Who are our vendors? How do we know if the list is complete?
The newly proposed and combined guidance from FRB/FDIC/OCC purposefully casts a very wide net on what and who is to be included in your Third Party/Vendor inventory. Below are some thoughts on who to include, what you are on the hook for and where to find them.
Link to guidance document: pr21061a.pdf (fdic.gov)
Scope (p 11) – A third-party relationship is “any business arrangement between a banking organization and another entity, by contract or otherwise.” The term “business arrangements” is meant to be interpreted broadly to enable banking organizations to identify all third-party relationships for which the proposed guidance is relevant. Neither a written contract nor a monetary exchange is necessary to establish a business arrangement.
Examples outside the traditional definition of VENDOR
- Independent consultants
- Subcontractors
- Networking arrangements
- Merchant payment processing services
- Services provided by affiliates & subsidiaries
- Joint ventures
- Business arrangements in which the financial institution has an ongoing relationship or may have responsibility for records
Where do I find it all?
| Area | What to ask or do |
|---|---|
| Accounts Payable | Conduct periodic assessments between AP and Vendor inventories |
| BCM | What and who is identified in the BIA documentation? |
| IT/App Management | Apps are considered software – what external services are in use? |
| IT/Change Management | Change Mgmt is often the first to know when there will be a shift in the environment – what can they share? |
| IT/Cloud | Cloud managers are responsible for maintaining Cloud controls – who are they working with on the outside? |
| IT/Help Desk | What tracking & ticketing tools is the Help Desk using? Anything external? |
| Facilities | What tracking & ticketing tools is Facilities using? Anything external? |
| Legal | What contracts/agreements is Legal working on? |
| Sales Teams | What Sales efforts are underway? Is an outside institution providing services? |
| Project Management | What projects are underway? Do they involve an outside service provider? |
| Strategy Management | What Strategy efforts are underway? Do they involve an outside institution? |
| Building Owner/Landlord | What outside systems & service providers does the landlord require? |
- Find partners in the above areas (and any other helpful teams in your institution). Once these SMEs understand what you are looking for, they will come to you.
- Always end conversations with “Is there anything or anyone else I should contact?”
- Document and save evidence for EVERYTHING – if it's not written down, it doesn't count.
- Update your policy and procedure documentation to reflect your ongoing reconciliation efforts.
While you may never have every vendor on the inventory 24/7, conducting periodic investigations with your SMEs demonstrates the depth and maturity of your Third Party program.
Fortrex can help you execute your third party risk management program successfully. Please contact us to discuss.