Due Diligence and Ongoing Monitoring

  • 1.  Not in Scope Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 05-05-2025 02:55 PM

    Is anyone adding vendors like Amazon and Office Depot to their "Not in Scope" list?

    For those vendors on your "Not in Scope" list:

    1. How are they being monitored?
    2. Are you doing a review (insert timeframe) to determine if they are going to stay on this list?
    3. How are you keeping track of them: included in your VM program but clearly marked as "Not in Scope"? Keeping an Excel document?

    We are working on changing our policy to have a "Not in Scope" section and wanted feedback on how other banks are doing this process.

    Potential examples are:
    • Customers
    • Employees
    • Investors
    • Government entities
    • Public utilities
    • Sponsorships or donations
    • Vendors covered under travel and expense policies (hotels, airlines, shuttle bus, etc.)
    • Media subscriptions
    • Professional membership dues and conference fees
    • Payees (Board members, legal settlements, etc.)

  • 2.  RE: Not in Scope Vendors

    Posted 05-21-2025 08:47 AM

    It is written in our Policy that Not in Scope vendors are the responsibility of the Business Unit to monitor and not Vendor Management because they are either a low-risk Tier 3 - Moderate vendor or a Non-vendor who is not in scope of our regulatory requirements. We do keep a full inventory of vendors and non-vendors in our software who are not in scope for a few reasons. We centralize all contracts to the software for both in scope and out of scope vendors or non-vendors and we have a custom button called Vendor in Scope where we indicate yes or no within each vendor profile. This way we can pull a report to show all vendors who are not in scope for audits and exams. We also set the Residual risk assessment to a Not in Scope status to show it was scoped and we do not have blank spaces in our reporting. 

    It is common knowledge that customers and employees are not vendors, so we do not include those on our list. Please see our list below:

    Non-vendors:
    • Independent sales organization sponsorships
    • Public fund bids
    • Image and branding sponsorships
    • Correspondent bank or investment arrangements, excluding products or services provided directly to a customer on behalf of the Bank or the Bank Holding Company
    • Asset sale or divestiture arrangements, such as originated loans sold on the secondary market
    • Purchase and lease agreements for Bank premises, excluding other real estate owned
    • Warehouse Lending – Lender arrangements
    • Professional Memberships

    Tier 3 – Moderate vendor types who are out of scope:
    • Title company services
    • Real estate appraisal and evaluation services
    • Real estate inspection services
    • Real estate Brokers
    • Environmental assessment services
    • Flood determination services
    • Income and tax verification services
    • Facilities-related engagements, including supplies, maintenance and landscaping, whether or not associated with a banking facility
    • Direct engagements of licensed professionals (for example, attorneys, auditors, accountants, architects, consultants, etc.) in providing those services for Bank or Holding Company matters
    • Investor Relations
    • Catering and vending
    • Recruiting or staffing agency engagements
    • Subscription services

    We also have a note on these exceptions in our Policy document stating that if any NPPI or sensitive Bank information is shared, those vendors automatically become in scope. An example of this would be a Facilities HVAC vendor who has integration into the software for maintenance. Most HVAC vendors physically come out to perform maintenance and have no integration, but when they do, they are now in scope and we will perform Ongoing Monitoring on them.