Regulatory Compliance
Helping to keep your regulatory examiners satisfied.

Industry regulations are becoming increasingly stringent, and in this economic environment, an effective vendor management program is a crucial regulatory demand. Management may need to ensure that service provider contracts include specific language regarding regulatory guidance and requirements or other industry-specific language. Management may also need to provide appropriate documentation for due diligence efforts regarding vendor selection and vendor monitoring, including periodic review of vendor initiatives and external opinions.

Regulatory Due Diligence Requirements May Include:

  • Corporate history and financial status, including reviews of audited financial statements and systems control documents.
  • Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate.
  • Other companies using similar services from the provider that may be contacted for reference
  • Strategy and business model review
  • Service delivery capability, status, and effectiveness
  • Technology and systems architecture to ensure compliance with regulatory requirements for data security
  • Internal controls environment, past security breach history, and audit coverage
  • Legal and regulatory compliance, including any complaints, litigation, or regulatory actions
  • Reliance on and success in dealing with other third-party service providers
  • Insurance coverage
  • Ability to meet the bank's disaster recovery and business continuity requirements
The tools used within the VendorINSIGHT™ program assist your due diligence efforts.
VendorINSIGHT™ archives records of your due diligence within your vendor records.
© 2009-2010. Cost Management Performance Group. All rights reserved.