Policy, Program and Procedures

  • 1.  Social Media

    This message was posted by a user wishing to remain anonymous
    Posted 02-22-2023 03:35 PM

    I work for an FI. Should we include social media companies in our VMP (Yelp, Google, etc.)?



  • 2.  RE: Social Media

    Posted 03-02-2023 01:21 PM

    Hi,

    To determine if a third party should be considered in a third-party risk management program, it is necessary to establish criteria for what constitutes an in-scope vs. out-of-scope vendor.

    I've provided a list below to help enable you as you include those relevant third parties while excluding the others based on clear criteria:

    In-Scope Third Parties

    • The third party or vendor directly provides a tangible product or service to your organization or customers
    • There's a written agreement detailing the product or service, cost, responsibilities of both parties, and termination conditions
    • Your organization directly influences and manages the relationship
    • There are documented service level agreements related to the delivery and quality of the product or service
    • Invoices are provided, reviewed for accuracy, and approved before payment
    • The inherent risks or the dollars spent are significant and should be actively monitored and managed

    Out-of-Scope Third Parties

    • Government entities
    • Payee relationships
    • Travel and Entertainment
    • Sponsorships and donations
    • Public Utilities
    • Industry group memberships

    Note: Subscriptions are an excellent example of an outlier because this category does not fall neatly into an either-or approach.

    Regarding social media companies, if you are merely subscribing to establish an online presence and your organization will create and monitor posts, then you can probably exclude them from your third-party risk management program. However, if you are purchasing data services or placing ads, then those third parties should be in-scope for your program.

    Hopefully this information facilitates your decision on whether to include social media companies in your program.

    I'd be interested to hear what others think!




  • 3.  RE: Social Media

    This message was posted by a user wishing to remain anonymous
    Posted 03-03-2023 04:20 PM

    Hi Jill,

    What kind of due diligence is required for Yelp or Google? 

    Thanks




  • 4.  RE: Social Media

    Posted 03-07-2023 04:10 PM

    Hi, 

    In order to determine what due diligence is required for the 2 social media companies you referenced (assuming that Yelp and Google are, in fact, in-scope for your organization), the webinar linked to this response, which focused on Risk-Based Vendor Due Diligence, provides lists of documentation for collection and validation.

    https://www.venminder.com/webinar/on-demand/vendor-risk-based-due-diligence

    I'd be interested in what others think.