Today’s financial institutions often tap into third-party vendors to carry out services that fall beyond their industry expertise. This practice allows banks and credit unions to focus their resources and efforts on delivering high-quality service and products to their customers and members. Along with the improved service and greater productivity achieved through the use of vendors, however, comes an increased risk of data compromise, because these outside parties access a financial institution’s secure systems and sensitive information.
As risk from third-party access comes under increasing scrutiny from regulators, leaders of financial institutions must evaluate new vendors thoroughly and continue to monitor them throughout the term of service. A robust vendor management program is critical to building a proactive approach to risk management that can give financial institutions a competitive advantage. Read on to discover the key components that will help your financial institution build an effective and comprehensive vendor management program.
Board and Senior Management Responsibilities
While ultimate responsibility for vendor relationships falls on the board of directors, it is important to build the proper infrastructure at the senior management or department level for day-to-day relationship management and status reporting. If multiple individuals are responsible for different parts of the process (e.g., contract negotiation, business continuity planning), make sure these roles are clearly defined and supported. Once vendor management responsibilities and the reporting structure are established, formalize them as part of the financial institution’s official policies and procedures.
Vendor management risk assessment goes beyond basic vendor categorization and depends upon a thorough understanding of the risks associated with the service performed by each vendor and the area of impact. Timing is key to this process – not only should the risk profile of each vendor be evaluated before signing an agreement, but for vendors relied upon the most, a similar assessment should continue throughout the contract term. Financial institutions should determine the exposure of vendors across all types of risk – strategic, compliance, reputational and security. A vendor risk and responsibility matrix allows a wide range of risk factors to be evaluated in one comprehensive document.
In addition to assessing risk factors, financial institutions should also rank vendors according to their criticality. This determination should be based not on the amount of exposure a vendor has to sensitive information, but on the criticality of the function it provides. In other words, what would the impact be on the bank or credit union and its customers or members if this vendor disappeared tomorrow? Financial institutions are also required to conduct annual performance reviews of critical vendors, so this criticality ranking helps determine which vendors require annual review and which can be reviewed less frequently.
Due diligence is a traditional part of the vendor selection process, but financial institutions should strive to learn as much as possible about potential vendors during this phase, particularly as it relates to risk factors. Dig deeper into financial reports and scrutinize their corporate, financial, legal and regulatory history. Ask references probing questions to get a sense of reliability, transaction volume, track record and industry experience. Site visits provide additional value to the due diligence process, as do examinations of any subcontractors a vendor will be using.
The Federal Financial Institutions Examination Council, the governing body responsible for oversight of key federal regulators of financial institutions, outlines common provisions that should be reflected in all vendor contracts. Financial institutions should incorporate them into every contract, since examiners will look for these provisions during examinations and regulatory reviews. The common provisions include:
- Scope of service
- Rights and responsibilities
- Security and confidentiality
- Internal controls
- Audit and regulatory compliance
- Subcontracting and performance standards
Another important regulatory aspect to keep in mind is the notification required by the Bank Service Company Act, under which financial institutions must notify federal regulators of any vendor relationship within 30 days of entering into the contract or the service(s) being performed, whichever comes first.
As mentioned earlier, ranking vendors by criticality also guides ongoing monitoring, which is a critical piece of any vendor management program. Vendors with a higher criticality level require more frequent scrutiny than those with less impact.
Monitoring brings the vendor management program full circle, with the individuals responsible for particular vendors or functional areas bringing board members or senior management up to speed through regular and robust reporting. This reporting should also include any audits of vendors (SSAE 16 SOC reports) – review these closely and work with vendors to implement corrective actions as needed.
Armed with a robust vendor management program, board members and senior management can fulfill their regulatory requirements and trust the process to identify the best vendor for the institution and its customers. Financial institutions with questions about implementing a vendor management program or strengthening an existing model may contact me or Financial Services Industry Group leader Barry Pelagatti.