Tag: Vendor Management

  • FFIEC Cancels E-Banking Handbook

    On May 13, 2022, the FFIEC very quietly rescinded the FFIEC Information Technology Examination Handbook (IT Handbook) booklet entitled E-Banking.  The original booklet was released in 2003 and was accompanied by a flurry of activity by financial institutions to come up with a separate E-banking policy and risk assessment.  In effect, the FFIEC is now…

  • Vlog: Are Bank Regulators Considered Vendors?

    In this special vlog installment of Ask the Guru, Tom Hinkel answers a question asked by an OCC bank examiner, “Are regulators considered vendors for banks?” Watch the video below to hear Tom’s thoughts on the matter.

  • FFIEC Issues Update to Business Continuity Guidance

    The FFIEC just issued new BCP Guidance in the form of a 16-page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, and across the entire business relationship…

  • Vendor Management in 3 Parts. Part 3 – Risk Management (or, “can we or can’t we?”)

    The last step in the vendor management process is to manage, or control, the risk that was identified in step 1, and assessed (as inherent risk) in step 2. Controlling risk is defined as applying risk mitigation techniques (or “controls”) to reduce risk to acceptable levels. It’s important to understand that risk can never be completely eliminated,…

  • Vendor Management in 3 Parts. Part 2 – Risk Assessment (or, “will they or won’t they?”)

    In Part 1 I said that vendor management, just as any other risk management endeavor, consists of 3 basic phases: identify the risk, assess the risk, and control the risk. I also discussed why risk identification was a more difficult task today because of the “access to data” question, and also because “data” includes not just NPI, but confidential…

  • Guru Briefs – OCC on Cybersecurity & MRA’s, FFIEC on Cybersecurity Assessments

    (NOTE: Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but are designed to draw attention to the Guru’s initial impressions.) In this edition: The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC…