My older child often asks if he can play at his friend's Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of under whose supervision he falls, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.
As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. For financial institutions (FI), it is highly likely that they are intimately familiar with their core banking service providers. For merchants, the same can probably be said for their merchant acquiring relationship.
However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with the policies and procedures and due diligence processes of their direct vendors as it relates to their vendor management programs.
In today's ever-connected world, with literally thousands of third-party solution providers, it is necessary for FIs and merchants to be familiar with who all has access to their customers' data and with the different places this data resides. Knowing this information, it is then important to assess whether or not you are comfortable with the entity you are entrusting with your customers' data. Just as I am responsible for ensuring my children's safety no matter where or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the financial risks of fraud losses associated with stolen or lost data, businesses might also be subject to compliance-related fines. And you are highly likely to take a negative hit to your reputation. What are you doing to ensure various third-parties are protecting your sensitive data?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed