If you’re a fintech company reading this, there’s a strong chance you have clients who are among highly regulated verticals – banks, credit unions, mortgage companies and more. Regulators frequently ask to see those organizations’ vendor management policy, program and procedures documentation, as well as all of the due diligence they’re performing on their vendors. They want to make sure it’s adequate!
For this reason, your clients are likely starting to request the same of you. They’re expecting you to have a proper third party risk management process in place, and it genuinely matters to them.
So, do you? Does your third party risk management program meet their high standards? Hopefully it does, but if it doesn’t, we want to share with you some “fixes” that should help if implemented.
5 Ways to Improve Your Third Party Risk to Meet Client Standards
Here are five recommendations to implement now:
- First, create your vendor management policy. A comprehensive policy is critical to any successful vendor management program. Your policy should be high-level. It’s typically no longer than 5-6 pages and it will define how your organization will manage third party risk. It should also reference other key elements of a well-defined compliance management system. Financial institutions are likely tacitly asking “do they (aka you) have proof internal compliance discipline is actually happening or is it just a great idea with no evidence or actions to back it up?”
- From there, also create your vendor management program and procedures documentation. The program expands on the policy, going into much more detail, and is usually around 20-30 pages. The procedures are a step-by-step guide that anyone at your organization could reference to help them better understand their role in third party risk.
- Have a list handy of your high risk and critical vendors. Show that you’ve identified who they are and are doing due diligence on them. There are a few steps you’ll need to take to accomplish this:
  - Reach out to your Accounts Payable team for the full list of vendors you pay.
  - Peruse the list and determine the vendors who need to be actively managed. Be sure to note the reason for any exclusions (e.g., one-time vendor).
  - Determine if the vendor is high, moderate or low risk by answering a risk assessment questionnaire. Regulatory risk categories that are evaluated often include areas such as strategic, reputation, operational, transactional, credit and regulatory risk (there are more! Take a look at guidance like FDIC FIL 44-2008).
  - Determine if the vendor is critical or non-critical. If you answer “yes” to any of the following questions, then they are considered critical:
    1. Would a sudden disappearance of this vendor cause a material disruption to the business (e.g., due to insolvency or sudden termination)?
    2. Would the disappearance have an impact on your customers?
    3. Would the time to recover be greater than 24 hours or 1 business day?
- Have YOUR OWN due diligence available. Expect your clients to request documents from you such as your financials, SOC reports, business continuity plans, disaster recovery plans, cybersecurity policies, etc. Keep it all up-to-date and make sure the documentation is complete and covers every area your clients are likely to ask about.
- Show that you’re performing due diligence and ongoing monitoring on your vendors. Just like your clients reach out to you and request due diligence periodically, you should also be reaching out to your vendors and performing thorough reviews on their due diligence. Keep it all on file and refresh as needed.
These five tips should help with ensuring your third party risk management program meets expectations.
Check that you have the right components in your third party risk program. Download the checklist.