
For more information, contact: Constandinos Vinall

What are the key lessons delegates will take away from your session on developing enhanced due diligence assessments?

Delegates will learn there is a lot of pre-planning necessary. A good portion of your due diligence exercise is understanding what questions need to be asked, but also, who should answer your questions. You need to establish a recurrence for due diligence; or rather your Subject Matter Expert (SME) needs to set the recurrence.

Due Diligence is a process which requires understanding how to take the qualitative and quantify it. This, of course, is where we say, “Risk Management is more art than science.” To ensure we meet the regulatory requirements, we need to document, document, and document. Our examiners will be looking for artifacts. When you establish your due diligence program, are you measuring the Vendor, the engagement or both? We will discuss those elements and what will be important to document.

There are processes that already exist at your firm/bank. Your BSA/AML program conducts enhanced due diligence (EDD) of your high-risk commercial clients. Take note of your BSA team's EDD process. A similar level of review can be modified to fit your Vendor / Third Party Risk Program. For instance, include in your enhanced due diligence a review of the vendors' management team. Are they seasoned professionals with strong backgrounds in the core competencies of their business? Have they been recession tested? Monitor for any changes in the vendors' management team. Your vendor EDD process can likely use existing tools and systems. In the end, Due Diligence should be a Lifecycle process supported with on-going monitoring of your significant vendors.

What are the main challenges third party risk managers are encountering in their current due diligence processes?

Both the Vendor and the Business Unit are impatient. You, as the Risk Professional, are in the way of the “deal,” from their perspective. So the biggest challenge most Vendor / Third Party Risk programs face is internal. Vendor / Third Party Risk Management is more about creating partnerships internally than externally; albeit you need to do both. If you have strong internal partners, they will lean on you to help them create the “deal” instead of bringing the hindrance to the deal. 

You can have training programs, use LMS platforms to force business units to read and agree to your policy. You can even become the gatekeeper in the procurement process to enforce compliance. However, your main objective with the business unit leaders is to be a facilitator of “deal making.” You need to strive to rid all notion and belief Vendor / Third Party Risk Management is a roadblock. Again, this is more art than science. Yet, a well-structured Vendor / Third Party Risk program will focus on the value-add to the business unit. That is enhancing profitability and strategic decision making, while ensuring regulatory compliance.

How are financial institutions innovating their due diligence processes?

The innovations I’ve seen are the new platforms appearing in our industry specifically designed to support Vendor / Third Party Risk programs and not just a re-tooling of a GRC application or a bolted-on application in the middle of an ERP process. For years, Vendor / Third Party Risk managers, if they wanted to get away from spreadsheets and prosumer-grade databases, were forced to utilize afterthought middleware applications inserted into existing ERP or GRC applications. Now we are seeing purpose-built applications that attempt to support a holistic workflow for Vendor / Third Party Risk. There remain a number of challenges with these applications. Of course, the biggest challenge is getting the funding.

Additional innovations are more process related. Vendor / Third Party Risk programs are being re-aligned and placed within the Risk Management structure. I’ve watched a number of firms have Vendor / Third Party Risk start out in IT or Finance/Procurement groups and they are now being moved under the CRO (Chief Risk Officer). In my opinion, Vendor / Third Party Risk belongs under the CRO for a number of reasons, chiefly, the CRO understands the language of Risk. That is a game-changer for a lot of Vendor / Third Party Risk Managers. However, the new problem is that budget now competes with BSA/AML.

What trends in due diligence assessments do you feel the third party risk managers should be looking out for in the near future?

We have experienced a strong focus over the last few years on fourth party risk. The newly developed SSAE18 (Standards for Attestations Engagements No. 18) effective May 1, included a significant change in the monitoring of subservice organizations. Given the security breach events over the last few years where the vector to the breach was the subcontractor, pressure will still be focused on fourth party risk. So while it may not seem a new trend, what will be new is how we manage the assessment process. A number of firms have attempted, to various levels of success, requiring the vendor to perform a specific due diligence task with the fourth party, or perform that due diligence task with the fourth party directly. Of course, there are a number of roadblocks teams face when attempting to manage the fourth party risk in this fashion; some of which are contractual challenges and others which are relationship challenges. Contractually, you and the fourth party do not have an agreement, so the fourth party does not have an obligation to facilitate your requests. On the relationship side, your vendor may not be willing to connect you directly to the fourth party for fear they will be cut out of the relationship or you learn their markup or other various concerns.

The trend I expect to see across our vendor base is the development of Vendor / Third Party Risk programs within our vendor’s organization. We have already seen a big push by regulators on our FinTech suppliers to have Vendor / Third Party Risk programs. We have even seen a few Consent Orders which cite the lack of a Vendor / Third Party Risk program as one of many issues to be resolved.

The near future will, therefore, be the development of assessments and examinations of the vendor’s Vendor Management Program. That is, Vendor / Third Party Risk managers will need to develop risk assessments to determine if the vendor is effectively managing their vendors. The theme of that assessment will be “Does my vendor have a Vendor / Third Party Risk program equivalent to or better than my program?” 

What would you like to achieve by attending the 8th Edition Third Party Vendor Risk Management for Financial Institutions conference?

At every conference, I learn something new. There are always little gems I get to take back to the office and share with my colleagues. What I find a great benefit is the diversity of individuals and experiences now looking at Vendor / Third Party Risk. Having spent so much time working in the role as Vendor / Third Party Risk Manager, it is easy to get stuck with blinders on. At the GFMI conference, I get to see how others are tackling old and new problems. That diversity of perspective is vastly beneficial. I will ask questions of what my colleagues are seeing from their respective regulatory field examiners. To that end, I’m very excited to see we have a panel that will include an S&R SME from FRB. With GDPR taking effect, I am curious to understand what other firms are doing to ensure compliance. Overall, there are a number of new topics and hot topics I’m very excited to see as part of the program. I only hope we have enough time! Feels like we have a week’s worth of topics to cover in just 2 days. 

Ahead of the 8th Edition Third Party Vendor Risk Management for Financial Institutions conference, we spoke with Bradley Martin, SVP, Vendor Risk Management at Bank of Hope about the key lessons delegates will take away from his session on developing enhanced due diligence assessments. He will shed light on the main challenges third party risk managers are encountering with their current due diligence processes and explore the latest innovations in these assessments. Furthermore, Bradley will point out the due diligence assessment trends he is expecting in the near future so firms are able to develop their strategy to ensure they optimize their due diligence processes. 

Practical Case Studies From:
  • RBC
  • Federal Reserve Bank of Atlanta
  • Bank of the West
  • Bank of Hope
  • Charles Schwab
  • First Republic Bank
  • Union Bank

About the Conference:

This GFMI conference will give you the critical insight to combat the prominent issues surrounding third party risk management in your firm. During this conference, we will address the latest regulatory requirements and priorities, so financial institutions can streamline their TPRM strategies to ensure compliance. Additionally, delegates will augment their approach for 4th party risk management by developing a comprehensive risk rating system and calculating their concentration risk tolerance in order to enhance control of their supply chains. Furthermore, we will address best practices for improving cyber and information security by optimizing vendor oversight programs to ensure effective controls are in place to mitigate data security risks. Attendees will also advance their disaster recovery strategies by developing their incident scenarios and improving their disaster response times to ensure business continuity. Moreover, industry experts will share their practical knowledge of shared assessments in order to allow delegates to develop comprehensive frameworks to improve time and cost efficiency in their firms.

The 8th Edition Third Party Vendor Risk Management for Financial Institutions will take place from the 26th to 28th of September 2018 in San Francisco, CA, USA.  

Delegate Discounts available for registering online HERE. Discount Code: CMU236_IV_200

Copyright © 2018 GFMI. All rights reserved.

About the speaker:

Bradley Martin has over 20 years' experience enriching and developing Vendor Management programs across multiple industries. His programs support enhancing organizational profitability and improving strategic decisioning, while concurrently ensuring regulatory compliance. He worked with and developed programs for leading firms such as EarthLink, Medical Technology Management, Union Bank, East West Bank and Bank of Hope. Over the last ten years, Mr. Martin defined himself as the leading expert in Third Party Risk Management for Financial Institutions. For five years he served on the Financial Services Roundtable TPRM Advisory committee. His approach includes a framework of Sourcing and Due Diligence; Risk Identification and Administration; Contract Development and Administration with a strong focus on Vendor Performance Management. Mr. Martin currently leads Bank of Hope’s newly created Vendor Risk Management program. With a strong background in technology and finance, he often bridges the gap between IT Professionals and Business Professionals.

Developing Enhanced Due Diligence Assessments 

An interview with Bradley Martin, SVP, Vendor Risk Management at Bank of Hope


Speakers Include: 
  • Head of Third Party Management, Charles Schwab Banking and Trust Services
  • Senior Vice President, Head of Technology Vendor Management, Bank of the West
  • Global Security Engineering, Head of Reengineering, RBC 
  • Senior Vice President and Chief Information Security Officer, Lending Club
  • Chief Risk Officer, Montecito Bank and Trust
  • Executive Vice President, Head of Risk Management, CTBC Bank
  • Senior Vice President and Manager, International Banking Department, Bridge Bank
  • Head of Strategic Vendor Management and Contracts, University Federal Credit Union
  • Director, Global Provider Strategy, Global Head of Governance and Infrastructure, Blackrock
  • Vice President, Shared Services, First Republic Bank
  • Director, Third Party Risk Management, Union Bank
  • Director, Third Party Oversight, Prosper Marketplace

Previous Attendees Include:

• American Bankers Association
• American Express
• Bank of America
• BlackRock Group
• BMO Financial Group
• BNP Paribas
• Deloitte
• GE Capital
• Goldman Sachs
• HomeStreet Bank
• John Deere Financial
• JP Morgan Chase
• Lexis Nexis
• Mastercard Worldwide
• Morgan Stanley & Company
• National Bank of Canada
• Prudential
• State Farm Insurance
• State Street Corporation
• TD Bank
• UBS Financial Services Inc
• USAA Federal Savings Bank
• Vanguard
• Visa Inc
• Wellington
• Wells Fargo Bank
