
Proposed Interagency Guidance and Staff in Vendor Management

  • 1.  Proposed Interagency Guidance and Staff in Vendor Management

    This message was posted by a user wishing to remain anonymous
    Posted 10-06-2021 05:31 PM

    I am hoping for some feedback on an issue here with management buy-in or alternate solutions.  The Vendor Management team for our credit union is a single person.  We currently do not review all relationships, such as maintenance contractors, commodity services, catering, etc.  In preparation for the new guidance we proposed to have another staff member added to the Vendor Management team (even a .5 FTE) to help, as our relationships to be reviewed will go up over 100%.  Right now we are getting some resistance, and Sr. Leadership wants me to consider having the vendor owner handle these low-risk items.  Of course this raises concerns, as the responsibility for third-party relationships falls under our VM Program.
    Does anyone have suggestions?
    Do your vendor owners handle their own vendors without a vendor management rep assisting in the 2nd line of defense?  How is this working for you?  What obstacles are you encountering?
    How are other FIs preparing for the regulations when it comes to vendor vetting?
    I don't expect a lot of heavy lifting for the due diligence as it is risk based, but the volume is what I am concerned with.

    Thank you


  • 2.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    Posted 10-06-2021 06:57 PM

    For the past 8 years, our vendor management program was single-handedly managed by myself. This year, we onboarded Venminder and with their assistance, created a new Third Party Risk Management and Oversight Policy, which assigns all vendor owners to manage their own vendors. The hardest part was building the platform with all of our vendors and performing risk assessments. I am not done yet as I still need to turn on Oversight Automations and Vendor Onboarding. I am still tweaking the vendor due diligence requirements. It is a lot of work as I pretty much did everything, including facilitating the risk assessments with the vendor owners. I've had several meetings with the vendor owners informing them of their responsibilities and I explained that this can be shared or delegated to their staff, who are identified in Venminder.

    Once this entire process has been finalized, it will be easier moving forward. It is important that vendor owners realize what they are responsible for, moving forward. As the new policy was approved by the Board, vendor owners realize that they have to accept their new responsibilities. I will be providing oversight over the entire program, making sure vendor owners perform their tasks on time, that due diligence materials are properly submitted to the platform and reviewed in a timely manner, and new vendors are onboarded properly.

    I have spent the last 4 months building this platform and am still not finished. However, we are not planning to hire another person to be in charge of third party risk management, now that vendor owners are being held responsible for their own vendors. I hope this information helps you.

    ------------------------------
    Lynn Francisco
    SVP & CIO
    Mission National Bank
    ------------------------------



  • 3.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    Posted 10-07-2021 12:36 PM
    This is directed more towards Lynn Francisco than to the topic at hand and my apologies for sidetracking things. 

    Lynn - your approach to vendor management and assigning vendor owners to manage their own vendors is exactly what we are in the process of doing.  We too are a National Bank.  I think it's rare for the decentralized approach to be used, based on those we have visited with that are also users of the Venminder platform, so I was super excited to read your message.  Would you be willing to share your Third Party Risk Management and Oversight Policy by chance?  That is one piece we have yet to tackle, and it would be amazingly helpful to see how someone who does things in a similar fashion has crafted their policy.  Also, whether there may be an opportunity to do some networking, as we have a similar structure and could potentially learn from each other as to what has worked and what hasn't.

    I look forward to your reply and any others who have taken the decentralized approach.  If it would be more appropriate to start a new topic thread on this I certainly can do so.

    Kind regards,
    Karmin Thompson
    Alerus Financial, N.A.


  • 4.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    Posted 10-07-2021 12:40 PM
    Lynn - I didn't realize I had the ability to respond to your message directly.  This is my first time dipping my toes into the Venminder ThinkTank community board.  I posted a message further below and will recap here.

    Your approach to vendor management and assigning vendor owners to manage their own vendors is exactly what we are in the process of doing.  We too are a National Bank.  I think it's rare for the decentralized approach to be used, based on those we have visited with that are also users of the Venminder platform, so I was super excited to read your message.  Would you be willing to share your Third Party Risk Management and Oversight Policy by chance?  That is one piece we have yet to tackle, and it would be amazingly helpful to see how someone who does things in a similar fashion has crafted their policy.  Also, whether there may be an opportunity to do some networking, as we have a similar structure and could potentially learn from each other as to what has worked and what hasn't.

    Kind regards,
    Karmin Thompson


  • 5.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    Posted 10-07-2021 04:54 PM

    Karmin,

    Thanks for the information you posted on Proposed Interagency Guidance and Staff in Vendor Management.

    I am trying to redesign our Vendor Risk Management program, and would appreciate it if you would be willing to share your Third Party Risk Management and Oversight Policy.

    I am fairly new to Think Tank and apologize if I did this wrong.

    Karen Mikita, CISSP, ITIL
    IS Governance, Risk and Compliance Advisor


  • 6.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    This message was posted by a user wishing to remain anonymous
    Posted 10-07-2021 09:12 AM

    We established a Materiality Assessment, which is a short series of questions; if any are answered Yes, then the vendor is deemed Material. Think spend threshold, critical impact to service customers, accessing data, marketing services on our behalf, processing payments, offshore, etc.

    Once a vendor is deemed material, they are fully risk assessed for a tier assignment. Our TPRM governs the critical and medium risk vendors. The lines of business govern the low risk and non-material relationships (think caterers, office supplies, subscriptions, landscapers, etc.). TPRM periodically runs control reports to ensure the business assessments are accurate; for example, our materiality threshold for spend is 100K or greater. We may have a non-material vendor whose spend hits that mark over time. We monitor spend reports with tier to catch them and reassess the vendor for additional due diligence.

    I am not sure how large your vendor population is, but my organization has about 600 third party relationships; roughly half are non-material. The others are material and require ongoing monitoring, oversight and periodic recertification. I have 10 people who handle this ongoing and onboarding due diligence, as well as produce and validate scorecards for them, facilitate performance calls with agendas and meeting minutes, and monitor negative news. They also support the first line procurement function for contractual SLA assistance, as well as facilitate all SME due diligence reviews to ensure there is sufficient evidence that risk based decisions and reviews have been conducted for our regulators.

    The biggest obstacle I encounter is vendor owners who are lax in providing information we require to complete our due diligence reviews, and the perception that all of this due diligence is just "check the box" and not really something that is in fact time consuming and important.  If you ensure you are able to govern your most critical and medium risk providers, you are off to a good start.  Good Luck!


  • 7.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    This message was posted by a user wishing to remain anonymous
    Posted 10-07-2021 09:40 AM

    Curious, what do you do for contractors or 1099 workers?  If they have access to your data (and PII) using controlled portal access, do you assess them, and to what extent? I struggle with this as we are a non-profit and have many of them that provide service. If one failed to provide service, we would just use another one.  They can't download documents/information as it's contained on the portal, but I guess they could screenshot information. But so could employees... Curious how others treat them in the assessment process.


  • 8.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    Posted 10-07-2021 10:07 AM
    Hi

    Please share any format to calculate where the vendor is material or non material.


  • 9.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    This message was posted by a user wishing to remain anonymous
    Posted 10-07-2021 12:28 PM

    We have been informally following the OCC guidance (although we are FDIC regulated) in maturing our TPRM program so the change in guidance is not going to impact the kinds of vendors we track so much as it will expand, in some instances, the scope of the review.  One example is that we are currently tightening up our contract management, review and tracking processes in anticipation of some of the changes we feel will likely be adopted.

    Our TPRM program falls under our broader risk umbrella, separate from the business units (BU) who own the relationships.  The BU is responsible for the vendor selection and initial procurement processes (obtaining and checking references, scoping, etc.), contracting and contract management, although we have added requirements for contract approval by legal and/or TPRM for critical relationships, foreign-based third parties and certain dollar amounts.  We also store the contracts in a central database and provide reporting on certain key contract dates to ensure renewals, etc., are not missed at the first line.

    The BU also completes the assessment of operational criticality and data confidentiality risk that we use to determine the appropriate due diligence to require and the frequency of any subsequent reviews (annual, semi-annual, not reviewed again).

    One way you might be able to limit the volume of handling by TPRM is to identify certain kinds of relationships that are outside the TPRM scope and managed by another area or by the BU, like joint ventures, partnerships, Fintech, etc.  We have also explicitly scoped out of TPRM certain vendor types such as subscriptions, associations, federal, state and local governments, merchant payment processors (we have scoped those to a specific BU), etc.   You could also allow the BU to handle certain risk level relationships directly and have TPRM handle the higher risk relationships, as those would require increased expertise, review, etc.

    To respond to another question in this conversation, operational criticality and data confidentiality risk are determined based, in part, on the following criteria:

    Is the time to replace the vendor greater than 5 business days, and are there limited alternatives (only 1-2) to their service?
        - Yes
        - No

    How important to operations are the services or technology provided or hosted by the vendor?
        - Mission critical to operations: could be down less than 5 business days
        - Important to operations but not mission critical: could be down 5-10 business days
        - Incidental to operations: could be down for a longer period, such as 2 weeks

    Does the vendor access, store, transmit or process NPPI (non-public personal information) or regulatory protected information?
        - Yes
        - No

    If "yes" to the above, answer the following questions.  If "no" to the above, the worksheet is completed.

    Data Type: Can the data be reasonably used to perpetrate identity theft?  For example, records that contain NPPI, such as a person's name associated with an SSN, credit card number, or financial account number, carry more risk than records that only include a person's name and address.
        - Yes
        - No

    Volume: Select the volume of regulatory protected information
        - High
        - Moderate
        - Low





  • 10.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    This message was posted by a user wishing to remain anonymous
    Posted 10-07-2021 04:55 PM

    Since Credit Unions are regulated by the NCUA and FFIEC will they need to abide by the new interagency guidance issued by the Federal Reserve Board, FDIC & OCC?  While the guidance is comprehensive, the credit union wants to make sure we are following the correct guidance.


  • 11.  RE: Proposed Interagency Guidance and Staff in Vendor Management

    Posted 10-20-2021 12:10 PM

    I had posted this info in another discussion, but it looks like this question is hitting all of the discussion communities.

    I work in the insurance industry in CT.  The NYDFS Cyber Regulation prompted us to create the following worksheet to capture the risks related to a supplier.  Our work group determined which risks were most important for us to be aware of and manage. We created the scoring methodology to define what was critical.  As positive responses are entered into the worksheet, a Tiering score is calculated, with Strategic and Tier one being the highest risk.  Generally we send this worksheet to the business person and ask them to complete it.  This ensures that the business area understands what they are contracting for and how the service will work.  The questions below the worksheet help us to further understand the business needs so we can contract it correctly for them.  This has proven to be very helpful in ensuring no surprises at the end of the day!

     Hope this is helpful!

