Vendor Management: Service Providers Respond to New Pressure from Regulators
Increased Scrutiny on Outsourcing Puts Heavier Burden on Market's Smaller PlayersThe major banking regulatory agencies have sent a clear statement to the institutions they oversee: Do a better job of selecting, contracting with and managing your major vendors. (See: Vendor Management: New Guidance Pressures Institutions to Improve Outsourcing Practices).
But the pressure isn't solely on banking institutions to improve their practices. The heat is also turned up on the vendors themselves to anticipate their clients' needs and to do a better job helping them respond to these higher levels of regulatory scrutiny.
The larger service providers and larger institutions are "well aware of the vendor management tasks they need to perform," notes Ken Stasiak, CEO of SecureState, a Cleveland, OH information security risk assessment firm.
The real pressure, observers say, is on the smaller "mom and pop" vendors. Financial institutions have already been doing third-party risk assessments under the requirements of the Gramm Leach Bliley Act and as part of their regulatory examination. But with the increased focus, the costs associated with performing additional risk assessments are likely to be absorbed by the institutions and vendors alike - a heavy burden for the smaller players.
Large Vendors: Business as Usual
Tom Wachtl, Corporate Senior Vice President and Chief Technology Officer for FISERV's Online Banking Group, agrees that recent regulatory guidance affects the smaller vendors more than the top tier banking service providers. "We've been operating under those guidelines and expectations for many years," Wachtl says. FISERV, he notes, is one of the service providers that is assessed directly by the federal regulatory examiners. FISERV meets with bank examiners of the Federal Financial Institutions Examination Council (FFIEC) once per quarter to keep them updated on FISERV activities.
Metavante, another financial institution service provider, also goes through the "very rigorous tests and audits," both internally and by the FFIEC for vendor management. Dave Fortney, the Chief Technical Officer at Metavante, says the firm regularly shares the results of these audits with its financial institution customers.
Fidelity National Information Services (FIS) also undergoes the FFIEC audits, according to Michael Weathers, Senior Vice President of Governance and CISO at the global service provider. "We don't anticipate making any significant changes to our program," Weathers says. "To ensure FIS is meeting our clients' ongoing needs, we have established a semi-annual roundtable session with clients to review our governance, security, audit, business continuity and vendor programs."
Last year, FIS was invited to present its client/vendor governance program to the FFIEC's national examiner conference because it was "noted to be the gold standard within the industry," Weathers says.
Industry analysts share the large service providers' perspective on the vendor management landscape. "The increased scrutiny being placed upon third-party solution providers will likely impact the smaller players in the industry," says David Schneier, Director of Professional Services, Icons, Inc. Entities such as FISERV are already addressing many of the concerns inherent in the relationship between a financial institution and a vendor, he says. "These firms are providing SAS 70s that are comprehensive and well-documented," Schneier says. "Their contract language is specific to information security and data handling policies/procedures, and the contract language provides service level agreement touch points."
The SAS 70 - or Statement on Auditing Standard 70 - is a professional standard are set up for a service auditor to audit and assess internal controls of a third-party service provider. Recent regulatory guidance is clear that SAS 70 reviews alone do not suffice as evidence of an institution's risk assessment program, but they are a foundation upon which stronger practices can be built
Schneier cautions that a SAS 70 also doesn't necessarily provide assurances that the vendor is operating in a secure and properly managed environment. "It simply provides proof regarding what was tested," Schneier says. "Upon closer inspection, some of these vendors may, in fact, be found to have issues that were previously overlooked."
Smaller Vendors: Pay to Play
The cost to become as robust as the larger vendors is a challenge for the smaller players in the market, Schneier agrees.
"Providing such a strong compliance posture requires a significant investment," he says. "For the smaller vendors who haven't had to address this or have only done so partially, this will present challenges in terms of financial and resources constraints."
With the looming reality of real costs involved with generating the type of controls necessary going forward, "This could wind up being too great a burden to bear" for vendors with a single offering or a small market share. Schneier sees smaller vendors who are doing things right, "but never had to provide proof, and [now] may be revealed as being more secure, more reliable and better business partners than their larger competitors."
David Walter, senior product manager at Archer Technologies, a risk and compliance solutions vendor, says there has been "an explosion" in the past 18 months on the management side on the controls that vendors place on data. He, too, sees an increased cost burden on both institutions and service providers.
Steve McCalmont, CEO at Avior Computing, an analytics-based software as a service company, says vendor risk has long been a major issue in the financial services industry. "It is now being put into reasonable perspective, and everyone is getting a better understanding of it," he observes. Regulators are pushing financial institutions to look at their overall risk as a whole, "not just one single vendor or one area of their institution." This leads to more questions being raised by institutions, and more vendors being assessed on how well they are handling risk within their own operations.
McCalmont sees two ends of the vendor management spectrum:
"Sending an excel spreadsheet via email asking those types of questions is an information security flaw in itself," McCalmont says.
The BITS Shared Assessment program (See related story: Is This Vendor Management's Silver Bullet?) has developed a secure portal for industry vendors to submit their information to institutions -- just because they did not want such sensitive information about their services being sent in a spreadsheet over email, McAlmont notes. For those institutions that can't afford or aren't mature enough yet to add automation internally, this portal offers them the ability to retrieve information in a secure manner from their vendors.
Even so, BITS is a division of the Financial Services Roundtable, which in turn was created by the CEOs of the 100 largest financial institutions in the U.S. The Financial Institution Shared Assessments Program (FISAP) developed by BITS is an exhaustive process that can prove taxing upon smaller institutions and vendors that lack sufficient resources dedicated to the process.