Valentine’s Day was last month, but the Office of the Comptroller of the Currency (OCC) has answers for your burning relationship questions—at least the ones having to do with your FI’s third-party vendors.
Does your FI receive direct service from a data aggregator?
Does your FI rely on third-party models?
If you answered yes to one of the above questions, that third-party relationship is considered a vendor and should be subject to your FI’s vendor management process.
Another area of confusion is bank data aggregators. If an FI gets direct service from a data aggregator via a business arrangement, it’s a third-party vendor. Yet the OCC warns that even if FIs don’t have a direct relationship, they should still perform due diligence on the aggregator’s business experience and reputation to ensure customer data will be safe. This includes “screen scraping,” or using customers’ login credentials, with their permission, to gather data. It can cause operational and reputational risk, the agency says.
The fact that the OCC felt the need to clarify the definition of a vendor is a sign that some FIs are struggling to identify all their third-party vendors. Make sure that your FI is using a broad definition. You don’t want to accidentally omit a critical vendor.
Vendor management is a subset of risk management. Vendor management gets a lot of special attention because vendor failures can cause severe material harm to your FI. That doesn’t mean it’s a stand-alone function.
Vendor management falls under the umbrella of risk management. It allows an FI to decide if the potential risks of working with a vendor align with the FI’s risk appetite and strategic goals. Vendor management follows the same lifecycle as risk management:
The OCC makes a point of reminding banks that if they can’t get the due diligence documents they need, it’s important to assess the risk of working with the vendor against the value it provides. Riskier activities may require additional risk controls. In the case of vendors, that can include backups.
Using vendors for vendor management is fine—as long as the risk judgement is performed by the FI.
From due diligence and ongoing monitoring to contract negotiation, FIs are welcome to use vendors to help manage third-party vendor relationships. However, the final call on whether a vendor relationship falls within an FI’s risk tolerance must be made by the FI.
Every FI needs to tailor its third-party vendor management processes to its own needs based on its size, complexity and other unique attributes. The risk any given vendor poses differs from bank to bank and depends, in part, on the specific products and services that vendor provides.
How the vendor fits into the FI’s strategic plan and risk appetite
The amount of risk and the FI’s ability to control it
Vendor management vendors should also be risk assessed and managed.