition

    Posted 04-27-2022 11:01 AM
    I agree, if the third party invoices and contracts through their US office, and none of the services are delivered outside the US, we categorize them as domestic.

    ------------------------------
    Andrew Jones, Vendor Risk Manager, VP,
    Apple Bank
    ------------------------------



  • 5.  RE: Foreign Vendor Definition

    Posted 04-27-2022 11:44 AM
    I agree with focus on where the performance is located...this is especially important when a vendor is performing in more than one location, and a more extensive due diligence review is required to ensure they are compliant in all performance jurisdictions. I have developed a chart that can be uploaded to the Venminder tool to elicit the additional information required for each jurisdiction outside the vendor's home base country.

    As a side note--Our team is used to talking about "CONUS" (CONtinental US - spoken as CONE-us) and "OCONUS" (Outside CONtinental US - spoken as OH-Cone-us). Neither of these is a precise fit for vendor due diligence efforts--especially since our HQ is in Alaska! This led me to coin the term "NONUS" (Non-US spoken NO-nus) and I use it to keep focus on the location of performance, whether acquisition of goods, services, or both.