What About Your Bank’s Approach to Vendor Management?
E. Stephen Lilly
First Community Bancshares, Inc
Member of the WVBankers Operations & IT Committee
Vendors, or third-party service providers, play a significant part in how we operate and serve customers in our financial institutions today. With customers expecting extended services, such as mobile banking and person-to-person (P2P) payments, all banks are forced to rely more heavily on third-party service providers so that specialized technologies and services can be offered. In today’s business environment, avoiding third-party service providers is simply not an option; therefore, bank management and boards of directors need to ensure appropriate measures are in place to address the numerous risks posed by Fin-Tech companies and others providing significant services or products.
So, why is vendor management important for banks and such a huge concern for regulators? In many cases, service providers perform critical functions that are essential to running the bank and store confidential information on the bank’s behalf. Without a solid vendor management program, a bank cannot mitigate the many risks that are present in these third-party relationships. Obvious risks associated with third-party relationships could be all or a combination of the following: operational risk, transaction risk, reputation risk, credit risk, interest rate risk, compliance risk, liquidity risk, and strategic risk. If effective vendor management controls are not practiced, banks can potentially be exposed to loss of funds, loss of competitive advantage, reputational damage, improper disclosure of information, and regulatory action.
Banks of all sizes should consider adopting a well-considered risk management program that covers all vendors and is proportionate to the relative level of risk each vendor poses. An effective vendor management program needs to identify vendor types and their related risks while setting forth the necessary steps to adequately manage a wide array of third-party relationship types. An effective vendor management program should contain the following basic elements:
1. Risk assessment: A strong vendor management program is a framework that starts by listing all third-party service providers that conduct business with the bank and classifying every vendor relationship according to its level of risk (e.g. High Risk, Moderate Risk, or Low Risk).
2. Due Diligence: After a thorough risk assessment is performed, the bank should conduct due diligence for vendors that are considered to be critical and significant to bank operations and customers. Due diligence elements should include: underwriting the vendor’s financial condition and reputation, evaluating compliance and regulatory capabilities, checking the background of owners/principals, verifying information security controls, evaluating business resumption planning processes, and validating operational resilience.
3. Ongoing Monitoring: Financial institutions should continually monitor vendor relationships by reviewing service level agreements and comparing them with actual contracted performance; assigning qualified staff to monitor vendors on an ongoing basis; reviewing the vendor’s general controls through onsite vendor visits and analysis of audits such as SSAE 16/SOC audit reports; and engaging a qualified, independent third party to regularly test the bank’s vendor management controls and compliance practices.
4. Proper documentation and reporting: Banks must generate and retain proper documentation to demonstrate accountability and monitoring of the vendor management program. Documentation should include: a current list of vendors, due diligence and underwriting findings, contracts and corresponding reviews, risk assessment results, overall program assessment reports to the board of directors, and independent program audits.
5. Contracts: Banks should physically or digitally store a copy of vendor contracts off-site. OCC Bulletin 2013-29 states that vendor contracts must contain the following: nature and scope of services, duration of the contract, the right to audit, cost, confidentiality and integrity, and contingency plans.
6. Procedures for terminating the relationship: Banks should also have processes in place to transition or discontinue activities when a relationship with a vendor ends or the vendor does not meet service level standards.
7. Nondisclosure/Confidentiality agreements: It is vital to have written and well-constructed nondisclosure/confidentiality language in all agreements with vendors, especially when the vendor will have access to the bank’s critical or confidential data. Vendors who fall into this category certainly include core system processors and other third-party services involving customer data and movement of funds, but the category can also include less technical third-party services such as security guards, cleaning services, and other contractors who have unsupervised access to bank facilities where critical data may be obtained.
In summary, structuring and maintaining an effective and formalized vendor management program is very specialized and technical. Bank management may want to seriously consider engaging qualified consulting firms to provide the guidance and expertise needed to establish and maintain an effective, compliant vendor management program. If not managed properly, vendor relations can lead to a host of negative consequences. A further benefit is that a formalized vendor management program will also assist when future negotiations of third-party agreements are needed. More information about third-party risk management can be found in the FFIEC IT Examination Handbook, Management Booklet, at the following link: https://ithandbook.ffiec.gov/it-booklets/management/iii-it-risk-management/iiic-risk-mitigation/iiic8-third-party-management.aspx.