Book traversal links for 4.2. Use of Vendors and Other Third Parties
4.2. Use of Vendors and Other Third Parties
Effective from 8/9/2021LFIs may use externally provided TM or sanctions screening services and other third-party providers to fulfil their legal and regulatory obligations to monitor and screen their customers and transactions. However, LFIs are ultimately responsible for complying with AML/CFT and sanctions requirements, even if they choose to use third-party models to assist with their compliance obligations.
The selection of third-party system or service should be guided by the LFI’s size, geographic footprint, business and technology environments, and financial crimes risks, as well as functional requirements, such as the volume of data to be screened, the degree to which TM and sanctions screening processes will be centralized across business lines within the LFI, the nature of existing data integrity processes, and the ability of the application to integrate effectively within an LFI’s technological infrastructure. When selecting a vendor, LFIs should require the vendor to provide developmental evidence explaining the product components, design, and intended use, so as to determine whether the model is appropriate for the LFI’s products, exposures, and risks. Vendors should provide appropriate testing results that show their product works as expected. They should also clearly indicate the model’s limitations and assumptions and where the product’s use may be problematic. LFIs should expect vendors to conduct ongoing performance monitoring and outcomes analysis, with disclosure to their clients, and to make appropriate modifications and updates over time.
LFIs are expected to validate their own use of vendor products. External models may not allow full access to computer coding and implementation details, so the LFI may have to rely more on sensitivity analysis and benchmarking. Vendor models are often designed to provide a range of capabilities and so may need to be customized by an LFI for its particular circumstances. An LFI’s customization choices should be documented and justified as part of validation. If vendors provide input data or assumptions, or use them to build models, their relevance for the LFI’s situation should be assessed. LFIs should obtain information regarding the data used to develop the model and assess the extent to which that data is representative of the LFI’s situation. The LFI also should conduct ongoing monitoring and outcomes analysis of vendor model performance using the LFI’s own outcomes. Systematic procedures for validation help the LFI to understand the vendor product and its capabilities, applicability, and limitations. Such detailed knowledge is necessary for basic controls of an LFI’s operations. It is also very important for the LFI to have as much knowledge in-house as possible, in case the vendor or the LFI terminates the contract for any reason, or if the vendor is no longer in business. LFIs should have contingency plans for instances when the vendor model is no longer available or cannot be supported by the vendor.