In conducting due diligence on a supplier/vendor, at what point is the line drawn between accepting the way the supplier/vendor conducts themselves and prescribing how they should do it? By prescribing, are you accepting risk and liability unnecessarily?

As far as the regulator is concerned, the supervised entity has the liability and responsibility. Indemnification provisions within a contract – if you specifically direct your vendor to do something a certain way because you believe that is in compliance with an applicable law and it just turns out the regulator has a different view – at some point down the line it may be more difficult to invoke that indemnification provision if you’re the source of the [legal] interpretation. That’s certainly a risk and something you should take into account. But of all the risks at play here, I think that, if you see something in the way your vendor is handling whatever the task might be that you’re concerned creates a compliance issue, the obligation on you is to make sure it’s being done correctly. If that means you’re directing your vendor and taking on yourself the risk that you’re wrong, I think that’s what’s expected of you under all the guidance.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson