Financial institutions know that onboarding a new vendor isn’t as simple as signing a contract—especially when it’s a critical vendor.
What’s a bank or credit union to do? Read to find out what your financial institution needs to know about onboarding new vendors strategically, efficiently, and compliantly.
1. Assess the business case for outsourcing. Every major decision your financial institution makes should align with your strategic plan and business strategy. That includes outsourcing third-party vendor management.
Your financial institution’s strategy should be based on its mission, vision, and values and include a defined risk appetite. This information guides an institution as it develops and implements long and short-term goals and a plan for achieving them.
Related: Vendor Risk Countdown: Top 10 Risks Third-Party Vendors Pose to Your Financial Institution
When considering outsourcing a new or existing business line or activity to a third-party vendor, it’s necessary to weigh the risks and benefits of working with a vendor versus maintaining the function in-house. What strengths would a vendor bring that the financial institution would benefit from? What would be the return on investment when considering revenue versus direct costs and indirect costs such as vendor management oversight? Are there quality vendors able to fill this role? How does outsourcing this function help the institution achieve its goals? These discussions should be documented.
It’s also important to determine whether the vendor will be a significant/high-risk/critical vendor. Critical vendors are vendors that could have a material impact on the institution’s financial condition, are critical to ongoing operations, have access to sensitive customer information, or pose material compliance risk. They require heightened levels of vendor management, including increased due diligence and monitoring. The board must review and approve of critical vendor relationships.
Try to conduct these assessments as objectively as possible, including key stakeholders and leaving preconceived preferences behind. This is an important moment and an opportunity to pause and reflect on the best use of your institution’s resources and whether this activity aligns with its strategic goals and risk tolerance. It will help set expectations going forward.
Related: 5 Ways to Succeed at Vendor Management
2. Identify potential vendors. Research potential vendors. Reach out to peers, associations, message boards, and existing vendors and look for conferences, trade shows, webinars, whitepapers, podcasts, blogs, and other materials that can help you identify potential vendors and what others think about them. Choose a handful of vendors that look promising.
The goal is to consider multiple options, whether that means interviewing competing providers or exploring different ways to meet the business’s requirements (example: hiring a consultant versus buying technology). Make sure this research and discussion are documented.
3. Request for proposal. Write a request for information, request for proposal, or request for quote and draft a list of interview and demo questions. Your earlier discussion justifying the business case for outsourcing and vendor research should make this task simpler since you will have already identified key risks and concerns.
4. Evaluate vendors. Create a vendor evaluation scorecard as well as service level agreements. Compare vendors and decide which vendor best aligns with your strategic needs, risk appetite, and budget. Consider which vendor has the best capabilities for meeting your business and user requirements.
5. Vendor due diligence. Before moving forward with any vendor, management should conduct third-party vendor due diligence. (Ongoing due diligence will be important throughout the relationship as well.) The more high-risk a vendor, the deeper the diligence should go. The goal is to uncover potential risk by investigating the vendor’s financials, experience, legal and regulatory knowledge, reputation, and the scope and effectiveness of its operations and internal controls.
This gives your institution the opportunity to uncover red flags that may cause you to reconsider your decision or add provisions to the contract to mitigate risk.
Related: Due Diligence Documentation: 9 Common Mistakes
6. Negotiate the contract. Negotiating contracts is about more than itemizing pricing. Go over the contract to ensure there are clearly defined performance standards carefully selected to measure performance. Other key items include guaranteed, regular access to reports and audits, data privacy protection, complaint resolution, business resiliency and continuity planning, ownership of data and intellectual property created, and default, termination, and dispute resolution provisions, including remedies.
Everything must be in writing.
7. Inform vendors that weren’t chosen of your decision. Once you’ve decided to move forward with a vendor, it’s always good business to let the other vendors you were conversing with know that you went in a different direction. It’s also helpful if you give them feedback on why you made your decision. It can lead to improvements down the line that could potentially benefit you in the future.
8. Implementation. Work with your vendor to develop an implementation plan and timeline. Don’t forget training and a launch effort to raise awareness.
9. Keep an eye on the vendor. Ensure you’re engaging in ongoing due diligence as part of your vendor management program so that your institution can identify any issues or emerging risks and take steps to remediate or mitigate them. Make sure terms are being met.
Rather than re-create this process every time a new vendor needs to be onboarded, make sure you have a vendor management program that’s scalable and provides workflows so that it’s easy to replicate and follow the same process every time—and nothing is overlooked.
Want to know more about vendor requirements? We break it down by regulator.
- FDIC
- Federal Reserve
- NCUA
- OCC
Learn about the 5 steps to vendor onboarding in our free Ultimate Guide to Fintech & Third-Party Vendor Onboarding.
Subscribe to the Nsight Blog
Share this
Why Vendor BCP Matters: Texas Storm Knocks Massachusetts CU Offline
Should Vendor Management Report to Compliance or IT?
