Third-Party Risk Assessment
Purpose
This document establishes the Bank's framework for assessing and managing risks associated with third-party vendors, service providers, and outsourced arrangements. Effective third-party risk management is essential to protecting the Bank's operations, data, reputation, and regulatory standing from risks introduced through external relationships.
Scope
This framework applies to all third-party relationships where the Bank relies on an external entity to provide goods, services, or technology that support or are integral to the Bank's operations. This includes, but is not limited to: technology service providers (cloud, infrastructure, software), payment processing partners, data service providers, consultancy and professional services, facilities management, and outsourced business functions.
Risk Classification
All third-party relationships are classified based on the criticality of the service provided and the level of risk exposure:
| Risk Tier | Criteria | Examples |
|---|---|---|
| Tier 1 — Critical | Third party provides services that are essential to the Bank's critical business functions; loss of service would have immediate and significant impact on operations, clients, or regulatory compliance | Core banking system vendor, SWIFT service bureau, cloud infrastructure provider, primary payment processor |
| Tier 2 — Significant | Third party provides services that support important but non-critical functions; loss of service would cause material disruption but can be mitigated in the short term | Secondary technology vendors, specialist consultants, market data providers, client communication platform |
| Tier 3 — Standard | Third party provides non-critical goods or services; loss of service would cause minimal disruption and can be readily substituted | Office supplies, facilities maintenance, non-critical software licences |
Due Diligence Requirements
Tier 1 — Critical Vendors
- Comprehensive financial assessment, including review of audited financial statements for the past three (3) years.
- Operational due diligence, including site visits (physical or virtual), review of business continuity and disaster recovery plans, and assessment of information security controls (SOC 2 Type II report or equivalent).
- Regulatory and legal review, including verification of licences, certifications, and compliance with applicable regulations (e.g., data protection, financial services regulations).
- Cybersecurity assessment, including penetration testing results, vulnerability management practices, and incident response capabilities.
- Review of the vendor's sub-contracting arrangements (fourth-party risk).
- Reputational screening, including sanctions checks, adverse media screening, and litigation history.
Tier 2 — Significant Vendors
- Financial assessment based on available financial data and credit ratings.
- Review of information security policies and certifications (ISO 27001, SOC 2).
- Verification of regulatory compliance and applicable licences.
- Reputational screening (sanctions, adverse media).
Tier 3 — Standard Vendors
- Basic financial and reputational screening.
- Verification of business registration and insurance coverage.
- Standard terms and conditions review.
Assessment Procedure
Step 1: Initiation
- The business line requesting the third-party engagement submits a Third-Party Risk Assessment Request via the Vendor Management System (VMS).
- The request includes a description of the services, the proposed contract value, data access requirements, and the business line's preliminary risk classification.
Step 2: Risk Assessment
- The Third-Party Risk Management (TPRM) team reviews the request and confirms or adjusts the risk classification.
- The TPRM team conducts the applicable due diligence based on the risk tier.
- Assessment timelines are as follows:
| Risk Tier | Assessment Timeline |
|---|---|
| Tier 1 | 20 business days |
| Tier 2 | 10 business days |
| Tier 3 | 5 business days |
Step 3: Approval
| Risk Tier | Approval Authority |
|---|---|
| Tier 1 | Chief Risk Officer + Chief Operating Officer |
| Tier 2 | Head of Operational Risk |
| Tier 3 | TPRM Team Lead |
Step 4: Contract Execution
- Upon approval, the contract is finalised with mandatory clauses covering: data protection and confidentiality, business continuity and disaster recovery, right to audit, regulatory access, termination and exit provisions, sub-contracting restrictions, and service level agreements.
- All contracts involving access to client data must include data processing agreements compliant with applicable data protection regulations.
Ongoing Monitoring
| Risk Tier | Review Frequency | Monitoring Activities |
|---|---|---|
| Tier 1 | Annually (minimum); quarterly performance reviews | Financial health monitoring, SLA performance review, security assessment refresh, BCP/DR test participation, on-site review |
| Tier 2 | Every 2 years; semi-annual performance reviews | Financial monitoring, SLA performance review, security certification renewal verification |
| Tier 3 | Every 3 years | Basic financial and reputational re-screening |
Concentration Risk
The TPRM team monitors concentration risk, ensuring that the Bank does not become overly dependent on a single vendor or a small number of vendors for critical services. Concentration risk assessments are reported quarterly to the Operational Risk Committee.
Exit Strategy
For all Tier 1 and Tier 2 vendors, the Bank must maintain a documented exit strategy that outlines the steps required to transition services to an alternative provider or bring them in-house within a defined timeframe. Exit strategies are reviewed annually and tested where feasible.
Related Documents
- Operational Risk Reporting
- Business Continuity Plan Overview
- Information Security Policy
- Data Protection Policy
- Procurement Policy