Speaker 1: Hello, and thank you for tuning in today to Issues of Interest from Baker Newman Noyes, where we cover assurance, tax, business advisory, and technology topics and trends affecting the banking and financial services industry. I'm Joe Jalbert, and I lead the banking and financial services practice here at BNN. Banks and financial institutions are constantly navigating volatility and change. Here at Issues of Interest, we help you stay current on what's happening in the industry so you can achieve success for your institution. Now, let's get into the episode.
Speaker 2: Hi everyone, thanks for joining us for Issues of Interest, BNN's podcast for the banking and financial services industry. I'm your host today, Zach Porter, a senior manager on the information systems and risk assurance team here at BNN, and I am joined here today by Pat Morin.
Speaker 3: Hi, Zach, and hello to everyone listening. Glad to be here.
Speaker 2: Great. So, Pat, before we dive into things, could you just take a moment to share a bit about your role at BNN?
Speaker 3: Sure. Thanks. I've been with BNN since its founding, not sure I'm glad to say, but nearly 30 years ago, and I lead the information and risk assurance practice here. We work with quite a range of clients, ranging from five-person startups to global corporations. They include third-party administrators, financial institutions, managed service providers, and cloud software providers. Much of what we do is evaluate IT and system controls, as well as third-party risks related to those companies, in order to provide assurance to their clients, our clients, and other third parties, which could include prospective customers of theirs and regulators. We provide our services through the delivery of IT controls testing, SOC report examinations, and a variety of risk assessments. As part of our services, we can also advise clients as they prepare for any of those services, including SOC reports and other audits.
Speaker 2: Great. I'm excited to be here speaking with you today, Pat. So today, we're here to talk about third-party vendor management. To get us started, could you just talk a bit about the types of third-party relationships that might be applicable to banks or financial institutions?
Speaker 3: Sure. So I spent some time thinking about this before this podcast, and there's actually quite a list of what would be considered third-party providers that financial institutions may use. It could be straight-up outsourced service providers. That could include the core banking system and maybe some other integrated client service software providers. Banks have a great history of using independent consultants, such as actuaries, and I'm sure it's a favorite on everyone's list today, those that are providing support for the recently implemented CECL, or current expected credit loss, calculations for the latest loan loss disclosures. They could also include merchant and other third-party payment processing providers, or services provided by affiliates and subsidiaries, including third-party hosting. So if they're using a website provider or any other kind of third party to supplement their business process. And actually, what's become popular for the last several years is joint ventures with organizations such as fintech providers.
Speaker 2: Great. And what would be some of the reasons banks or financial institutions use those third parties?
Speaker 3: One of the biggest reasons third parties are used is either to support specialty services or, in many cases, and particularly recently, to fill gaps in skill spaces that organizations can't get, particularly in high-risk areas like cybersecurity and technology. They might also help supplement organizational issues and bring clarity to the financial institution's process, streamlining it. There are a number of third parties that provide workflow tools so financial institutions can help streamline their loan decisioning process or even customary resourcing. When I mentioned fintechs a second ago, one of the reasons you might want to work with a third party is time to market. The pace of change in the market today is very fast. And so, working with third parties such as fintechs, financial institutions can more quickly offer emerging services to their customers. Some other examples of why they might outsource: outsourcing your entire core processing system offloads all the need to support the banking software and the related technology updates and all that. They might also outsource to tools like Salesforce to help create a framework around customer relationship management. And what's really becoming common is to outsource things like first-line and second-line support for the helpdesk, where the first and second level support are outsourced to a third-party provider. And so then the financial institution need only keep resources on staff for the more technical and challenging issues. We also see a significant amount of outsourced information security and cybersecurity management functions, to be better prepared to manage the associated risk by really strong, qualified third parties. And again, it offloads the need for financial institutions to keep their own in-house staff up to speed on this wide range of issues.
Speaker 2: Yeah, I would say probably with the banks that I've worked closely with over the last several years, probably the biggest shift is moving the core processing system to the cloud. The onsite data center infrastructure cost is definitely a thing of the past. We have a few clients that still have the core hosted onsite, but I would say the wide majority have since shifted to a cloud model.
Speaker 3: And those providers also recognize the value they provide to the financial institutions, and it's worthwhile for financial institutions to meet with them regularly, and we'll talk about that in a minute, to understand what else they can offer to expand on the services they offer. Because, as we'll talk about in a minute, monitoring third-party providers is an entirely separate exercise. And if you can streamline that set, it makes that process a bit easier.
Speaker 2: Right. So that's a good segue to this. So thinking about the scope of the wide range of third parties you just mentioned, which ones should be monitored? Are there different risks among the different types of providers?
Speaker 3: Yeah, Zach, that's a great question. Even with our largest clients, I've yet to find one that has unlimited resources. But the reality is, you can't cover everything. So the first step is to understand which providers have access to customer data, which third-party providers are key to your ability to operate because you rely on them so heavily, and then to basically evaluate them through a formal process. That's often accomplished through an enterprise-wide vendor risk assessment. There are a variety of frameworks, and the framework can provide help in determining what should be evaluated, when they should be evaluated, and how to monitor those third parties. You know, the goal is really to assess the vendor's ability to manage and mitigate both operational and IT and/or cyber risk. And then, do they have methodologies in place to remediate those vulnerabilities if they do come up, and to protect their own and all of their partners' information and systems from operational and cyber threats. Something else to consider is the vendor's resilience and sustainability. Do they have a good business continuity plan, or do they have contingency plans in place so that, if there were some interruption in their service offering or their business, they could provide ongoing support or the service? The evaluation that we just talked about should involve participation from the leadership of your financial institution's various functional areas, because everyone has different priorities and expectations. And if you don't look at it on an enterprise-wide basis like this, you might miss something. So each of those functional leaders can cite the areas that are of greatest importance and concern for their particular area. I should note that last year, I think it was in June, the FDIC issued a more specific set of guidance for what financial institutions should be doing when they're evaluating third parties.
So, Zach, our listeners can check our show notes for this podcast if they want to find a link to that article. One of the highlighted areas of focus in the guidance is to ensure that the financial institution understands who is being given access to sensitive information. It's really important to understand where the data is being stored, to ensure the relevant responsibilities are understood, such as who must protect the data, who will manage access and what is granted access to, and who will monitor it. Many times, I've helped organizations looking at contracts for third parties, and those aren't clearly defined. Making sure it's understood who has that responsibility and control would certainly help in being able to properly monitor those third parties.
Speaker 2: Yeah, that's a great point. The first thing that comes to mind there is the financial institution that you and I both work with that has the very, very extensive contract with many requirements. And they are very specific in terms of where the data is stored, particularly offshore. So we have to be aware of what providers we are using to support the engagement that we perform for them.
Speaker 3: That's a great point. Another client that you and I share, we have helped them evaluate who has access to each of the third-party provider systems. And we were both surprised when their spreadsheet had over 100 tabs of all the different institutions and providers they're connected with. So that really gives a, and this is a small institution, at least stresses the importance of having a clear and formal process to document who all those are and to manage that.
Speaker 2: Absolutely. So, thinking about the overall risk management process and being able to do that evaluation that you just spoke to, how can institutions help ensure that their third-party vendors provide them the necessary information that they need to do that evaluation?
Speaker 3: The best way to do that is, at the time of initial contract execution, to ensure that the contracts include the opportunity for the financial institution to conduct an audit, actually the right to perform an audit. If it isn't in the contract, it's certainly worth evaluating at any renewal point to make sure that's included. Additionally, if they don't have that, certainly the vetting process and the ongoing monitoring should include a set of specific questions that are relevant to your financial institution, such as minimum standards for data handling or minimum security practices. And ideally, if it's possible, if the third party can provide a relevant third-party assessment or an attestation report, such as a SOC 1 or SOC 2, or even an ISO certification over their IT systems, that would go a long way to provide some determination of the formality and the appropriateness of that vendor's systems. Through some of the Sarbanes-Oxley work we do, and to some extent some of the SOC reporting we do, we help organizations do a second validation of the information they collect, and/or at the same time we help them come up with sets of questions they might consider asking so that they can better facilitate their process.
Speaker 2: So during the vetting process, when you're requesting SOC 1 or SOC 2 reports from your third-party vendors, it's important to consider the vendors that that third party is using as well. A good example of that is one of our clients uses an outsourced accounting vendor who also uses a third-party hosting provider for that data. So as part of the vetting process, it's important to understand where your data is actually being hosted and if you need to request additional SOC reports or information from those downstream vendors.
Speaker 3: And I think in that situation, you would share with me that the downstream provider has a SOC report. Yes, yes. And that downstream term you use is important, because in the SOC reporting guidance, anyone who is a second- or third-party user of a service provider that has a SOC report has a reasonable right to request those reports.
Speaker 2: Absolutely. So with that information that you collect from the third parties, whether it be through the contract process, third-party assessments, or other reports like we were just talking about, what do you do with that information, and how can you use it to evaluate the residual risk?
Speaker 3: Sure. So you mentioned it earlier in your example: the first thing to do is to make sure what is collected is relevant to the service or activity that is being provided. If not, really the only thing to do is to go back and ask for more clarity. But once it's received, the information should be reviewed in the context of that service and activity, to see if the controls and protections that are described meet the minimum standards for your financial institution and its related risk appetite. Everyone is somewhat different, and the responses should be evaluated as a whole. So, say for example, their password settings aren't as strong as you would like, but if they have other strong factors, like maybe they also supplement it with multi-factor authentication or something else, that would be something worth considering when you look at it as a whole.
Speaker 2: And I think you mentioned it earlier. It's important in that evaluation process, when you have that information, to ensure that all of the stakeholders are involved in that process. I think a lot of times we see that financial institutions and banks have a compliance team that sort of spearheads this effort, but it's also important for the relevant business lines to have a piece in that, to ensure that all of the relevant risk areas are being considered. So with that, if for some reason you've requested information from the vendor and they're either unable to provide it, or they do provide it and you have some concerns that the vendor's processes and controls are not in alignment with your organization's risk appetite, what are some things you can do at that stage?
Speaker 3: So the first is to communicate your concerns with the vendor. Perhaps they failed to provide enough information or they weren't sufficiently clear, and with follow-up you can close that risk consideration. If not, it would be ideal to work with them to come up with a reasonable solution short of terminating the relationship, because that's often more costly than what may be involved in resolving it. I had an example where a quasi-financial institution that we're affiliated with had a particular vendor whose charge was to collect cash payments on behalf of this financial institution. They were filling out security questionnaires, and they were just never quite able to close the gap around the risk assessment that the financial institution had. So, while we were able to maintain independence, they hired us to come in and evaluate their system, and what we discovered is that their system was eligible to fit into a SOC 1 report. And so, working with them, they identified the right objectives, and we helped them develop a SOC report that they now do annually, and it satisfies the requirements of this financial institution.
Speaker 2: So that actually leads well into the next point. So Pat, if I'm a service provider, what are the things I might want to think about or be prepared for in the context of the requests I might get from my customers?
Speaker 3: As I mentioned at the beginning, in our practice we work with literally dozens of service providers, and the most frequent requests we get are to provide assurance over their systems and processes, in particular in the areas of security and confidentiality, and in some cases their processing activities. A good approach, if you're a service provider, is to put yourself in the place of your customer and think what they might want to be assured of, and so be prepared to ask yourself the questions they may ask and provide answers around that. I've mentioned the SOC report a couple of times. If you're a service provider, that is certainly an option. Whenever we talk to an organization that may be looking at a SOC report, we always want to make sure it's really the right fit. Sometimes, if it's a very specific need, some other assurance might be able to be provided, such as, if they already get themselves a PCI attestation, they could use that. Or there might be a smaller set of services that a third-party firm like Baker Newman Noyes could provide. Or it could be others, like a specialty cybersecurity firm doing a pen test report to provide that assurance. So there are always lots of options, and we're always happy to help our clients find what's a good fit.
Speaker 2: Yeah, I would say the thing we're seeing a lot over the last couple of years, when clients are considering whether they want to go for a SOC 1 or a SOC 2 report to satisfy third-party requests, is that it's often a cost consideration, but the other one is just an administrative consideration. As you mentioned earlier, banks or financial institutions don't always have unlimited resources. So, rather than having people respond to these extensive questionnaires multiple times throughout the year for different clients, sometimes having something like a SOC report can be helpful in addressing all of those in one swipe. Well, Pat, it's about time for us to wrap up. Is there anything else that you'd like to add that we haven't touched on already? What should people walk away with today to help them at their institutions going forward?
Speaker 3: Well, the main thing is to understand who are your key providers and to keep regular discussions with them so that you know where they stand, know how they're doing, and in particular to be aware of any changes they may be implementing. It's certainly important to monitor and evaluate them on a regular basis. We generally recommend annually, and particularly when they are trusted with access to sensitive information or if they're critical to your financial institution's business process and customer service delivery.
Speaker 2: Yeah, thanks, Pat. That's very helpful. So today, I think we've covered some great topics and things to consider for banks and financial institutions engaging with third-party vendors. As a quick recap, we've covered some of the main reasons banks and financial institutions use third parties, how to monitor those third parties and their related risks, ensuring those third parties provide the necessary information needed to evaluate them, and then what some of your options are if you have concerns over the level of service or information provided by those third parties. Pat, it was great speaking with you today. I appreciate you joining me.
Speaker 3: Absolutely, Zach. Thanks for sitting down with me, and thanks to our listeners for tuning in. We hope this information is helpful.
Speaker 2: Yes, and BNN is always monitoring and sharing updates and developments, so stay tuned for more articles, podcasts, and resources from our team. Thanks, all.
Speaker 1: Thank you for listening to Issues of Interest from Baker Newman Noyes. The BNN Banking Team thrives on solving complex business challenges and helping institutions meet their goals. You can find more of our industry content and subscribe to our newsletter at BNNCPA.com. If you'd like to connect with a member of our team, email info at BNNCPA.com. Bye now.
Speaker 4: This podcast is brought to you by Baker Newman Noyes. The information contained in this episode is based on data available as of the date of its release. BNN is under no obligation to update this information as changes occur. BNN podcasts, events, and publications are intended to provide general information to our clients and friends. They do not constitute accounting, tax, or legal advice, nor are they intended to convey a thorough treatment of the subject matter. The information in this podcast may or may not apply to your individual situation. Consult a professional for help applying these concepts to your personal circumstances. Please contact Baker Newman Noyes for additional assistance at info at BNNCPA.com. More information can be found online at BNNCPA.com.