The public assumes that you have vetted a vendor or service provider when you choose to enter a business relationship with them. They become an extension of your company or image, and you become associated with their conduct, whether positive or negative, even if you were not even aware of it before the event occurred.
Recently a group of banks sued a third-party payment company after customers' personal data was breached. Unfortunately, this has happened quite often over the last few years and has damaged companies' brands, because customers lose faith that their information will be protected and may then choose not to continue the business relationship.
In addition to reputational damage, there can be significant financial costs associated with this sort of incident, including litigation costs and reimbursement costs to customers. Currently, the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) are looking into concerns that JP Morgan has misled customers with identity theft protection through a third-party vendor.
A company should thoroughly evaluate a third-party service provider prior to entering into a business relationship, and should continue to regularly monitor control and compliance measures throughout the relationship to ensure that the third party shares the same goals and adheres to the same policies.
Due diligence on the third party should include researching its reputation, checking references, and using all available sources of information, such as the state attorney general or the Better Business Bureau.
If a third party is new, a company should exercise additional caution. The evaluation should be just as thorough as if the company were to enter a financial transaction with the third party, as the risk can be equally significant.
Most organizations do have good oversight of their tier one suppliers, but the challenge very often is to achieve a line of sight into tiers two and beyond. This is where many of the problems arise. We see two distinctly different types of approach to the problem: a strictly legal approach with clear penalties, and a more partnership style of approach, which often encourages more openness between the parties. Circumstances will dictate the best option in any given case, but the second option should always be considered; this is not always the case at present.