FFIEC (Federal Financial Institutions Examination Council) is one of the federal bodies that has set out compliance guidelines for financial institutions through its many IT examination handbooks. The risk of using third parties to perform critical functions is clearly recognized, and FFIEC discusses third-party management in multiple places across its IT handbooks. We attempt to summarize those references here. For full detail, it's always good for compliance personnel in financial institutions to read the FFIEC IT booklets themselves.
FFIEC addresses vendor risk in its IT booklet on information security, in the chapter on oversight of third-party service providers. The expectation is that banks and all other financial institutions exercise due diligence while working with vendors at every stage of the contract life cycle, from negotiation to termination. Ensure that you have a comprehensive vendor risk management program for your organization.
At a high level, you should undertake at least the following due diligence measures while working with third parties. Depending on the nature of a specific contract, you may have other areas to focus on as well in terms of due diligence requirements.
Some third parties may arrange to have an assessment or audit performed by an external provider and give that report to you. As long as a comprehensive security risk assessment or audit is performed by an independent and qualified service provider, it can be a useful tool for monitoring how well the vendor is fulfilling the desired security controls. Some third parties may also choose to obtain well-known industry certifications such as SSAE 18/SOC or FedRAMP and provide you with those reports. These can all be good options instead of having to conduct your own security risk assessment of the third party.
You may choose to outsource your technology services, as many financial institutions do. Outsourced IT services can add operational risk and can affect your delivery of services to your clients. FFIEC addresses outsourced technology services in depth, with a booklet dedicated to just this subject. The booklet covers all stages of working with an outsourced technology service provider and emphasizes the importance of conducting a third-party risk assessment. FFIEC addresses service provider selection, the RFP (Request for Proposal) stage, contracts and pricing, any further subcontracting arrangements, and ongoing monitoring and assessment of the third party, including managing deliverables through service level agreements.
You may choose to use a vendor that is located in another country. Foreign vendors carry additional risks, such as country risk, compliance risk, difficulty of monitoring and oversight, and questions of data ownership. FFIEC offers guidelines for managing these risks. Remember that U.S. regulatory authorities must have the ability to examine the services performed by an organization's third-party service provider regardless of whether it is foreign or domestically based. Local laws should not affect the ability of U.S. regulatory authorities to effectively examine your vendor organization.
Guidelines on vendor risk management appear in different forms across multiple IT booklets published by FFIEC, including those on specific subjects such as retail and wholesale payment systems, business continuity planning, acquisitions and management. In summary, FFIEC states clearly that financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence both when entering into such relationships and during ongoing monitoring. Outsourcing a function does not relieve you of the ultimate responsibility for ensuring that business and transactions are conducted in a safe and sound manner. Establishing a well-defined relationship with your third party is essential to business resilience. Your third-party management program should be risk-focused and aligned with the level of risk that the outsourcing agreement presents.