How do you conduct an on-site third-party vendor review? It’s a hot topic at conferences and online. It’s also the wrong question. Instead of asking how to conduct an on-site review, bankers should be asking whether they need one at all, because in many cases the answer is no. An on-site third-party vendor review is often unnecessary and a waste of time and money.
Let’s start with the guidance on the subject. Very little of it requires on-site due diligence, and the guidance that does exist is peppered with words like “may” and “consider.” Examiners might ask whether on-site visits are conducted, but that doesn’t necessarily mean they are required.
The FDIC "Guidance for Managing Third Party Risk" makes no specific mention of on-site visits. The agency’s Compliance Examination Manual mentions it briefly: “Review the adequacy and adherence to the third party’s policies relating to internal controls and security issues. This practice may also include performing on-site quality assurance reviews, targeting adherence to specified policies and procedures (e.g., visiting customer call centers to observe and verify sales, customer service, collection call procedures, and listening to verification recordings).”
The OCC’s "Bulletin 2013-29" states “On-site visits may be useful to understand fully the third party's operations and capacity. If the bank uncovers information that warrants additional scrutiny, it should broaden the scope or assessment methods of the due diligence as needed… Regular on-site visits may be useful to understand fully the third party's operations and ongoing ability to meet contract requirements... In addition, bank management may consider on-site visits, reference checks, and inquiries with industry groups and peer institutions.” The OCC’s Supplemental Examination Procedures for Risk Management of Third-Party Relationships notes “Determine whether on-site visits are performed for a third party involved in critical activities. Analyze whether someone with the necessary authority and expertise conducts the visits and how information gathered during the visits is used for ongoing monitoring purposes.”
Federal Reserve guidance notes “Financial institutions should ensure that risk management processes include triggers to escalate oversight and monitoring when service providers are failing to meet performance, compliance, control, or viability expectations. These procedures should include more frequent and stringent monitoring and follow-up on identified issues, on-site control reviews, and when an institution should exercise its right to audit a service provider's adherence to the terms of the agreement.” In other words, the on-site review is positioned as an escalation step when a provider is underperforming, not as a routine requirement.
NCUA’s Third Party Relationships Questionnaire doesn’t mention on-site visits at all.
The FFIEC discusses the possibility of on-site visits for managed security service providers (MSSPs) in its Outsourcing Technology Services booklet: “Management should consider performing an onsite visitation to determine if the servicer has the appropriate experience and control environment to meet the FI's needs, how long the MSSP has been in business, the MSSP's staffing, the MSSP's incident response methodology, etc. Periodic review of the MSSP's processes, infrastructure, and control environment through offsite reviews of documentation and onsite visitations.”
Unless you are sending an auditor or someone else trained to evaluate controls, the value of an on-site visit is limited. You’ll confirm that the company and its offices exist. You might observe whether some policies and procedures are actually followed on the day you happen to be there. You’ll probably meet some nice people who will take you out to dinner. But you are unlikely to make a discovery that the due diligence documentation didn’t already reveal. There are also far cheaper and faster ways to confirm that a company exists and employs real people. It’s easy today to pose as a company with a fake email address and website, but it’s just as easy to uncover the fraud by checking with peers and trade associations, and checking references is good due diligence in its own right.
Some financial institutions trigger a site visit whenever a contract exceeds a fixed dollar amount, but spend is the wrong parameter. What matters is how critical the vendor is and how much risk it presents to your financial institution, in particular what data it can access. Consider two vendors: a relatively inexpensive marketing company with access to a great deal of customer information protected under GLBA, and an expensive contract for naming rights to a local stadium. The small firm with access to sensitive data poses far more risk than the stadium deal and deserves far more scrutiny, regardless of what either one costs.
There are times when a vendor visit is worthwhile, but they are the exception. Don’t waste time and money visiting every vendor when a deep dive into due diligence documentation will do the job just as well (and is necessary anyway). Save on-site vendor visits for when there is something important that can’t be uncovered with research from a desk, such as a critical vendor whose controls you cannot verify any other way or a provider whose performance has triggered escalated monitoring. I can’t find anything in the guidance that justifies the effort or expense of routine visits beyond that.