Examine third-party vendor risks to remain safe and secure
By Mary Thorson Wright
With community banks relying more on outsourced technology and services, third-party vendor management has arguably never been more important—or more challenging. With concerns spurred further in part by rising risks over the growing complexities of data security and cybersecurity, safety and soundness examiners increasingly focus on the multiple dimensions of third-party vendor management.
Nearly everything community banks do is from or through a vendor, suggests Sam Kilmer, senior director of Cornerstone Advisors Inc., a community bank consulting firm in Phoenix, Ariz., that specializes in reviewing vendor management, contracts and performance.
“While the factors for facilities and people are staying relatively flat, technology is the element rising,” Kilmer says. “If vendors are enabling the technology, then technology is the growing element to manage.”
A Cornerstone Advisors report last year found that the average community bank is managing 30 different software applications. Kilmer says those software systems are either new, need improvement or are under some form of contract negotiations. “That’s a lot of moving parts to manage,” he says. “Without visibility and a roll-up view of all those pieces, there is potential for innumerable integration points that could break. A well-planned and -executed vendor management program helps bankers deal with these challenges.”
No doubt, the regulatory banking agencies have taken notice of the risk-management challenge. The Consumer Financial Protection Bureau, only a year after forming, published CFPB Bulletin 2012-03 detailing expectations for supervised banks and nonbanks to have an “effective process for managing the risks of service provider relationships.” The CFPB went a step further, stating that financial institutions “may be held responsible for the actions of the companies with which they contract.”
The Federal Reserve Board followed in December 2013 with its “Guidance on Managing Outsourcing Risk,” and the Office of the Comptroller of the Currency issued soon after OCC Bulletin 2013-29 and Bulletin 2001-47 to provide risk-management guidance for managing and auditing third-party relationships. In a note addressed specifically to community banks, the OCC wrote that risk-management practices should be commensurate with the level of risk and complexity of an institution’s third-party relationships.
Last year, because of the growing emphasis on cybersecurity, the Federal Financial Institutions Examination Council developed a Cybersecurity Assessment Tool to help financial institutions identify their risks and determine their cybersecurity preparedness. The tool is designed to help bank managers and directors understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions, including, prominently, vendor management oversight.
To deal with these various complexities, some vendor management consultants are advising community banks to move toward a more comprehensive process to build and maintain relationships with service providers. They generally agree that a strong vendor management program should comprise four actions:
1. Create a vendor management committee. Enterprise-wide representation helps ensure coverage of all functions subject to vendor agreements and compliance with all of a bank’s policies and procedures.
2. Establish and maintain internal controls through a centralized vendor inventory. Managing vendor agreements in a centralized environment precludes duplication and facilitates a timely and efficient system for implementation, revisions and renewals.
3. Categorize vendors according to data access, access to bank facilities, and level of risk for potential compromises. The types of vendor services, level of risk to the organization, and exposure of bank operations help to determine an approved level of access for each vendor and any controls needed to manage the access.
4. Build and maintain a pool of knowledge about vendors and vendor management that is accessible enterprise-wide. Shared knowledge is critical for a bank to operate an efficient and effective vendor management program.
Kilmer advises that to manage third-party vendor relationships in 2016, “community banks must move beyond managing vendor risk with a compliance-based ‘check the box’ exercise. Tactically executing on building a database, assessing risk of the vendors and other fundamentals are all worthwhile and necessary as a foundation for the program.
“There’s a broader, more strategic role for vendor management. It’s not just about the risk of the vendor but the performance of the vendor and value to the bank.”
Brad Smith, a managing director with Cornerstone Advisors, agrees that vendor management considerations must be part of any good due-diligence process, which should involve a classic cost-benefit analysis that includes any risks associated with doing business with any company or service provider. “The examiners and auditors focus primarily on the risk aspect of the equation,” Smith says, “but the board and management need to take a more balanced approach when making technology investments and ongoing decisions.”
Smith recommends three key steps community banks need to take to keep pace with the growing regulatory expectations for third-party vendor management. The first step is to put in place an enterprise-wide risk assessment process that is ongoing and involves multiple managers, he says. “Many banks still assign a vendor risk rating based on one person’s judgment. Examiners expect a structured, repeatable vendor risk assessment.”
Ideally, such assessments would cover five to 10 key questions that vendors would answer before a bank purchases any product or service, he says. Then those questions would be updated and reviewed annually with vendors a bank does business with.
The second step Smith recommends is to report vendor management issues to bank executives and directors. A bank’s board of directors should receive an annual update on what the institution has done to evaluate the safety and performance of its outside vendors, Smith says. To help directors efficiently gauge their bank’s overall work and priorities, he suggests that the bank develop a color-coded, quick-view scoring and summary of its vendor activities and relationships along with information that outlines specific details behind those scores.
The third step Smith recommends involves business continuity planning for vendors. He says community banks should consult Appendix J to the FFIEC’s Business Continuity Planning Booklet. The appendix covers how banks can monitor whether third-party product and service providers are adequately prepared to handle and continue operating after a severe storm or other natural weather event. He notes that vendors may become flooded with business continuity planning program requests, so banks may need to get the testing into their plans and wait for vendors to respond. In the meantime, banks should continue to test the vendor functions that are more readily available.
America’s community banks can no longer organically grow every program they need to conduct their day-to-day business. They also can no longer afford to rely exclusively on local talent—regardless of the quality and dedication found there—to address technical, operational and compliance challenges. For these reasons, thorough, effective and disciplined third-party vendor management is now essential to every bank’s operational risk management.
The Office of the Comptroller of the Currency’s primary guidance on vendor risk management is OCC Bulletin 2001-47. The office developed the bulletin to further clarify effective auditing of vendor relationships. In a note addressed specifically to community banks, the OCC wrote that risk-management practices should be commensurate with the level of risk and complexity of an institution’s third-party relationships.
The OCC added that a community bank’s board and management should identify those third-party relationships that involve critical activities and ensure the bank has risk-management practices in place to assess, monitor and manage the risks.
The agency also said an effective risk-management process throughout the life cycle of a vendor relationship includes:
- a specific due-diligence process for selecting a third party;
- written vendor contracts that outline the rights and responsibilities of all parties;
- ongoing monitoring of all third-party activities and performance;
- contingency plans for terminating a vendor relationship in an effective manner;
- clear roles and responsibilities for overseeing and managing vendor relationships and a vendor risk-management process;
- documentation and reporting that supports vendor oversight, accountability, monitoring and risk management; and
- independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.
Further, the OCC points out that an effective third-party risk-management process should follow a continuous life cycle for all relationships. The agency breaks down the life cycle of vendor relationships into five phases:
1. Planning: Develop a plan to manage the relationship. This is often the first step in the third-party risk-management process.
2. Due diligence and third-party selection: Conduct a review of a potential third party before signing a contract to ensure an appropriate third party is selected, has sufficient controls in place and will perform its function consistent with the bank’s risk appetite.
3. Contract negotiation: Develop a contract that clearly defines expectations and responsibilities of the third party. Contracts should ensure that performance and responsibilities can be enforced.
4. Ongoing monitoring: Ensure that the third-party relationship is monitored regularly once a vendor contract is in place.
5. Termination: Develop a contingency plan to ensure that a bank can transition a vendor’s activities to another third party, bring the activities in-house or discontinue the activities. Such a transition could occur when a contract expires or its terms have been satisfied, in response to a contract default, or in response to changes in the bank’s or the third party’s business strategy.
Mary Thorson Wright, a former Federal Reserve managing examiner, is a financial writer in Virginia.