Yes, we believe that this CPA firm should be treated as a bank vendor for purposes of your third party vendor management program.
Your bank’s primary federal regulator, the FDIC, has provided guidance on third party risk management that we think encompasses this scenario. The guidance defines a “third party” broadly to include “all entities that have entered into a business relationship” with the bank. It requires “significant” third party relationships to be accorded “appropriate oversight and risk management.” A third party relationship is significant if the third party “stores, accesses, transmits, or performs transactions on sensitive customer information,” among other factors.
Here, albeit at your customer’s request, the bank has entered into a business relationship with the CPA firm, as evidenced by the fact that the bank directly compensates it. The firm also has unfettered access to your customer’s financial information in the performance of its tax preparation services, and it also necessarily stores and transmits this information. Consequently, we recommend treating the CPA firm as a significant third party vendor that should be included in your bank’s vendor risk management program.
For resources related to our guidance, please see:
- FDIC Financial Institution Letter, FIL-44-2008 — Guidance for Managing Third-Party Risk (June 6, 2008) (“For purposes of this guidance, the term ‘third party’ is broadly defined to include all entities that have entered into a business relationship with the financial institution, whether the third party is a bank or a nonbank, affiliated or not affiliated, regulated or nonregulated, or domestic or foreign.”)
- FDIC Financial Institution Letter, FIL-44-2008 — Guidance for Managing Third-Party Risk (June 6, 2008) (“This guidance provides a general framework that boards of directors and senior management may use to provide appropriate oversight and risk management of significant third-party relationships. A third-party relationship should be considered significant if . . . the third party stores, accesses, transmits, or performs transactions on sensitive customer information; . . .”)
- Supervisory Insights — Third-Party Arrangements: Elevating Risk Awareness (Summer 2007) (“For purposes of this article, ‘third party’ is broadly defined to include any entity that has entered into a business relationship with an insured depository institution. Often, these third parties are deeply involved in the delivery of financial services to the consumer. The third party may be positioned, directly or indirectly, between the financial institution and its customers or otherwise have unfettered access to the institution’s customers. Consequently, the quality of that third party’s performance is critically important to the financial institution’s long term success. A third party can be a bank or a nonbank, affiliated or not affiliated, regulated or nonregulated, domestic or foreign. The scope of the definition of third party is expansive by necessity.”)