Did you know your bank could be responsible for the performance of your vendors?
No bank wants to encounter regulatory trouble or face reputational risk; especially as a result of vendor activities. It’s a well-known fact that vendor management due diligence is a topic of increasing importance for all credit unions. The Office of the Comptroller of the Currency (OCC) has provided clear direction regarding vendor due diligence. Additionally, the OCC has deemed several areas as critical in third-party vendor management.
Risk Assessment & Planning
- Banks should complete a comprehensive risk assessment prior to engaging a third-party relationship.
- Risk areas include Credit, Interest Rate, Liquidity, Price, Operational, Compliance, Strategic, and Reputational.
- Officials should document how the relationship will relate to their bank’s strategic plan.
Due Diligence
- Banks must demonstrate an understanding of the vendor in order to effectively identify and mitigate risks. Key due diligence elements include Organization, Business Model, Financial Health, and Program Risks.
- It is important to contemplate what degree of due diligence rigor is required. Not all vendors are created equal. More complex vendor relationships with more risk will typically require increased due diligence; less complexity and risk means less rigorous due diligence.
- Ongoing monitoring and control is equally as important as upfront due diligence. Banks must be able to continually measure performance and risk.
Risk Measurement, Monitoring and Control
- Documented policies and procedures are critical in terms of clearly outlining processes and responsibilities.
- A method for vendor performance management should be developed and implemented to validate expectations are being met. One commonly used performance management tool is a scorecard.
- A solid performance management tool will aid in ensuring vendor processes are in control and risks are mitigated; if performance is below expectations, then the bank must take appropriate corrective action to ensure remediation occurs.
Failure to conduct thorough due diligence and effectively monitor vendors places a bank at risk.
All banks utilize vendors to help them achieve their strategic objectives. As the OCC has conveyed, the utilization of vendors does not in any way diminish the bank’s level of responsibility. In fact, vendors are essentially extensions of the bank.
Ultimately, the performance of vendors can directly influence how banks are viewed. Furthermore, failure to conduct thorough due diligence and effectively monitor vendors places a credit union at risk. Again, it is important to keep in mind that all vendor relationships will not require the same level of due diligence and ongoing monitoring. Banks must determine, based on a risk assessment what is appropriate for a particular vendor.
There are a number of important questions banks should contemplate in their vendor management programs. We will explore five that are focused on ensuring banks understand and effectively mitigate risks they face as well as the risks to their members.
1. How do you ensure my customers’ information is protected?
This is a critically important question. Banks must ensure Gramm Leach Bliley Act (GLBA) compliance. Questions related to the flow of customer data should be explored and documentation obtained as to what occurs with customer information in various processes (marketing, billing, servicing, etc.). In addition, the documentation should include customer data touchpoints that take place even beyond the primary vendor; i.e. with subcontractors. Topics such as data encryption are critical for banks to thoughtfully consider. This point cannot be stressed enough. Privacy compliance is non-negotiable, and banks should obtain evidence to confirm their vendors’ processes are effective and compliant.
2. What industry-recognized certifications does your company hold?
There are a number of certifications vendors may hold that attest to their capabilities. Banks should request and even require vendors to provide certifications and documentation to validate the soundness of internal controls. A few examples include:
- SSAE16 (Statement on Standards for Attestation Engagements) Report: Based on an independent party’s evaluation of a service provider’s control policies and procedures.
- PCI (Payment Card Industry) Certification: Based on a set of requirements designed to ensure companies that process, store, or transmit credit card information in order to maintain a secure environment.
- ISO (International Organization of Standardization) Certification: 27001 is based on a set of Information Security System standards to ensure data security.
3. What is your level of experience and market position?
Banks should consider the experience of vendors. Are they new to the market or proven in their industries? Banks should request documentation or evidence of vendors’ market stability. Additionally, a valuable exercise is to complete a competitive analysis to better understand the vendors’ position in the market and to help validate that the best vendors are being considered and ultimately selected.
4. What ongoing reporting can you provide?
An important point is ensuring a positive member experience. Banks should work with their vendors to ensure an appropriate reporting process is agreed upon and implemented. The bank is required to monitor vendors, and to accomplish this, quality data is needed. Information related to service level performance, complaints, etc. is critical to understand the experience a vendor is providing to members. A best practice is to contemplate reporting requirements in the contracting process.
5. Is your company financially stable?
Visibility into the financial stability of vendors is vital. Banks must understand the financial structure and health of vendors. Many independent ratings agencies can assist in this review. Obtaining and reviewing financial statements and reports is a best practice. It is also important to understand the growth trajectory as well as challenges of vendors. EBITA (earnings before interest, taxes, and amortization) is an example of a helpful metric to understand. This is a widely recognized indicator of a company’s efficiency and profitability. Understanding a vendor’s profitability is critical; regardless of whether the company is privately or publicly owned.
Know Your Vendors
There are many additional questions that should be raised by banks as they engage with and actively manage third-party vendors. To this point, it is always helpful if banks engage with vendors who have a clear understanding of regulatory requirements related to vendor management. Ideally, vendors will have a well-developed vendor due diligence program or process that aligns to regulatory requirements. This will make bank due diligence much easier and you’ll know the vendor you’re working with takes vendor management seriously.