Exams or Audits

Hello All,

I work for a community bank, and recently we were notified by an email from FDICConnect that one of our Significant Service Providers had a number of Examination Concerns Requiring Attention (ECRAs). 

We have inquired with the vendor, and they provided us with memos explaining what they have done with each ECRA. Many of them have been closed, some are in progress.

Currently we conduct the highest level of due diligence (inherent high risk) on this vendor, we also consider them critical vendor. 

So, my question is:

How do we validate what they tell us?

We are also unable to mitigate some of these ECRA's, as they are beyond our control.  Unfortunately ending our relationship with them would be very difficult, time consuming and expensive. 

Any input about this situation would be appreciated.

Hello, yes, I'd recommend looking at your contract with this vendor, to see what audit obligations they have.  I'd recommend going on site for a site visit and specifically meet to discuss and tour as best as possible to visually confirm controls are in place.  And, I'd recommend an executive or two of your bank attends that onsite visit, to send a message that you take this seriously and expect compliance with regulations.   And, I'd document what you've done, such that you can show your examiners the sincerity of your due diligence. Good luck!