<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

Third-Party Vendors & Compliance Risk: 10 High-Risk Compliance Situations

3 min read
Jun 18, 2020

The only thing worse than getting in trouble for making a mistake is getting in trouble when somebody else makes a mistake. That’s the situation financial institutions face when a third-party vendor acting on behalf of the bank doesn’t comply with laws and regulations.

Your FI may think its compliance game is strong, but if it doesn’t have a good vendor management program that risk assesses vendors, provides enhanced oversight of critical vendors, and actively monitors vendors for compliance, it’s got a gaping hole.

How can you tell if you need to be extra worried about third-party vendor compliance risk? Here are 10 situations where compliance risk is elevated:

  1. You aren’t reviewing third-party vendors and their products, services, and systems for compliance. When it comes to vendor compliance, ignorance isn’t bliss. Regulators will hold you accountable for your vendor’s actions. You need to know if what vendors are doing for you, or on your behalf, is compliant.
  2. Your third-party isn’t following applicable laws, regulations, ethical standards, or your own FI’s policies and procedures. When it comes to compliance, there is no such thing as an unimportant rule. If you find any evidence that your third-party vendor isn’t following every compliance rule or policy, that’s a sign there may be a bigger problem. Increased vigilance is a must.
  3. Evidence of unfair, deceptive, or abusive products or services. This is a compliance violation, so technically it falls under bullet point #2. But this is one area that deserves a line item of its own. UDAAP violations are one of the most common—and costliest—sources of enforcement actions. The regulatory agencies are on the lookout for UDAAP violations. You need to be too.
  4. Non-compliance with BSA and OFAC. Just like UDAAP, Bank Secrecy Act and anti-money launder regulations are a common source of enforcement actions. If there’s a possibility that your vendor isn’t following BSA/AML rules to the letter of the law, there’s increased risk. Transactions must be monitored for compliance risk.
  5. Violating intellectual property rights. If your FI is licensing or using technology that later is subject to a lawsuit for an intellectual property rights violation, you could find yourself as a defendant in the lawsuit even though you didn’t know. Make it your point to know. If there’s a possibility that your vendor doesn’t have the right to use or sell a technology or service, there’s an increased risk.
  6. Your FI lacks the resources needed for vendor audits and oversight. From a strong contract to expertise and personnel, your FI needs both the controls and the bandwidth to oversee and monitor your vendor relationships. If your FI doesn’t have the resources to dedicate to vendor management, especially of critical vendors, your compliance risk is elevated. This is especially true when entering new business activities or expanding existing ones.
  7. Your vendor outsources to subcontractors. Fourth-party risk is a real concern. Not only do you have to trust that your vendor is doing the right thing, but you also have to trust that it has a strong enough vendor management program to ensure its vendors are also doing the right thing—and that its vendors’ vendors are behaving too. The further critical activities are subcontracted, the greater the risk.
  8. Business is being conducted in foreign countries. If the vendor is conducting business activities in a foreign country on your behalf or customer and employee data is transmitted to foreign countries, your FI faces greater compliance risk. Foreign countries may have different economic, social, and political conditions that could result in vendor non-performance or data loss. This increased risk (known as country risk) means your FI will have to monitor the government policies and legal and social conditions as part of its due diligence.
  9. Conflicts of interest aren’t appropriately managed. You need to be sure your vendor is giving you objective advice and performing to the best of its abilities. You want it to look out for your interests, not just its own. Be on the lookout for signs that your FI’s best interests may not be the top priority. Is the contract written in a way that financially penalizes your FI for leaving but creates no accountability for vendor non-performance? Will your proprietary information be held in confidence? Is the CEO of a critical vendor married to the CEO of your biggest competitor? Does its board have a financial interest in a competitor? Does the vendor prioritize larger clients or industries over others? Make sure your vendor has and adheres to an ethics program.
  10. There aren’t sufficient data security controls to protect sensitive data. There’s no faster way to end up on the front page of the local paper than being the victim of a data breach that releases consumers’ sensitive information. If you find weaknesses in your vendor’s data security controls, you’re exposed to a lot of risk.

Related: Creating Reliable Risk Assessments

Subscribe to the Nsight Blog