Vendor Risk Management
Despite the benefits of hiring outside parties, such engagements may introduce new risks or increase existing risks for financial institutions. Some risks are inherent in the outsourced activity; others are introduced by adding a third party to an already complex process. If not managed effectively, the use of third parties may expose the financial institution to risks that can result in regulatory action, financial loss, litigation, and loss of reputation.
Financial institutions are required to establish a risk management process to effectively manage risks that may occur throughout the relationship with the third party. An effective third party (vendor) risk management program includes the following phases:
Critical Third Party Vendor Risks are associated with core business functions, significant shared services, and activities posing significant risk to customers. Third party risk includes material financial loss to the financial institution or significant operational disruption due to the additional time or expense of executing business continuity plans and recovering the business function. Critical risks include:
- Disclosure of sensitive information likely to cause significant negative impact to a number of customers and/or employees;
- Loss of customer confidence;
- Disruption to the financial institution’s ability to access material sources of liquidity;
- Significant financial loss through disruption of material revenue streams;
- Significant additional expenses or diversion of significant internal resources to execute contingency plans or to transfer the business activity from one third party vendor to another or in-house; and
- Significant risk for regulatory action.
- Critical Risk Third Party Vendors require the highest level of planning, due diligence, contract review, ongoing monitoring, and contingency planning, as well as senior management or Board supervision at each phase of the Third Party Vendor Life Cycle.
- High Risk Third Party Vendors require the same level of scrutiny by senior management, on a case by case basis, as critical third parties, and warrant special ongoing monitoring attention to determine whether the activities with the vendor are trending, through additional products and services, toward critical third party vendor status.
- Moderate Risk Third Party Vendors require a standard level of planning, due diligence, contract review, ongoing monitoring, and contingency planning.
- Low Risk Third Party Vendors represent a limited level of risk to the financial institution from both a business operations and risk perspective; typically low risk third party vendors have no access to customer information.
- Minimal Risk Third Party Vendors represent a de minimis risk to a financial institution by the products and services they provide. Financial institutions using data from their accounts payable system will develop filtering methods for removing these vendors from the risk review population.
Typically, financial institutions gather information about their third party vendors using a Vendor Risk Software Application. Such an application uses questionnaires or surveys to help determine the inherent risk level associated with the vendor, and may also include an assessment of the vendor's products and services and of the country risk associated with doing business with the vendor in a foreign country.
The Vendor Risk Management Review process requires experts in multiple areas to review the policies, procedures and processes of the Third Party Vendor. A thorough review of the vendor includes:
- Financial Review
- Review of the Third Party's Insurance Certificates
- Products and Services Risk Review
- Information Security Review
  - Policies and Procedures
  - SIG Lite or SIG Full
  - SSAE-16 (Test of the Information Security Controls)
  - Penetration Test
  - Secure Coding Standards
  - Network Architecture
  - Application Architecture
  - PCI Compliance
- Privacy Policies and Procedures
- Onsite and Physical Security Review
- Business Continuity Review
  - Business Continuity Plan
  - Business Continuity Questionnaire
  - Test Results
- Country Risk Review
- Regulatory Review
  - Consumer Complaint Management
  - BSA/AML Payment Transaction Review
  - Other Third Party specific regulations