Vendor Management – The Devil’s in the Details

By Deepa Saldanha, Director, Professional Services

Much has already been written about vendor management. However, it’s important to address the role that the compliance function can play in the management of vendors for financial services institutions. You only have to read the headlines to know how important the intersection of information security, auditing, governance and outsourcing is today.

The growth of outsourcing has the potential to increase the information security risk profile of any organization through the expanding network of partners with shared access to sensitive data. This risk is accelerated through the advent of cloud computing where information becomes even more dispersed and decentralized over the Internet. And when a bank or credit union outsources data management to a vendor who offers services in the cloud, there is even more risk to consider and manage.
 
Using the cloud for data processing and storage may have its advantages in terms of simplicity and cost, but ensuring regulatory compliance is not nearly as simple. Compliance in the cloud is challenging, and it’s possible, but it takes special effort. You need to understand what you’re responsible for versus your cloud service provider and one thing you don't want is a costly and labor-intensive manual audit mechanism. We’ve noticed increasing pressure by federal regulators or internal auditors to ensure that vendors are managing information risk in a manner that’s consistent with best practices or specific regulatory requirements.
 
In this article from the ABA Bank Compliance magazine (American Bankers Association), you’ll learn how to incorporate vendor management into your compliance risk assessment process, the type of due diligence expected to be performed on a vendor, and how to monitor your vendors to ensure they are delivering up to your standards. The worksheet referenced in the article can be requested by sending an email to info@coalfiresystems.com with ‘vm worksheet’ in the subject line.

Vendor Management: The Devil’s in the Details
Source: ABA Bank Compliance Magazine, November/December 2010 issue (American Bankers Association)

If you’re a compliance officer, you no doubt have very little leisure time for reading articles that appear to have little, if any, applicability to the numerous responsibilities you already own. Thus, at first glance you might be inclined to take a pass on this article. You probably view vendor management in the traditional sense--it's an information technology (IT) or operations function. However, as this article reveals, vendor management and compliance are inextricably connected. And, as you will see, the devil is in the details.
 
How did we get where we are today? Well, let's start by taking a walk back in time. Vendor management first came on the scene as a specific topic of risk around 2000. It started in the IT area and has morphed into its own piece of the regulatory examination process. IT has always been the starting point for vendor management. It truly began with the fury of fear about the Year 2000 (Y2K) problem in software systems, As early as December 17, 1997, statements such as the following were made by the Federal Financial Institutions Examination Council (FFIEC) regarding vendor due diligence:
 
The purpose of these safety and soundness guidelines is to underscore the responsibilities of senior management and the boards of directors. This includes managing the internal and external risks presented by providers of data-processing products and services {vendors}, business partners, counterparties, and major loan customers.

Interestingly enough, before the Y2K phenomenon little can be found on vendor management, vendor due diligence, or vendor monitoring. On March 21, 2000, the FFIEC issued SR 00-5(SUP), titled "Lessons Learned from the Year 2000 Project." This SR discusses different topics regarding the process for the Y2K project and there it is: "vendor management."The paragraph is four sentences long and has been a driving force for vendor management programs all over the country. So what exactly did it say?
 
Financial institutions established better due diligence processes to oversee service providers and software vendors that provide mission-critical services and products, many financial institutions that relied upon service providers, software vendors, and consultants found that they had substantial risk exposures related to vendor management that were not adequately measured, monitored, managed, or controlled. Many financial institutions expanded their analysis of the ability of service providers, software vendors, and consultants to fulfill their contractual obligations. In addition, institutions took steps to improve communications and clarify roles, responsibilities, and contractual obligations.

First, let's be clear: what was said back then is not the reality of today. Since these four sentences, vendor management has rapidly evolved into a demon of work that now includes significant components of a bank's examination process. In 2007, the Federal Deposit Insurance Corporation (FDIC) issued a new IT officer's questionnaire and vendor management not only is referenced throughout, but also has its own section. FDIC listed part 5 of the questionnaire with this lead-in statement: "Given the increased reliance on outside firms for technology-related products and services, please answer the following questions to help us assess the effectiveness of your vendor management and service provider oversight programs." Clearly vendor management was playing a bigger role in the IT examination process. Did it stop there?
 
No. Vendor management has continued to spark flames in many areas of the examination process. The Office of the Comptroller of the Currency (OCC) listed vendor management as a control in its public handouts for a May 6, 2003, telephone seminar about information security. In that presentation the OCC stated that each bank must understand the security of its vendor as a nontechnical control. In order to do so, the bank must answer the following questions:

  •  Has your vendor historically maintained a secure environment?
  • Are your security requirements part of the vendor contract?
  • How do you know the vendor is fulfilling those requirements?
  • What if a security incident occurs at the vendor? Is the bank told and are procedures in place for a coordinated response?

These are just a few of the items listed in the handout for the telephone seminar. Noticeably, we see vendor management becoming a more robust component of the regulatory examination process. Vendor management started as an IT component requiring banks to identify and acknowledge the vendors it used. In three years, vendor management guidance included the requirement that the bank have knowledge of the vendor's security protocols protecting bank data and understand the vendor's potential impact on the bank's risk profile. Vendor management was about information security as a whole, not just IT.

As part of information security, vendor management had to be incorporated into business continuity testing, control matrices, and privacy programs. On the surface, vendor management appeared to be simply a small fire in one designated field, but the continued growth and due diligence requirements pushed vendor management into more fields and subfields of the overall risk management program of an institution. So, how exactly did vendor management get to compliance?
 
Vendor management's movement toward compliance was quiet and stealthy until the last couple of years. (Keep in mind, vendor management is still an IT and information security issue, too.) Between 2004 and 2007 there was little focus in the compliance area on vendor management, but in 2008 the "state of vendor management" began to emerge. Forrester Research, a technology and market research company, said, "... [this] shows that the investment and focus on vendor management activities continues to increase. This trend shows that firms are clearly taking more of an activist sourcing approach, which is also paying off in a higher level of satisfaction with their decisions to outsource."

In contrast, in 2008 as an industry we start to see the emergence of the vendor as a real threat for the bank. What if the vendor is mishandling data? What if the vendor files bankruptcy or shuts down? What if the vendor has a power outage or a disaster and—here it comes—you cannot provide bank statements, disclosures, or other regulatory compliance documents?
 
Vendor management became a compliance issue because of regulatory requirements to deliver information to the customer in a specified time frame and in a specified manner. Regulations such as Z, X, B, and CC (to name a few) are time sensitive and require specific verbiage. If a vendor is not keeping up with regulatory requirements and does not have a business continuity plan (BCP) and an information security program, the compliance program of the bank is in perilous danger. So now what?
 
While there is no specific section of the Compliance Examination Handbook called vendor management, it is intertwined with the enterprise risk management program by default. Compliance examiners will ask for the vendor management risk assessment as well as the bank's vendor management policies and procedures and yes, they will look at a sample of your contracts as part of your enterprise risk management program. Now that we know how we got here, what do we do?
 
Risk Assessment
Determine the criticality of the function to be outsourced.
 
Do you know the compliance risks your vendors present? This is an important question and one the regulators expect you to be able to answer. The key to a mature compliance function is being able to appropriately determine all of your institution's compliance risks. For those functions that are outsourced, it is important to determine how critical they are to your bank. To start, you might seek the answers to two questions: What risks are impacted—legal, reputation, operations, compliance? And, if this function fails, what would the practical implications be to the bank?
 
For example, let's imagine that your bank hires ABC Collections Agency to collect its past due debts. ABC will have direct and indirect contact with the bank's customers. In addition to a host of regulatory and legal requirements, the collectors contacting customers will be viewed as if they are bank employees. Any failings by ABC could have a devilish impact on the bank's compliance rating and even its reputation. The potential impact of ABC's failing to adhere to the bank's standards makes this relationship critical to the bank and one that requires heightened scrutiny.

On the other hand, let's assume a number of your bank's branch offices are fairly old and require regular plumbing maintenance. The bank decides to sign Joe's Plumbing Service to a maintenance contract. Although ensuring that the plumbing is working properly is important, the failure of the hot water to come on when called upon does not pose the same level of risk to the bank as does the relationship with ABC.
 
Determining the criticality of the function to be outsourced should be the first step in determining how much risk your bank is taking by outsourcing a function. This will also help you determine how much due diligence (something we discuss in more detail below) is necessary for a particular vendor. After distinguishing between your critical and noncritical vendors, you are now ready to include those critical vendors in your compliance risk assessment process.

Determine what laws and regulations apply.

Just as you assess the risks of each of your bank's business lines that offer the bank's products and services, you should apply the same scrutiny to your third-party vendors. As with any risk assessment, you must first determine which laws and regulations are impacted by the function you've outsourced. Don't make the mistake of thinking that just because your contract with a third-party provider requires it to comply with all applicable laws and regulations that you're off the hook for any missteps it might make. The fact is that even if you are able to recover monetary damages for their noncompliance, such recoveries will not satisfy your compliance examiners and can never restore your bank's good name.
 
After determining the criticality of the outsourced function, you should develop an inventory of the laws, regulations, and bank policies that the vendor is required to adhere to. You then need to determine the inherent risk posed by this relationship and test the adequacy of the control environment the vendor has in place to mitigate the risk; this will lead you to conclude the residual risk posed by this relationship.
 
As you embark on this risk assessment process, there are various tools you can develop to assist in determining the risk each of your third-party vendors poses. An example would be to develop a vendor management risk assessment worksheet. Answering the questions presented on the worksheet will help you determine the risk level each of your vendors presents. This sounds like a lot of work, and it is. But if you are not currently considering the functions you outsource to third parties in your compliance risk assessment, you should.
 
The regulatory environment is more intense today than it ever has been. Simply relying on the reputation of your vendor or the contract you have in place is little security these days.
 
Due Diligence
 
In my search for the keys to effectively managing third-party relationships, I continued to run into the concept of "due diligence." I then sought to find an appropriate definition of this concept in the context of managing vendor relationships. The following definition was the best I found: "Due diligence is a reasonable inquiry into a vendor's ability to operationally meet the bank's requirements for the proposed service and an inquiry into the vendor's financial ability to deliver on its promise." In other words, can the vendor do the job the bank is hiring it for and is it financially sound? Ah, more details. The financial soundness of your vendor is an important factor, too.