Insights: Article

Managing Third-Party Risks

By Eric Pulse

August 16, 2016

With the expansion of cloud computing and other third-party services to financial institutions, renewed emphasis is being placed on vendor management activities within financial institutions.

The Gramm-Leach-Bliley Act (1999) has long called for vendor management oversight as part of a comprehensive Information Security Program, and the FDIC originally released publications relative to managing outsourcing relationships back in 2001. Just recently, the FDIC re-issued three publications covering the management of third-party relationships, including:

  • Effective Practices for Selecting a Service Provider
  • Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
  • Techniques for Managing Multiple Service Providers

Interestingly, these publications were released without any modifications, indicating that, while expectations remain unchanged, regulators likely expect financial institutions have sufficient processes in place to meet the guidance.

Guidance for Managing Third-Party Risk (FIL-44-2008)
As stated in FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008), “Financial institutions often rely upon third parties to perform a wide variety of services and other activities. An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

As such, that guidance places emphasis on management to develop processes relative to four basic elements of “an effective third-party risk management program.” Those elements are highlighted below along with a brief description.

1. Risk Assessment
This is a formal process to address the risks, security controls, and procedures to ensure vendors are capable of maintaining appropriate safeguards to protect information and information resources. Also during the risk assessment, the following items should be considered and/or obtained:

  • Business goals and objectives match the institution
  • Detailed description of services/product being performed
  • Performance standards and reporting

Each vendor relationship should be analyzed to determine how critical the services or product is to the institution’s operations, the sensitivity of information that is shared, and the volume of information that can be accessed.

Management should maintain all documents and assessments performed on the third-party vendor during the risk assessment process.

2. Due Diligence in Selecting a Third Party
Evaluate third parties thoroughly before selecting one as a vendor. This includes looking at all available information, including audited financial statements, experience, reputation, internal controls and more.

3. Contract Structuring and Review
Topics to consider for contracts will depend on the scope of the service, but common topics to discuss include pricing, performance standards, confidentiality and security, ownership of data, right to audit and dispute resolution. Each topic is dependent upon the nature and significance of the third-party relationship.

4. Oversight
On at least an annual basis, management should monitor the performance of each critical third-party vendor. Monitoring should include, as appropriate, a number of items including the third party’s financial condition and insurance coverage, licensing, compliance, personnel changes and the effectiveness of the relationship.

Latest Insights

November 16, 2018
If your business sells or operates in more than one state, it’s important to understand the concept of nexus. Depending on how you’re earning revenue, having nexus could impose a variety of taxes, which vary state to state. Learn more in our…
November 15, 2018
Until recently, many businesses weren’t overly concerned about sales tax. They knew they needed to collect and remit in the state in which they resided, but beyond that, their compliance burden was limited.
November 12, 2018
This insight explores what dealerships can expect from the proposed section 199A regulations under tax reform.
November 8, 2018
Are you a business taxpayer with annual gross receipts of $25 Million or less? If so, you may be eligible to take advantage of new Small Taxpayer Safe Harbors that could generate significant tax savings and simplify your tax returns in future years!
November 8, 2018
Considered the most significant tax code overhaul in over three decades, the Tax Cuts and Jobs Act passed in 2017 includes provisions affecting both individuals and businesses.
November 7, 2018
Recorded Webinar
State and local sales tax compliance is always evolving, making it important to stay up-to-date on changes affecting your tax liability and responsibilities. This session will cover what you need to know regarding the recently enacted state and…
November 7, 2018
“Why is my portfolio underperforming the market?” This question may be on your mind.
November 5, 2018
Identify your implementation methodology. There are four practical expedients available. We'll explore each option.
November 5, 2018
Deeper dive into ASU 2016 liquidity.