Due Diligence and Ongoing Monitoring

  • 1.  SOC Report Due Diligence Request - Vendor Wants to Charge us $500

    Posted 05-23-2022 12:03 PM
    Good morning,

    We are performing due diligence for a Tier 2 Significant vendor who serves as the transfer agent for our bank's stock and assists with M&A as needed. When we requested their SOC 2 Type 2 report as part of the document request, they stated that we have to pay them $500 to obtain it. I've had vendors ask for $20 before on a rare occasion but never to this extreme. 

    I will be consulting with our regulators to ask if this is allowed before proceeding and wanted to ask if anyone has experienced this? Did you have to actually pay? Thanks in advance.

    Kind Regards,

    Mary Garcia
    VP, Project & Vendor Administration


  • 2.  RE: SOC Report Due Diligence Request - Vendor Wants to Charge us $500

    Posted 05-23-2022 12:30 PM
    Hi Mary,

    The only vendor of ours that charges us for their SOC is also a Transfer Agent. It is a line item in their fees in the agreement and we have historically paid it. I only recently noticed it and did not pursue any further. I am interested to know how your regulator views it.

    Thanks, 

    Candace Dunigan
    Third Party Risk Manager


  • 3.  RE: SOC Report Due Diligence Request - Vendor Wants to Charge us $500

    Posted 05-23-2022 01:20 PM

    I had one vendor request payment for their SOC report (requested a much higher sum than you've mentioned!)

    We did not pay.  We reviewed documents the vendor did provide, forwarded an in-house developed questionnaire and, after reviewing all available materials, completed our review.  Our relationship manager for that vendor was required to execute a Risk Acknowledgement, recognizing that no SOC report, or other third party verification of control design and effectiveness, was available.  That acknowledgement was presented to our Enterprise Risk Committee, and through that Committee, to our Board. 

    FYI, within the next 2 years, that vendor began providing the SOC at no cost.  It would appear they wanted to recoup their initial costs from those customers initially requesting the report.  But as more of their customers requested it, they began treating it as a cost of doing business.

    Good luck! 

    Rosalie Stremple, MS-MIS, CTPRP, CBCP


  • 4.  RE: SOC Report Due Diligence Request - Vendor Wants to Charge us $500

    This message was posted by a user wishing to remain anonymous
    Posted 05-23-2022 02:23 PM

    It is outrageous to be asked to pay any amount for any SOC report. I've been doing SOC (and predecessor form types) reviews for over two decades and have NEVER been asked to pay. The payment request is a business issue that should be addressed directly by the business relationship manager with the vendor. As a business issue, too, transfer agents are a dime a dozen. They could be replaced more quickly - from a review perspective - than most. (The actual replacement, I concede: NOT easily or quickly... TA work and data are complex. But the available pool of candidates is broader than many specialized services.)