With the expansion of cloud computing and other third-party services to financial institutions, renewed emphasis is being placed on vendor management activities within financial institutions.
The Gramm-Leach-Bliley Act (1999) has long called for vendor management oversight as part of a comprehensive Information Security Program, and the FDIC originally released publications relative to managing outsourcing relationships back in 2001. Just recently, the FDIC re-issued three publications covering the management of third-party relationships, including:
Interestingly, these publications were released without any modifications, indicating that, while expectations remain unchanged, regulators likely expect financial institutions have sufficient processes in place to meet the guidance.
Guidance for Managing Third-Party Risk (FIL-44-2008)
As stated in FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008), “Financial institutions often rely upon third parties to perform a wide variety of services and other activities. An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”
As such, that guidance places emphasis on management to develop processes relative to four basic elements of “an effective third-party risk management program.” Those elements are highlighted below along with a brief description.
1. Risk Assessment
This is a formal process to address the risks, security controls, and procedures to ensure vendors are capable of maintaining appropriate safeguards to protect information and information resources. Also during the risk assessment, the following items should be considered and/or obtained:
Each vendor relationship should be analyzed to determine how critical the services or product is to the institution’s operations, the sensitivity of information that is shared, and the volume of information that can be accessed.
Management should maintain all documents and assessments performed on the third-party vendor during the risk assessment process.
2. Due Diligence in Selecting a Third Party
Evaluate third parties thoroughly before selecting one as a vendor. This includes looking at all available information, including audited financial statements, experience, reputation, internal controls and more.
3. Contract Structuring and Review
Topics to consider for contracts will depend on the scope of the service, but common topics to discuss include pricing, performance standards, confidentiality and security, ownership of data, right to audit and dispute resolution. Each topic is dependent upon the nature and significance of the third-party relationship.
On at least an annual basis, management should monitor the performance of each critical third-party vendor. Monitoring should include, as appropriate, a number of items including the third party’s financial condition and insurance coverage, licensing, compliance, personnel changes and the effectiveness of the relationship.