Pub. 14 2023 Issue 2

• Assess third-party’s access to customer information and interactions with customers • Understand potential information security implications • Determine how to select, assess, and oversee the third-party, including monitoring for compliance with applicable laws • Determine the bank’s ability to provide adequate oversight and management on an ongoing basis • Outline the bank’s contingency plans if need to transition to another third-party or bring the product in-house 2. Due Diligence and Third-Party Selection The guidance provides that the scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship, with more diligence required for critical activities. The guidance permits the use of external parties to assist with due diligence but notes that such use does not abrogate the responsibility of the bank to manage the third-party relationship. The guidance lists the following factors that should be considered as part of due diligence of the thirdparty: strategies and goals; legal and regulatory compliance; financial condition; business experience; qualification and backgrounds of key personnel and other human resources considerations; risk management (policies, processes and internal controls); information security; management of information systems; operational resilience; incident reporting and management processes; physical security; reliance on subcontractors; insurance coverage and contractual arrangements with other parties. 3. Contract Negotiation The guidance addresses the difficulty in negotiating contracts and the importance of banks in understanding their negotiating power and consequential risks. The guidance notes that the board of directors should be aware of and, as appropriate, approve or delegate approval of contracts involving high-risk activities and that legal counsel review may be warranted prior to execution of a contract. The factors listed in the guidance for consideration during contract negotiation include the nature and scope of arrangement; performance measures or benchmarks; responsibilities for providing, receiving and retaining information; the right to audit and require remediation; the responsibility for compliance with applicable laws and regulations; costs and compensation; ownership and licensing; confidentiality and integrity; operational resilience and business continuity; indemnification and limits on liability; insurance; dispute resolution; customer complaints; subcontracting; foreign-based third-parties; default and termination and regulatory supervision. 13 West Virginia Banker

RkJQdWJsaXNoZXIy MTg3NDExNQ==