Advanced Third-Party Risk Issues Now that You've Created a Vendor Management Program, How Do You Keep Vendor Oversight Effective and Ongoing?

Agenda Due diligence (Kevin) Contractual requirements (Kerry) Onboarding/ongoing monitoring (Tanya) Contract termination (natural term/closure or term for cause) (Felix) When something goes wrong (breach, bankruptcy, other issues) (Robin)

Due Diligence

What counts for Due Diligence Assurance that a potential vendor is financially stable, ethically sound & has a strong corporate structure. Reviews should be tailored to the risk the vendor may present to your organization. Performed by the Vendor Management Office (VMO). The VMO is responsible for having a non-biased view of vendors and manages the vendor relationship.

Risks auditors and regulators could impose penalties, revoke licenses to practice or take legal action against your company if the vendor is not compliant to the standards. The press can also damage your company's reputation if a vendor's lack of compliance is exposed. This could negatively affect investor ratings, rating agency scores, shareholders and more.

Types of Vendors Support Technology Non-essential Most intense review Review: Handling PII, compliance, legal, financial, corporate structure and stability, annual spend Technology Depends on type of product Handling of PII, security of systems (SSAE 16 or similar audit), financial, legal, corporate structure & stability, annual spend Non-essential Financial, legal, corporate structure and stability Google search on all (news…)

RFP When to do How to review Deviations Advice in advance Follow-through Build into contracts what promise in RFP and presentation

contracts

Depends on Vendor Type: Location Expansion of services Support, Technology, Non-essential, Contractor Location Key regional differences Expansion of services One-time or build relationship Regulatory concerns

Key Provisions Services or goods Payment terms Termination Reps and warranties Confidentiality Exclusivity IP Limitation of Liability Indemnification

Special Contracts Business associate agreements Data processing agreements Employment

monitoring

External Data Sources Watch List Lookup PCI Lookup Thomson Reueters World Check tool comprises of over 300 global watchlists worldwide, including OFAC. Watchlist findings can indicate if the vendor is working with any “bad players” or terrorist organizations. PCI Lookup If the vendor is used to electronically process, store or transmit credit or debit cardholder information they are run through Visa and MasterCard’s global registry of organizations compliant with their security standards. Consumer Financial Protection Bureau (CFPB) Lookup The CFPB maintains a database of consumer complaints raised against organizations operating in the United States. Reviewing the entries in the CFPB provides insight to public perception of a vendor, as well as their ability to properly deliver services. Office of the Comptroller of Currency (OCC) Lookup A review of the data from the independent bureau within the Department of Treasury that periodically issues consent orders against regulated entities including cease and desist orders, monetary penalties, and general findings. Financial Lookups Vendors receive a financial health review from several financial data sources to properly identify any bankruptcy or solvency risk. All issues identified in the external data review are logged within the vendor risk management platform, decisioned, and tracked.

Vendor Required Updates 3rd party Service Auditor Reports (SOC 1, SOC 2 or ISAE 3402) Breach Notification Plan Business Continuity/Disaster Recovery Program Materials and Test Results Applicable PCI Attestations of Compliance Financial Package Proof of Insurance Policies and other program documentation Any other client requested documentation All evidence collected will be reviewed and any issues will be logged.

Internal Data Sources SLA’s Deliverables Relationship Have SLAs been consistently met, and/or timely credits issued where appropriate? Deliverables Have deliverables met expectations or had to be modified due to vendor requirements? Relationship How does the vendor interact with internal relationship managers? Internal Data Sources

Findings & Issues All potential matches or indications of risk stemming from the external data review, vendor control survey and evidence review are referred to as ‘findings’. When a ‘finding’ meets the appropriate level of control weakness or gap, it becomes an ‘issue’. All issues from any external data review, vendor control survey or evidence review will be logged and decisioned. Issues can be decisioned in multiple ways: mitigation, terminated vendor relationship, risk acceptance. All issues that are risk accepted are periodically reviewed to ensure that risk is still appropriate to accept.

termination

Termination of Vendor Contract Normal Termination Timing Termination for Cause Insolvency/ Trigger Event Breach of contract Elimination of the business basis

Ramp Down Often hostile or neutral enviroment Periods for handing over / Ramp down + Ramp up Process of handing over Communication with new vendor Motivations for current vendor to cooperate with the new one

Transfer of documentation Transfer of processes? Transfer of employees? Transfer of Data + Software; IP-Rights and NDAs Right to withhold goods stored at location in case of a dispute

Right to data portability Art. 20 GDPR Data subject Structured, commonly used and machine-readable form Right to transfer to third party Directly from one controller to another

When something goes wrong

Discovering News No longer receiving services Fail in SLA Law enforcement notice Regulatory action Business changes: staff, model, owner

Special “wrongs” Breaches Bankruptcy Natural disasters

Managing Ending relationship Manage transition within vendor Move to another vendor Regulatory issues? Contract changes Insurance coverage

questions

resources

As submitted