Do you have a process for evaluating tools and platforms to see if they’re compliant with your industry’s regulations?

Director of IT in Government, a year ago

Ours is called an Approval to Operate process. It focuses a lot on the security aspects but does cover other regulations too, like privacy. It involves a lot of documentation of what we are using, how it will be set up, privacy assessments, processes like incident management and DR, compliance with the relevant standards, etc. The output goes to senior management for approval, and also produces a hitlist of improvements for you to report progress against.

VP of IT, a year ago

Yes, we do have a rigorous process for evaluating tools and platforms to ensure they are compliant with our industry's regulations. In the banking and finance sector, adherence to regulatory standards is not optional—it's a fundamental requirement. Our evaluation process is designed to thoroughly assess compliance with all relevant legal and regulatory frameworks before any tool or platform is implemented.

Field CTO in IT Services, a year ago

As part of vendor qualification you would want to ask them about relevant standards and regulations, and ask them to evidence their current levels of compliance, as well as any plans to obtain (if they are not yet compliant) or recertify that compliance. Organisations operate within a regulatory or statutory context - you need to ensure you are not diluting or knowingly weakening your compliance position by making uninformed choices.

Director of Engineering, a year ago

Yes, definitely. When working with vendors, we often ask them directly about their compliance status. For example, we asked an insurance vendor if they were HIPAA compliant. When they were unsure, we sat down with them, reviewed the HIPAA compliance documentation, and mapped it line by line to their offerings. 

If most of the compliance needs are met, we are ready to evaluate the vendor further, though not necessarily onboard them immediately.
