
Third Party Vendor Risk Assessments

  • #13888
    Trish Bowman
    Member

    How long are banks required to retain the Third Party Risk Assessments for each vendor? We prepare a new Risk Assessment and a review yearly on our third-party vendors. We are an FDIC bank. FDIC FIL 44-2008 states on page 6 “Therefore, institutions should maintain documents and records on all aspects of the third-party relationship, including valid contracts, business plans, risk analyses, due diligence and oversight activities etc.” Some vendors go back several years (10 or more years). Any advice would be appreciated.

    Trish Bowman

    #13897
    rcooper
    Member

    I’m not aware of a particular period of time – I’ll have to look into it and get back to you. I do know we’ve seen enforcement actions with vendors whose issues stretch back more than a decade so it may be prudent to retain records of risk management for the period of the relationship and beyond.

    I’ll see what I can find.
    Thanks!

    #13903
    rcooper
    Member

    From Matt Stone:
    Record retention issues can be tricky, because unless there are prescribed retention periods (such as under BSA/AML rules or Reg DD, for example), record retention is largely discretionary, and there can be lots of variables, and both pros and cons, involved with retaining certain records for longer or shorter periods of time.

    With respect to risk assessments for third-party relationships, at a minimum, other than the most current risk assessment of course, it would be advisable to also retain at least those from the prior two years (or such longer period) that will ensure that the FDIC and your state regulator can be provided with a full picture of your bank’s vendor risk assessment activities from one examination to the next.
    You may also want to confirm your risk assessment retention approach with your examiners. Additional considerations for longer retention could include whether your bank has been subject to any kind of adverse examination finding (e.g., an MRA) relating to risk assessments and/or your vendor management program generally, or whether your risk assessment process, format, cycle, results, etc. have been subject to material changes. In each case, it may be helpful to be able to demonstrate the corrective actions and/or the evolution of other changes over a more extended period of time.

    You’ll also want to adhere to your bank’s record retention policy, and, with advice from internal or external legal counsel as necessary, also consider your state’s various statutes of limitations, as well as the vendor’s performance and the results of the risk assessments for that vendor. For example, if your vendor has, at any point during the relationship, exhibited substandard or otherwise questionable performance, it may be helpful to retain all evidence of such performance (including annual risk assessments) for the term of the agreement and beyond – although this may also depend on the extent of performance reports and other related documentation.

    -This response does not constitute legal advice.-
