Due diligence in third party risk management

March 29, 2014

An effective risk management process includes a continuous lifecycle for all third-party relationships and covers planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.

An in-depth assessment of a third party’s ability to perform critical activities while complying with regulatory guidelines should be performed before entering into a contract or relationship. Banks should not rely on experience with or prior knowledge of the third party, and the level of due diligence should be equal to the risk and complexity of the relationship.

In practical terms, this means a core system that houses the entire bank’s loan and customer data might require more attention than a relationship contracted to print deposit slips.

Due diligence recommendations from the OCC include a whole host of criteria for assessing a third party. Here is an example of some of the recommendations:

Corporate strategies: do they conflict with the bank’s strategy, or will business arrangements planned by the organization affect the bank?

Legality: does the third party have all necessary licenses and audits according to the service agreement?

Financial condition: upon reviewing audited financial statements, does it appear the third party is in good financial health (e.g. growth levels, profitability, debt) to offer uninterrupted service?

Experience: does the third party have a history of satisfactorily providing the service and with the level of expertise required?

Fees: does the license fee or cost structure create financial difficulties for the bank?

Principals of the company: does the third party periodically check the background of senior management and personnel that will participate in the relationship?

Risk management: does the organization have proper internal controls and audit functions in place? A third party’s SOC 1 report is an excellent starting point. A SAS 70 is no longer the relevant audit report. In 2011, the AICPA replaced the SAS 70 with the more comprehensive SSAE 16, also known as SOC 1.

Information security: do the controls at the third party adequately keep data safe and quickly address new threats or vulnerabilities once identified?

Resilience: has the third party made disaster recovery plans for continued service in light of natural disasters, cyber or physical attacks, or human error? Have these plans been effective in the past?

This list is meant to start the due diligence thought process but is not exhaustive; it is recommended to read the guidance in its entirety to gauge how the identified risks could apply to a bank’s specific relationship.

A chief financial officer of a privately held bank in the Northeast commented, “The new OCC guidance forces banks to be more cognizant of the relationships they undertake and assess the risk involved with third parties. As banks recover from the financial crisis in 2008, it’s clear the OCC is promoting a more structured approach to mitigate risk.”


While this list may be onerous to administer, it does help bank management and board members understand and execute a thorough vendor due diligence program.

It is management’s responsibility to review and determine whether or not the third party meets expectations. If critical activities are part of the contract, senior management must present the due diligence results to the board for approval when making recommendations on third-party relationships.

For more information on the risk management process and best practices for evaluating third-party relationships, download the whitepaper: Risk Management Guidance on Third Party Relationships.

About the Author


Raleigh, N.C.-based Sageworks, a leading provider of lending, credit risk, and portfolio risk software that enables banks and credit unions to efficiently grow and improve the borrower experience, was founded in 1998. Using its platform, Sageworks analyzed over 11.5 million loans, aggregated the corresponding loan data, and created the largest
