The NCUA and FDIC requirements for managing third-party relationships (aka vendors) are fairly straightforward. The problems with meeting compliance, and with protecting an institution, arise when dealing with multiple vendors for critical services: different financial reports, security audit reports, reputation factors, and so on.
Using different wording, the FDIC and NCUA both require banks and credit unions to:
- Evaluate the overall effectiveness of the third-party relationship and the consistency of the relationship with the financial institution’s strategic goals.
- Review any licensing or registrations to ensure the third party can legally perform its services.
- Evaluate the third party’s financial condition at least annually. Financial review should be as comprehensive as the credit risk analysis performed on the institution’s borrowing relationships. Audited financial statements should be required for significant third-party relationships.
- Review the adequacy of the third party’s insurance coverage.
- Ensure that the third party’s financial obligations to others are being met.
- Review audit reports or other reports of the third party, and follow up on any needed corrective actions.
- Review the adequacy and adherence to the third party’s policies relating to internal controls and security issues.
- Monitor for compliance with applicable laws, rules, and regulations.
- Review the third party’s business resumption contingency planning and testing.
The way I interpret the regulations, there are four key areas to focus due diligence and monitoring on:
- Vendor Details—who they are, who owns them, where they are located, the basics.
- Reputation—do their customers like them, do they provide the right service, are there any red flags your institution will suffer by entering into a relationship with said vendor.
- Financial Stability—are they profitable enough to provide your critical services for the life of the agreement and expected use of the service.
- Cybersecurity—are your institution’s data and transactions safe on the vendor’s systems.
Cybersecurity is our specialty, and we review a lot of vendor security programs for our clients. The most common report format, though not a requirement, is the SSAE 16. The SSAE 16 audit report format was a major improvement over the old SAS 70 format, but there are still gaps and potential pitfalls when trying to assess a vendor’s security posture. If you don’t have internal staff capable of digging through the details and fully assessing the vendor’s cybersecurity posture, give us a call. The vendor security assessments we do for our clients give them peace of mind knowing their customer/member data is secure, and help them meet vendor due diligence regulations.