VENDOR RISK COUNTDOWN - Top 10 Risks Third-Party Vendors Pose to Your Financial Institution
Ncontracts.com | 888.370.5552
EXECUTIVE SUMMARY: Vendor risk management is an ongoing process. It begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. Based on the vendor's inherent risk, the financial institution should assess the potential risks of third-party vendors in some or all of these 10 risk categories: operational, transaction, compliance, credit, strategic, reputation, cyber, cloud, concentration and country.
UNDERSTANDING VENDOR RISK

When it comes to traditional lending risk, banks and credit unions have it down pat. They can look at customers and quickly determine whether they are a good risk. They carefully project interest rate risk. They can cite liquidity figures off the tops of their heads. But when it comes to vendor management, it gets trickier.

Third-party providers play a valuable role at financial institutions, allowing FIs to compete by offering a broader and more cost-effective mix of products and services, but they also pose risks. Every action (or inaction) a vendor takes has the potential to help or harm the FI. It is similar to hiring an employee, because the FI is responsible for the employee's actions or inactions. This responsibility makes proper due diligence and oversight of vendors a necessary part of the outsourcing process. FIs must be able to assess the potential risks a vendor poses and then measure how effectively that company mitigates risk. This is an important task, and not just because regulators require it.

Careful risk assessment and monitoring lets FIs know which vendors pose which risks, and whether the products and services a vendor provides deliver enough value to make up for the additional risk. It also reveals how much oversight and monitoring a specific vendor requires. Some FIs use labels such as high, important or critical to identify the inherent risk a vendor poses. It is certainly not a good use of resources, nor a regulatory requirement, to perform extensive due diligence before ordering a delivery from a sandwich shop. However, there is a big difference between the coffee vendor and the core processor.

If the financial institution's policy is not well crafted, it can easily create an enormous amount of work that is not required by regulatory guidance. By comparison, a well-crafted policy will align inherent risk groups with control processes, so that effort is matched to the risks that need to be mitigated. While the guidance from federal regulators targets critical, significant or high-risk vendors such as core processors, each FI wants an inherent risk system that protects it from third-party risk.
These risks from critical vendors come in many forms, with new threats regularly emerging. Assessing them is also a comprehensive process. Regulators expect FIs to address specific categories of risk for this type of vendor. Unfortunately, there is often overlap between the areas. FIs that choose to address risk in silos run the risk of duplicate efforts, contradictory results and missed connections that result in shortfalls. This is especially true since vendor risk management is an ongoing process, which begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship.

Due diligence should cover all the major risks vendors pose. While different regulators use different names for different kinds of risk, and some emphasize certain types more than others, these are the top ten risks:

1. Operational risk
2. Transaction risk
3. Compliance risk
4. Credit risk
5. Strategic risk
6. Reputation risk
7. Cyber risk
8. Cloud risk
9. Concentration risk
10. Country risk

Let's take a closer look at each of these areas to understand what steps FIs should take to investigate the risk exposure a vendor presents.

1. OPERATIONAL RISK

One of the broadest risks facing FIs that outsource is operational risk. Operational risk is the risk of financial loss when processes, people or systems fail. Sometimes it's the result of external events like a power outage, fire or flood. Other times it's the vendor's own internal issues, such as fraud, a hardware or software failure or an accounting error.

While it's impossible to guarantee that processes, people and systems are perfect, there are steps FIs can take to mitigate these risks. The key is ensuring that vendors carefully and consistently follow suitable and effective internal controls. Many vendors will provide SOC 2 Type 2 audit reports to address non-financial business controls in areas such as security, availability, processing integrity, confidentiality and privacy. This is a great starting point. Because operational risk is such a broad area, there are many areas to review. The good news is that many of these facets appear later when discussing other forms of risk. FIs that invest time in careful due diligence will see the benefit when that work can be applied to other areas.

Subjects to review include:

Data privacy. Governing access to electronic data and systems containing confidential client data is essential. Policies and controls should ensure the consistent security and confidentiality of customer information, including secure data disposal, data classification and confidentiality or non-disclosure agreements. There should be physical access restrictions at buildings, computer facilities and records storage facilities where customer data is stored. Customer information should be encrypted both in transit and in storage.

Threat assessment. There should be procedures to identify, assess and mitigate reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or systems.

Governance. Both the board and management should play a role in oversight. That includes defining roles and responsibilities, segregating duties and work environments, and maintaining change management controls over software changes, application development and system maintenance.

User access. Policies and procedures should be in place to limit system access and remove non-active users or those who violate policies.

Employee evaluations and training. Background checks should be conducted before hiring. Personnel responsible for the design, development, implementation and operation of the system should be reviewed annually. There must be documented mandatory training and escalation procedures to address staff who fail to take training.

Monitoring. Systems should be monitored with controls to detect actual and attempted attacks and intrusions into customer information systems. They should also protect data systems from theft and corruption. Penetration tests and/or vulnerability scans should validate the integrity of system security, and findings should be promptly investigated and resolved.

Incident response. There should be a plan of action for when unauthorized access to information systems or facilities is suspected. Protocols should define the customer breach notification process along with a process for addressing customer requests and complaints.

Data security. Measures should protect confidential customer information and systems from destruction, loss or damage due to environmental hazards, failures or disasters. There should be periodic evaluations and/or ongoing monitoring to validate the operational effectiveness of information security policies and internal controls, including management reviews, internal audits and external examinations.

Data processing and transactions. Policies and controls should ensure that processing and data transmissions are complete and accurate through reconciliations, edit checks, system entry configurations, dual controls, job monitoring and management review.
Processing and data transmission transactions should be validated through authentication protocols, with inputs authorized through implementation reviews and management approvals. Timely job scheduling and transactions based upon predetermined schedules are necessary, along with procedures and protocols to ensure that exceptions and issues are identified, escalated, tracked and addressed.

Subcontractor oversight. Due diligence, monitoring and oversight of the vendor's own critical third-party vendors is necessary.

2. TRANSACTION RISK

Sometimes networks go down. Yet no matter whether an outage or other business problem is caused by a natural disaster, cyberattack, equipment failure, fraud or other event, vendors must have plans and procedures in place to ensure service and product delivery is quickly restored.

It's all a part of managing transaction risk, or the risk that a third party will fail to provide products and services as expected, adversely impacting the institution or its customers. Transaction risk differs from operational risk in that it focuses on contingency planning, but the two share many overlapping areas.

Mitigating transaction risk isn't just good business. It's a requirement of the FFIEC IT Examination Handbook's Business Continuity Management booklet and other regulatory guidance. That's why an FI must evaluate a vendor's business resilience controls to minimize financial loss and mitigate the adverse effects of service interruptions. It must be certain that vendors will be able to meet service level agreements and recovery time and recovery point objectives (RTOs and RPOs). This is best accomplished by addressing the following areas with vendors:

Planning. While a vendor might not be able to fully disclose the details of its business continuity plan for security reasons, there are still plenty of ways to assess a vendor's preparedness and potential risk. The vendor should review and test its business continuity planning/disaster response plan annually and
share the results with clients. That includes the date of the last disaster recovery test of the production environment. Vendors should share the results, letting FIs know whether testing objectives were met and communicated to the board of directors.

Threat management. Vendors should conduct a periodic business impact analysis to identify and assess the likelihood and impact of threats that could interfere with their ability to meet service level agreements. They should have clearly defined recovery time and recovery point objectives, which may be supported by mirrored backups and dual processing sites. Roles and responsibilities for disaster response (such as initial assessment, crisis management and communications) should be assigned. Pandemic planning is a must.

Recovery. Recovery capabilities should be assessed and monitored commensurate with the criticality of services provided. There should be redundant, backup or alternate power sources in place (such as generators). Alternate facilities for resuming critical services should be identified, and critical data should be regularly backed up, mirrored and/or replicated.

Data protection. Data should be meticulously protected. There should be physical security controls and protocols to prevent unauthorized access to facilities or areas housing confidential customer information systems and data. Preventive controls include secure coding, firewalls, a demilitarized zone, secure network configurations, network segmentation, secure VPNs and logging. There must also be detective controls such as monitoring, intrusion detection systems and anti-malware software. Corrective measures such as patch management and risk and vulnerability remediation protocols should be defined and implemented. Vulnerability scans and/or penetration tests must be performed periodically.

Incident response. Another key element is an incident response and management policy or plan, which outlines how the vendor would manage and address a confidential data security breach or cyber-security incident. That includes a protocol to notify affected clients.

Subcontractors. Reliance on third-party providers, key suppliers or business partners may expose FIs to points of failure that may prevent resumption of operations in a timely manner. Vendors should conduct their own risk assessments of all major risks, including credit, liquidity, transaction and reputation risk, among others.

3. COMPLIANCE RISK

Financial institutions must follow laws, regulations and rules, and should require their vendors to comply as well. Compliance risk is the risk that a third-party vendor will violate one of these requirements or fail to follow
the institution's own internal policies. This can have reputational, financial and regulatory consequences for the financial institution.

According to the OCC's Third-Party Relationships: Risk Management Guidance, compliance risk commonly occurs when:

• Products, services, or systems associated with third-party relationships are not properly reviewed for compliance;
• The third party's operations are not consistent with laws, regulations, ethical standards, or the bank's policies and procedures;
• A third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service;
• A bank licenses or uses technology from a third party that violates a third party's intellectual property rights;
• The third party does not adequately monitor and report transactions for suspicious activities to the bank under the Bank Secrecy Act or Office of Foreign Assets Control requirements;
• A bank's oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones;
• Activities are further subcontracted;
• Activities are conducted in foreign countries;
• Customer and employee data is transmitted to foreign countries;
• Conflicts of interest between a bank and a third party are not appropriately managed;
• Transactions are not adequately monitored for compliance with all necessary laws and regulations; and
• A bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records.

Once again, compliance risk abuts several other types of risk, including operational, reputation, country, transaction and cyber risk. To assess compliance risk, FIs should
determine whether vendors are aware of both new and existing regulations and have policies and procedures in place to implement them. Audit and control features should demonstrate their compliance. This includes logs and best practices for monitoring transactions for suspicious activity and compliance with other laws and regulations.

Data privacy is of particular interest to regulators, making it important to ensure compliance with laws, regulations and best practices such as OFAC sanctions requirements, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act. Vendor controls should be designed with these specifically in mind.

FIs can find information about these controls in vendor documents such as annual due diligence questionnaires, SSAE 16 (now SSAE 18) reports and the independent third-party reviews performed during annual SOC 2 audits.

Important areas to review include:

Privacy policy. Vendors need an information privacy policy and an information security program that's reviewed and/or updated periodically. It should include a risk assessment process to identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of information and assets. These threats must be evaluated, managed and monitored. There should also be secure disposal measures to properly dispose of unneeded consumer information.

Information security controls/practices. Vendors should encrypt all highly confidential information and authentication credentials, use a VPN, appropriately segregate duties and require acknowledgement and acceptance of confidentiality/non-disclosure agreements before permitting access to confidential data or systems.

Security for personnel who will have access to confidential consumer information. This includes pre-employment background investigations and initial and ongoing information security training.

Physical security protocols and controls to safeguard facilities containing confidential data. All desktop computing devices should be physically secured with locking devices. There should be a visitor access policy with 24/7 security personnel on site, closed-circuit surveillance throughout the facility and card-key access control with permissions assigned based upon job responsibility.

Security protocols and controls to safeguard electronic data. All desktop computers should require individual identification and authentication at log-on, with formal policies defining password parameters. Access should be restricted based on job responsibilities, and access rights should be reviewed periodically. There should also be termination protocols and checklists.
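The access points above (remove non-active users and policy violators, review access rights periodically, and run termination checklists) can be turned into a repeatable check rather than a once-a-year questionnaire answer. The following is an added example, not code from the Ncontracts paper or from any vendor: it reviews an account export against an HR roster and flags accounts that should be disabled, ranking those that hold an administrative role higher because a stale or orphaned admin account is the one an attacker wants. The account fields, the HR status values, the 90-day dormancy threshold, the privileged role names and the sample records are all constructed assumptions; a real review would read the vendor's or the FI's own exports.

```python
"""Periodic user-access review: flag dormant, orphaned, terminated-user and
policy-violating accounts.  Added example; not from the original paper.
Field names, status values, the dormancy threshold, the privileged role
names and the sample data are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DORMANT_DAYS = 90                    # assumed policy threshold for "non-active"
PRIVILEGED_ROLES = {"admin", "dba"}  # assumed names of high-impact roles


@dataclass(frozen=True)
class Account:
    username: str
    last_login: Optional[date]      # None means the account never logged in
    roles: Tuple[str, ...]
    policy_violation: bool = False  # set by the vendor's acceptable-use process


def review_access(accounts: List[Account],
                  hr_roster: Dict[str, str],
                  as_of: date,
                  dormant_days: int = DORMANT_DAYS) -> Dict[str, dict]:
    """Return {username: {"severity": ..., "reasons": [...]}} for every
    account that the review says should be disabled.

    hr_roster maps username -> HR employment status ("active", "terminated",
    "leave").  An account missing from the roster is orphaned: nobody in HR
    vouches for it, which is exactly what a termination checklist exists
    to prevent."""
    findings: Dict[str, dict] = {}
    for acct in accounts:
        reasons: List[str] = []

        status = hr_roster.get(acct.username)
        if status is None:
            reasons.append("not on HR roster (orphaned account)")
        elif status != "active":
            reasons.append(f"HR status is '{status}'")

        if acct.last_login is None:
            reasons.append("never logged in")
        else:
            idle = (as_of - acct.last_login).days
            if idle > dormant_days:
                reasons.append(f"dormant for {idle} days")

        if acct.policy_violation:
            reasons.append("open policy violation")

        if reasons:
            privileged = bool(PRIVILEGED_ROLES & set(acct.roles))
            findings[acct.username] = {
                "severity": "high" if privileged else "medium",
                "reasons": reasons,
            }
    return findings


# Constructed sample data (not real accounts or people).
AS_OF = date(2024, 6, 30)
ACCOUNTS = [
    Account("alice", AS_OF - timedelta(days=3), ("analyst",)),
    Account("bob", AS_OF - timedelta(days=120), ("admin",)),
    Account("carol", AS_OF - timedelta(days=10), ("analyst",)),
    Account("dave", None, ("operator",)),
    Account("erin", AS_OF - timedelta(days=5), ("analyst",), policy_violation=True),
]
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated", "erin": "active"}


if __name__ == "__main__":
    for user, finding in sorted(review_access(ACCOUNTS, HR_ROSTER, AS_OF).items()):
        print(f"{finding['severity']:6} {user:6} {'; '.join(finding['reasons'])}")
```

Run against the sample data, the review leaves alice alone and flags bob (a dormant admin, rated high), carol (still has an account although HR marks her terminated), dave (nobody in HR owns the account and it has never been used) and erin (open policy violation). Asking a vendor for the output of a check like this, with dates, is a more useful piece of due-diligence evidence than a yes/no answer to "do you review access rights periodically?".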
Network security protocols and controls to prevent and/or detect unauthorized access and cyber-security incidents. Look for anti-virus software on desktops, servers and hosts, with patches obtained from trusted sources. Anti-malware software should be installed on critical servers and on endpoint devices, with signatures updated nightly. There should be a defense-in-depth program, including intrusion detection/intrusion prevention systems and semi-annual threat and vulnerability testing and attack and penetration tests. Centralized monitoring via security information and event management (SIEM) and perimeter firewall systems is necessary. So is an incident reporting and response program to address and manage confidential data security breaches and/or cybersecurity incidents. That includes client notification. It's not enough for a company to say it doesn't disclose breaches to third parties unless they are affected; agreements must spell out that clients will be notified.

4. CREDIT RISK

It doesn't matter how compliant, effective or technologically sound a vendor's product or service is if the company won't be in business very long. An FI that partners with a financially unsound vendor may find itself suddenly cut off from a critical product or service if that firm goes under.

That's why it's important to focus on credit risk, or the strength and ability of a company to manage debt and stay in business to ensure continued operations. The FDIC says that FIs should evaluate a third-party vendor's financial condition at least annually[2] and that the review "should be as comprehensive as the credit risk analysis performed on the institution's borrowing relationships."

The good news for bankers and credit union professionals is that the board and management should be very experienced in evaluating businesses, audited financial statements and publicly available documents.

Areas to look at include:

Financial condition. A company's liquidity and leverage figures reveal the strength of its condition. Assess the viability of an operation by noting cash, debt, debt to equity, interest coverage ratio and any going-concern opinions from the auditor.

Financial performance. Reviewing profitability and cash flow is essential. That includes revenue, gross margin, operating income or loss, operating margin percent, net income or loss, net margin percent, EBITDA, EBITDA margin percent, operating cash flow and free cash flow.

Litigation. Claims for punitive or exemplary damages from pending or threatened litigation can wreak havoc on the bottom line. Be aware of any legal action on the horizon, the potential fallout and what, if any, plans the company has to cover the damages.

Acquisitions. Acquisitions can expand a company's offerings, spread its resources too thin or rapidly increase the debt load. Look into pending acquisitions or sales and how they may impact the company's financial condition, as well as other unfunded liabilities.

5. STRATEGIC RISK

Strategic risk is the possibility that a company doesn't make decisions that support its long-term goals. This can happen when risks aren't properly assessed; when not enough thought and due diligence are put into new products, business lines or activities; or when the company undertakes an action that's not consistent with the company's goals or doesn't provide the expected return on investment, according to the OCC.[3]

Strategic risk impacts the viability of a business in the same way credit risk does. But instead of focusing simply on numbers, it involves reviewing how decisions are made and implemented and how a company responds to changing market conditions. A company that isn't managed well may not stay in business long or provide quality products and services.

The key areas to look at when assessing strategic risk include:

Background. It begins with basic background that includes the age of a company and the size of its market. Large nationwide providers tend to be stronger than smaller competitors. And the larger the client base, the more likely the company is to be stable.

Leadership. Determine who is responsible for achieving corporate objectives, oversight of operating functions and compliance with applicable regulatory requirements. You want to see that senior management and the board of directors are meeting to ensure business strategies are aligned with operations across the organization. At larger companies, executive management committees may provide oversight.

[2] Financial Institution Letter. Guidance for Managing Third-Party Risk. June 6, 2008. https://www.fdic.gov/news/news/financial/2008/fil08044a.html
[3] Risk Management Principles for Third-Party Relationships. A Telephone Seminar for Community Banks. Handout. August 2002. https://www.occ.gov/static/past-conferences-and-seminars/vmts-final-handouts.pdf
Operational controls and audits. It's not enough to have operational controls. They must be monitored through management reviews and internal and external audits. Annual independent audits should demonstrate the suitability and effectiveness of internal controls. Lines of authority and responsibility should be established. Managers should monitor reports and controls to provide reasonable assurance that activities are performed in a secure, complete, accurate and timely manner, and that exceptions are identified, tracked, recorded and resolved.

Vendor management. FIs need vendor management programs, and so do vendors. The risk assessment process/program should identify and mitigate risks that might affect a vendor's continued ability to provide reliable services to its users. This includes third-party oversight and monitoring, and identification and resolution of information security-related risks.

Business continuity. There should be protocols to mitigate or prevent business interruptions, and to respond, recover and resume critical business functions after an unplanned business disruption.

Outsourcing and offshoring. The FI should know whether all of the vendor's operations and personnel are located within the U.S., and whether the vendor outsources to foreign/offshore service providers or subcontractors.

Notice that transaction, operational, country and cyber risks are all included when assessing strategic risk. Any method used to conduct a strategic risk assessment should leverage these overlaps to maximize efficiency.

6. REPUTATION RISK

Reputation is hard to earn and easy to lose. Whether it's lawsuits, fraud or data breaches, consumers notice bad headlines and take their business elsewhere.

Consider the headache $18.4 billion-asset First National Bank of Omaha faced in 2016 when it came out that its credit card add-on vendor charged customers for credit monitoring services they didn't receive. Neither customers nor regulators differentiated between the bank and its vendor when assigning blame for ripping off customers. Not only did the bank pay millions in penalties to the CFPB and OCC, the bad publicity of newspaper headlines created costs from loss of goodwill that are not easily calculated.

Vendor mistakes like this can hurt a bank's reputation, the FDIC[4] and OCC[5] say, when they cause:

• Dissatisfied customers/poor service
• Frequent or prolonged service disruptions
• Interactions not consistent with institution policies
• Inappropriate sales recommendations
• Security breaches resulting in the disclosure of customer information
• Violations of consumer law and regulation
• Negative publicity involving the third party

While there is no way to guarantee that vendor actions won't damage an institution's reputation, thorough due diligence can help an institution gauge the risk a particular vendor poses. It just takes some digging.

Go beyond the documents the vendor gives you and seek out publicly available information. Determine if the vendor is registered and in good standing with the proper authorities, including the state where it operates. Find out how many and what types of complaints have been filed against it on the CFPB website, keeping in mind that these claims are unsubstantiated. See how the business ranks with the Better Business Bureau and conduct a search of news stories to learn of any past problems. Other good reference checks include the Federal Trade Commission, state attorneys general offices, state consumer affairs offices and the U.S. Securities and Exchange Commission. The OCC also recommends FIs "Review the third party's Web sites and other marketing materials to ensure that statements and assertions are in-line with the bank's expectations and do not overstate or misrepresent activities and capabilities. Determine whether and how the third party plans to use the bank's name and reputation in marketing efforts."[6]

These materials help an FI identify potential reputation risks and find out what steps, if any, the vendor has taken to remediate past problems. Then an FI can decide if the risk can be mitigated with careful follow-up and clarifying protocols to ensure oversight with service level agreements, or if that vendor just isn't worth the risk.

[4] Financial Institution Letter. Guidance for Managing Third-Party Risk. June 6, 2008. https://www.fdic.gov/news/news/financial/2008/fil08044a.html
[5] OCC Bulletin 2013-29. Risk Management Guidance. Subject: Third-Party Relationships. Appendix A: Risks Associated with Third-Party Relationships. https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
[6] Ibid.

7. CYBER RISK

In a world of increasingly sophisticated cyber threats, it's essential that vendors are able to prevent, detect and respond to cyberattacks. Cyber risk is about having the tools, policies and procedures to identify and mitigate internal and external cyber threats and vulnerabilities.

Some people might argue that cyber risk is already covered by operational, transaction, strategic and compliance risk, and it may be covered based on the depth of your internal review. But the growing number of hacks, attacks and other threats makes it clear more effort is needed.

In 2015, the FFIEC released its Cybersecurity Assessment Tool to help banks and credit unions evaluate potential cyber risks and understand inherent risk and cyber maturity. Rather than lump cyber risk in with other categories, it's important for banks and credit unions to directly address this critical risk with vendors, using the FFIEC Cybersecurity Assessment Tool as a guide. Chances are most institutions are already engaging in many of the activities recommended by the assessment in different departments and during different risk assessments. The FFIEC's exercise will ensure information from these different silos comes together and that vendors are prepared.

Here are the areas where FIs should be focusing their cyber due diligence:

Identify high-risk activities. A vendor poses a greater cyber risk and requires increased management oversight when it:

• Houses confidential data in a cloud-based system
• Houses or outsources confidential data offshore
• Outsources sensitive activities and/or a number of critical operations
• Uses web-based services to conduct business transactions with customers
• Permits third-party providers to access confidential data

Controls from the top. Just like an FI, third-party vendors should have controls and protocols to identify cyber risks. The vendor's board or one of its committees should directly review and approve its cyber program. Regular monitoring of the program is a must, identifying threats and vulnerabilities with a periodic risk assessment that estimates the likelihood and impact of cyber risks.

Protect systems. All system activity and events should be logged and monitored, and physical access controls should be monitored
to detect suspicious activity. E-mail should be filtered for common cyber threats. The vendor's own vendors with access to data should meet defined data protection standards.

Incident response. Third-party vendors must have an incident response policy that clearly defines a protocol for informing affected stakeholders, regulators and law enforcement officials of a cyber incident in which confidential data was likely compromised.

Internal controls. Vendors must implement controls to prevent or mitigate the severity of a cyberattack. Network security controls such as anti-malware, firewalls, intrusion prevention and detection software, and segmented networks should be in place to reduce the likelihood of unauthorized users, devices, connections or software. There should be configuration, network and system change control processes and protocols. Protocols for anti-malware software updates and patch management must be defined and implemented. Periodic vulnerability scans and/or penetration testing should be performed, and the vendor should have cyber insurance coverage.

Human resources. Access controls should be role-based and granted based upon job function. Personnel should be screened before hiring, and employees should undergo data safety training.

Data security. There should be protection protocols, including multi-factor authentication, for data in transmission and storage, along with protocols for securely destroying data.

Cloud risk. Vendors that rely on a cloud-based system require additional scrutiny. (See Cloud Risk below.) With this information, FIs can identify cyber risks, deciding if the level of risk presented can be mitigated through protocols and service level agreements or if the risk is just too great.

8. CLOUD RISK

Perhaps there's no buzzword more confusing to bankers and credit union executives than "the cloud." It evokes an ethereal image of data floating safely and serenely overhead, able to materialize on screen with the press of a button.

But the cloud is a place on earth. Actually, it may be many places on earth. The cloud means someone else's computer; typically, it is a collection of data centers. Using the cloud is buying space on someone else's infrastructure (or data center) to store and/or process data, which you can then access via the Internet. Sometimes these computers are used exclusively by one institution, known as a private cloud. Other times, several clients use the same computers at a data center, known as a shared (public or multi-tenant) cloud.

The cloud faces all the same risks as any other third-party IT vendor, including cyber risk, reputation risk, operational risk and so on. After all, it's a physical location with all the same inside and outside threats any organization faces. But its growing use and importance is undeniable, and it's starting to attract regulator attention. The FFIEC highlighted the importance of risk management and cloud use in a joint statement.[8]

When considering working with a cloud-based provider, institutions should ask questions like:

• What is the type of cloud?
• Who has access to the data?
• Where is the data?
• Is the data backed up?
• What is the third party's control structure?
• Can you perform effective/ongoing due diligence?
• How difficult is it to disengage?

Smart FIs are going beyond cyber risk to include cloud risk among their best practices for evaluating third-party vendors. When evaluating cloud-based vendors, an institution should pay mind to existing vendor management and cyber guidance, paying special attention to:

Compliance. Ensure the provider is in compliance with privacy laws. Specific responsibilities for data protection must be defined and communicated, often in the service level agreement portion of the contract.

Cyber. There should be clearly defined procedures for responding to and reporting security incidents and notifying customers and regulators of any breaches.

Data security. Access to cloud data should be defined and restricted. Audit logs should be maintained to monitor and detect changes. Data should be encrypted at all times, both at rest and in transit. When using shared clouds, an institution's data must be segregated from other clients' data.

Country risk. All cloud data should be housed in the United States. If a vendor won't tell you where data is stored, find another vendor.

[8] FFIEC Joint Statement. Security in a Cloud Computing Environment. April 30, 2020.
9. CONCENTRATION RISK shouldn’t require much extra effort as long as the risk management team is working When most bankers and credit union cohesively. In fact, the OCC includes executives think of concentration risk, they concentrations under operational risk.10 think of lending. But concentration has a different meaning when talking about 10. COUNTRY RISK third-party vendors, as the Fed notes in its Guidance on Managing Outsourcing Risk. Speaking of overlapping risks, country risk is It specifically mentions concentration risk another example—touching everything from as something that should be considered cloud and reputation risk to transaction and when seeking out and managing vendors. operational risk. Country risk is “an exposure The two main sources of third-party to economic, social, and political conditions concentration risk are: in a foreign country that could adversely affect a vendor’s ability to meet its service Overreliance on a single vendor. This is a level requirements,” according to the FFIEC’s classic case of putting all your eggs in one Appendix C: Foreign-Based Third-Party basket. If an institution relies heavily on Service Providers.11 In extreme cases, country a single provider for many products and risk might result in loss data loss. It’s not services that institution might be unable to always obvious when a company poses conduct business if something catastrophic country risk. For banks and credit unions the happens to that vendor. That’s not to say threat is most pronounced when it comes to an FI can’t choose to outsource many major data centers and the cloud, but can affect any functions to a single vendor, but it just better overseas operation. Many data centers store have an airtight backup plan in place. their data on the other side of the world in foreign countries to ensure their systems are Geographic concentration. 
If both an always running, which is the extreme opposite institution and its third-party vendors and of geographic concentration. subcontractors are in the same region, it’s possible the same event could impact While this sounds good on the surface, it’s everyone’s operations since they all rely on a challenge for FIs that must then answer the same power and telecommunications questions about the country where their data infrastructure. is stored. Topics to address include: political The good news is that because concentration risk overlaps with other areas including In extreme cases, country risk might operational, credit and transactional risk, due result in loss data loss. diligence and supporting documentation Top 10 Risks Third-Party Vendors Pose to Your Financial Institution Ncontracts 17
and economic stability; infrastructure such as CONCLUSION the power grid; and local regulatory and There’s no shortage of risks when it comes to legal oversight such as background checks outsourcing to third-party service providers, and authorization. but it still frequently makes sense to outsource critical operations. The key is to carefully The FDIC warns, “Managing country risk assess vendors and, when it comes to the requires the ability to gather and assess most critical vendors, choose the ones that information regarding a foreign government’s are most effective in helping FIs mitigate policies, including those addressing those risks. information access, as well as local political, social, economic, and legal conditions.”12 The overlapping nature of these risks makes The Fed encourages ongoing monitoring of itessential for FIs to have a comprehensive, these risks.13 Managing these risks “should top-down approach to enterprise risk include the establishment of contingency, management and vendor management. By service continuity, and exit strategies in the taking a broad view of risk management, event of unexpected disruptions in service,” FIs can leverage the risk assessment and says the FFIEC. The OCC also addresses mitigation work performed by various the topic.14 departments throughout the institution, streamlining the process to make it more effective and more efficient. Ncontracts provides a variety of tools to help FIs face this challenge in a methodical, organized way. Nvendor is a secure, feature-rich, online vendor and contract management solution that enables financial institutions to achieve and maintain regulatory compliance in their 10 OCC Bulletin 2013-29. Risk Management Guidance. Subject: Third-Party Relationships. Appendix A: Risks Associated with Third-Party Relationships https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html. 11 FFIEC IT Examination HandBook InfoBase. Appendix C: Foreign-Based Third-Party Service Providers. 
http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/appendix-c-foreign-based-third-party-service-providers.aspx . 12 FDIC Compliance Examination Manual. Unfair and Deceptive Practices–Third Party Risk. https://www.fdic.gov/regulations/compliance/manual/7/VII-4.1.pdf. 13 SR-02-5. Federal Reserve Interagency Guidance on Country Risk Management. March 8, 2002. https://www.federalreserve.gov/boarddocs/srletters/2002/sr0205.htm. 14 OCC Bulletin 2002-16. Risk Management Guidance. Bank Use of Foreign-Based Third-Party Service Providers. May 15, 2002. https://www.occ.gov/news-issuances/bulletins/2002/bulletin-2002-16.html. Top 10 Risks Third-Party Vendors Pose to Your Financial Institution Ncontracts 18
third-party vendor relationships. Features silos. Careful risk assessment and monitoring include assistance with vendor policies from pre-contract due diligence and and procedures, vendor classification, vendor throughout the length of the relationship is due diligence, risk assessment and vendor critical for proper vendor management. monitoring. The NcontractsManager platform helps Ncyber guides institutions through break down the silos with a secure, web- the FFIEC’s Cybersecurity Assessment based repository for all your contracts. With Tool, helping analyze inherent risk and our expertise, you can reduce risk exposure cybersecurity maturity levels. and develop contracts that save money and increase profits for your organization. Ncontinuity is a flexible, scalable, and secure online business continuity planning solution. Nverify gives your team the tools and support Its interactive dashboard, tools and support to conduct automated, integrated auditing strengthen business continuity needs capabilities that not only ensure compliance, throughout your organization and in your but also identify opportunities for internal third-party vendor relationships. process improvement that can create cost savings for years to come. Nverify is easy to Nrisk is a secure, online risk management implement — in as little as two hours, your solution that enables continuous team can have access to all the data they measurement of financial and non-financial need to generate audits that enable positive impacts by location, department, business exam results. process, application or line of business. Ncommunity integrates with other software It simplifies the risk assessment process using in our lending compliance suite, for holistic natural language navigators and wizards lending compliance that enables your that guide users step-by-step through the financial institution or financial services process of evaluating risk and related financial company to experience the upside of risk. 
Our exposures—leveraging the hard work your platform is designed, built, and supported by institution has already done. professionals with extensive experience in Regardless of approach, FIs need to be financial institutions and mortgage companies, assessing each of these vendor risks to empowering lenders to navigate the lending determine the level risk and amount oversight ecosystem, reduce compliance and lending risk, and monitoring a specific vendor requires. As and accelerate healthy business growth. regulators continue to expand and investigate categories of risk, it’s no longer efficient or effective to conduct these risk assessments in Top 10 Risks Third-Party Vendors Pose to Your Financial Institution Ncontracts 19
Nfindings lets your organization access and Ntransmittal integrates with other software manage findings. Our centralized platform in our lending compliance suite, for holistic makes it easy to access and manage findings lending compliance that enables your financial from internal, external, and regulatory audits institution or financial services company to in real time, so you have what you need, right experience the upside of risk. Learn more when you need it. about the comprehensive compliance solutions we offer banks, mortgage companies, With extensive reporting capabilities, your and credit unions. team can identify and evaluate exam and audit findings to take the appropriate steps for exam readiness and overall compliance. Your team can assign tasks to each finding, direct the best course of action, and monitor the work being done. Automated reminders and notifications help to expedite and accelerate workflow. About Ncontracts Ncontracts provides integrated risk management and compliance software to a rapidly expanding customer base of nearly 1,800 financial institutions located in all 50 states and US territories. The company’s powerful combination of software and services enables financial institutions to achieve their risk management and compliance goals with an integrated, user- friendly cloud-based solution suite that encompasses vendor risk, organizational risk, audit risk, and compliance risk management. The company was recently named to the Inc. 5000 fastest- growing private companies in America for the second consecutive year. For more information visit www.ncontracts.com or follow the company on LinkedIn and Twitter. Top 10 Risks Third-Party Vendors Pose to Your Financial Institution Ncontracts 20
You can also read