Insights: Article

Managing Third-Party Risks

By   Eric Pulse

August 16, 2016

With the expansion of cloud computing and other third-party services to financial institutions, renewed emphasis is being placed on vendor management activities within financial institutions.

The Gramm-Leach-Bliley Act (1999) has long called for vendor management oversight as part of a comprehensive Information Security Program, and the FDIC originally released publications relative to managing outsourcing relationships back in 2001. Just recently, the FDIC re-issued three publications covering the management of third-party relationships, including:

  • Effective Practices for Selecting a Service Provider
  • Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
  • Techniques for Managing Multiple Service Providers

Interestingly, these publications were released without any modifications, indicating that, while expectations remain unchanged, regulators likely expect financial institutions have sufficient processes in place to meet the guidance.

Guidance for Managing Third-Party Risk (FIL-44-2008)
As stated in FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008), “Financial institutions often rely upon third parties to perform a wide variety of services and other activities. An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

As such, that guidance places emphasis on management to develop processes relative to four basic elements of “an effective third-party risk management program.” Those elements are highlighted below along with a brief description.

1. Risk Assessment
This is a formal process to address the risks, security controls, and procedures to ensure vendors are capable of maintaining appropriate safeguards to protect information and information resources. Also during the risk assessment, the following items should be considered and/or obtained:

  • Business goals and objectives match the institution
  • Detailed description of services/product being performed
  • Performance standards and reporting

Each vendor relationship should be analyzed to determine how critical the services or product is to the institution’s operations, the sensitivity of information that is shared, and the volume of information that can be accessed.

Management should maintain all documents and assessments performed on the third-party vendor during the risk assessment process.

2. Due Diligence in Selecting a Third Party
Evaluate third parties thoroughly before selecting one as a vendor. This includes looking at all available information, including audited financial statements, experience, reputation, internal controls and more.

3. Contract Structuring and Review
Topics to consider for contracts will depend on the scope of the service, but common topics to discuss include pricing, performance standards, confidentiality and security, ownership of data, right to audit and dispute resolution. Each topic is dependent upon the nature and significance of the third-party relationship.

4. Oversight
On at least an annual basis, management should monitor the performance of each critical third-party vendor. Monitoring should include, as appropriate, a number of items including the third party’s financial condition and insurance coverage, licensing, compliance, personnel changes and the effectiveness of the relationship.

Latest Insights

July 13, 2018
Here are some idea for giving your new hire a smooth start into your business and alleviating stress for you.
July 13, 2018
The impact of the recent SCOTUS Wayfair decision will continue to have a ripple effect on businesses and state sales tax compliance.
July 9, 2018
The revenue cycle is a complex system and we have historically given much attention to the front-end and back-end while oftentimes leaving the middle functions of the cycle neglected.
July 3, 2018
FASB Accounting Standards Codification Topic 606, Revenue from Contracts with Customers, provides a 5-step framework for determining revenue recognition.
July 2, 2018
As part of the Tax Reform Act of 1986, the “Kiddie tax,” a taxing regime designed to make the transfer of income items by wealthy parents to lower tax paying children less attractive, was implemented.
July 2, 2018
When it comes to your employees, you likely conducted interviews on them when you first hired them.
July 2, 2018
Nearly ten years after the release of the initial exposure draft, FASB issued ASU 2016-02, Leases - The standard may have been issued, but the conversation about this re-write of legacy guidance has not slowed.
June 29, 2018
Banks look at three broad categories when considering small business financing: business cash flow, personal financial strength, and collateral value.
June 28, 2018
You need to be cautious when entering into a bartering relationship and remember to track everything and the key to accounting for bartering is making sure you still record the income earned and expenses incurred.