-
Vendor Management in 3 Parts. Part 1 – Risk Identification (or, “do they or don’t they?”)
Service provider oversight (aka vendor management) is undoubtedly the hottest hot-button item on the regulator’s agenda right now, and for good reason. For one thing, regulators know that the vast majority of financial institutions outsource at some point, in fact recent studies put the number of FI’s that either transmit, process or store information with…
-
Cybersecurity – Part 2
In Part 1 I discussed the increasing regulatory focus on cybersecurity, and what to expect in the short term. In this post I want to dissect the individual elements of cybersecurity, and list what you’ll need to do to demonstrate compliance on each one going forward. So here are the required elements of a cybersecurity program, followed…
-
Cybersecurity – Part 1
Cybersecurity has gotten a lot of attention from regulators lately, and with assessments already underway it promises to be a regulatory focus for the foreseeable future. But exactly what are they expecting from you, and how does that differ from what you may be doing already? More importantly, how should you demonstrate that you are…
-
Ask the Guru: The Vendor Report of Examination (ROE)
Hey Guru Where in the handbook does it state the Bank should request exam reports on vendors from their regulatory body? Although there is no formal FFIEC written requirement for obtaining the service provider’s regulatory examination report (report of examination, or ROE), it is mentioned as a best practice in the FFIEC 2012 TSP Handbook:…
-
FDIC Re-issues Service Provider Guidance
Originally released in 2001, the FDIC recently re-issued 3 publications related to managing outsourced relationships: Effective Practices for Selecting a Service Provider Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements Techniques for Managing Multiple Service Providers What struck me about this re-release, and the fact that they were released without modification of any…
