BOL Conferences
#416696 - 08/31/05 04:10 PM Vendor Management Policy
SouthernComfort Offline
Platinum Poster
Joined: Aug 2001
Posts: 705
Southern Illinois, USA
Does anyone have a vendor management policy they would share? I think someone sent me one but I have lost it and need it tomorrow. I would appreciate any response. Thank you.

eBanking / Technology
#416697 - 09/01/05 05:30 PM Re: Vendor Management Policy
Anonymous
Unregistered

Ours is pretty basic, but it gets the job done:

Vendor Management Policy

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information, published February 1, 2001 and revised March 29, 2005, state that each financial institution has an obligation to ensure that each of its service providers has established a security program that is consistent with the Interagency Guidelines and guidelines set forth in the FACT Act of 2003. Recognizing how vital security and privacy of information is to the continued operation and reputation of the Bank, Citizens Bank Of Las Cruces has adopted the following Vendor Management Policy to ensure that both existing and new service providers comply with or exceed the Interagency Guideline requirements.

Definitions

Service Provider – any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.*

Vendor – equal to Service Provider. Service Provider and Vendor will be used interchangeably throughout this and other documents pertaining to Vendor Management.

Significant Service Provider – a service provider whose services are vital to the normal daily operation of the bank. The bank would be significantly disadvantaged without this provider’s services and would be unable to replace this provider quickly and easily.

Oversee Service Provider Arrangements*

A. Exercise appropriate due diligence in selecting service providers

B. Require service providers by contract to implement appropriate measures designed to meet the objectives below:

1) Ensure the security and confidentiality of customer information
2) Protect against any anticipated threats or hazards to the security or integrity of such information
3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer
4) Dispose of confidential customer information in a secure manner
5) Immediately inform financial institutions in the event of a security breach involving confidential customer information

C. Monitor its service providers to confirm that they have satisfied the obligations described above. As part of this monitoring, Citizens Bank Of Las Cruces will review documents including, but not limited to, contracts, audits, summaries of test results or other equivalent evaluations of its service providers. In addition, Citizens Bank Of Las Cruces will request federal examination reports from the FDIC on significant service providers. These reviews will take place on at least an annual basis for existing vendors. For new vendors, these documents will be reviewed prior to accepting any bid or signing any contract.

Responsibility and Delegation of Duties

The Board of Directors of Citizens Bank Of Las Cruces is responsible for ensuring the adequacy of all aspects of the Bank’s IT Security Program, including Vendor Management. The Board has delegated the duties relating to IT Security to the Bank’s IT Security Officer, Linda Weir. The IT Security Officer will perform the duties relating to Vendor Management compliance as well.

Reporting

The IT Security Officer will report the status of compliance and security of all service providers to the Board of Directors annually. Additionally, the status of compliance and security of new service providers will be reported to the Board of Directors through their review of the IT Committee meeting minutes no later than 60 days after the signing of a new contract.

#416698 - 09/01/05 06:12 PM Re: Vendor Management Policy
Anonymous
Unregistered

Hey I just read your policy and it's a great help--thanks a bunch!!

#416699 - 09/01/05 06:26 PM Re: Vendor Management Policy
Anonymous
Unregistered

You are welcome - glad I could help.

#416700 - 09/02/05 06:03 PM Re: Vendor Management Policy
SouthernComfort Offline
Platinum Poster
Joined: Aug 2001
Posts: 705
Southern Illinois, USA
desert gal: thanks so much for your reply. Also thanks to the people who PM'd me with their policies.

#416701 - 09/06/05 01:52 PM Re: Vendor Management Policy
Trees Offline
Power Poster
Joined: Apr 2005
Posts: 4,013
Also take a look at the FFIEC booklets covering Outsourcing Technology Services and Supervision of Tech. Service Providers. Look for key points and make sure you covered them in your policy. Even reference the fact that you referred to these booklets.

#416702 - 12/19/05 12:25 AM Re: Vendor Management Policy
ITGuy Offline
Gold Star
Joined: May 2004
Posts: 352
Alabama
Exam coming up soon! Does anyone have a Vendor Management Policy they would be willing to share? If so, PM me. Thanks
_________________________
"Work like you don't need the money, love like you've never been hurt, and dance like no one is watching!"

#416703 - 04/06/06 08:29 PM Re: Vendor Management Policy
tjbanker Offline
Gold Star
Joined: Jun 2002
Posts: 310
Are there many banks that are requesting the federal examination reports from the FDIC on significant service providers?

#416704 - 04/11/06 06:00 PM Re: Vendor Management Policy
KrisH Offline
Gold Star
Joined: Mar 2003
Posts: 358
Massachusetts
Quote:

Are there many banks that are requesting the federal examination reports from the FDIC on significant service providers?

This was mentioned by the FDIC during our IT audit in December - that we should request FDIC reports on certain service providers. I therefore very diligently sent a letter to the FDIC on March 13th, almost exactly a month ago, requesting reports for three of our major providers. I have not heard a peep from them, not even a "you're sending this request to the wrong department" notice. This is great, I wonder how the FDIC expects us to comply with their request then?

To be fair, a month probably isn't very long if they're very busy, but I wonder how much longer I should wait to follow up? I sent the request to our relationship manager at our local office, but I have no idea if he's forwarded it to someone else or just hasn't gotten around to it yet. I don't really know if there's a better contact I should have sent the request to in the first place.
_________________________
My opinions are my own and do not necessarily reflect the opinions of my employer.

#416705 - 04/11/06 06:19 PM Re: Vendor Management Policy
John Burnett Offline
10K Club
Joined: Oct 2000
Posts: 40,086
Cape Cod
Kris -- I'd suggest calling your relationship manager and asking whether he or she got the request, whether it would have been better addressed elsewhere, whether he or she forwarded it for you, and what kind of turnaround you should expect.

If you learn that these requests usually take three months for results, you can stop worrying about it for a while.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

#416706 - 04/14/06 04:46 PM Re: Vendor Management Policy
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,748
On the Net
We had issues at times because our bank owned our data processor. There was confusion between the bank requesting information and the data processor, as it was a separate entity. The bank was making the request on their behalf, and the contract that allowed this information to be obtained went from the bank to the data processor to the vendor. Normally there wouldn't be that many parties. It may also be that 4 years ago these were new and the relationships and authorizations for reports were not clear.

As John said, call and ask.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#416707 - 04/17/06 04:02 PM Re: Vendor Management Policy
Jerseygirl Offline
Platinum Poster
Joined: Apr 2005
Posts: 684
Jersey Shore
Regarding Federal exams on vendors - besides our main data processor, who should we be requesting reports on? Do they do them on our internet banking provider, wire transfer provider, etc.? Should we also be asking for them on our correspondent banks?

#416708 - 04/17/06 05:27 PM Re: Vendor Management Policy
KrisH Offline
Gold Star
Joined: Mar 2003
Posts: 358
Massachusetts
We requested them on our internet banking provider, our ATM/debit card processor and our firewall/IDS monitoring provider. I know for a fact that the FDIC has audited and prepared reports on our firewall monitoring provider, and I'm assuming they also do the other two, but basically those three are the only systems we outsource, so those are the only ones we requested. Perhaps a good rule of thumb is to order FDIC reports on whatever vendors you request a SAS70 from?

Also, thanks for the comments John and Andy.. as you suggested, I'm going to call my relationship manager shortly to find out the status of my request. I'll post if he provides any information that anyone else might find useful!
_________________________
My opinions are my own and do not necessarily reflect the opinions of my employer.

#416709 - 04/20/06 04:06 PM Re: Vendor Management Policy
KrisH Offline
Gold Star
Joined: Mar 2003
Posts: 358
Massachusetts
Just an update:

I left a message with my relationship manager on the 17th, looking for a status update on my request. He still hasn't called me back, but I received all my requested reports in the mail today. I'm not sure at this point whether our manager made any calls on it, or if it's just a coincidence, as the reports came from our regional office in Braintree, and not our local office, where our relationship manager is. I haven't had a chance to fully review them yet, but after a quick glance at them, they seem just as detailed as any audit report they would prepare on us.

As a note of interest, I received the reports for all three service providers I had requested. All examinations were done jointly with various other agencies, with one agency serving as the "lead" agency. The FDIC was the lead agency for the reviews on our firewall provider and internet banking provider; the OTS was the lead agency for the review on our ATM/debit card processor.

Now to set some time aside to pore over these!
_________________________
My opinions are my own and do not necessarily reflect the opinions of my employer.

#416710 - 04/26/06 02:23 PM Re: Vendor Management Policy
Don_Cochran Offline
New Poster
Joined: Apr 2006
Posts: 1
Maryland
Don, to advertise on BOL, please contact tobi@bankersonline.com. It isn't fair to the paid advertisers to allow promos here.
Last edited by Andy Z; 04/26/06 02:40 PM.
_________________________
Minimize Risk - Maximize Efficiency

#416711 - 04/26/06 02:42 PM Re: Vendor Management Policy
Anonymous
Unregistered

Good information. Another quick question: who is responsible at your bank for Vendor Management? I see where in the policy it says IT Security Officer. How about other banks - is it also the IT Security Officer, or the Compliance Officer?

#416712 - 04/28/06 02:59 PM Re: Vendor Management Policy
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,748
On the Net
Our Finance area had a master list of contracts because they paid the bills. But the due diligence was up to the manager of the area affected by and using it.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#416713 - 04/28/06 06:26 PM Re: Vendor Management Policy
P*Q Offline
Power Poster
Joined: May 2001
Posts: 8,458
Somewhere
I oversee vendor management as the CO. But contract storage is done by the CFO. As Andy states, individual oversight of vendors is done by the dept. mgr.

#416714 - 04/28/06 06:34 PM Re: Vendor Management Policy
JW Offline
Gold Star
Joined: Nov 2005
Posts: 269
Indiana
Can anyone share their vendor management programs? If so please PM me.

#690786 - 02/21/07 09:21 PM Re: Vendor Management Policy JW
TheQueen Offline
Member
Joined: Jun 2006
Posts: 85
CT
We recently went through a State audit (Connecticut), and it was recommended that we include a section on operational risk in our Vendor Oversight Policy. Does anyone have sample language I could use to start with? Please PM me with a template, if you have one. Thanks!

#782514 - 07/25/07 04:10 PM Re: Vendor Management Policy TheQueen
LostFan Offline
100 Club
Joined: Feb 2004
Posts: 119
New Jersey
I too would be interested in a sample of a vendor management policy. Please PM me...thanks!

#790798 - 08/07/07 08:00 PM Re: Vendor Management Policy LostFan
SupTech Offline
New Poster
Joined: Aug 2007
Posts: 5
Hey everyone. I too am struggling a bit with my wording for my bank's Vendor Management Policy and supporting operational risk sections. Could anyone please PM me some documentation? Thanks in advance!

#792100 - 08/09/07 06:40 PM Re: Vendor Management Policy SupTech
DeNovo Offline
New Poster
Joined: Aug 2007
Posts: 3
Did you get a sample of a vendor management policy? I need to create one myself.
