Vendor and Third-Party Management

Some financial institutions rely on third-party service providers and other financial institutions for wholesale payment system products and services, either to enhance the services performed in-house or to offer wholesale payment services that are otherwise not cost-effective.

Financial institutions should have adequate due diligence processes, appropriate contract provisions, and service provider monitoring procedures to ensure they conduct wholesale payment operations appropriately.  Effective monitoring should include the review of select wholesale payment transactions to ensure they are accurate, reliable, and timely.  The integrity and accuracy of wholesale payment transactions depend on the use of proper control procedures throughout all phases of processing, including outsourced functions.

Regardless of whether the financial institution's control procedures are manual or automated, internal controls should address the areas of transaction initiation, data entry, computer processing, and distribution of output reports.  Financial institutions should also maintain effective control over service provider access to customer and financial institution information consistent with GLBA 501(b).  Contractual provisions should define the terms of acceptable access and potential liabilities in the event of fraud or processing errors.  Refer to the IT Handbook's Outsourcing Technology Services Booklet for more detail.

 
