Banks and other financial institutions habitually use outsourcing as a means to enhance performance, reduce costs, or to acquire specific expertise. Audits, compliance reviews, disclosure preparation, data processing, and website development are routinely outsourced to third parties. Assuming current indicators predict future behavior, the regulatory scrutiny of third party vendors and compliance requirements will continue to increase and evolve; banks and other financial institutions must take steps to minimize the risks inherent in these relationships.
Mandates Pertaining to Vendor Relationships
Senior management and the Board of Directors are held accountable for the management and oversight of third-party contracted services to the same extent as if the activity were an in-house operation (FDIC FIL-44-2008). Examinations have become increasingly complex as regulators review operational and compliance risk under the Bank Secrecy Act (BSA), USA PATRIOT Act, Gramm-Leach-Bliley Act, Basel II Accord, Sarbanes-Oxley (SOX), and Federal Financial Institutions Examination Council (FFIEC) guidelines. The Gramm-Leach-Bliley Act (GLBA) mandates specific provisions to protect customer records and information, including due diligence in vendor sourcing and ongoing vendor oversight.
There are four key components that a risk management plan must incorporate: risk assessment, due diligence (in vendor sourcing), contract issues (vendor management and contract management are inextricably entwined), and monitoring (oversight and review of vendor performance).
Risk Assessment
A bank's vendor management program should be tailored to the institution's size and risk profile. The first step in designing such a program is to determine which vendors are critical to the financial institution's operations. Critical vendors include outsourced core processors, internet-banking providers, mobile-banking service providers, and similar vendors. For each critical vendor the bank should conduct a risk assessment covering specific areas of risk such as reputational, financial, strategic, and operational risk. The assessment should produce a score for each critical vendor, which is then used to determine which vendors need corrective action or additional attention.
Due Diligence: Vendor Selection
The Federal Financial Institutions Examination Council (FFIEC) requires banks to complete risk assessments on vendors that store or have access to confidential customer information, or whose services have a major impact on bank operations. The FFIEC has established formal guidelines for how to complete these assessments and what information should be gathered.
Pertinent information to collect:
- Client references (particularly from other financial institutions) to gauge satisfaction with the vendor's performance
- Specific answers about the vendor's data backup system, continuity and contingency plans, and management information systems
- Background and qualifications of the vendor's management and key personnel
- Willingness of the service provider to disclose how it handled security incidents and problems in the past
- Length of time the vendor has been providing the service
- Lawsuits filed against the vendor
- Financial statements, to check the vendor's financial health
Due diligence information is gathered at the time of contract negotiation, annually thereafter, and at contract renewal. For lower-risk and non-critical vendors the process is less intensive, generally performed only at contract signature and renewal. Once a bank has gathered and analyzed the information and assigned a risk score to a vendor, the results should be retained for future review and as documentation for examiners. Ultimately, the benefits provided by a vendor should outweigh the risk of potential mishaps.
Contract Issues
The FFIEC states that a risk assessment is performed on the vendor contract by reviewing the substance of the agreement, including liabilities, indemnification provisions, confidentiality provisions, and similar material terms. The contract should clearly define the rights and responsibilities of both parties and contain specific, measurable service level requirements.
Example of a Partial General Checklist:
- Scope of outsourced services including any ancillary services to be provided
- Warranties, liabilities, disclaimers
- Indemnification
- Confidentiality (GLBA)
- Security
- Payment schedules
- Assignment provisions
Monitoring: Oversight and Review
The FFIEC requires banks to perform at least an annual review of high-risk vendors; critical vendors may require more frequent review and monitoring.
Sample of Items to Review:
- Financial data: review the vendor's financial condition at least annually
- Information security audits: obtain updated audit reports at least annually (SSAE 16 at the time of writing; since 2017 SOC 1 reports are issued under SSAE 18), and confirm that the report's scope, period, and complementary user-entity controls cover the services the bank actually consumes
- Policy review: changes to the vendor's internal policies, updated at least annually
- Vendor's contingency and disaster recovery planning
"If you've got to live with the lemon of more regulatory scrutiny, you might as well use the occasion to try to make some lemonade." - Kevin Funnell
Risk is an unavoidable component of the business landscape; however, preventive measures and standardized processes can minimize much of the damage. Organizations that figure out how to streamline their vendor management processes and approach compliance in a persistent and proactive manner will attain a major competitive advantage.