by Blake Waud, IT Audit Associate, Doeren Mayhew
With cybercrime and identity theft on the rise, including attacks aimed directly at prominent financial service providers, it’s no surprise that vendor due diligence and management is currently a hot-button issue for regulators and examiners, and will most likely continue to be so. Examiners and regulators from various agencies are concerned about financial institution vendor management, as evidenced by regulations such as Gramm-Leach-Bliley and Dodd-Frank. The Federal Financial Institutions Examination Council (FFIEC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Agency (NCUA) and Consumer Financial Protection Bureau (CFPB) all have a vested interest in vendor management programs.
What’s the Purpose of These Regulations?
Consumer protection is ultimately the most basic goal of all the regulators, as authorized by Congress through acts such as Gramm-Leach-Bliley and Dodd-Frank. GLBA aims to protect sensitive consumer data from being inappropriately used or accessed, while the Dodd-Frank Act intends to protect consumers from inappropriate business practices that could result in direct financial harm to the consumer.
When a financial institution contracts with a third party for services (such as Internet banking, call center assistance or statement printing), it is exposing the consumer and his or her sensitive, personally identifiable information to a company or institution that the consumer is not able to control. Therefore, regulators and examiners want to see that the financial institution is properly managing the relationship.
Best Practice: Focus on Flow
Addressing the myriad of regulations financial institutions face requires adhering to best practices, rather than simply attempting to comply. A solid vendor due diligence program is risk-based. A financial institution should consider the flow of sensitive data, who has access to it and when they have that access. Following the flow of information allows you to identify threats to sensitive data. Once the threats are identified, mitigating controls can be determined as needed.
This flow of information often involves a vendor gaining access at some point. Consider, for example, what happens to paper documents when the cleaning service enters the building after hours: Are there controls in place to ensure these workers are appropriately vetted before being allowed into your secure facilities? Taking this approach, a vendor management program becomes more an exercise in critical thinking and less an exercise in checklist completion and document gathering.
If your financial institution is having difficulty managing vendor risks or has been cited by examiners, Doeren Mayhew’s dedicated professionals can assist you in identifying threats at all data flow points, including when data travels to, or is accessed by, third parties. To learn more or schedule a call, contact our professionals in Michigan, Houston or Ft. Lauderdale.
This publication is distributed for informational purposes only, with the understanding that Doeren Mayhew is not rendering legal, accounting, or other professional opinions on specific facts for matters, and, accordingly, assumes no liability whatsoever in connection with its use. Should the reader have any questions regarding any of the news articles, it is recommended that a Doeren Mayhew representative be contacted.