Making Your Vendor Management Program Work
Your vendors are doing work for you and are handling data that your regulators consider sensitive. How do you keep up with what your vendors are doing, and how do you manage your vendor relationships? Financial institutions of all asset sizes depend on third party service vendors to process important transactions and handle data. And don’t forget, your regulator is also interested in the steps and controls you have in place to create a solid vendor management program.
Many banks and other financial institutions provide products and services through arrangements with third parties. "Appropriately managed third-party arrangements can assist banks in attaining strategic objectives," said Sandra Thompson, Director of the FDIC's Division of Supervision and Consumer Protection. In the same recent FDIC statement she also stressed "Understanding the importance of managing the potential risks that can exist with these arrangements." Ask any financial institution examiner these days what they’re interested in, and more often than not, vendor management program oversight is on their list.
Your regulators are concerned with the safety and soundness of your institution, and the continuing movement toward outsourcing services and technology by more and more financial institutions has heightened the examiners’ focus on vendor management. The rule to follow: your vendor’s information security program should be structured as rigorously as your own, especially in the wake of news headlines such as the recent TJX data breach. So when you decide to outsource a function, the choice of vendor and the oversight of that vendor need to be embedded into your institution’s risk management process.
There are steps you’ll want to take when deciding to move a function over to a third party vendor. The first step is performing a risk analysis, which ends up being a large part of vendor management. You will want to identify how important the function is to the institution, which actions the vendor will take over, and how much risk is injected into the function by moving it to a third party vendor. The more risk that is involved, the more attention is needed in the due diligence of choosing, contracting with, and managing and monitoring the vendor. As with any risk analysis performed in a financial institution, you’ll want to document each step as if your regulatory body’s examiner were at your elbow. Look at how the third party vendor’s business function meets your institution’s needs for that outsourced activity. Assess what effect it would have if the vendor’s product didn’t work or wasn’t able to handle the needs of your business. Is it an essential function that you’re handing over to the vendor? Are there backup vendors who could step in if this vendor failed to deliver? And most importantly, how transparent is the business function in relation to your customers? Will you be able to easily oversee the outsourced function?
The results of the risk analysis you completed prior to contracting with the third party vendor will point to the amount of due diligence needed in the selection process. You will want to have a solid understanding of the vendor’s operational abilities and its ability to deliver the service.
As a financial institution, your approach will need to include questions on the vendor’s operations, staff, level of experience, and the controls the vendor has in place at its office or operations center. The level of experience of the vendor’s employees, whether staffing levels are adequate to meet your needs, the vendor management team’s knowledge of the financial services industry, and the vendor’s employee turnover rate are key points to collect information on when talking with the vendor.
You’ll want to know other operational points as well, such as how long the vendor has provided the service you’re looking to outsource, and whether it provides this service to other institutions locally, regionally or nationally. Does the vendor willingly provide references from other clients, and can you check with industry associations or user groups about the quality of its service? Do the references confirm the quality of service provided by the vendor? You’ll also want to make sure that the business function you’re outsourcing to the vendor isn’t then turned over to the vendor’s own third party or partner to perform. Check whether the vendor has been sued by other institutions or businesses it has contracted with. If that’s the case, you’ll want to look closely at the vendor’s overall reputation and its ability to give your institution the service it requires.
You will also need to review the regulatory and other legal requirements that apply to the vendor’s service and ensure that the vendor is in compliance with them. If the vendor is located nearby and the risk analysis you’ve performed indicates a higher risk, you may want to visit the vendor and perform a site inspection. Bring a list of checkpoints and questions, and don’t leave the vendor site until you’re satisfied with the level of attention and compliance. If your vendor prospect is on the other side of the country or located outside of the U.S., you’ll have to do this investigation through other means.
You’ll want to look at the vendor’s controls and its overall operations. Points to look at include how the vendor’s internal information security controls are configured. Can the vendor handle your institution’s information (including customers’ confidential information) in a secure manner? Does it have policies and procedures in place for internal controls, record keeping, employee background checks and physical security for its operations? Does it perform internal audits on a regular (at least annual) basis, and are those internal audit reports available to you? What type of business continuity plans does the vendor have? Can it restore its operations, including the services provided to your institution, in a timely manner after a disaster? Do its business continuity plans contain an adequate recovery effort, especially where you, the customer, are concerned?
In performing due diligence, you need to examine the finances of the prospective vendor. Look closely at all audited financial statements. If audited financial statements are not available, inspect the vendor's most recent and year-end balance sheet and income statements. A red flag should go up if this type of financial information is not available from the vendor; a lack of information must be counted as a risk in your assessment of the vendor. Also ask for proof of adequate insurance coverage and whether all of the vendor’s policies are up to date. Does it have adequate coverage, including liability, fire, data loss, document protection and other coverage, at levels comparable to the work performed? One more question to ask: will adding your institution as a customer mean the vendor must add more staff or purchase more equipment, and if so, can it take you on as a customer and bear the additional cost?