
Explanation:
To mitigate operational and information security risks, a bank should restrict a marketing vendor's access to its critical processes and systems following the principle of least privilege. A marketing vendor does not require access to core banking operations or critical processes to perform its duties. Option A is incorrect because third-party audit reports (such as SOC 1 or SOC 2 reports) are typically highly confidential and not publicly available; the bank should request these directly under a non-disclosure agreement. Option B is incorrect as compensating solely based on commissions significantly increases conduct risk and the potential for mis-selling. Option D is incorrect because the vendor must be responsible for developing and maintaining its own contingency planning and business continuity processes, while the bank's role is to assess and review them.
A. The bank should review all third-party audit reports of the vendor, which are publicly available.
B. The bank should ensure that the vendor's sales representatives are compensated mainly with commissions from the sale of the bank's products.
C. The bank should prevent the third-party vendor from having access to any of its critical processes.
D. The bank should be responsible for developing the vendor's contingency planning process to mitigate risk exposure to the vendor.