How to Automate Your Yearly FDIC/NCUA Vendor Due Diligence

Every small bank and credit union regardless of asset size has to perform yearly due diligence research on each of their critical vendors. We know as IT security professionals and you know as banking professionals that there has to be a more scalable way to manage these relationships, share the information across the organizations and ensure that everyone is held to the same standard.

What is Vendor Risk Management?

It is the process of ensuring that the use of external service providers and other vendors do not create unacceptable potential for business disruption or negative impact on business performance.

So how can you protect yourself from these 3rd party risks? In October 2014 the Gartner Report is quoted as:

Through 2016, despite being a top priority of CIOs, less than 15% of vendor management programs will leverage data analytics and business intelligence to identify and manage vendor risk.

Given the quote above and the current regulations, exactly what are the requirements in performing yearly inspection of vendors and suppliers? Rivial looked at both the NCUA and the FDIC requirements and we have carefully outlined the following items to ensure that your partners meet and exceed the guidelines.

Requirements

The regulatory requirements break down into 5 categories of information: Company Details, Reputation, Engagement, Financial Stability and Cybersecurity. Rivial has studied the details and the regulations boil down to some fundamental questions.

• Who they are?
• Who owns them? Public vs Private, foreign entities
• Where are they located, the industry?
• Do their customers like them?
• Do they provide the right service?
• Are there any red flags your institution will suffer by entering into a relationship with said vendor?
• Are they profitable enough to provide your critical services for the life of the agreement and expected use of the service?
• Are your institution’s data and transactions safe on the vendor’s systems? This means a tricky and time-consuming inspection of the vendor’s cybersecurity.

When you can answer each of the questions above clearly for each vendor and each year, then you are abiding by the principles of an excellent vendor management. More specifically, let’s talk about creating a successful IT VRM program within your institution. The key areas to managing the vendors is aligning them and follow these 6 simple steps

• Yearly Screening - Commit to this simple step
• Document Requirements - Document the vendor and their specific services
• Document Collection - In a central repository for all vendor documentation
• Consistent Standard - Apply a consistent standard fairly across all vendors
• Watch List Compliant - Ensure they are abiding by the Patriot Act
• Grade the Results- Measure how your vendors are performing

Whether you decide to perform this due diligence in house with existing staff, outsource the financial and reputation reviews or use a service like Vendor Intelligence you have options.

• Hire a firm to review each of your vendors on an annual basis for each of the 4 areas required by the FDIC or NCUA ($$$)
• Perform due diligence research in-house with your key personnel (Time and $$)
• Outsource using Vendor Intelligence ($)

Rivial provides each of the due diligence areas through detailed analysis of company details, reputation, financial stability and provide a data security grade.

Review: Rivial Vendor Intelligence Sample Report - CenturyLink - 2015-02-23

A Closer Look at the Company Details

Take a look at the detailed reporting that an outsourcing company can provide. Rivial provides rich details including:

• Website, phone number, location, industry, employee size, press releases, Wikipedia
• SEC filings, stock symbol, share price, stock rating, market capitalization, recent acquisitions, OFAC screening
• Better Business Bureau rating, # of complaints, Consumer Complaint Database, Glassdoor ratings
• Detailed reporting on Twitter, Facebook and LinkedIn
• Financial Stability (includes Reputation)
• Lengthy financial audit provided by our partners at Experian
• Cybersecurity (includes Reputation and Financial Stability)
• Information Security Grade given by resident cybersecurity experts

With all the data just what exactly should you be looking for?

• Better Business Bureau Grade
• Local score by 3rd party agency who has deep community roots
• OFAC Screening
• Patriot act screening. Are these businesses foreign owned?
• Engagement Score
• Review Twitter, LinkedIn and Facebook. Is this business responsive to customers?
• Glassdoor Ratings
• Find out what it’s like working for your vendor
• Public or Private Company
• Stock Rating, Press Releases, Recent Acquisitions

Summary

If you have read this far down you have a solid knowledge of risk and how 3rd party vendor risk affects your institution. Rivial is taking this opportunity to automate your IT VRM program by outsourcing to a vendor (Rivial Security) the specialization in risk and reporting that is backed with a data partnership with Experian.

Next Steps

NCUA Link: http://www.ncua.gov/Resources/Documents/LCU2008-09ENC.pdf
FDIC – Guidance for Managing Third-Party Risk -https://www.fdic.gov/news/news/financial/2008/fil08044a.html
Vendor Intelligence
http://www.rivialsecurity.com/vi

If you run into any questions or issues please do not hesitate to contact your new security partner – Rivial Security.