by Blake Waud, IT Audit Associate, Doeren Mayhew

With cybercrimes and identity theft on the rise, including attacks aimed directly at prominent financial service providers, it’s no surprise that vendor due diligence and management is currently a hot-button issue for regulators and examiners, and will most likely continue to be so. Examiners and regulators from various agencies are concerned about financial institution vendor management, as evidenced through regulations such as Gramm-Leach-Bliley and Dodd-Frank. The Federal Financial Institutions Examination Council (FFIEC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Agency (NCUA) and Consumer Financial Protection Bureau (CFPB) all have a vested interest in vendor management programs.

What’s the Purpose of These Regulations?
Consumer protection is ultimately the most basic goal of all the regulators, as authorized by Congress through acts such as Gramm-Leach-Bliley and Dodd-Frank. GLBA aims to protect sensitive consumer data from being inappropriately used or accessed, while the Dodd-Frank Act intends to protect consumers from inappropriate business practices that could result in direct financial harm to the consumer.

When a financial institution contracts with a third party for services (such as Internet banking, call center assistance or statement printing), they are exposing the consumer and his or her sensitive, personally identifiable information to a company or institution that the consumer is not able to control. Therefore, regulators and examiners want to see that the financial institution is properly managing the relationship.

Best Practice: Focus on Flow
Addressing the myriad regulations financial institutions face requires adhering to best practices, rather than simply attempting to comply. A solid vendor due diligence program is risk-based. A financial institution should consider the flow of sensitive data, who has access to it and when they have that access. Following the flow of information allows you to identify threats to sensitive data. Once the threats are identified, mitigating controls can be determined as needed.

This flow of information often involves a vendor gaining access at some point. Consider, for example, what happens to paper documents when the cleaning service enters the building after hours: Are there controls in place to ensure these workers are appropriately vetted before being allowed into your secure facilities? Taking this approach, a vendor management program becomes more an exercise in critical thinking and less an exercise in checklist completion and/or document gathering.

If your financial institution is having difficulty managing vendor risks or has been cited by examiners, Doeren Mayhew’s dedicated professionals can assist you in identifying threats at all data flow points, including when data travels to, or is accessed by, third parties. To learn more or schedule a call, contact our professionals in Michigan, Houston or Ft. Lauderdale.