Due Diligence and Ongoing Monitoring

  • 1.  Compliance Oversight/Monitoring

    This message was posted by a user wishing to remain anonymous
    Posted 04-22-2022 01:12 PM

    We received a recommendation from the FDIC and I'm looking to see how you all incorporate this into your VM program.  What all do you ask of your vendors to provide?  

    • Enhance the bank's consumer compliance oversight and monitoring. Oversight documentation should evidence vendor consumer compliance discussions and reviews should include vendor compliance assessments with specific consumer protection laws and regulations


  • 2.  RE: Compliance Oversight/Monitoring

    Posted 04-26-2022 11:13 AM

    With regulatory expectations regarding consumers, there are basically two primary considerations for monitoring your vendor's compliance:

    • That the vendor protects consumers' privacy and identity.
    • That the vendor protects consumers from unfair or deceitful actions.

    As a baseline, vendors should provide policies, procedures, training materials, and evidence of employee training. Your due diligence reports should detail your review and assessment of the following:

    Privacy: The vendor has sufficient knowledge, processes, and controls to protect consumer privacy. Your vendor's risk assessment should have questions specific to privacy and permissible use of consumer data.

    Consumer Protection Laws. There are numerous regulations meant to protect the consumer. Their application can vary depending on the product or service being provided. Your vendor must demonstrate awareness of any regulations that apply. Your vendor questionnaire should specifically ask about any regulatory findings or enforcement actions. Make sure all necessary licenses are current.

    Consumer complaints. Don't forget to review the vendor's complaint management and resolution processes. Review the number and nature of complaints and resolution times and actions. Request the vendor's complaints management policy and complaints log.

    You will be better able to follow the FDIC's recommendations if you consider privacy, compliance with consumer protection laws, and the treatment of consumer complaints in your due diligence and periodic risk reviews.

    I hope that helps, but I would love to hear suggestions from other members.