Vendor and Third-Party Management

Action Summary

Financial institutions should establish and maintain effective vendor and third-party management programs because of their increasing reliance on nonbank providers.  Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence both when entering into these relationships and in their ongoing monitoring.


Some financial institutions rely on third-party service providers and other financial institutions to provide retail payment system products and services to their customers.  Many retail payment services are directly related to the institution's core processing operations (e.g., accessing demand deposit accounts through the use of financial institution-issued bankcards) and may be run in-house through the use of purchased turnkey systems.  However, financial institutions outsource many retail payment-related services to third parties, including foreign-based providers, either to enhance the services performed in-house or to offer new retail payment services that would otherwise not be cost effective.

To ensure retail payment operations are conducted appropriately, financial institutions should have comprehensive contract provisions and adequate due diligence processes.  They should also monitor service providers for compliance with contracts and service level agreements.  Effective monitoring should include the review of selected retail payment transaction items to ensure they are accurate and processed in a timely manner.  The integrity and accuracy of retail payment transactions posted to customer accounts depend on the use of proper control procedures throughout all phases of processing, including outsourced functions.

Regardless of whether the financial institution's control procedures are manual or automated, internal controls should address the areas of transaction initiation, data entry, computer processing, and distribution of output reports.  These control considerations apply to the processing of checks, including through remote deposit capture (RDC), as well as electronically created payment orders and electronic bankcard, debit card, and ACH transactions.  Financial institutions must also maintain effective control over service provider access to customer and financial institution information, consistent with GLBA section 501(b).  Contractual provisions should define the terms of acceptable access and the potential liabilities in the event of fraud or processing errors.  See the IT Handbook Outsourcing Technology Services Booklet.
