December 30, 2020 Mick Kless, CEO A while back, one of our community bank clients selected a new automated vendor management solution from a well-known vendor in the industry. The client and vendor will remain nameless for confidentiality purposes. My direct client contact was the Vendor Program Manager who was also a part of the Accounts [...]
The Business Case for Assessing Vendor Performance © Compliance Education Institute While many of us continue to analyze our vendor inventories and our vendors’ Disaster Recovery, Business Continuity and Pandemic Plan plans as we manage through the COVID-19, we should also be scrutinizing contracts for Service Level Agreements (SLA’s), the quantitative measurable metrics to which vendors [...]
New Strategic Partnership Announcement Compliance Education Institute and Fortrex Technologies, LLC partner to deliver comprehensive services May 1, 2019 – Furthering their dedication to provide comprehensive third party risk management (TPRM) services, Compliance Education Institute and Fortrex Technologies, LLC, are pleased to announce our new strategic partnership. Compliance Education Institute provides comprehensive, detailed, and practical [...]
With the March 1, 2019 deadline looming for complying with NY’s Cybersecurity regulation, the NY DFS must be licking its chops at the prospect of imposing fines. Actually, I’m sure they really hope that all covered entities are up to snuff and have sent in their signed certifications or exemptions. “Signed certifications or exemptions?” you ask. [...]
I recently conducted a Vendor Management Program Audit and Risk Assessment as a part of our Advisory Services for a midsize financial institution. Performing both gives you a more complete picture of where the institution is at and helps document current state, desired state, gap analysis and create a prioritized road map for a healthier program. This particular [...]
Okay, the Equifax breach wasn't your fault. Neither was the Home Depot breach, Target breach, etc., etc. Thus, the Data Breach Notification regs don't apply to you so you're clear of any responsibility. Or are you? I scoured a couple hundred bank and credit union websites this weekend and found that very few provided any information [...]
While most companies have Code of Conduct for staff, not as many require their 3rd parties to sign such a document. Even fewer include violation of that Code of Conduct as a condition for cancellation of contract. As we all know, being associated with a 3rd party that has received adverse attention in the media could [...]
I've recently been asked whether a financial institution has Breach Notification responsibility in the case where the institution refers customers to vendors such as financial service providers where the institution merely vetted several vendors as a convenience for its customers, has no contract with the vendors, passes no PII/NPPI to the vendor, receives no referral fees [...]
Classic risk management employs 3 lines of defense. But there's also a possible 4th line when it comes to regulatory issues, specifically vendor management. Please note that I have seen multiple titles that fit the roles below so don't get hung up on the titles. If you're a smaller institution and you wear multiple hats, you [...]
How do you measure your vendor's value? s vendor management programs mature, we need to understand the value a vendor delivers beyond meeting its Service Level Agreements. While we frequently outsource significant functions (critical and high risk) because a vendor can help us meet our strategic goals, including doing something better/faster/cheaper, what else are we obtaining [...]