Kevin Malicki keeps financial institutions up-to-date on Governance, Risk, and Compliance (GRC) as Director of Product Management at Harland Clarke.
Today I’m going to talk with you about third-party risk management. This is a hot topic because if a vendor messes up, it’s your assets on the line.
Regulators expect you to have everything in check with your vendors. The FFIEC's Appendix J makes it clear that using a third party to perform or support operational services does not relieve you of the responsibility to ensure that those services are performed securely.
Your responsibilities are clear: You have to identify risks, verify compliance, monitor for changes that might create new risks, and investigate and remediate incidents as they occur. And they will occur.
Whether you have just a few outside vendors or many of them, oversight and ongoing monitoring are required. But how can you keep up with what you’re supposed to be doing?
Here are a few thoughts for you:
First, be aware that regulators are very tuned into third-party risk right now. Improper marketing or sales techniques, debt collection practices, data breaches: these are all problems that your competitors, big and small, have had to address. The risk is real.
Second, pick the right vendors. Be sure your vendors are vetted well — with Appendix J third-party risk management in mind. Choosing the right vendors can keep you out of trouble.
Third, get your paperwork organized. And when I say “paperwork,” I’m not kidding. Many banks and credit unions are still working with paper contracts, filed in three-ring binders all over the place. You need to get a handle on what’s out there, floating around.
If you’re not on top of your third-party vendors and how they’re performing, you’re risking big fines and a big hit to your bank’s reputation. My recommendation? Recognize that third-party risk is a first-rate problem. Take steps now to get your third-party risk management in line.