
Due diligence cannot rely on vendor reputation

Answered by: 

Question: 
Do we really need to conduct due diligence on all of our 3rd party vendors, including fintechs? I can understand the ones that appear to be riskier, but there are some that are very well-known in the industry and are very well respected. Wouldn’t the regulators just see the same thing in our file as they did the last bank they just left?
Answer: 

Every vendor relationship and vendor agreement is different, even with what appears to be the same services, SLAs (service level agreements), etc. The regulators are more than likely familiar with the vendors, but it is their job to ensure that you know what you are doing, that you are complying with their guidance and making sure that whatever version of the vendor’s services was agreed to is being complied with, that your executive team and board truly know and understand the risks of the services the vendor is providing, and that you are conducting proper and timely due diligence during the life of the vendor relationship. Even if something looks like it is the same flavor on the outside, you may not know what is going on financially with a vendor, or what may be going on with their executives or their internal control environment, and these are critical things that you should be monitoring and reporting on.

------------------------------------

Learn more about Maureen Carollo’s Vendor Due Diligence & FinTechs webinar.

First published on 03/17/2024
