Are You Performing Due Diligence on Your Vendors’ Vendors?

You may be surprised to learn that many of your bank’s vendors actually outsource to a third party certain critical functions that you perhaps believed your vendor was directly performing for you. As an example, your vendor may not be directly providing a secure e-mail system for you, but instead uses a third party company to host and support your secure e-mail. Maybe your vendor offers data storage for your bank—but your vendor doesn’t provide that service directly. A different third party operates the actual data center space where your information is being hosted or backed up, with control over employee hiring and training, and the level of physical and electronic security that exists. How much do you know about the third-party companies your vendors are using?

Regulators are particularly interested in making sure that a bank understands the operational risks it is taking. Therefore, they expect banks to perform appropriate due diligence to learn the risks associated with each vendor and what security controls that vendor is using to mitigate risk. A bank should carefully review any vendor, or vendor sub-contractor, that performs significant bank functions such as payments, clearing, settlement, custody services or information technology.

Of particular interest with respect to vendor outsourcing is a bank’s need to determine:

- Whether the bank’s vendors in turn outsource to third parties.
- Whether the vendor or any of its third party vendors is based outside of the United States.
- Do the vendor and its vendors have appropriate internal controls and SSAE 16 audits to verify these controls?
- Are the vendor and its vendors under federal banking regulatory oversight?

If one of your vendors is in turn outsourcing to multiple outside vendors, this may mean that the bank needs to perform due diligence on those multiple additional vendors in order to meet regulatory requirements. The OCC recently emphasized that when it cannot find adequate due diligence in the bank’s files concerning a vendor or a vendor’s subcontractor that performs “critical services,” and that vendor or subcontractor also is not one that is already regulated and examined by federal banking regulators, federal law allows the OCC (and other banking regulators) to conduct a direct examination of the vendor or subcontractor, and to assess the cost of the examination to the bank.

When a bank outsources critical activities, it’s best to choose a company (1) that has no or very limited outsourcing, (2) that is based entirely in the United States, and (3) that receives a Technology Service Provider exam from bank regulatory authorities.