Pub. 3 2013-2014 Issue 5

O V E R A C E N T U R Y : B U I L D I N G B E T T E R B A N K S - H E L P I N G C O L O R A D A N S R E A L I Z E D R E A M S March • April 2014 17 Your bank’s third-party riskmanagement procedures should document a process that covers steps: (1) steps were taken to perform due diligence at initial vendor selection, (2) on-going monitoring during the relationship, and (3) steps taken in the event of a termination of the vendor. Your First step is to performproper vendor due diligence prior to contracting with a vendor for a service. The bank should docu- ment whether or not they comparedmultiple vendors and be able to show that a thorough analysis was performed on each of the potential vendors. Such due diligence should include assessing the vendor’s qualifications, backgrounds and reputations of the vendor’s principals, fee structures, financial condition, business experience, and reputation in the banking community. Youmay consider having each vendor to complete a detailed request for proposal (RFP) specifically designed by the bank to cover the risk management issues that are most important to the bank. As always, keep good records of your due diligence process to provide to your regulator, as it will make your life a lot easier! A major component of risk management is understanding your contract with the vendor and ensuring that it contains provisions that allow you and your bank, to audit, monitor performance and require remediation by the vendor when problems are identified. A bank can request copies of external audits of the vendor such as a SSAE 16 report to establish that your vendor is performing services for you to certain standards. Ask your vendor if they themselves use third-party vendors to provide services to them and what is their process in managing risk with those vendors. Once you have selected your vendor, it is common for many banks to assume that if no problems arise then everything must be going well. Not so! Good risk management procedures pro- vide for on-goingmonitoring even if things appear to be running like clockwork. Over the period of a contract, many things can be happening with the vendor frommajor financial changes to a new focus on an entirely different line of business. Some of these changes may be bad and some may be good, however, they will need to be documented and evaluated by management to make sure that they don’t create an unacceptable risk for the bank. Remember, risk management is ultimately your and your bank’s responsibility. Challenge your vendors, and choose those that will let you sleep at night, even before your next examina- tion! n Reach your target audience a ordably. advertise get results DANI GORDEN Advertising Sales 855.747.4003 dani@thenewslinkgroup.com