It’s that time of year – prepping budgets for the upcoming calendar year. As you think about your resource allocation, consider outsourcing as an alternative to increasing staff to complete your due diligence review.
Organizations often have very few employees working in vendor management, leading to heavy workloads. Manually tracking, monitoring, and reviewing vendors assumes vast amounts of time and resources. About half of financial organizations do not utilize an automated vendor management platform for tracking and assessing vendors. Adopting an automated vendor management system not only allows organizations to become proactive while easily staying on top of due diligence, but also delivers insight into the effectiveness of your compliance strategy.
By now, many organizations have begun to receive control audit reports covering 2017 (SOC1/SSAE18 and SOC2). One element of note is the emergence of subservice organizations, or fourth parties, in reports generated after May 1, 2017.
It is interesting to see the reveal of underlying providers (fourth parties) within the updated reporting formats. While these new formats intentionally define what is being performed by contracted fourth parties, the disclosure of who is performing these efforts is often not as revealing as we expected or hoped. At times, there is a fog placed on the identities of fourth parties; phrases like "industry-recognized third party" or "subservice organization" are inserted in place of the names of the companies your vendors have outsourced responsibilities to.
New tax plan is enabling many banks to invest in technology that helps them be more competitive. Vendor management is leading the way.
At this year's ABA National Conference for Community Bankers (NCCB), ABA President Rob Nichols discussed how banks are already spending based on savings they'll see under the new tax plan. According to ABA polling, banks are reinvesting their projected tax savings in their employees, customer growth, philanthropic activities, and technology to help them gain a competitive edge. This is going to put pressure on other banks to invest or get left behind.
New Year, Same Story
The Office of the Comptroller of the Currency’s (OCC) Committee on Bank Supervision (CBS) released its annual operating plan setting forth the agency’s supervision priorities and objectives for the fiscal year (FY) 2018 (October 1, 2017 to September 30, 2018). You can find a direct link to the operating plan at the bottom of this post.
New year, new focus right? New priorities. New objectives. Well… not exactly.
If you’re familiar with the OCC’s past FY operating plans, it’s likely that you will experience déjà vu reading through the OCC’s FY 2018 operating plan. But just because this plan echoes prior years doesn’t mean it should be disregarded. The OCC hasn’t much shifted its focus or priorities, and that means we shouldn’t either.
Once again, if risk management is the target, third party relationships are at the bullseye.
The Midsize and Community Bank Supervision (MCBS) Department for FY 2018 is focused on operational risk. This means assessing information security, data protection, and third party risk management including risks associated with third party relationships (as defined in the OCC’s Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance”). Specifically, examiners will be evaluating bank management’s plans to respond to increasing operational risk as a result of third party relationships, including outsourcing providers.
Furthermore, midsize and community banks will be assessed on enterprise data governance, including vendor and third party management, which typically influences systems capacity, testing, security, sharing, monitoring, and retention.
One piece of the operating plan that is particularly interesting is the section about service providers… particularly their pending evaluation of interconnectivity and third party risk management. This means that while your bank is being assessed on third party vendor risk management, your third party vendors will be assessed on their third party vendor relationships (aka, your fourth party vendor relationships). This is likely in response to the SSAE 18 standard for fourth party vendor relationships that went into effect May 1, 2017.
This much is certain: the OCC has and continues to express concern for interconnectivity and interdependency of third party vendor relationships. Banks will need to demonstrate a resilient and well-defined program for identifying, assessing, and managing third and fourth party risk. They will need to be aware and proactively working to prevent any gaps in the planning, due diligence, oversight, and control of their vendor relationships.
FY 2018’s operating plan priorities and focus might not be too different from past years, but that means that if your bank’s vendor management program has slid under the OCC’s radar in past years, 2018 is the year to tighten up your vendor management program before they (inevitably) do come knocking. The best way to ensure you’re in compliance with the latest regulatory guidance? A professional, automated vendor management solution.
VendorInsight® helps banks by providing a centralized, easy to use platform for all of your vendor management needs. We give you the tools to help automate your vendor management process and strengthen your program. VendorInsight® due diligence services provide annual updates to your SSAE18/SOC reviews, financial reviews, OFAC verifications and more.
To talk with a VendorInsight® team member about how we can help strengthen your vendor management program in preparation for the OCC’s 2018 examination priorities, follow the link below:
"Financial institutions are upping their investments in change programs, and experts say credit unions that ignore this trend could be left in the competitive dust."
Our very own Jay Fitzhugh, VRM Pro Director and Chief Regulatory Advisor for VendorInsight, was interviewed by Credit Union Times Magazine for an article titled "Pouring Money Into Change Programs." Jay was sought for his insight stemming from over 20 years working in the financial world.
To see the full article to read what he has to say about change programs for credit unions, follow the link below:
Single Sign-On (SSO) is a service that allows users to need only a single set of login credentials (username and password) to access multiple applications during their session. The goal of SSO is to minimize the number of times a user has to log in at various websites or applications by having the user manually log in at one site or application (called the identity provider or IdP), and then being automatically logged in, without having to provide credentials, at one or more other sites or applications (called service providers or SPs).
In addition to streamlining the user’s working experience, SSO is also helpful on the back end with monitoring user accounts and providing a log of user activities.
There are two single sign-on flows supported by the Security Assertion Markup Language (SAML) v2.0: IdP-initiated SSO and SP-initiated SSO. In IdP-initiated SSO, the user starts at the IdP site, logs in, and clicks a link to the SP site which then initiates SSO.
In the SP-initiated SSO, the user starts at the service provider site and, rather than logging in at the SP site, SSO is initiated with the IdP (as long as the user is already authenticated at the IdP--if they are not, then the user will have to enter their credentials).
At the end of a user’s session, there are two types of single logout flows that can occur: IdP-initiated and SP-initiated. Again, with IdP-initiated single logout (SLO), the user will start at the IdP site and click a link to log out, effectively logging the user out of every SP site to which there is an SSO session as well.
In SP-initiated SLO, the user will again begin at the service provider site. The user will click a link to log out of the IdP site, and effectively also be logged out of every SP site to which there is an SSO session.
While single sign-on is a highly sought service by users due to the great convenience it provides, organizations should also pay attention to the risk it can create to enterprise security. If an attacker gains control of a user’s SSO credentials, they’ll have access to all of the SP sites and applications that user has permission to, increasing the amount of damage they can inflict. It is imperative that a relationship of trust exists between the identity provider and the service providers. Service providers must trust that the identity provider has authenticated the user.
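The trust relationship described above is enforced on the service-provider side by checking the SAML Response it receives. The following is an added example, not VendorInsight's code: it shows the checks an SP applies before accepting an assertion, and how the two flows differ (an SP-initiated Response carries InResponseTo naming the SP's own AuthnRequest; an IdP-initiated one does not). Entity IDs, timestamps and the sample Response are constructed, and signature verification is only stubbed as a presence check.

```python
# Minimal service-provider-side checks on a SAML 2.0 Response (added example).
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed identifiers and clock for this example (placeholders, not a real deployment).
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
TRUSTED_IDP = "https://idp.example.test/saml/idp"
NOW = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)


def _parse_time(value):
    # SAML timestamps are ISO 8601 in UTC, e.g. 2024-01-01T12:00:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, outstanding_requests, now,
                      allow_idp_initiated=False, skew=timedelta(seconds=60)):
    """Return (accepted, reason_or_nameid).

    outstanding_requests: set of AuthnRequest IDs this SP issued and has not yet
    seen answered; a matching ID is consumed so the same Response cannot be replayed.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"

    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        return False, "issuer is not the trusted IdP"

    # SP-initiated vs IdP-initiated shows up here: an SP-initiated Response carries
    # InResponseTo naming the AuthnRequest the SP sent; an unsolicited (IdP-initiated)
    # Response has none, and the SP must decide explicitly whether to accept those.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_idp_initiated:
            return False, "unsolicited (IdP-initiated) Response not allowed"
    elif in_response_to not in outstanding_requests:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    else:
        outstanding_requests.discard(in_response_to)

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    assertion = assertions[0]

    # The SP's trust in the IdP rests on the XML signature. This example only checks
    # that one is present; a real SP must verify it against the IdP's certificate
    # (e.g. with an xmlsec library), which is out of scope here.
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        return False, "Response/Assertion is not signed"

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "Assertion has no Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_time(not_before):
        return False, "Assertion not yet valid"
    if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
        return False, "Assertion has expired"

    # AudienceRestriction stops an assertion minted for one SP being replayed at another.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "Assertion is not addressed to this SP"

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "Assertion has no Subject NameID"
    return True, name_id


def sample_response(in_response_to=None, audience=SP_ENTITY_ID,
                    not_on_or_after="2024-01-01T12:10:00Z", signed=True):
    """Build a constructed sample Response (the Signature element is a placeholder)."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"%s>'
        "<saml:Issuer>%s</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>%s</saml:Issuer>%s'
        "<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>"
        '<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="%s">'
        "<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], irt, TRUSTED_IDP, SUCCESS, TRUSTED_IDP, sig,
         not_on_or_after, audience)


if __name__ == "__main__":
    pending = {"_req1"}
    print(validate_response(sample_response("_req1"), pending, NOW))   # SP-initiated, accepted
    print(validate_response(sample_response("_req1"), pending, NOW))   # replay, rejected
    print(validate_response(sample_response(), set(), NOW))            # unsolicited, rejected
```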
VendorInsight supports single sign-on via the SAML v2.0 Assertions, Protocol, Binding and Profiles as defined by the OASIS standard. For more detailed information please refer to the SAML v2.0 specification documents at www.oasisopen.org.
To learn more about this feature and how it works within the VendorInsight risk management software, please contact a team member using the link below and we will follow up with you as soon as possible.
Remember the FFIEC’s 2015 Appendix J addition to the Examination Handbook? The addition covered business continuity planning for your technology service providers (TSPs). Appendix J presented a new standard for TSP contractual requirements—its purpose to strengthen the resilience of outsourced technology services—which regulators expected financial institutions to adopt and implement moving forward.
Moving ahead to 2017, two years after the introduction of Appendix J, regulators performed an evaluation of TSP contracts as they pertain to the third party vendor management responsibilities for insured and supervised financial institutions. The evaluation, which sought to determine the effectiveness of the prior guidance in altering TSP contract terms, focused on cybersecurity readiness and responsibility, and the use of subcontractors (aka your fourth parties).
In response to the findings of their evaluation, the Office of the Inspector General (IG) of the FDIC issued EVAL-17-004. According to the report, the IG, “did not see evidence, in the form of risk assessments of contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that TSPs may have on the FI’s ability to manage its own business continuity planning and incident response and reporting operations.”
The report went on…
“Typically, FI contracts with TSPs did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights. Contracts also did not sufficiently define key terminology related to business continuity and incident response.”
This is not the outcome any of us would have expected.
As a result, the FDIC Inspector General has laid out a few recommendations. First, the Division of Risk Management Supervision (RMS) of the FDIC must communicate to FIs the importance of fully considering and assessing the risks that TSPs present. FIs must ensure that contracts with TSPs include specific and detailed provisions that address FI-identified risks and protect FI interests. And finally, FIs must clearly define key contract terms that would be important in understanding FI and TSP rights and responsibilities.
In the meantime, it may be wise for your organization to revisit and freshen up on the 2015 FFIEC Appendix J addition to the Examination Handbook, and be aware of the possible implications this report may have on future examinations.
In the wake of launching Procipient® ERM-GRC, our newest SaaS solution for banks and other financial institutions, we thought it valuable to take a moment and reflect on “why?” Why would CMPG, LLC, creator of VendorInsight® third and fourth party risk management software and BCPInsight business continuity software, decide to add an enterprise risk management and GRC software to their lineup?
CMPG, LLC was founded in 1998 as a performance consultancy firm for banks and other financial institutions. From inception to today, its mission hasn’t changed: the CMPG team exists to help bank executives and boards identify and implement significant improvements in the areas of non-interest expense, revenue, staffing and productivity, banking technology, and process improvements.
As a part of this mission, CMPG launched VendorInsight® in 2008 which was met with widespread adoption and acclaim—still occupying a top position in the industry nearly 10 years later as one of the most sophisticated and fully-featured software solutions available. And now, the CMPG team has heard the cry for an improvement to the way banks run their ERM programs—and their mission statement propels them to answer the call.
We sat down with some of the executive team members to bring you an inside look at the making of Procipient®, and why it matters now:
1. Why is the need for a new automated ERM-GRC solution significant right now, in 2017?
Grant Karnes (CEO): “Our ears are always open to our customers, regulators, and other industry professionals. The feedback we had been hearing boiled down to regulators putting pressure on financial institutions to take a comprehensive approach to managing their enterprise risk, and Chief Risk Officers feeling that all of their options for an ERM program were poorly designed and difficult to use. When Deloitte released their 2017 Extended Enterprise Risk Management Global Survey Report earlier this year, calling out Governance and Risk Management processes as being key areas where organizations are struggling, our team was already putting the finishing touches on our solution to the problem: Procipient® ERM-GRC.”
2. What sets Procipient apart from other SaaS solutions that have tried to accomplish the same goal?
Grant Karnes (CEO): “For one thing, our company is founded on the principle that customer satisfaction is equally important to having great software features. It doesn’t matter how powerful our reporting features are if we’ve made them too complicated for customers to fully utilize, so our team has worked very hard to live in that sweet spot where sophistication and simplicity meet. We conducted a soft launch of Procipient® in May 2017 to current VendorInsight® customers during our annual User Group Meeting, where it held up to the ease-of-use standard our customers have grown used to. Enterprise Risk Management and GRC truly are simplified with Procipient®.”
3. We use the words “simple” and “easy to use” a lot around here. How will Procipient® simplify Enterprise Risk Management?
Grant Karnes (CEO): “We know that many organizations are currently combining several different platforms in order to meet their Enterprise Risk Management needs, which was also indicated by over half of the respondents in Deloitte’s 2017 global survey. Procipient® addresses ERM needs at all angles with fully integrated and turnkey functionality. And because we know that every enterprise is unique, Procipient® can be fully customized and configured as well.”
Jay Fitzhugh (Chief Regulatory Advisor): “I would also add that we’ve redefined simple tangibly with the design and features of the software itself. Procipient® makes it easy to see, understand, and maintain data. When you see the Risk Matrix Filtering, which transcends all data and reporting views in Procipient®, you suddenly get it.”
In the end, Procipient® will be put to a multifaceted test. It must help Chief Risk Officers assess and oversee the management of their enterprise risk and compliance, and it has to be friendly enough to help users manage a lot of complex data in the system. Focusing on helping customers overcome the challenges of poor integration, data maintenance, and difficult user interfaces is what has made CMPG successful for nearly 20 years now. Procipient® and its thoughtful design will extend that legacy.
It really is possible! Sometimes it feels like there just isn’t enough time in the day to get everything done, and having to put something as important as vendor risk management on the back burner isn’t always a smart decision for you or your business. VendorInsight® offers a solution that enables you to put your focus on the tasks that need your attention while we enter, update, and manage all of your vendor records and risks.
The team at VendorInsight® has the resources to ensure you are always up-to-date on which contracts are going to expire, which vendors pose a risk to your business, and what the next steps are—without you ever having to ask. Our professional team will review all of your vendor documents and contracts before uploading them into our software system, giving you back valuable time to allow you to grow other areas of your business.
No other vendor risk management software is as advanced or experienced as VendorInsight®, so you can be sure that when you partner with us you are gaining a team of experts in the industry to help your business identify areas for improvement, and provide a seamless workflow platform.
Contact a VendorInsight® team member today to become a part of the strong VendorInsight® community.
We spent the beginning of last week at the American Bankers Association Risk Management Conference in Indianapolis, Indiana; this year’s theme: The Dynamics of Risk.
This is one of our favorite events to be a part of each year for a number of reasons. By now, we tend to see a lot of the same people who also make it a priority to attend year after year, and it’s always nice to catch up and watch how those relationships evolve. Second, as the event grows, we also get to meet a lot of new people each year, which is equally as fulfilling.
And finally, the ABA Risk Management Conference is uniquely designed around the topic we care most about—the full range of risks that face banks today and in the future. We love engaging in dialogue with other experts and learning ways we can innovate to anticipate the needs of our current and future customers.
There was a lot of knowledge and wisdom transferred last week, but for the sake of respecting your time, here are just a couple takeaways from the featured topics of discussion of the 2017 ABA Risk Management Conference:
A New ERM Framework
One of the most widely recognized and applied risk management frameworks across the world, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM-Integrated Framework, was originally developed in 2004 to provide guidance to boards and management. 13 years later, the landscape in which this guidance was created has evolved dramatically—risk discussions are increasingly prominent at the board level, stakeholders are seeking greater transparency, and all around the bar for ERM has risen—and now the COSO Framework is adapting. The proposed changes to the COSO ERM Framework will elevate discussions on strategy and enhance the focus on how entities create, preserve, and realize value in relationship to risk.
Annual Review Best Practices
Annual reviews should be performed to ensure that model owners are carrying out and regularly documenting appropriate performance testing for each model, as well as to identify any changes in performance, the environment, staff, etc., and to provide input for risk-reporting to management and the Board. To make the most out of your annual review, you should collaboratively leverage the ongoing roles of each line of defense by splitting the work among project managers, validators, and first line staff and have all necessary validation material ready to go before the process begins. It’s also a good idea to use a validation report template that can be filled in as the material arrives from various sources.
Thanks again to the ABA for another great event! To learn what VendorInsight® is doing to keep pace with the ever-shifting regulatory environment and the new waves of risk that your bank may be facing, follow the links below.
Vendor management has evolved over the past decade from contract management into a discipline focused on risk management and regulatory compliance, and the emerging challenge is keeping track of all the elements required to keep pace. You can no longer run an Excel or SharePoint solution from a server in the corner of the IT Department to get the job done. Vendor management requirements have grown too large and too widespread.
Vendor risk management, as defined by the FFIEC across a multitude of vendor analytical dimensions, was the first layer of complexity to be placed on top of traditional document repository contract management systems. Today’s fully-featured solutions have expanded upon this layer to include vendor news monitoring, vendor risk alerting, performance risk inclusive of SLA monitoring, the many facets of onboarding and ongoing due diligence review and risk assessment, complaint and social media monitoring, information and cyber security reviews, on-site evaluations, fourth-party risk review practices, and most recently, the newly unveiled concentration risk analysis.
The key to a successful vendor management program is in the quality of its tracking and documentation:
- What vendor documentation do you have?
- When does it need to be updated?
- What documentation have you reviewed?
- Where do you require added focus or should concern be raised?
- Who are you still waiting on to respond?
- What needs to be reported upward?
- How long has it been since last contact?
- How is the vendor performing against the contract?
- When does the contract renew and what are your options to terminate/renegotiate?
In our last blog post we shared the OCC’s Bulletin 2017-7, which outlines supplemental examination procedures for future regulatory exams—most notably the expanded focus on concentration risk. Today, we’ll take a quick look at why the OCC cares about dialing in the risk associated with geographical concentration of vendors (and perhaps more importantly, vendors’ vendors).
It’s no surprise that understanding the risks associated with your vendors is a much more complex process than it was 20 or even 10 years ago. Organizations not only have to evaluate their vendors, but also their vendors’ vendors (aka fourth-parties or subcontractors). This gets particularly tricky when it comes to concentration risk. For example: Let’s say your organization outsources critical business services to vendors A, B, and C, and those three vendors all outsource to a common vendor, D. If vendor D’s services become unavailable due to a data breach or other event, vendors A, B, and C may not be able to service your organization without disruption. In this scenario, your organization must bear the risk of vendor failure, breach, and regulatory penalties.
Historically, the approach to mitigating concentration risk was to simply ask vendors via a vendor risk assessment questionnaire to provide additional information on the vendors and third-party providers they work with. Unfortunately, as vendor management grows in size and complexity, this approach contains several flaws.
First, questionnaires can be extremely limited in their effectiveness. While commonplace, they rely too heavily on human assessment and calculation. They are also not easily verifiable, nor do they provide hard data; often, organizations must simply trust their vendors’ responses and hope they are accurate and true. The second issue with this approach is that your vendors may not even know all of their own vendors, or at least not to the extent you need in order to evaluate all potential risk.
Knowing all of this, it makes sense that the OCC would expand their examination focus on the validation of geographical concentration risk. We see this as an important next step for the evolution of industry best practices for vendor risk management, and we are already equipped and prepared for this increased focus with data management, analytics flexibility, and fourth-party tracking within our solutions and service offerings.
Loose documentation and voluntarily submitted information from vendors are inadequate methods of tracking, assessing and monitoring risk, and preparing for your next exam—especially when automated solutions exist that use data analytics to help you make educated decisions about vendor risk, and show examiners that every step along the way can be accounted for.
On January 24, 2017 the OCC published a bulletin with the subject, "Third-Party Relationships" followed by the description, "Supplemental Examination Procedures." Within the bulletin is a link to the actual supplemental examination procedures for future examinations (links to the OCC Bulletin 2017-7 and the supplemental exam procedures can be found at the bottom of this post).
The supplemental procedures document states,
“These procedures are designed to help examiners tailor the examinations of national banks and federal savings associations (collectively, banks) and determine the scope of the third-party risk management examination.”
The specificity as to an expanded focus on concentration risk is found under the heading "Quantity of Risk" on page four of the document, beneath “Objective: To determine the quantity of operational risk associated with the use of third parties."
Concentration Risk examination validation is detailed in the following passage and associated footnote:
“1. Determine whether there are any concentrations among third-party relationships.
• Review the bank’s methodology for identifying concentrations among third-party relationships
• Determine whether there are concentrations due to the bank’s reliance on a single third party for multiple activities, particularly when several of the activities are critical to one or more lines of business
• Determine whether there are geographic concentrations where the bank’s own operations, the operations of its third parties, or the operations of third parties’ subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.”
“(Footnote 7) Concentrations may arise when a bank relies on a single third party for multiple activities, particularly when several of the activities are critical to bank operations. Additionally, geographic concentrations can arise when a bank’s own operations, and that of its third parties and subcontractors, are located in the same region or are dependent on the same critical power and telecommunications infrastructures.”
The implication is clear: vendor management organizations have been given a new challenge. It should be no surprise that there is a required understanding of service concentration for a single vendor--the new piece being introduced here is how to validate geographical concentration. At VendorInsight®, we have developed our software with the capability to maintain data management and with analytics flexibility. We are currently working with our existing clients to detail and manage these new examination expectations. If you are not our client (yet), how are your providers addressing this just-announced expectation--and when? It is a fair question you should be asking.
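To make the three checks in the quoted procedure concrete, here is an added example (not VendorInsight's software and not code from the OCC) that runs them over a constructed vendor inventory modelled on the A, B, C and D scenario above. Vendor names, activities, regions and the "critical" flags are invented; the checks are single-vendor concentration, shared fourth parties, and geographic concentration across the bank, its third parties and their subcontractors.

```python
# Concentration-risk checks over a constructed vendor inventory (added example).
from collections import defaultdict

# Constructed sample data: third parties, the activities each performs for the bank
# (True = critical), where each operates, and its subcontractors (fourth parties).
BANK_REGION = "East Coast Hub"
VENDORS = {
    "A": {"activities": {"core processing": True, "statement printing": False},
          "region": "East Coast Hub", "subcontractors": ["D"]},
    "B": {"activities": {"online banking": True},
          "region": "Midwest Hub", "subcontractors": ["D"]},
    "C": {"activities": {"wire transfer": True, "ACH origination": True},
          "region": "East Coast Hub", "subcontractors": ["D", "E"]},
    "F": {"activities": {"office cleaning": False},
          "region": "Local", "subcontractors": []},
}
FOURTH_PARTIES = {"D": {"region": "East Coast Hub"}, "E": {"region": "West Coast Hub"}}


def critical_activities(vendor):
    """Sorted names of the activities this vendor performs that are flagged critical."""
    return sorted(a for a, crit in vendor["activities"].items() if crit)


def single_vendor_concentrations(vendors, min_critical=2):
    """Second bullet / footnote 7: one third party performing several critical activities."""
    return {name: critical_activities(v) for name, v in vendors.items()
            if len(critical_activities(v)) >= min_critical}


def shared_subcontractor_concentrations(vendors, min_vendors=2):
    """The A, B, C -> D case: a fourth party that several third parties depend on.

    Returns, per shared subcontractor, the vendors using it and every critical
    activity of the bank that would be disrupted if that subcontractor failed.
    """
    users = defaultdict(list)
    for name, v in sorted(vendors.items()):
        for sub in v["subcontractors"]:
            users[sub].append(name)
    result = {}
    for sub, names in users.items():
        if len(names) >= min_vendors:
            crit = sorted({a for n in names for a in critical_activities(vendors[n])})
            result[sub] = {"vendors": names, "critical_activities": crit}
    return result


def geographic_concentrations(vendors, fourth_parties, bank_region, min_parties=2):
    """Third bullet: bank, critical third parties and their subcontractors in one region.

    Vendors with no critical activity are skipped: their co-location does not
    threaten resilience. A region is flagged when two or more parties sit in it.
    """
    by_region = defaultdict(list)
    by_region[bank_region].append("bank")
    for name, v in sorted(vendors.items()):
        if not critical_activities(v):
            continue
        by_region[v["region"]].append(name)
        for sub in v["subcontractors"]:
            region = fourth_parties[sub]["region"]
            if sub not in by_region[region]:
                by_region[region].append(sub)
    return {r: parties for r, parties in by_region.items() if len(parties) >= min_parties}


def concentration_report(vendors, fourth_parties, bank_region):
    """Combine the three checks into one structure suitable for an exam work paper."""
    return {
        "single_vendor": single_vendor_concentrations(vendors),
        "shared_fourth_parties": shared_subcontractor_concentrations(vendors),
        "geographic": geographic_concentrations(vendors, fourth_parties, bank_region),
    }


if __name__ == "__main__":
    for check, findings in concentration_report(VENDORS, FOURTH_PARTIES, BANK_REGION).items():
        print(check, findings)
```

With the sample data, vendor C is flagged for two critical activities, D is flagged as the fourth party behind all of A, B and C, and the East Coast Hub region is flagged because the bank, A, C and D all sit there.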
As most know, what the OCC defines, many of the remaining regulators will follow or formally adopt.
VendorInsight®’s EVP Jay Fitzhugh was recently quoted in a story published by the ICBA’s Independent Banker Magazine. The story, titled Automating Oversight, explored how a vendor management software system could benefit community banks.
The author begins by acknowledging the limited resources and growing regulatory pressure that many community banks are facing—the same challenges that we hear from our own customers and prospects. Specifically, we’ve identified two common obstacles that many community banks struggle with when it comes to vendor management:
1. You feel like your Vendor Risk Management policy is being criticized by regulators because it has not been updated in recent years to reflect the growth of your bank
2. Your Vendor Risk Management program continues to be managed by one or two people—or—managed by individual business owners, and the management and monitoring of vendors is becoming increasingly overwhelming and unorganized as more and more vendors are added to your bank
While Jay’s feature in the Independent Banker story only touches upon a vendor management software system’s ability to manage staff requirements, costing less than a single employee and delivering the benefits and productivity improvements equivalent to several employees, there is so much more that a vendor management solution can do for your organization. Often put on the back burner due to not being an “active” money-maker, a strong vendor risk management system may be your greatest offense against a major weakness in many community banks—regulatory compliance. It can also be one of your greatest money-savers.
Each year, hundreds of millions of dollars are spent unintentionally because vendor contracts automatically renew, committing companies to pay for services they no longer want, and vendors will impose annual price increases that are not monitored, understood, or validated. So, in addition to saving you money from a staffing position, an automated VRM solution will allow you to understand exactly which vendor costs will increase, when, and by how much.
A vendor management software system also allows for easier, faster completion of required tasks and activities such as vendor risk assessments, performance reviews, or RFPs, and results in improved resource utilization and productivity—all saving your bank and your employees valuable time.
Automated vendor management systems, especially the class-leading solutions offered by reliable, established companies like VendorInsight®, can be easily and quickly implemented. They are easy to use, reliable, cost-effective and efficient.
Now, let’s go back to the issue of having limited resources. VendorInsight® understands that one size does not fit all—many times a community bank simply doesn’t need an enterprise level vendor management system yet, just a system that meets their regulatory requirements and allows risk monitoring and vendor relationship management. That’s why we’re happy to offer multiple levels of software and services—so that you can have the assurance and quality of a premier system that fits your needs AND your budget, with the ability to grow as you do.
To learn how VendorInsight® can help your community bank keep up with the growing regulatory demands, simply fill out our contact request form (link found below) and we will be in touch soon.
In April 2016, the American Institute of Certified Public Accountants (AICPA) announced an updated standard. This Statement on Standards for Attestation Engagements 18 (SSAE 18) is set to supersede the widely known SSAE 16 report that has been a mainstay with vendor management organizations tracking vendor adherence to defined controls since 2010.
The new SSAE 18 will be effective for reports produced after May 1, 2017, but organizations can adopt it earlier.
The new standard will require companies to monitor service organizations’ subservice organizations—or in vendor management terms, fourth-party providers. Essentially, the SSAE 18 will expand on the existing SSAE 16 standard to include validation of effective vendor management, as practiced by your vendors for their contracted fourth-party providers. This includes fourth-party monitoring beyond the initial vetting and selection process, just as required of FIs.
In early 2016 VendorInsight® implemented features to track, capture, and monitor risks associated with fourth-party vendors.
While the new standard is required for reports after May 1, 2017, many of the reports generally available from vendors supporting the financial services industry tend to cover an audit period from the late third or early fourth quarter. As such, we would expect the vast majority of 2017 vendor reports to report on audits completed prior to the start of the new SSAE 18 standard.
When fully deployed in 2018, this new standard offers the promise of added visibility to key vendor fourth-parties that today may not be easily discerned. It will also shine a light onto the vendor management practice of your vendors who have historically kept this discipline out of sight and away from detailed review. We see this as an important next step for the evolution of industry best practices for vendor risk management, and we are already equipped and prepared for this expanded tracking within our solutions and service offerings. To learn more about the new standard, follow the links below to download our FREE SSAE 18 eBook or speak with a VendorInsight Team Member about how your organization can prepare for the new standard.
Well not exactly. Many of us are all too familiar with the e-mail and phone chase of your vendor population to obtain their third party control audits. Most know control audits by their various designations: SSAE16 or SOC 1, SOC 2, be they Type I or Type II. Confused yet?
What seems to have grown in scrutiny with control audits is not the receipt, review and acceptance of your third (and fourth party) control audits by an independent auditor rendering an unqualified opinion, but the fact that deep inside these documents there is information that you are charged to validate within your own institution's control environment. You typically find the Complementary User Entity Controls as a separate section in the Table of Contents of any professionally completed control audit report.
Complementary User Entity Controls are those things that your institution must perform from your side of a vendor relationship. As an example, if a vendor is posting transactions that you submit, the Complementary User Entity Control will likely require that you balance and validate the batch of transactions prior to submission. That makes perfect sense, right?
The catch is that someone actually has to verify that your institution's controls match those prescribed by your vendor. And at some point, if not already, an auditor or examiner will ask you for this internal control validation. The person performing the validation needs exceptional internal control documentation or must possess intimate working knowledge of your organizational structure, processes and policies. Verifying the controls will likely send them on a hunt for signatures across the organization: accounting, operations, item processing, IT, etc.
This is an area where solution providers such as VendorInsight® can assist in organizing the required validation efforts and certifications, whether that means specific reports or tracking outstanding control item exceptions. While many may still want to copy the cover page of the SSAE16 and sign it ("John Smith, SVP, We Do This!"), that approach will not meet expectations for much longer, if it ever did. VendorInsight® is designed to improve this critical area of Vendor Risk Management. If you’d like to schedule a consultation with a member of our team, follow the link below and we’ll be in touch soon!
On Tuesday, November 22, 2016, the OCC, Federal Reserve and the FDIC issued a press release announcing an invitation for comments on an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards for large banks under their supervision.
These regulatory agencies hope to increase operational resilience and lower the probability of failure in the banks they supervise.
Here’s what you need to know:
• The ANPR was published in the Federal Register on October 26, 2016, and comments are due by January 17, 2017.
• The ANPR applies to:
o any national bank, federal savings association (and any subsidiaries thereof), or federal branch of a foreign bank that is a subsidiary of a bank holding company or savings and loan holding company with total consolidated assets of $50 billion or more;
o any national bank, federal savings association, or federal branch of a foreign bank that has total consolidated assets of $50 billion or more and does not have a parent holding company; and
o any third-party service provider with respect to services provided to any covered national bank or federal savings association (or any subsidiaries thereof).
• The ANPR is not applicable to community banks.
• Banks regulated by the above-mentioned agencies are required to ensure that the services they receive from third-parties are conducted with the same standards that would apply if the bank conducted the operations itself—therefore, the proposed enhanced standards would apply to all operations, even those serviced by third-parties.
We talk a lot about the horrors and headaches of vendor risk management, but the reality is that most financial institutions wouldn’t be able to meet their customers’ needs without their third and fourth-party vendors. So in the spirit of Thanksgiving, we give you five sincere reasons to say “thank you” to your vendors this month:
1. Thank you for working with us to create a mutually beneficial relationship built on mutual trust.
2. Thank you for providing accurate documents and information in a timely manner—Bonus: especially when it’s without even being asked!
3. Thank you for maintaining consistent, open communication between our parties.
4. Thank you for playing fair and not attempting to get the real advantage when it comes to putting together contracts.
5. Thank you for acting as an extension of our institution in order for us to provide our customers the level of service they expect.
Vendors don’t typically receive words of appreciation, so if you’ve got some good ones in your corner, take a moment this month to let them know they’re doing a good job! ’Tis the season after all, and a little encouragement is sure to go a long way toward improving the quality of your relationship.
VendorINSIGHT strives to constantly improve our system to give our customers the most up-to-date and advanced technology. With the new PCM Document Request feature we recently introduced, users can request documents directly from any vendor through the PCM Associations screen. Vendors will receive an email with a link allowing them to upload the requested document. This feature makes it easy for users to collect necessary documentation without the hassle of tracking and sending separate emails. VendorINSIGHT takes pride in serving our customers with a streamlined and simplified VRM process and the PCM Request module is just one of the many ways we continue to do so.