Vendor Risk Assessment & Review
Partnership is the name of the game. How well do you know yours?
Banks, Fintechs, Regulators, oh my! The future of the financial world is a partnership-based ecosystem. Knowing who your partners are (and what risks they bring) is vital.
A risk assessment can help evaluate your level of exposure, investment and dependency, assigning a risk rating to each vendor. Higher-risk vendors deserve additional scrutiny in terms of performance, consumer protection compliance, contract content, financial stability, internal controls and business continuity planning.
Before you sign:
New Vendor Due Diligence
A risk assessment to evaluate the criticality and complexity of the services. Risks to be evaluated will include:
- Function Risk, based on the criticality of the service to Bank operations and the sensitivity of the information to which the vendor will have exposure
- Service Provider Risk, based on strength of financial condition, staff experience and turnover, business continuity processes, whether or not the vendor is governed by law or a professional code of conduct, and other factors
- Technology Risk, based on factors such as reliability, security, and scalability
A review of prospective vendors should include the following, based on risk:
- Coverage of written contract and/or agreement and SLAs
- Financial statements
- Report of internal controls (SSAE 16/18, SOC, or other independent audit of security controls)
- Vendor background, e.g., executive bios, customer complaints, legal or regulatory actions
- Policies and practices for hiring, BCP, vendor management of subcontractors, information security, incident response, change management, etc.
A risk assessment and review of the Bank’s third party vendors will include:
- Level of exposure to customer information along with the sensitivity of that information, including remote access ability
- Volume of customer transactions related to the vendor’s product and/or service
- Bank’s investment in the products or services
- Bank’s operational dependency on the service
- Vendor’s own third-party dependency
- Vendor requirements for independent audit and/or review
- Foreign-based status
- Cloud-based technology
The vendor review includes evaluation of, at minimum, each high-risk vendor in the following key areas:
- Service level performance, according to the opinion of the Bank
- Consumer protection compliance, according to Bank experience and/or online resources
- Content of written contract and/or agreement
- Financial statements, in order to assess financial performance and stability with regard to return on equity, return on assets, and, at minimum, a three-year history of revenue and net income
- Report of internal controls (SSAE 16/18 or other information security audit results)
- Provider’s business continuity planning and testing and third-party oversight efforts as applicable
- Report of examination (as applicable)
- Alignment of vendor contracts with the Bank’s current environment, according to the opinion of the Bank
Ready to get started?
Please contact Tom Layman, Managing Partner, Risk Management: