This is a great question and actually a common one, and it depends on the number of vendors that you have and the potential level of risk that you identify in your vendor & fintech vendor portfolio. Many times the regulators will want a more in-depth rating system to allow for more “wiggle room” when there are those vendors who provide more high-risk services directly for your customer (such as payment processing services) on your behalf than just the 3-level version. If you have a Extreme High, Moderate High, Moderate, Moderate Low, and Low categories, you can see where the variances can better classify your risk, but as long as you can justify and document your methodology and can successfully communicate this clearly to your regulators, this is up to you.
------------------------------------
Learn more about Maureen Carollo’s Vendor Due Diligence & FinTechs webinar.