Assess the third parties' reputation during due diligence.
CONTROL ID
12068
CONTROL TYPE
Business Processes
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Conduct all parts of the supply chain due diligence process., CC ID: 08854

This Control has the following implementation support Control(s):
  • Assess any litigation case files against third parties during due diligence., CC ID: 12071
  • Assess complaints against third parties during due diligence., CC ID: 12069
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Before selecting a service provider AIs should perform appropriate due diligence. In assessing a provider, apart from the cost factor and quality of services AIs should take into account the provider's financial soundness, reputation, managerial skills, technical capabilities, operational capability… (2.3.1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • When outsourcing the storage of backup copies, it is necessary to consider the reliability, security, and utilization system (whether stored programs are available whenever necessary, etc.) of the company entrusted with operations. (P41.3. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When outsourcing the storage of backup copies, it is necessary to consider the reliability, security, and availability (whether stored data are available whenever necessary, etc.) of the company entrusted with operations. (P39.3. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In the case of outsourcing the storage of backup copies, it is necessary to consider the reliability, security, and utilization system (whether stored documents are available whenever necessary, etc.) of the company entrusted with operations. (P45.2. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • corporate governance, business reputation and culture, compliance, and pending or potential litigation; (5.4.3 (c), Guidelines on Outsourcing)
  • An institution should assess all relevant aspects of the service provider, including its capability to employ a high standard of care in the performance of the outsourcing arrangement as if the service is performed by the institution to meet its obligations as a regulated entity. The due diligence s… (5.4.2, Guidelines on Outsourcing)
  • the long-term relationships with service providers that have already been assessed and perform services for the institution or payment institution; (4.12.3 71(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, … (4.12.3 70, Final Report on EBA Guidelines on outsourcing arrangements)
  • reputational risks; (4.4 31(b)(iv), Final Report on EBA Guidelines on outsourcing arrangements)
  • capability, expertise, and reputation; (§ 5.19 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • reputational risk. (Table 5 Column 2 Row 3 Bullet 1 Sub-Bullet 4, SS2/21 Outsourcing and third party risk management, March 2021)
  • conduct risk; (Table 5 Column 2 Row 3 Bullet 1 Sub-Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Quality control policies and procedures to comply with the quality control requirements often include consideration of the integrity and reputation of service organization management and significant shareholders or principal owners to determine whether the firm's reputation is likely to suffer by as… (¶ 2.33, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • According to paragraph .A12 of QM section 10A, matters to consider when evaluating the integrity of a client include the identity and business reputation of the principal owners of the service organization, key service organization management, and those charged with governance. (¶ 2.39, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. (Domain 4: Assessment Factor: Relationship Management, DUE DILIGENCE Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • When reviewing information provided by the institution's third-party providers, determine the adequacy of third-party provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues. Work with the examiner reviewing the third-party mana… (App A Objective 12:17, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Whether vendors are considered to be industry-recognized leaders. (App A Tier 1 Objectives and Procedures Objective 1:5 Bullet 7, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • References from current users or user groups about a particular technology service provider's reputation and performance; (App A Tier 2 Objectives and Procedures O.3 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)