LO 57.2: Explain how financial institutions should perform due diligence on third-party service providers.
In performing due diligence on a third-party service provider, a financial institution should involve any relevant technical specialists and/or important stakeholders. The three key areas of review include (1) business background, reputation, and strategy; (2) financial performance and condition; and (3) operations and internal controls. Ultimately, the financial institution must ensure that the service provider follows all relevant laws and regulations in performing services on the institution's behalf.
Business Background, Reputation, and Strategy
There should be a review of the potential service provider's past business history and of its key management personnel. The service provider should provide evidence of an adequate background check system for its new employees.
A review of the service provider's experience, strategy and mission statement, service philosophy, methods of maintaining and improving quality, and company policies is needed. The flexibility and feasibility of the service provider's business model should be evaluated to determine the likelihood of providing services to the financial institution for the long term.
References should be contacted and confirmed, and any licenses and certifications necessary to perform the services should be confirmed. A search for any past or present legal and compliance problems should also be undertaken.
Financial Performance and Condition
The service provider's most recent financial statements (and annual report, if applicable) should be obtained to analyze its assets, liabilities, liquidity, and operating performance for sufficiency. Financial information of any subcontractors should be obtained and analyzed for the same reason. The expected financial impact of the potential contract on the service provider should be determined.
2018 Kaplan, Inc.
Topic 57 Cross Reference to GARP Assigned Reading – Board of Governors of the Federal Reserve System
The service provider's long-term survival prospects should be analyzed by considering how long it has been operating as well as its market share growth. Furthermore, its ability to provide the service for the length of the contract in terms of capital and personnel needs to be ascertained. Finally, the amount of insurance coverage and any other issues that may impact the service provider's finances should be considered.
Operations and Internal Controls
The service provider's internal controls, IT systems development and support, IT security systems, and methods of securing confidential information should be evaluated. Additionally, there should be a review of the service provider's staff training, analysis of the service support provided, and confirmation that employee background checks are being performed. Finally, queries should be made about the process involved in maintaining records and any disaster recovery processes in place.
Contract Provisions