Why Financial Institutions Need a Vendor Onboarding Process
As banks look to “buy” versus “build” tech solutions, third-party fintech partnerships are on the rise. Cornerstone Advisors recently reported that two out of every three banks and credit unions have entered at least one fintech partnership in the last three years.
At the same time, the number of partnerships is compounding. Today, the average financial institution has 2.5 fintech partnerships, and a whopping 90% of bank executives believe such partnerships are important for driving their institution forward. It’s safe to assume this trend will continue.
These relationships are increasingly complex.
“The growth of the fintech industry, of banking-as-a-service (BaaS), and of big tech forays into payments and lending is changing banking, and its risk profile, in profound ways... A majority are related to fundamental elements of risk management, e.g., board oversight, governance, and internal controls. Common issues involve insufficient information security controls, change management issues particularly with emerging products and services, and IT operational resilience,” noted Acting OCC Comptroller Michael Hsu in a September 2022 speech.
Beyond fintechs, financial institutions are tapping into many other third-party vendors, partners, and consultants for efficiency gains and to access outside talent. How many? That depends, but many institutions have upwards of 400 to 600 vendors.
Financial institutions shouldn’t have to reinvent their vendor onboarding process every time there’s a request for a new vendor. And with hundreds of possible vendors, this isn’t even manageable.
3 Reasons You Need a Vendor Onboarding Process
Financial institutions should have a centralized vendor management program that addresses every step in the lifecycle, including onboarding. Thoroughly vetting vendors isn’t just a best practice—it’s also a regulatory requirement.
Here are three reasons to consider:
- Your institution needs to clearly outline the pros and cons of outsourcing to a third party.
At the onset of onboarding, financial institutions should thoroughly weigh the risks and benefits of working with a third-party vendor or fintech versus keeping the function in house, including the costs for both. Identifying if and why a vendor is needed is crucial. It shouldn’t just be a nice-to-have. Your reason needs to be clear.
Questions may include:
• What strengths would a third-party vendor have that will benefit the financial institution?
• What will be the cost to outsource? What is the expected ROI?
• Are there quality vendors available?
• Does outsourcing this function help the financial institution achieve its goals?
- Your institution needs to evaluate the inherent risk of potential third-party vendors and fintechs.
Once a list of potential vendors is narrowed to one or two, financial institutions should assess the inherent risk for each.
Regulatory guidelines require financial institutions to conduct due diligence before entering into a contract with a vendor, but the level of due diligence depends on the risk inherent in the relationship.
A good onboarding program starts with an inherent risk assessment of the vendor to ensure that the appropriate level of due diligence is performed.
- Your institution needs to evaluate the residual risk of potential third-party vendors and fintechs.
Residual risk is the risk that remains after controls are considered. This evaluation helps financial institutions measure a specific vendor relationship against their risk tolerance.
For instance, you might find a candidate that has the potential to be a good vendor but also needs some additional controls due to residual risk. Without this process, there is no sure way to know.
Contract Negotiation Critical to Onboarding
Once a third-party vendor or fintech is identified, a written contract defining every aspect of the relationship, including responsibilities, obligations, and performance standards, is required. In fact, the Federal Deposit Insurance Corporation (FDIC) calls contract negotiation the most important control of the outsourcing process.
Beyond pricing, contract duration, and termination, third-party agreements must be designed to ensure that vendors, including fintechs, satisfy regulatory requirements and your financial institution’s specific needs, including its tolerance for risk.
Getting Necessary Approvals
Due diligence results and contracts should be shared with the board, and the board should sign off on any critical or high-risk vendors. Low-risk vendors may require sign off from others within the institution. Regardless, all due diligence, risk, and contact information should be kept in a centralized, easily accessible location.
Onboarding a vendor isn’t as simple as signing a contract. Financial institutions that tighten up their vendor onboarding process are doing more than reducing the risk of working with a single vendor or fintech. They are taking the time to ensure outsourcing activities will support the institution’s strategic goals and risk profile while meeting regulatory requirements.