Nsight Blog | Ncontracts

7 Risks that Third-Party Vendors Pose to Your Financial Institution

Written by Ncontracts | Mar 27, 2019 1:30:00 PM

If you’re reading this, chances are you’re aware that partnering with a vendor can deliver valuable efficiencies, but also presents risks. In this post, you’ll learn some of the top risks that third-party vendors can pose to your FI.

In 2019, vendor risk management remains a key concern for financial institutions in the US. There’s a good reason for that! As the cost of compliance increases, partnering with vendors provides lots of opportunities to streamline and enhance efficiencies. At the same time, such partnerships create potential problems. While most relationships with vendors are likely to be productive and helpful, there are risks to consider.

Here are 7 of the most important vendor management risks that banks, credit unions, and mortgage companies need to know!

As you’ll see, much of the conversation around vendor management at financial institutions talks about IT and compliance. As you’ll see, lots of these different risks relate to one another and even overlap. That’s why we encourage financial institutions to take a holistic approach to vendor risk management, and consider a more comprehensive third-party risk management solution.

Let’s jump right in:

1. Compliance Risk

For financial institutions, compliance risk associated with vendors remains a big concern. The regulators have made it abundantly clear that they will view any compliance risk in a vendor’s policies and procedures as risk of the financial institution.

“The Board can outsource a service, but they cannot outsource the responsibility.”

- FDIC, "Vendor Management" Presentation

Let’s use Fair Lending as an example of an area of compliance where vendor management is important. In general, regulators view the actions and policies of a third-party vendor as the actions and policies of the institution being examined. If an examiner identifies Fair Lending risk in a vendor, it could result in Fair Lending risk for your institution.

 

This OCC guidance from 2013 on third-party risk management remains one of the best resources for learning more about how the banking regulators view third-party risk management. In it, they advise financial institutions to adopt risk management processes that are appropriate for the risk and complexity of your third-party relationships. In particular, they recommend “comprehensive risk management and oversight of third-party relationships involving critical activities.”

They also encourage financial institutions to make sure to include the following items in your risk management process

  • “Plans that outline the bank's strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.

  • Proper due diligence in selecting a third party.

  • Written contracts that outline the rights and responsibilities of all parties.

  • Ongoing monitoring of the third party's activities and performance.

  • Contingency plans for terminating the relationship in an effective manner.

  • Clear roles and responsibilities for overseeing and managing the relationship and risk management process.

  • Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.

  • Independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks.”

If you’re a community bank, the above-mentioned OCC resource is definitely worth a read-through.

2. Cybersecurity Risk

Over the past few years, regular news of data breaches and cyber attacks has put cybersecurity risk in the national spotlight. This is true for all companies, including banks, credit unions, and mortgage companies.

According to industry experts, cybersecurity is one area where more focus is probably needed.

In 2015, the FFIEC released a cybersecurity risk assessment tool. Since then, the regulatory agencies have released more guidance and the OCC even shared an Advanced Notice of Proposed Rulemaking in 2016. In this joint notice of proposed rulemaking, they noted that "the agencies are considering establishing enhanced standards to increase the operational resilience of these entities and reduce the impact on the financial system in case of a cyber event experienced 2 by one of these entities."

As you’re reviewing your cybersecurity risk, here are a few things to consider:

  • Identify high-risk activities.

  • Controls from the top.

  • System protection and controls.

  • Incident response.

  • Internal controls.

  • Business continuity.

  • Human resources.

  • Data security.

  • Cloud risk.

We’ll focus a little more on cloud risk in the next section.

Looking for more help?

If you’re focused on cybersecurity - and let’s be honest, we all should be - here are a few more resources that can help.

  • The FDIC has a whole page of resources about cybersecurity risk, including a video series just for bank directors.

  • The NCUA has also compiled a page of resources that may be helpful.

  • Ncontracts/TRUPOINT has designed a cybersecurity risk assessment, Ncyber, that can help you understand your risk. 

3. Cloud Risk

With the prevalence of cloud-based software solutions, cloud risk is an important emerging area of vendor risk management. The so-called “cloud” is a network of data centers, and cloud solutions providers are “renting” access to that network to provide web-based software and services. Sometimes, they use a private cloud, while others are using a shared cloud.

The benefits of the cloud are plentiful: easy and convenient access, speedy delivery time, reliable and affordable infrastructure. You are using a cloud-based solution when you sign up for TRUPOINT Analytics! That’s part of why there’s no annoying software to install or update, and you can access it anywhere. To manage this risk, we do conduct cybersecurity assessments, too.

As we're seeing, financial institutions are embracing the cloud. 

However, cloud-based solutions present the same risks as any third-party solution. As it becomes more prevalent, we’re expecting regulators to pay even more attention to cloud-based solutions.

Read also: Vendor Management: What the Fed Really Wants


4. Reputational Risk

Reputational risk is one of those areas that is difficult to measure quantitatively, but which has a big emotional impact on your brand and your customers.

When you’re conducting vendor risk management and due diligence, it can be easy to overlook reputational risk. That would be a mistake.

As Maya Angelou famously said, “People will forget what you said, people will forget what you did, but people will never forget how you made them feel.”

Reputational risk isn’t about simply what you and your vendors say to and do for your customers, it’s how you make them feel. Pay particular attention to vendors that are involved in any customer-facing or customer-focused products or services, as these will provide the most exposure for emotional reputation risk.

5. Transaction Risk

Transaction risk is simply the risk that a third party won’t provide the expected products and/or services in a way that negatively impacts either your institution or your customers.

For example, the software vendor who provides your mobile app is having a software problem, and your customers can’t access their mobile banking portal. Or say the servers for your bank’s website are down, so customers, consumers, and your employees can’t access the site. Both of these are examples of transactional risks that impact your institution and your consumers. As you can imagine, both examples also have operational, IT, or reputational risk implications.

In fact, the FFIEC requires that you consider transaction risk in the IT Examination Handbook.

This resource specifically notes that financial institutions should evaluate a vendor’s “business resilience controls to minimize financial loss and mitigate adverse effects of service interruptions.”

When assessing your transaction risk with third-party vendors, consider the business continuity plan, threat management, recovery, data protection, incident response, and the risks posed by any subcontractors.

6. Credit Risk

Credit risk is the risk that a company won’t stay in business. credit risk is measured by evaluating the financial strength and ability of a company to manage debt and stay in business to ensure continued operations. Put simply, the best way to manage your third-party credit risk is to avoid doing business with financially challenged vendors.

Best practices recommend that financial institutions evaluate the credit strength of their vendors at least annually.

When evaluating credit risk, you may want to consider:

  • Look for any public certifications or criticisms of the potential vendor. These may include complaints, Better Business Bureau notices or ratings, or other trade references.
  • Search for any public documentation that may provide insight into the financial health and stability of the company. Quarterly or annual reports, investors letters, and information about business locations will likely be valuable.
  • Consider comparing the potential partners' performance to benchmarks, if available. 
  • Review any available business credit scores and ratings, as these can be an important indicator of their health.
  • Lawsuits or other legal proceedings related to the finances of the company.

These are just a few things to consider. Luckily, your Board is likely to be skilled at evaluating the financial health of any vendor or third-party provider, and will probably be able to help.

7. Operational Risk

In general, operational risk is defined as the broad risk of financial loss when processes, people or systems fail. Due to its broad nature, operational risk is sometimes seen as a kind of catch-all.

Likewise, there is a bit of nuance to the relationship between operational and vendor management risk. When evaluating your operational risk, you have to consider vendor management, and vice-versa. Some even consider third-party risk a subcategory of operational risk. In general, here is the operational risk management cycle:

  • Identify risk

  • Measure/evaluate risk exposure

  • Mitigate and implement controls to manage risks

  • Conduct ongoing monitoring and review

  • Create reporting. These reports may include:

    • Audits  

    • Business Continuity Plans and Testing  

    • Service Level Agreements  

    • Information Security

    • Financial Statements

    • Higher-Risk Service Provider

    • Regulatory IT Exam Reports

That said, there are clear operational risks that can arise when working with a third party. One such risk is often referred to as “concentration risk” - that is, you may be too reliant on just one vendor.

Note: this is not a comprehensive list of all the different types of risks posed by a vendor. There are many, and different industry experts may use slightly different names. Some other types of third-party risk that you may read about, in addition to the seven mentioned above, include interest rate risk, liquidity risk, and strategic risk.

Ncontracts Viewpoint: So how can you manage your third-party risk? It comes down to five main things:

  1. Risk assessment,

  2. Due diligence process,

  3. Ongoing monitoring,

  4. Contract structuring and review, and

  5. Oversight.

In addition, you’ll want to make sure that you have the appropriate documentation and reporting during these steps. Your contract structuring and review process should also include plans for what to do if anything goes wrong, such as processes for terminating a relationship, as well as non-disclosure and/or confidentiality agreements.

Remember, vendor risk management isn’t one-and-done. It requires active, consistent management to ensure your risk exposure is limited.