Vendor Risk Management Policy

Organization: Fintable, Inc.
Owner: Board of Directors
Approved by: Rafael Jara
Approval Date: 2025 October 1
Review Cadence: Annual or upon material change

1) Purpose

The purpose of this Vendor Risk Management Policy ("Policy") is to establish a
standardized framework for identifying, assessing, managing, monitoring, and
mitigating risks associated with third-party relationships. As a banking data
services provider, Fintable, Inc. ("Fintable") is committed to maintaining the
confidentiality, integrity and availability of information assets throughout the
vendor lifecycle. This Policy supports compliance with applicable regulatory
requirements, including the Gramm-Leach-Bliley Act (GLBA), FFIEC guidance on
Outsourcing Technology Services, and applicable data protection laws.

2) Scope

This Policy applies to all third-party entities, service providers, contractors,
consultants, and technology vendors that provide products or services, access or
process data, or support operations within Fintable's ecosystem. It also applies
to all Fintable employees, contractors, and business units engaged in the
procurement, management, or oversight of vendors.

3) Vendor Risk Management Lifecycle

3.1) Vendor Identification and Classification

Before engagement, all third-party vendors must be registered with Fintable and
classified according to their access to confidential data and their regulatory
exposure.

3.2) Due Diligence and Risk Assessment

Before contracting with a vendor, Fintable requires a risk assessment that
includes review of: certifications such as SOC 2 Type II, ISO 27001, or
equivalents; information security and privacy policies; business continuity and
disaster recovery plans; cybersecurity posture and incident response procedures;
financial stability and corporate governance; sanctions and legal background
checks; and regulatory compliance (e.g., GLBA, GDPR, CCPA, FFIEC).

3.3) Contracting and Legal Safeguards

All vendor contracts must be reviewed and approved by Fintable and must include
provisions covering confidentiality and data protection, incident notification,
subcontractor management, termination and data disposition, and compliance
obligations, and must grant Fintable the right to audit and inspect the vendor's
security controls.

3.4) Incident Management and Escalation

If a vendor experiences a security or operational incident that impacts Fintable
or client data, the vendor must notify Fintable within three hours of discovery.
Incident details will be reported to executive management and to regulatory
authorities in accordance with applicable requirements. The vendor is
responsible for providing a root cause analysis and a corrective action plan.
All incidents shall be tracked and monitored through to resolution.

3.5) Termination and Offboarding

On termination of a contract, the vendor shall promptly return any data
requested by Fintable and destroy all data acquired from Fintable or through
Fintable services, in every location where the vendor holds it, so that no copy
of the data, and no means of accessing it, remains available to the vendor.
System and network access must be revoked at the same time; any access after
the contract period is prohibited unless and until a new contract is agreed.
Outstanding obligations or deliverables must still be fulfilled unless the
parties agree otherwise by mutual consent.

4) Documentation and Record Retention

All vendor risk assessments, contracts, and monitoring reports must be
maintained for a minimum of seven (7) years or as required by applicable
regulation. Documentation shall be stored in Fintable's secure Vendor Management
System with restricted access.

5) Compliance and Audit

Internal audits shall periodically review vendor risk management processes to
ensure alignment with:
FFIEC IT Examination Handbook: Outsourcing Technology Services
NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for
Systems and Organizations
GLBA Safeguards Rule
ISO/IEC 27036 and ISO/IEC 27001/27002
Noncompliance with this Policy may result in disciplinary action and, where
applicable, contract termination.

6) Policy Exceptions

Any exception to this Policy must be formally documented, justified, and
approved by the Chief Information Security Officer (CISO) and Executive Risk
Committee. Exceptions must be reviewed annually or upon material change in
vendor risk profile.

7) Policy Review and Approval

This Policy shall be reviewed at least annually by the Vendor Risk Management
Team and approved by the Board of Directors or its delegate. Revisions may be
made as necessary to address evolving regulatory guidance, emerging risks, or
operational changes.

Approved By:

Rafael Jara
Vice President

Electronically Signed By:

Signature of Rafael Jara

Rafael Jara

Date: 2025-10-10 17:32:48

Email: [REDACTED]

IP Address: [REDACTED]

Document Hash: f3aa1ddfb41f7f1475920b33d66ef4db