Managing Third-Party Risks

By Eric Pulse

August 16, 2016

With the expansion of cloud computing and other third-party services to financial institutions, renewed emphasis is being placed on vendor management activities within financial institutions.

The Gramm-Leach-Bliley Act (1999) has long called for vendor management oversight as part of a comprehensive Information Security Program, and the FDIC originally released publications relative to managing outsourcing relationships back in 2001. Just recently, the FDIC re-issued three publications covering the management of third-party relationships, including:

  • Effective Practices for Selecting a Service Provider
  • Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
  • Techniques for Managing Multiple Service Providers

Interestingly, these publications were re-issued without any modifications, indicating that, while expectations remain unchanged, regulators likely expect financial institutions to already have sufficient processes in place to meet the guidance.

Guidance for Managing Third-Party Risk (FIL-44-2008)
As stated in FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008), “Financial institutions often rely upon third parties to perform a wide variety of services and other activities. An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

As such, that guidance places emphasis on management to develop processes relative to four basic elements of “an effective third-party risk management program.” Those elements are highlighted below along with a brief description.

1. Risk Assessment
This is a formal process to address the risks, security controls, and procedures needed to ensure vendors are capable of maintaining appropriate safeguards to protect information and information resources. During the risk assessment, the following items should also be considered and/or obtained:

  • Business goals and objectives that match those of the institution
  • A detailed description of the services or product being provided
  • Performance standards and reporting requirements

Each vendor relationship should be analyzed to determine how critical the services or product are to the institution’s operations, the sensitivity of the information that is shared, and the volume of information that can be accessed.

Management should maintain all documents and assessments performed on the third-party vendor during the risk assessment process.

2. Due Diligence in Selecting a Third Party
Evaluate third parties thoroughly before selecting one as a vendor. This includes reviewing all available information, including audited financial statements, experience, reputation, internal controls and more.

3. Contract Structuring and Review
Topics to consider for contracts will depend on the scope of the service, but common topics to address include pricing, performance standards, confidentiality and security, ownership of data, right to audit, and dispute resolution. The weight given to each topic depends on the nature and significance of the third-party relationship.

4. Oversight
On at least an annual basis, management should monitor the performance of each critical third-party vendor. Monitoring should include, as appropriate, the third party’s financial condition and insurance coverage, licensing, compliance, personnel changes, and the overall effectiveness of the relationship.
