What are Vendor Management requirements?
FFIEC guidelines call for banks to perform risk assessments on major vendors that will store or have access to customer and/or bank confidential information or whose services have a significant impact on the normal operation of the bank. The guidelines are specific as to what steps are required for these risk assessments and what facets of the vendor should be evaluated. FFIEC also requires that a risk assessment is performed on the contract with the vendor. Your bank is also required to annually review the relationship with the vendor.
What does it mean for your bank?
If done the traditional way many banks do it, it means that your bank is burdened with a long, resource consuming process. Most banks will try to review the vendors SAS70 and financials looking for risks to assess. The problem with this is that many community banks do not have the expertise necessary to assess risk on vendors' information security programs and systems even if they have the SAS70. Banks have to show evidence of the process and report it to the board. The contract review is just as difficult. The summation of it is that your bank will work hard to be compliant and most likely not benefit from the process.
How can CBC make it easier?
Community Banc Consulting, Inc. has streamlined the vendor management and risk assessment process for community banks through years of experience working with banks and various examining bodies. We have developed a system of documents that potential vendors must complete and attest to their validity. The worksheets make it very simple to assess risk on the different categories of information security required by the FFIEC guidelines. The Vendor Management Policy and Risk Assessment includes worksheets that simplify the contract review process. Our process puts the burden on the vendor to provide you the very specific information your community bank needs to properly assess risk and comply with the regulations.
Summary of features:
- Professional policy and guidance
- Formal vendor document requests
- Thorough yet simple risk assessment worksheets
- Detailed contract review and risk assessment
- A valuable built-in chain of evidence to show your bank's due diligence
Can CBC perform my vendor management and vendor risk assessments?
Yes, we can. One of the FFIEC requirements is that the person performing the risk assessment has the required, proven knowledge to make the judgment on the risk. If your community bank does not have the technical and compliance capabilities in-house, CBC can perform the process for you.
If you would like more information about CBC's Vendor Management Policy and Risk Assessment or any of our policies, please contact us or call:
- Paul Elder at 614-848-3189 ext. 121
- Larry Krietemeyer at 614-848-3189 ext. 143
The expertise and learning that they bring to the organization is very helpful. Their professionalism, sharing of ideas, and willingness to sit and talk when we want them to, is a big help.