Vendor Risk Management: Time to Review Your Program

For many years, banks have relied on third-party vendors for a range of services, including core bank processing, IT, accounting, internal audit, appraisals, loan review and servicing, anti-money laundering compliance, collections, sales and marketing, and human resources. Managing the risks associated with outside vendors is key, because such parties are considered an extension of bank personnel. To protect your institution, you should:Minimize exposure. Outsourcing select services to a third party doesn’t relieve a bank from responsibility and legal liability for compliance or consumer protection issues. And as banks and vendors increasingly rely on evolving technologies to deliver products and services, their exposure to ever-changing cybersecurity risks demands constant vigilance.Even if you have a solid vendor risk management program in place, you’ll need to review it periodically. Banking regulators expect your program to be “risk-based”—that is, the level of oversight and controls should be commensurate with the level of risk an outsourcing activity entails. But here’s an important caveat: Risk can change over time.Some vendors, such as appraisal and loan collection companies, have traditionally been viewed as relatively low risk. But in today’s increasingly cloud-based world, any vendor with access to your IT network or sensitive nonpublic customer data poses a substantial risk. Last year, for example, Scottrade Bank experienced a data breach that exposed 20,000 customer records when a third-party vendor—a professional services provider—uploaded data to a cloud server that lacked proper security safeguards.Ask questions. Here are some questions that will help you review your vendor risk management program:

• Have you conducted a risk assessment? Determine whether outsourcing a particular activity is consistent with your strategic plan. Evaluate the benefits and risks of sending that activity out of office as well as the service provider risk. This assessment should be updated periodically.
• Generally, examiners expect a bank’s vendor management policies to be commensurate with the institution’s size and complexity. They also expect more rigorous oversight of critical activities, such as payments, clearing, settlements, custody, IT, or other activities that could have a significant impact on customers—or could cause significant harm to the bank if the vendor fails to perform.
• Have you thoroughly vetted your service providers? Review each provider’s business background, reputation and strategy, financial performance operations, and internal controls. The depth and formality of due diligence depends on the risks associated with the outsourcing relationship and your familiarity with the vendor. If your agreement allows the provider to outsource some or all of its services to subcontractors, be sure that the provider has properly vetted each subcontractor. The same contractual provisions must apply to subcontractors, and the provider should be contractually accountable for the subcontractor’s services.
• Do you rely on one vendor for most outsourced services? Doing so may provide cost savings and simplify the oversight process, but diversification of vendors can significantly reduce your outsourcing risks, particularly if a vendor has an especially long disaster recovery timeframe.
• Do your contracts clearly define the parties’ rights and responsibilities? In addition to costs, deliverables, service levels, termination, dispute resolution, and other terms of the outsourcing relationship, key provisions include compliance with applicable laws, regulations, and regulatory guidance; information security; cybersecurity; ability to subcontract services; right to audit; establishment and monitoring of performance standards; confidentiality (in the case of access to sensitive information); ownership of intellectual property; insurance, indemnification, and business continuity; and disaster recovery.
• Do providers receive incentive compensation? Review incentives carefully to be sure they don’t encourage providers to take excessive risks.
• Have you reviewed vendors’ disaster recovery and business continuity plans? Be sure that these plans align with your own and are reviewed at least annually. Also verify that vendors have the ability to implement their plans if necessary.
• Are you monitoring vendor performance? Monitor vendors to ensure they’re delivering the expected quality and quantity of services and to assess their financial strength and security controls. It’s particularly important to scrutinize and control external network connections, given the potential cybersecurity risks. The level of oversight required depends on the risks presented by a particular vendor.
• Do you conduct independent reviews? Banking regulators recommend periodic independent reviews of your risk management processes to help you assess whether they align with the bank’s strategy and effectively manage risks posed by third-party relationships. The frequency of these reviews depends on the vendor’s risk-level assessment, and they may be conducted by the bank’s internal auditor or an independent third party. The results should be reported to the board of directors.

Be vigilant. If your bank outsources key functions to third parties, it should develop and maintain a comprehensive risk management program for selecting, vetting, and overseeing outside vendors. Failure to do so can expose your bank to significant risks, including regulatory noncompliance, cybersecurity breaches, violations of consumer protection laws, and lasting damage to your reputation. To protect your institution, a good rule of thumb is to exercise at least the same level of vigilance in managing third-party activities as you do in managing in-house activities.While there’s no way to eliminate all risk associated with third-party relationships, proactively and consistently auditing these types of arrangements can provide the peace of mind that you and your customers deserve.Common weaknesses in vendor risk management programsAccording to the Federal Reserve, examiners have observed the following common vendor risk management weaknesses:

• Insufficient oversight by banks’ directors.
• Failure to maintain a formal, documented outsourcing policy.
• Vague contract terms, particularly with regard to vendor performance requirements.
• Contract terms that favor the vendor.
• Inadequate disaster recovery tests, especially related to potential cybersecurity events.
• Inadequate review of vendors’ information security and cybersecurity procedures.
• Inappropriate risk ratings of critical vendors.
• Reliance on one vendor for several critical products or services.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.