Insights: Article

Managing Third-Party Risks

By Eric Pulse

August 16, 2016

With the expansion of cloud computing and other third-party services to financial institutions, renewed emphasis is being placed on vendor management activities within financial institutions.

The Gramm-Leach-Bliley Act (1999) has long called for vendor management oversight as part of a comprehensive Information Security Program, and the FDIC originally released publications relative to managing outsourcing relationships back in 2001. Just recently, the FDIC re-issued three publications covering the management of third-party relationships, including:

  • Effective Practices for Selecting a Service Provider
  • Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
  • Techniques for Managing Multiple Service Providers

Interestingly, these publications were released without any modifications, indicating that, while expectations remain unchanged, regulators likely expect financial institutions have sufficient processes in place to meet the guidance.

Guidance for Managing Third-Party Risk (FIL-44-2008)
As stated in FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008), “Financial institutions often rely upon third parties to perform a wide variety of services and other activities. An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

As such, that guidance places emphasis on management to develop processes relative to four basic elements of “an effective third-party risk management program.” Those elements are highlighted below along with a brief description.

1. Risk Assessment
This is a formal process to address the risks, security controls, and procedures to ensure vendors are capable of maintaining appropriate safeguards to protect information and information resources. Also during the risk assessment, the following items should be considered and/or obtained:

  • Business goals and objectives match the institution
  • Detailed description of services/product being performed
  • Performance standards and reporting

Each vendor relationship should be analyzed to determine how critical the services or product is to the institution’s operations, the sensitivity of information that is shared, and the volume of information that can be accessed.

Management should maintain all documents and assessments performed on the third-party vendor during the risk assessment process.

2. Due Diligence in Selecting a Third Party
Evaluate third parties thoroughly before selecting one as a vendor. This includes looking at all available information, including audited financial statements, experience, reputation, internal controls and more.

3. Contract Structuring and Review
Topics to consider for contracts will depend on the scope of the service, but common topics to discuss include pricing, performance standards, confidentiality and security, ownership of data, right to audit and dispute resolution. Each topic is dependent upon the nature and significance of the third-party relationship.

4. Oversight
On at least an annual basis, management should monitor the performance of each critical third-party vendor. Monitoring should include, as appropriate, a number of items including the third party’s financial condition and insurance coverage, licensing, compliance, personnel changes and the effectiveness of the relationship.

Latest Insights

January 18, 2019
While having your audit team onsite can be stressful, there are certain steps you can take to reduce that stress and make the most of your audit.
January 17, 2019
In this installment of our Common Single Audit Findings and Remediation Series, we discuss the three distinct parts that make up Requirement “G.”
January 17, 2019
Here’s a list of what the IRS is and isn’t doing as the  partial government shutdown rolls on.
January 17, 2019
Eide Bailly recently sat down with Bill Stovall, CEO of Community National Bank in Texas, to hear his thoughts on the current state of the banking industry.
January 15, 2019
The back and forth on tariffs is wreaking havoc for many businesses. Here’s what you can do to help ease the pain.
January 15, 2019
If you are a farmer who sold to a cooperative in 2018, you will need to provide additional information if you’re looking to take advantage of deductions this tax season.