Regulations

  • 1.  Regulatory Compliance Responsibilities

    This message was posted by a user wishing to remain anonymous
    Posted 11-14-2023 09:01 AM

    How does your program determine if a vendor/third-party partner has regulatory compliance responsibilities?

    If a vendor is a loan servicer, you would categorize them as a vendor servicer who performs regulatory compliance responsibilities. But if the vendor is a cleaning/janitorial company, you would say they don't.

    However, it's the vendors that fall in between those that can be difficult for our stakeholders to answer if their vendors have regulatory compliance responsibilities.



  • 2.  RE: Regulatory Compliance Responsibilities

    Posted 11-28-2023 09:56 AM

    Hi there,

    Your inherent risk assessment can be very helpful in determining regulatory requirements for vendors. Rather than trying to classify regulatory responsibilities by product type or service, you can ask standardized questions such as "Does the vendor interface with customers?" or "Will the vendor access, process, transmit, or store data?" or "Will the vendor process financial transactions?" Questions such as these are easy for any stakeholder to answer. And those three primary questions will help identify vendors that have regulatory requirements. Using your inherent risk assessment to determine who must follow regulatory requirements can take away the guesswork involved in identifying these vendors.

    It is important to keep in mind that even if your vendor is not directly regulated, they are still required to follow the same guidelines that your organization must follow. I hope that is helpful but would love to hear from other members on this topic.