Guidance on Bank Vendor Management Program

5/26/2011

Banks are required to perform due diligence on vendors – all vendors, not just those vendors with access to sensitive personally identifiable information (PII). Below is an outline of what bank examiners are looking for when evaluating your Vendor Management Program.

  • Which Vendors: Ensure that every vendor is included in your vendor-specific risk assessment. Many vendors are obvious candidates, but you may also want to include lunch or food delivery personnel, lawn maintenance, printer and multi-function device repair personnel, building maintenance personnel and bottled water delivery personnel. Essentially, the bank must account for all vendors.
  • PII Access: Vendors should then be rated by their access to personally identifiable information (PII). A vendor that has or maintains access to PII may be classified as a critical vendor. If a vendor is rated critical, additional due diligence may be required, such as non-disclosure and red-flag contractual language, financial statements, and background checks. Remember that privately held vendors rated as critical are not required to present financial statements for analysis. In addition, some vendors may not be cooperative in every area the bank would like to evaluate.
  • Red Flag Contractual Language: Examiners are evaluating vendor contracts to ensure that if the vendor encounters an identity theft incident that may raise a red flag pertaining to the bank’s PII, notification is to be sent to the bank within a reasonable timeframe. Ensure that you account for this in your risk matrix and Board-approved documentation for vendors that require this oversight.
  • Additional Due Diligence: Banks may also want to consider escalating a vendor to critical risk status if the bank cannot function without that vendor’s support. The vendor may not access PII; however, if the bank cannot function without it, the vendor may be rated as critical. Examples include public utilities, security companies and monetary delivery service vendors.
  • What about Bank Examiners? Most banks do not account for the State, FDIC or OCC as vendors. These agencies have access to an incredible amount of PII and should be subject to the bank’s policy as it relates to the Vendor Management Program. Most of these agencies receive Information Technology Reports, which should be obtained on an annual basis. Any irregularities noted in these reports should be reported to the Board of Directors.

Over the next year, expect to see the following three items scrutinized: Vendor Management, Incident Response, and Disaster and Business Continuity Planning, which also includes the bank’s Business Impact Analysis. During your next IT examination, insist that these controls are included in the scope of the assessment.