Regulations

  • 1.  Regulations Q&A

    Posted 09-24-2019 03:06 PM

    Hi everyone, below are the regulations-related questions that were asked during last week's Third Party Risk Management Bootcamp hosted by Venminder! The online webinar was three days, 6 sessions and 11 presentations long, covered by nine experts. The live sessions were packed with tons of useful information, and there were a lot of great questions that came in as well. The team thought it would be helpful to share what those questions were along with the answers. Chime in if you have further answers, comments or questions. Also, if you're interested in viewing the recordings, you'll find the link on the Program Improvement library page.

    Q: What's some regulatory guidance surrounding vendor risk?
    A: A lot of that is listed on this handy resource. The FFIEC IT Examination Handbook is also helpful.

    Q: How do you harmonize critical activity providers in OCC guidance with material and substantial providers in other guidance?
    A: I always aimed for the most stringent standards – thus, if I knew I could leap the highest threshold – in the current standards, OCC 2013-29, 2017-7, 2017-21 – I knew I would exceed all other regulators' expectations. Even in my most recent two institutions and at Venminder, I manage with OCC standards (at my two most recent FIs, we were FDIC and FRB)… and when I speak to the FFIEC and FDIC, I speak on OCC standards. I always take the most stringent and most conservative approach. Always.

    Q: You mentioned Appendix J. I'm not aware of what that is. Could you talk about what that is?
    A: The guidelines on outsourcing anything. Find more information on it here.

    Q: Can you restate the document that has a list of legal requirements for contracts with critical vendors?
    A: There are clauses within the FFIEC Handbook.

    Brittany Padgett
    Community Manager
    Third Party ThinkTank