Management of third-party service provider relationships has been a regulatory issue as far back as the FDIC's Bank Service Company Act. But recent, well-publicized security breaches at Heartland Payment Systems, TJX Companies and Hannaford Brothers have brought vendor management to the fore, and banking regulators continue to issue bulletins re-emphasizing best practices.
Register for this webinar to:
Hear directly from Donald Saxinger of the FDIC, who will clarify Vendor Management guidance, including the four main elements of an effective third-party risk management process;
Receive from James Christiansen, a noted banking and security professional, a step-by-step guide on how to create an effective vendor management program.
A financial institution can outsource a service, but it cannot cede responsibility for the potential risks to itself and its customers.
This is the clear message from banking regulatory agencies to the institutions they supervise, hammered home by recent bulletins from the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), which combined oversee roughly three-quarters of U.S. banks. Their guidance comes on the heels of the National Credit Union Administration's earlier announcement that vendor management is now a top examination topic for U.S. credit unions.
Selection, contract structuring and ongoing management of third-party service providers are the consistent themes from the agencies. The most frequently used term: "due diligence."
While management of third-party service provider relationships has been a regulatory issue as far back as the FDIC's Bank Service Company Act, outsourcing has been a major examination focus since 2001, with the establishment of interagency guidelines in support of Section 501(b) of the Gramm-Leach-Bliley Act (GLBA), which calls for banking institutions to:
Exercise appropriate due diligence in selecting service providers;
Require service providers to implement appropriate security measures;
Monitor service providers, via audits, test results and similar evidence, to confirm that they have satisfied their security obligations.
Recent, well-publicized security breaches at TJX Companies and Hannaford Brothers, as well as new guidance such as the Identity Theft Red Flags Rule, have brought vendor management to the fore, and in 2008 banking regulators issued bulletins re-emphasizing best practices.
In this webinar, hear directly from Donald Saxinger of the FDIC, who will clarify vendor management guidance, including the four main elements of an effective third-party risk management process:
Due diligence in selecting a third party;
Contract structuring and review;
Beyond the guidance, hear too from David Schneier, a noted banking/security consultant, who will draw on his field experience to share insights on how to:
Establish the right "tone at the top" for vendor management;
Create a vendor management program appropriate for the size of your institution;
Put the plan into action;
Avoid common pitfalls that can derail vendor management initiatives.
Christiansen is a global leader with more than 30 years' experience in information security and risk management, and has held senior positions at some of the world's largest companies. As the first information security officer (ISO) at Visa, he created and implemented Visa's worldwide information security program. As the first CISO for General Motors, he was responsible for the worldwide operations of information security for all business units. Prior to joining Sands Corp., Christiansen was chief information risk officer at Evantix, where he was responsible for all aspects of operational risk.
Donald Saxinger, Team Lead - IT & Operations Risk, Federal Deposit Insurance Corporation (FDIC)
Saxinger serves as the lead developer of the FDIC's IT examination standards and procedures, IT examiner education, and IT examination oversight. He is also a member of the FFIEC IT Examination Handbook working group, which publishes the interagency guidance and examination procedures for various IT, payment and operational risk areas.
Saxinger has authored or contributed to various regulatory policies, including recent policies on business continuity and pandemic planning, authentication, identity theft, spyware, outsourcing and other emerging technologies.