Vendor Risk Management in Banking
Vendor Risk Management in banking is one of the most highly regulated disciplines there is. It makes sense since financial information is one of the most confidential items we all care about. On every unit of US currency, it says “in God we trust” – obviously, that trust is sacred and must be expected of the companies with whom we entrust valuable information.
Fortunately, there is a great deal of regulatory guidance out there. The Federal Financial Institutions Examination Council (FFIEC) has very prescriptive information in the form of the FFIEC IT examination handbook and the guide to outsourcing technology; both of these (and much more) can be found on their website. All of the primary federal regulators (i.e., OCC, FDIC, NCUA, etc.) have written extensively about the need for prudent third-party risk management.
When we say “third party risk management,” what do we mean? Well, the third-party risk is a bit broader than traditional vendor management, as we’re not thinking just about a particular service being provided, but any company involved in the delivery of products or services to the bank or on behalf of the bank to its customers. Included in third party risk management are subsurface providers, in other words, the third party’s third party – that’s important because, in today’s highly interconnected world, you must know where your customers’ data is going and chase down all of those rabbit holes to ensure that is not the possibility for loss of data.
The FFIEC is broad in its set of recommendations and guidance, but let’s go even well beyond those and into the combined guidance and more recent experience of several regulatory institutions and examination observations. At a minimum, all risks of outsourcing a product or service should be included – Consider these – and they will vary greatly on a variety of factors, such as how much data is being shared, the proximity of the location, the type of reliance the institution has on their continuous support. At a reasonable pace, it’s always worth considering these factors, starting with FFIEC IT Examination Handbook Sect IIIC.B on Third-Party Management:
a). A reasonable contract that meets the institution’s expectations (and not a boilerplate from a third party, generally speaking)
b). Consider financial risk in the form of analyzing financial statements at least annually (though it’s a good idea to do so more often with a high-risk third party)
c). This is perhaps the most difficult and often needs to be a contractual consideration – having the rights to review independent audits of IT controls in place at the third party
d). Ongoing monitoring of the third party – which can be in the form of consumer complaints, reports of outages, notifications of data breaches – in any scenario, those items should be discussed and agreed upon before entering into a contract
Over and above those, the primary regulators’ regulatory guidance focuses on various risks that build upon the IT-centric concerns. These include, but are not limited to, such things as:
a). From an Information Security standpoint, consider the amount of non-public information that is being shared, the security of that data in transit and storage and, where, at the end of the day or end of the relationship, that data sits – also consider – sort of a “pro-tip” – consider if they have post-contract rights to use that information – if so, that should be carefully codified in the contract and understood by the institution’s senior management team.
b). Use of offshore third parties – again, it’s always a good idea to document where the data will be stored and backed by a thorough analysis of the controls over access to US consumer information – can the account numbers be truncated? How often are visits made to the third party? Has an appropriate review of the Country Risk associated with its location been done?
c). Financial risk – bears repeating from above as a third party’s financial condition can certainly impact the relationship and/or ability to perform.
d). Consider if the third party’s strategic objectives are in line with the institution’s expectations – for example, one would not reasonably expect an investment bank t use a payday lender as a third party to be hyperbolically clear on an example.
e). Internal or external counsel should carefully identify legal risks, whether it’s negative news in the form of suits against the company or properly making sure that the contract identifies all material terms.
f). Compliance risk is another consideration that needs to be taken into account to ensure that their compliance management system assures adherence to all applicable laws and consumer protection regulations are in place.
Other risks should be considered on a case-by-case basis depending on the product or service provided – these might include operational risk, geographic concentration risk, interest rate risk, reputation risk, etc. A handy list of these can be found in the FDIC financial institution letter 44-2008.
The key to all of these is careful documentation and a step-by-step approach to the life of a third-party relationship – the latter portion of this deals with these crucial activities.
Vendor risk is a multi-faceted risk. FFIEC recommends that all these risks are considered holistically before engaging as well as periodically. Risks to consider are:
• A disciplined approach for selecting a new third party
• A documented set of policies and procedures to govern the protocols
• A manner of conducting initial and ongoing due diligence
• A way of assessing the risk of outsourcing a particular product or service
• Ongoing monitoring standards to ensure the reliable performance of the third party
• Contract standards to stand up each of the other activities as well as provisions for terminating the relationship, if needed
In a well-functioning third-party risk management discipline, besides just regulatory compliance, there are other benefits: a real return on investment and a functioning set of business continuity plans and cybersecurity standards.
We all have a role to play in third-party risk management – from the front-line managers who deal with the vendors each day to the control functions and even executive management. Tone from the top is important – having an executive team sets the right plans and holds people accountable is fundamental to the program’s success.