Vendor risk management is an ongoing process—one that begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. This blog series on the Top 10 risks will help you more effectively address third-party vendor risk across every department in your financial institution.
If you think it’s tricky to keep track of the rules and regulations of your regulatory agency, imagine having to follow the legal, regulatory and operational requirements of foreign countries.
That’s exactly what needs to happen if a vendor conducts any segment of your business in another country. Country risk is “an exposure to economic, social, and political conditions in a foreign country that could adversely affect a vendor's ability to meet its service level requirements,” according to the FFIEC’s Appendix C: Foreign-Based Third-Party Service Providers.[1] In extreme cases, country risk might result in a loss of access to your data, or in data loss outright.
Country risk is yet another overlapping risk—touching everything from cloud and reputation risk to transaction and operational risk.
It’s not always obvious when a vendor poses country risk. For banks and credit unions the threat is most pronounced with data centers and cloud services, but it can arise from any overseas operation. Many providers replicate their customers’ data to facilities on the other side of the world so that their systems keep running even if one region goes down—the extreme opposite of geographic concentration.
While this sounds good on the surface, it’s a challenge for FIs, which must then answer questions about every country where their data is stored or processed. Topics to address include: political and economic stability; infrastructure such as the power grid and telecommunications; and local regulatory and legal oversight, including whether background checks on personnel and authorization of access to the data are required and enforced.
The FDIC warns “Managing country risk requires the ability to gather and assess information regarding a foreign government’s policies, including those addressing information access, as well as local political, social, economic, and legal conditions.”[2] The Fed encourages ongoing monitoring of these risks.[3]
To manage these risks and prepare for unexpected disruptions in service, the FFIEC says FIs should establish strategies for:
[1] http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/appendix-c-foreign-based-third-party-service-providers.aspx
[2] https://www.fdic.gov/regulations/compliance/manual/7/VII-4.1.pdf
[3] https://www.federalreserve.gov/boarddocs/srletters/2002/sr0205.htm