Assess third parties' financial stability during due diligence.

CONTROL ID
12066
CONTROL TYPE
Business Processes
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Conduct all parts of the supply chain due diligence process., CC ID: 08854

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Before selecting a service provider AIs should perform appropriate due diligence. In assessing a provider, apart from the cost factor and quality of services AIs should take into account the provider's financial soundness, reputation, managerial skills, technical capabilities, operational capability… (2.3.1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • proper assessment of the suitability of partnering with the platforms/portals in the light of relevant factors including the financial conditions and the adequacy of risk management controls and track record of the platforms/portals in guarding against data leakages; (§ 7.2.2(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • A licensed corporation should only keep Regulatory Records with an EDSP which is suitable and reliable, having regard to the EDSP's operational capabilities, technical expertise and financial soundness. (7.(c), Circular to Licensed Corporations - Use of external electronic data storage)
  • financial strength and resources (the due diligence should be similar to a credit assessment of the viability of the service provider based on reviews of business strategy and goals, audited financial statements, the strength of commitment of major equity sponsors and ability to service commitments … (5.4.3 (b), Guidelines on Outsourcing)
  • An institution should assess all relevant aspects of the service provider, including its capability to employ a high standard of care in the performance of the outsourcing arrangement as if the service is performed by the institution to meet its obligations as a regulated entity. The due diligence s… (5.4.2, Guidelines on Outsourcing)
  • its business model, nature, scale, complexity, financial situation, ownership and group structure; (4.12.3 71(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • whether the service provider is a parent undertaking or subsidiary of the institution or payment institution, is part of the accounting scope of consolidation of the institution or is a member of or is owned by institutions that are members of the same institutional protection scheme to which the in… (4.12.3 71(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses; (4.4 31(b)(i), Final Report on EBA Guidelines on outsourcing arrangements)
  • financial stability of the UK; (§ 5.11 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • financial resilience, ie assets, capital, funding, and liquidity; or (§ 5.11 Bullet 2 Sub-Bullet 4 Sub-Sub-Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • business model, complexity, financial situation, nature, ownership structure, and scale; (§ 5.19 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • financial, human, and technology resources; (§ 5.19 Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. (Domain 4: Assessment Factor: Relationship Management, DUE DILIGENCE Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Oversees management processes for approving third-party providers that include an assessment of financial condition and IT security posture of the third party, including on cybersecurity. (App A Objective 2:2 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Verifies that the third-party providers can continue to support current contract requirements and future changes (e.g., that the third party has a satisfactory financial condition). (App A Objective 4:7 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • If the institution is an ODFI and permits third-party sender payments, determine whether it requires the third-party sender to establish the identity of each originator using commercially reasonable methods to warrant that the originators will assume their responsibilities under NACHA rules and to w… (App A Tier 1 Objectives and Procedures Objective 8:5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Whether management regularly reviews the financial status of the technology service provider. (App A Tier 1 Objectives and Procedures Objective 11:2 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • For retail EFT/POS and bankcard transaction processing activities contracted to third-party service providers, assess the adequacy of the review process performed by management regarding annual financial statements, audit reports, and Payment Card Industry (PCI) Data Security Standard assessment. (App A Tier 2 Objectives and Procedures A.3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the ODFI has established procedures to monitor the creditworthiness of its originator customers on an ongoing basis. Determine whether: (App A Tier 2 Objectives and Procedures H.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The ODFI assigns credit ratings to originators. (App A Tier 2 Objectives and Procedures H.2 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether management approves payments resulting in extensions of credit lines or drawings against uncollected funds and retains documentation to support the approvals. Determine whether the institution performs credit assessments of customers originating large dollar volumes of ACH credit t… (App A Tier 2 Objectives and Procedures J.5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Reviews the financial stability of the technology service provider; (App A Tier 2 Objectives and Procedures O.2 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assesses the impact of economic, political, or environmental risk on the service provider's financial stability. (App A Tier 2 Objectives and Procedures O.2 Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)