Capital City Bank (CCB) builds strong relationships with third-party vendors and service providers. Management of these third parties (referred to as “Vendor”) relationship goes far beyond meeting regulatory requirements. The Vendor Relationship Manager (VRM)is responsible for building and strengthening those relationships. A strong vendor relationship helps mitigate potential risks. The VRM is the associate authorized by the “Delegated Approval Authorization Policy” and the “Contract Agreement and Approval Policy” to enter into a contract with a third-party vendor or the associate authorized to initiate the services of a third-party without a contract.

At CCB, the term vendor is referring to any third-party relationship. A third-party relationship is defined in regulatory guidance as any business arrangement between a bank and another entity, by contract or otherwise. It is not relevant if they receive payment from CCB.

Capital City Bank’s Vendor Management Program ensures the risk management process is commensurate with the level of risk and complexity of its third-party relationships and the bank’s organizational structure. It provides that each vendor or service provider who has access to or receives consumer client Nonpublic Personally Identifiable Information (NPI) has established a security program consistent with the GLBA Interagency Guidelines and guidelines set forth in the FACT Act of 2003 to safeguard the information.

Regulatory expectation is the Program includes more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities—significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that:

• Could cause the bank to face significant risks if the vendor fails to meet expectations;
• Could have significant customer impacts;
• Require significant investment in resources to implement the third-party relationship and manage the risk; or
• Could have a major impact on bank operations if the bank has to find an alternate third-party or if the outsourced activity has to be brought in-house.

Our Corporate Security page on Netinterest houses additional resources related to Vendor Management including:

• Vendor Management Procedures
• Vendor Agreement Form
• Venminder Procedures
• Approved Vendor List

Emerging topics such as Artificial Intelligence (AI), Large Language Models (LLMs) and Deepfakes are all over the news today.  These fascinating products enable us to compute, modify, and provide data output faster than ever before.  However, with these technologies come certain risks as well that must also be considered.  

AI works by simulating human intelligence using algorithms, data, and computational power. AI enables computers and machines to simulate human learning, comprehension and problem solving.

It is important that Capital City Bank (CCB) associates avoid using AI software or programs containing AI functionality unless prior authorization and approval of these tool have been granted. Currently, AI tools such as LLMs are being trialed by a pilot group of key associates throughout the bank’s footprint to determine business use cases for these emerging products.  There will be more information to come on the results of that study in 2025.  

If you are currently working with a vendor (or plan to bring on a new vendor) as a vendor owner, be sure to ask the vendor about AI functionality and contact Corporate Security immediately if you determine that AI is being used.  AI specific questions has been included in vendor and application questionnaires to better understand how AI is being used in products where applicable. 

If you have approval to work with AI, keep the following points in mind:

DO's

• Ensure prompts or questions are clear and unambiguous.
• Avoid overwhelming the AI prompt with unnecessary details.
• Understand that you remain accountable for all decisions and actions, even when assisted by AI.
• Always use your judgment when analyzing AI responses.
  • Be aware that AI systems can inadvertently perpetuate or amplify societal biases due to biased training data or algorithmic design or provide false information in error.
• Balance the use of AI with human input to preserve cognitive abilities.

DON'Ts

• Don't enter sensitive information such as NPI( examples include client account numbers, SSN’s, or other personally identifiable information) or proprietary company data( an example would be confidential internal reports) into AI tools unless you have received prior authorization. It is imperative that you always protect sensitive information.
• Do not use your CCB e-mail and/or network credentials to sign up for an AI tool unless authorized to do so.
• Don't overly rely on AI. Creativity, critical thinking, and human intuition can not be replaced by AI.