Has anyone come across a risk assessment for vendors that specifically focuses on compliance? Our regulator has recommended that we implement one, but in my research, I’ve only found generic assessments intended for onboarding.

I would think that compliance related risk assessment components would vary considerably depending on what sort of vendor you are dealing with. There is a huge difference between say an appraiser or an attorney or a debt collector versus a core system.

Compliance with what exactly?

@ACBbank - Compliance with the various regulations that fall outside of anything that is IT related. This is something that is new as we have not been required to do this in the past, but they are wanting to see a checklist or risk assessment verifying that we have verified compliance with all of the regulations applicable.

We have compliance components to our vendor due diligence risk assessment. Which questions/assessments are triggered depends on the services/products the vendor provides and whether they have customer contact. You might find some helpful hints in Interagency Third Party Risk Management and OCC Third Party Risk Management for Community Banks.

For our key vendors, we are more interested in if they are complying with our requirements. For example, data encryption, data sharing, who has access to our data, meeting SLAs.