Policy, Program and Procedures

We have recently entered into the DCT CD Brokerage agreement. This involves a vast amount of financial institutions and investment companies. Will all of these FI's and Investment companies need to be tracked as Vendors? 

Thanks in advance for your help.

Hi,

A Deposit Trust Company (DTC) Certificate of Deposit (CD) Brokerage (firm) agreement connects Broker-Dealers with Financial institutions (FIs) and investment companies. The Broker-Dealers work with customers - of either/both an FI or investment company - to fund loans. Assuming you work for a Financial Institution (FI), then yes, the FIs and the Investment firms should be treated as third-party vendors and the following approach applies.

Traditionally, vendors that support your organization are classified as third parties and therefore are subject to the Third-Party Risk Management (TPRM) Lifecycle which includes Planning & Risk Assessment, Due Diligence, Contracting, Monitoring & Performance, and Termination.

• Have you identified any inherent risk to your organization via a risk assessment exercise?

• Have you defined your critical risk population of third parties?

• What is your organization's risk appetite?

• Is there precedent in your current third-party risk management policy which would classify the FIs and investment company as vendors (or conversely, whether they are out of scope)?

Beyond third-party risk posited by the third parties your organization you engage with, there may be fourth-party risk, where your organization's third-parties subcontract work to a vendor, thereby causing those subcontractors to be fourth parties.

• Are the fourth parties adhering to your organization's TPRM policy?
• Is the third-party identifying the fourth parties?
• Is such action required by your contract?

If you work for a bank which engages fintechs, then similarly, the FIs and investment companies should also be treated like vendors. As part of due diligence that must be performed each entity, the following n areas should be reviewed qualitatively Business Experience and Qualifications, Financial condition, Legal and Regulatory Compliance, Risk Management and Controls, Information Security, and Operational Resilience (which entails listing third parties and obtaining and reviewing outsourcing and subcontracting policies). This information will enable your organization to determine if you have third parties which subcontract work to fourth parties.

I hope you find this helpful and I would love to hear from other members of the community, too.