Every financial institution knows that regulatory agencies evaluate an FI’s vendor management program as part of the exam process. But did you know the Department of Justice is interested in it too?
When deciding whether to bring charges, negotiate plea agreements, or calculate criminal fines, the DOJ considers a company’s compliance program, including its vendor management program. The department is particularly interested in whether the program can “detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”
What is the DOJ Looking for in a Vendor Management Program?
In its most recent guidance “Evaluation of Corporate Compliance Programs,” the DOJ mentions four elements it assesses when looking at a vendor management program:
- Risk-based and integrated. When it comes to assessing plans, the DOJ recognizes compliance programs vary based on factors like size and geography. It expects the same of vendor management and assesses how vendor management processes correspond with identified risks.
- Controls. The DOJ wants documentation demonstrating why a company decided to outsource. If a third-party vendor was involved in the reason for the investigation, the DOJ will want to know why the vendor was selected, that it was vetted for reputation, and that the contract clearly describes services to perform and appropriate payment terms. There should be mechanisms to show work was performed and compensation is reasonable.
- Monitoring. The DOJ will look at how vendors are monitored, whether the company has audit rights and whether it uses them, and how the vendor conducts compliance training and incentivizes compliance. It also will see if due diligence occurs only at the beginning of the relationship or is ongoing throughout it.
- Accountability. The DOJ will assess whether a company notes a red flag in vendor behavior and how it addresses the issue when it happens. It expects there to be consequences.
The good news for financial institutions is that a good vendor management program should already address these elements. The main difference between financial regulators and the DOJ is the DOJ’s focus on misconduct. While financial regulators are concerned with a broad range of issues related to the safety and soundness of the institution, including operational risk and business continuity, the DOJ cares about crime.
For example, the DOJ looks for “an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”
Does your vendor due diligence process have controls for detecting vendor malfeasance? If not, you may want to consider adding them. With luck on your side, you’ll never have to deal with the Justice Department—but it’s always a good idea to be prepared.