Vendor Risk Assessment & Review

Partnership is the name of the game. How well do you know yours?

Banks, Fintechs, Regulators, oh my! The future of the financial world is a partnership-based ecosystem. Knowing who your partners are (and what risks they bring) is vital.

A risk assessment can help evaluate your level of exposure, investment and dependency, assigning a risk rating to each vendor. Higher-risk vendors deserve additional scrutiny in terms of performance, consumer protection compliance, contract content, financial stability, internal controls and business continuity planning.

Before you sign:

New Vendor Due Diligence

Risk Assessment

A risk assessment to evaluate the criticality and complexity of the services. Risks to be evaluated will include:

  • Function Risk, based on the criticality of the service to Bank operations and the sensitivity of the information to which the vendor will have exposure
  • Service Provider Risk, based on the strength of the vendor's financial condition, staff experience and turnover, business continuity processes, whether or not the vendor is governed by law or a professional code of conduct, and other factors
  • Technology Risk, based on factors such as reliability, security, and scalability

Due Diligence

A review of prospective vendors should include the following, based on risk:

  • Coverage of written contract and/or agreement and SLAs
  • Financial statements
  • Report of internal controls (SSAE 16/18, SOC, or other independent audit of security controls)
  • Vendor background, e.g., executive bios, customer complaints, legal or regulatory actions
  • Policies and practices for hiring, BCP, vendor management of subcontractors, information security, incident response, change management, etc.

Existing Vendors:

Assessing Risk

Risk Assessment

A risk assessment and review of the Bank’s third party vendors will include:

  • Level of exposure to customer information along with the sensitivity of that information, including remote access ability
  • Volume of customer transactions related to the vendor’s product and/or service
  • Bank’s investment in the products or services
  • Bank’s operational dependency on the service
  • Vendor’s own third-party dependency
  • Vendor requirements for independent audit and/or review
  • Foreign-based status
  • Cloud-based technology

Vendor Review

The vendor review includes evaluation of, at minimum, each high-risk vendor in the following key areas:

  • Service level performance, according to the opinion of the Bank
  • Consumer protection compliance, according to Bank experience and/or online resources
  • Content of written contract and/or agreement
  • Financial statements, in order to assess financial performance and stability with regard to return on equity, return on assets, and, at minimum, a three-year history of revenue and net income
  • Report of internal controls (SSAE 16/18 or other information security audit results)
  • Provider’s business continuity planning and testing and third-party oversight efforts as applicable
  • Report of examination (as applicable)
  • Alignment of vendor contracts with the Bank’s current environment, according to the opinion of the Bank

Ready to get started?
Please contact Tom Layman, Managing Partner, Risk Management:

(501) 374-2600

tlayman@ddfconsulting.com
