FDIC and NCUA Vendor Management Requirements

The NCUA and FDIC requirements for managing third-party relationships (a.k.a. vendors) are pretty straightforward. However, the problem with meeting compliance requirements arises when juggling multiple vendors' due diligence, i.e., financial reports, security audit reports, reputation factors, etc.

The FDIC and NCUA both require that banks and credit unions to

• Evaluate the overall effectiveness of the third-party relationship and the consistency of the relationship with the financial institution’s strategic goals.

• Review any licensing or registrations to ensure the third party can legally perform its services.

• Evaluate the third party’s financial condition at least annually. Financial review should be as comprehensive as the credit risk analysis performed on the institution’s borrowing relationships.

Audited financial statements should be required for significant third-party relationships.

• Review the adequacy of the third party’s insurance coverage.

• Ensure that the third party’s financial obligations to others are being met.

• Review audit reports or other reports of the third party, and follow up on any needed corrective actions.

• Review the adequacy and adherence to the third party’s policies relating to internal controls and security issues.

• Monitor for compliance with applicable laws, rules, and regulations.

• Review the third party’s business resumption contingency planning and testing.

When interpreting regulations, there are four key areas to focus due diligence and monitoring:

1. Vendor Details—who they are, who owns them, where are they located, and the basics.
2. Reputation—do their customers like them, do they provide the right service, are there any red flags your institution will suffer by entering into a relationship with said vendor?
3. Financial Stability—are they profitable enough to provide your critical services for the life of the agreement and the expected use of the service?
4. Cybersecurity—are your institution’s data and transactions safe on the vendor’s systems?

Governance is the last key step to ensuring thorough oversight of the third party's lifecycle. Practices should include:

1. Oversight & Accountability— the board is ultimately responsible for providing guidance on risk appetite, approving policies, and ensuring proper procedures. 
2. Management responsibilities—Management integrates risk, directs activities, and assesses day-to-day compliance
3. Independent Review—periodic independent reviews that assess alignment with strategy and provide a fresh set of eyes on due diligence, contracts, remediation plans, etc.

The Rivial platform provides security leaders at banks and credit unions with an easy-to-use solution for managing vendor security assessments. By providing consistency and streamlining this process, vendor management teams have alleviated the burdensome task of manually scouring and aligning security documents for regulatory or audit compliance. We don't only save valuable time but also improve the accuracy and effectiveness of vendor risk assessments, ultimately strengthing the overall security posture for financial institutions. Schedule some time to learn more about our vendor management features.