Due Diligence | By Lori Peterson
If you’ve felt the list of regulations impacting vendor management grow longer every quarter, you may be wondering what you can do to stay current and keep the examiners at bay. Horror stories abound of examinations of vendor oversight taking longer and longer, and of examiners asking for increasingly complex documentation and evidence of vendor programs. This article shares three tips for improving and right-sizing vendor management compliance programs.
Compliance and vendor management have become increasingly intertwined. Today’s financial institutions are not only accountable for their own actions, but for the actions of the various vendors that provide services on their behalf. As community banks outsource more activities to third parties, and more of those activities are subject to regulations, the stakes are higher. It feels as though “know your vendor’s vendor’s vendor” is the phrase that rules the day.
Examiners are scrutinizing vendor management programs heavily, across every facet of financial services – from mortgage to credit card operations to information. Like the mega-banks, community banks are also at risk as they outsource more activities. In fact, they may be exposed to more risk. A community bank could not weather the financial and reputational impacts of an enforcement action as well as a larger bank.
Like most compliance mandates, interpretation varies. Is every type of vendor subject to the same regulations? Does it make sense to have a one-size-fits-all vendor management program? What are the cost implications? Community banks must revamp their vendor management programs to make sure they identify risks ahead of time, and protect against costly regulatory enforcement actions and civil monetary penalties.
Here are three tips to help your bank improve its efficacy and efficiency around vendor management:
Right Info, Right People, Right Time
Most community banks have developed vendor management programs exclusively for IT and information security compliance. Today’s compliance requirements impact a myriad of activities, from mortgage servicing to marketing. Your vendor management program must ensure that the people best placed to make vendor-related decisions are involved in the process. It’s no longer wise to have everything handled in just one department. Organize vendors by the activities they perform, and then identify how different regulations affect each vendor and its activities. The personnel in your bank who know the vendor and deal with its products or services daily are best equipped to evaluate the risks a particular vendor poses to your institution.
Once your bank understands the specific impact that different regulations have on each vendor, you must create a formalized process for risk assessment, vendor training and risk management. Assign oversight of each vendor relationship and each contract to a specific management official within your bank. Also, ensure that your initial consideration of vendors, due diligence processes and ongoing vendor risk assessments and contract compliance reviews follow a consistent structure, schedule and format to ensure nothing falls through the cracks.
Apply Reasonable Judgment
Not every vendor requires the same level of risk management and oversight. A payment-processing provider is subject to significantly more regulations than a landscaping service. Factors that influence a vendor’s risk profile include the degree of impact on your operations: is this vendor “mission critical” to your operations, or could it be easily replaced if it does not or cannot perform satisfactorily? Likewise, the sensitivity of any data the vendor handles or may come into contact with plays a big role in the degree of risk the vendor poses. A holistic and consistent approach to your vendor management practices will enable your bank to understand which vendors and activities need the most oversight and enforcement. A smart first step is to determine which vendors pose the greatest risk to your institution, and to ensure that a thorough evaluation of their capabilities and performance happens throughout the relationship. Initial and ongoing due diligence are key to ensuring proper oversight.
Vendor compliance will become more complex as financial institutions rely more heavily on third-party service providers. Having the processes and tools in place so you can easily assess and mitigate vendor compliance risks will be critical!
Lori Peterson, CRCM, is director of regulatory infrastructure at Continuity (www.continuity.net), an IBANYS Preferred Provider. She can be reached at 866-631-5556 or firstname.lastname@example.org.