Third Party Risk Management Flashcards
What should the compliance function consider to be the PRIMARY factor when determining the scope and frequency of third-party relationship risk assessments?
A. The same for each third-party relationship
B. Commensurate with the financial institution’s residual compliance risk
C. Commensurate with the compliance risk that the third-party relationship presents
D. Based on the financial health of the third-party relationship at the time of contracting with the third party
C. Commensurate with the compliance risk that the third-party relationship presents
The compliance professional is conducting a review and discovers a high risk vendor. How should the compliance professional ensure the vendor is adequately reviewed in the future?
A. Implement a more frequent and stringent monitoring plan for all high risk vendors
B. Contact other customers of the vendor to determine if they are exercising proper due diligence
C. Notify management of the vendor’s scope of work and review alternative vendors
D. Determine if the work could be conducted by the business line to reduce the risk of third-party vendors
A. Implement a more frequent and stringent monitoring plan for all high risk vendors
Interagency guidance on third-party risk management requires that high-risk vendors be monitored on a regular basis, and more frequently than vendors that are not considered high risk. If a high-risk vendor is identified through a review, it shows a gap in the bank’s monitoring process to identify high-risk vendors. Therefore, a more frequent and stringent process is called for. None of the other choices would satisfy the requirement for the high-risk vendor to be reviewed in the future.
When evaluating a new relationship with a third-party vendor, what should the compliance professional be MOST concerned with?
A. Vendor providing indemnification from all regulatory violations that may occur
B. The bank achieving financial goals and return on investment with vendor contract
C. Internal testing and monitoring frequency of documents provided by third-party vendor
D. Retention and reporting frequency of complaints received by the third party from customers of the institution
D. Retention and reporting frequency of complaints received by the third party from customers of the institution
When implementing and reviewing vendor management programs, who has the overall responsibility for identifying and controlling risks with third-party relationships?
A. Line of business
B. Board of directors
C. Senior management
D. Compliance professional
B. Board of directors
What are the phases of an effective third-party risk management oversight program?
A. Issue resolutions, event management tracking, remediation planning, and termination
B. Security breach notification, response to service interruptions, and record retention scheduling
C. Planning, contract negotiation, termination, oversight and accountability, and independent review
D. Planning, reporting, continuous monitoring process, internal risk assessment, and record retention scheduling
C. Planning, contract negotiation, termination, oversight and accountability, and independent review
An effective third-party risk management process incorporates the following phases:
- Planning
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring
- Termination
- Oversight and accountability
- Documentation and reporting
- Independent reviews
The compliance professional has been asked by management to participate in due diligence efforts for the bank’s vendors. Which of the following would be considered a vendor relationship that would be subject to these reviews?
A. An off-site records storage firm that stores internal bank paper records
B. The bank’s relationships with its corporate customers
C. A real estate agency that shares space with one of the bank’s branches
D. The United States Internal Revenue Service
A. An off-site records storage firm that stores internal bank paper records
Off-site records storage vendors are the only ones listed here performing business incident to the business of banking. Customer relationships, third parties sharing real estate, and the IRS are not third parties involved in assisting banks in the business of banking.
The compliance professional has been asked to assist in developing the bank’s third-party risk compliance program. Which of the following is MOST important to include in the program?
A. Opinions of other banks that utilize the vendor’s services
B. Termination provisions if targets are not met
C. Cost estimates from potential vendors
D. How long each vendor has been in business
B. Termination provisions if targets are not met
Termination provisions are a core element of a bank’s vendor management program. All other aspects, while potentially useful, are not as critical as the termination provisions.
When evaluating risks that third-party relationships present to the bank, which of the following would be considered MOST concerning to the bank?
A. Lack of quarterly reviews of a vendor’s financial statements
B. Excessive complaints received from vendors’ other customers
C. A compensation review was not performed prior to entering into the contract with a vendor
D. Lack of backup procedures for the bank’s core system provider
D. Lack of backup procedures for the bank’s core system provider
For an essential service such as the bank’s core system, lack of a backup would present a serious concern and therefore a gap in the bank’s third-party management system. There is no need for as frequent a review of financial statements as quarterly – annually is acceptable. Excessive complaints from other customers of a vendor are concerning but not as much so as a lack of core system backup. There is no requirement to perform a compensation review of a vendor prior to contract execution.