Is Your Financial Institution’s Vendor Management Program Ready for Examination?
Vendor management is back in the regulatory headlines with the Office of the Comptroller of the Currency’s (OCC) recent Frequency Asked Questions to Supplement OCC Bulletin 2013-29, its current vendor management guidance. This FAQ is yet another reminder to financial institutions of the importance of understanding who their vendors are—and the criticality of their functions. It is not a coincidence that this heightened focus is occurring as more institutions turn to third-party vendors, increasing their institutional reliance on them.
Is your financial institution’s vendor management program ready for the heightened examiner scrutiny anticipated as part of current regulatory guidance? No matter the size of your institution or the number of vendors it uses, living by the following four rules will pay off during your next exam.
1. Avoidance Is Not an Option
Financial institutions have struggled with the OCC’s vendor management guidance since its October 2013 publication. This uncertainty reached a crescendo when the agency released its Supplemental Examination Procedures for Risk Management of Third-Party Relationships on Jan. 24, 2017.
Why does this topic cause such strife? As Banking Exchange explained: “Bank risk management is not what it used to be—it’s much more than it used to be. Many factors not traditionally associated with the risks that banks face are now at least as important as the longstanding ones. Among these newer risks are BSA/AML, cyber risk, model risk, and vendor management. In a way vendor management is an amalgam of all of the elements listed above.”
The Federal Reserve (Fed) weighed in early this year in Community Banking Connections, pointing out just how pervasive vendor usage has become in our industry: “In addition to traditional core bank processing and information technology services, banks outsource operational activities such as accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing.”
Given that fact, and the realization that this trend is not likely to reverse itself, financial institutions must extinguish any remaining resistance to vendor management among boards, senior management or general staff. As the Fed notes, “the increased use of outsourcing to third-party vendors and the importance of the relationships between banks and those vendors intensify the need for community banks to have highly effective third-party vendor risk management programs in place.”
And while some institutions outsource vendor management or collaborate with industry peers, they still ultimately own responsibility for their risks, including those associated with vendor usage.
The OCC FAQ addresses the idea of collaboration, indicating that institutions “using the same service providers to secure or obtain like products or services” may collaborate when “performing the due diligence, contract negotiation, and ongoing monitoring responsibilities.” However, it notes that this collaboration does not absolve an institution of its responsibility to risk. “While collaborative arrangements can assist banks with their responsibilities in the life cycle phases for third-party risk management, each individual bank should have its own effective third-party risk management process tailored to each bank’s specific needs.”
2. Vendor Management Needs an Umbrella
The OCC’s FAQ also states that, “there is no one way for banks to structure their third-party risk management process,” while noting that some institutions centralize this function as others decentralize it. Despite the OCC’s neutrality here, it is difficult to achieve and maintain all of the required elements of a risk-based vendor management program without exerting some sort of central authority over it.
The board of directors ultimately owns the vendor management program and any risks issuing from it, as they do all other forms of institutional risk. In order to fulfill that duty, the board and its senior management need to have an enterprise-wide view of vendor management that a central authority provides, including the following:
- Comprehensive inventory database that includes key details on all vendors
- Central repository for all vendor contracts, including due diligence details and approvals
- Monitoring system that facilitates ongoing reviews and tracks such key dates as renewals
The OCC’s Supplemental Examination Procedures practically beg for such easily accessible and centrally located tools. In recapping the procedures in February 2017, Banking Exchange noted the following:
- “Examiners will be starting their review of a bank’s third-party relationship risk management by asking for the bank’s full inventory of such arrangements.”
- “The institution’s due diligence that went into selecting third-party relationships will be scrutinized.”
- “Examiners will review a sample of contracts between the institution and third parties.”
- “Examiners are evaluating whether management periodically reviews third-party relationships.”
In Community Banking Connections, the Fed lends its support to the idea of centralization: “The bank’s senior management should develop and implement enterprise-wide policies to consistently govern outsourcing processes.”
3. Not All Vendors Are Created Equal
The big mistake that institutions make in vendor management is performing the same level of due diligence on all vendors. This tendency typically results in inadequate due diligence on higher risk vendors and excessive due diligence on lower risk vendors. In order to avoid that costly pitfall, institutions should classify all of their vendors into risk-based categories, such as the following:
- General vendors: any vendor who does not fit the standards for a GLBA or critical vendor
- GLBA vendors: an institution’s sensitive data and information is in their hands
- Critical or strategic vendors: an institution cannot do business without them
The OCC Supplemental Examination Procedures reiterate the agency’s definition of “critical activities” from Bulletin 2013-29. “The term refers to significant bank functions (e.g., payments, clearing, settlement, and custody) or significant shared services (e.g., information technology), or other activities that could cause a bank to face significant risk if the third party fails to meet expectations; could have significant customer impacts; require significant investment in resources to implement the third-party relationship and manage the risk; or could have a major impact on bank operations if the bank has to find an alternative third party or if the outsourced activity has to be brought in-house.”
As discussed in a previous CSI blog post entitled, “Demystifying Vendor Management,” the level of due diligence needed per vendor should be based on its designated risk category. At a minimum, for all vendors, institutions should conduct a business impact analysis, determine the vendor’s business type and status and verify general liability insurance coverage. Institutions should draw up written contracts that include service level agreements, confidentiality statements and details on who manages the relationship within the institution. Inclusion of these details is sufficient for a majority of vendors.
For GLBA-classified vendors, institutions need to delve further into their operations and policies in addition to the basic due diligence. This includes reviewing the vendor’s third-party audit, information security policy, business continuity and disaster recovery plans, employee background check policy and due diligence process for subcontractors. Institutions should verify that GLBA vendors are bonded and maintain specific cybersecurity and errors and omissions (E&O) insurance coverage. The contract should include specific GLBA language and confidentiality agreements should be prepared.
Critical vendors require the most due diligence. After completing all of the items above for a critical vendor, institutions should understand the company’s ownership structure and the status of any mergers or acquisitions; analyze its capacity and corporate image; and conduct a financial soundness review along with a legal and compliance review. The contract should specifically address the criticality of the vendor’s function. Finally, institutions should proactively identify alternative vendors for any outsourced critical functions in the event an issue arises.
4. Individual Vendors Grow and Change
Institutions can follow the first three rules, yet still fall short of regulatory expectations because they view vendor management as a one-and-done exercise, when it is anything but. While critical vendors require continuous relationship monitoring, other vendors need be reviewed at intervals commensurate with the risk they pose.
Take, for example, long-time vendors previously deemed lower risk. As the Fed explains, “third-party vendors that an institution categorized as minor or lower-tier, lower-risk service providers several years ago may today pose greater risks similar to a major core processor.” That is why it is necessary during such reviews to consider if the risk a vendor poses has changed in the regulatory environment, the industry, or within the vendor itself. Without such consideration, institutions unwittingly leave themselves exposed to risk and the consequent regulatory reprimand.
Facing the FAQs
As Banking Exchange emphasized, “third-party relationship risk management is a significant examination focus. It is not limited to critical operational functions. It is not limited to large or even medium-size institutions. It has impact on operational risk, compliance risk, strategic risk, reputational risk, credit risk, and management risk.” Regulators keep sending this same message. The OCC FAQ is just the latest installment.
It’s time to face the FAQs. Given the heightened regulatory importance of vendor management and the availability of automated solutions—as well as comprehensive services that streamline vendor management tasks and strengthen the effectiveness of an institution’s program—excuses for inadequate vendor management simply won’t fly at exam time.
Amber Goodrich, compliance strategist for CSI Regulatory Compliance, has more than 10 years of financial industry experience. She is a Certified Regulatory Compliance Manager (CRCM) and Certified Bank Secrecy Act (BSA) Professional (CBAP).