Vendor Management-
The Next Compliance Frontier
A two Part series-
Part Two Developing the Proper Balance There can be no doubt that vendor management is a “hot topic” among regulators these days. Each of the “prudential regulators” (OCC, FDIC, FRB) have all issued recent guidance about developing third party relationships. As we discussed in the first part of this series, the guidance from each of the regulators has a central theme. Put succinctly,
“ A bank should adopt risk
management processes commensurate with the level of risk and complexity of its
third-party relationships” [1]
The guidance from each of the regulators includes differing
levels of detail. However, there are
common themes of risk that are delineated.
In addition, it is clear that the regulators expect financial
institutions to complete due diligence on the third party services they
engage. Unfortunately, one of the
questions that remains open is just what level of due diligence is required for
each relationship. A corollary question
might be which services that are performed by third parties are considered
critical or core services.
While we agree that vendor management is a critical issue
and that your vendor management program must be appropriate and comprehensive,
we also believe that there must be a balance between the due diligence it performs on third party
services and what the bank does internally vis a vis the third party
providers.
History of Vendor
Relations and the Reason for the Guidance
Starting at the beginning of the first decade of the new
millennium, the relationship between banks and third party services providers
enjoyed a relative boom. During the time
period, banks used third parties to offer services that were traditionally in
house such and core operating systems,
In addition to these services, banks also used outside firms to offer
new and diverse products that the bank itself had not offered. Subprime lending and brokered deposits and
two such products.
While the use of outside vendors has many benefits such as
reduced costs and leveraging the skills and experience housed at the outside
firm. These relationship can also
increase risks. By the middle the decade, the level and types of risks that
these firms present began to present themselves. Some of the areas that regulators began to
find trouble with third party vendors included:
·
Several banks relied too heavily on a provider
to administer the flood loan portfolio.
When examiners review the
portfolio, they found many instances where the insurance amount was inadequate
, Further in one case, the provider was
unaware that changes had occurred in the flood mapping.
·
Vendors who have been retained to assist with
loan modifications have in many cases, failed to meet the agreed upon terms of
modification. In other cases, vendors delay the processing
of loan modifications by sending borrowers duplicate document requests, causing
hardships for the borrowers. If bank management is not monitoring a vendor’s
activity, it will not be aware of problems that may be occurring with the
vendor. We are all too familiar with how
this process created a huge problem during the financial crisis of 2009
·
Vendors who promised revenue enhancement. In several cases, the revenue enhancement
schemes included things like increased overdraft fees additional charges to
customers for use of their credit facilities.
This additional revenue resulted in UDAAP violations at banks and in at
least one case lead to enforcement action.
·
Privacy concerns that have been created by the
failure of a third party vendor to maintain adequate security over customer
records.
Various cases such as these has led to the guidance that we
now see being issued by the regulatory bodies.
The Federal Reserve issued a statement that describes the types of
activities that can lead to problems with third party relationships.
· Overreliance
on third-party vendors. The
regulators have made it clear that banks are ultimately responsible for the
work of their third party providers.
Therefore, even though the bank is outsourcing, it must do what is
necessary to administrate the area.
·
Failure
to train new staff or retain knowledgeable staff. There must be somebody at the bank that
understands what it is that the provider is doing!
·
Failure
to adequately monitor the vendor. There should be a way for the bank to
determine that the vendor is meeting standards.
The Bank must have a way to regularly monitor the results of the vendor
·
Failure
to set clear expectations. The
bank has to be clear in what it needs,
This includes letting the vendor know that expectations include keeping
up to date with changes in regulations.
The guidance in the area of vendor management is written to
address these concerns and the problems that have historically been caused by
the third party vendors. All of the
guidance is clear that the regulators will hold the banks ultimately responsible
for the actions of its vendors.
Level of Due Diligence
One of the questions that we noted above was about what
level of due diligence is required for a third party contract. The OCC guidance defines a critical activity
as
Critical activities—significant bank
functions (e.g., payments, clearing, settlements, custody) or significant
shared services (e.g., information technology), or other activities that
·
could cause a bank to face significant
risk if the third party fails to meet expectations.
·
could have significant customer impacts.
·
require significant investment in resources to
implement the third-party relationship and manage the risk.
·
could have a major impact on bank operations if
the bank has to find an alternate third party or if the outsourced activity has
to be brought in-house.[2]
For those arrangements that involve critical activities, the
expectation is that the that bank will
perform comprehensive due diligence at the start of the contracting process as
well as monitoring throughout the execution of the contract.
The steps that are necessary for the proper engagement of a
third party for a critical activity are discussed in each of the regulatory
guidance documents that have been released.
The OCC bulletin provides the most comprehensive list that
includes:
·
Relationship
Plan: Management should develop
a full plan for the type of relationship it seeks to engage. The plan should consider the overall
potential risks, the manner in which the results will be monitored and a backup
plan in case the vendor fails in its duties.
·
Due
Diligence : The bank should
conduct a comprehensive search on the background of the vendor, obtain references, information
on its principals, financial condition and technical capabilities. It is during this process that a financial
institution can ask a vendor for copies of the results of independent audits of
the vendor. There has recently been a great deal of
attention given to the due diligence process for vendors. Several commenters and several banks have
interpreted the guidance to require that a bank research a vendor and all of
its subcontractors in all cases. We do
not believe that this is the intention of the guidance. It is not at all unusual for a third party
provider to use subcontractors. We
believe that a financial institution should get a full understanding of how the
subcontracting process works and consider that as part of the due
diligence, however, it impractical to
expect a bank to research the backgrounds of all potential subcontractors
before engaging a provider.
·
Risk
Assessment: Management should
prepare a risk assessment based upon the specific information gathered for each
potential vendor. The risk assessment
should compare the characteristics of the firms in a uniform manner that allows
the Board to fully understand the risk associated with each vendor. [3]
·
Contract
Negotiation: The contract should
include all of the details of the work to be performed and the expectations of
management. The contract should also
include a system of reports that will allow the bank to monitor performance
with the specifics of the contract.
Expectations such as compliance with applicable regulations must be
spelled out. The OCC bulletin includes
the following phrase:
o Ensure
that the contract establishes the bank’s right to audit, monitor performance,
and require remediation when issues are identified. Generally, a third-party
contract should include provisions for periodic independent internal or external
audits of the third party, and relevant subcontractors, at intervals
and scopes consistent with the bank’s in-house functions to monitor performance
with the contract
This language has also been the
subject of a great deal of media and financial institution attention. Some have interpreted this phrase to mean
that a community bank that uses one of
the large core providers has the right to perform an independent audit of the
provider. We believe that this
interpretation is inaccurate as it would be impractical to carry out. We believe that the phrase means that the
financial institution is entitled to a copy of the report of the independent
auditor.
·
Ongoing
Monitoring: Banks must develop
a program for ongoing monitoring of the performance of the vendor. We recommend that the monitoring program
should include not only information provided by the vendor, but also internal
monitoring including
o Customer
complaints;
o Significant
change sin sources of expenses and revenues
o Changes
in loan declines, withdrawals or approvals
o Changes
in the nature of customer relations ships (e.g. large growth in CD
customers).
·
Oversight
and Evaluation: There should be
a fixed period for evaluating the overall success and efficacy of the vendor
relationship. The Board should, on a
regular basis evaluate whether or not the relationship with the vendor is on
balance a relationship with keeping.
[1] OCC
BULLETIN 2013-29
[2]
Ib. Id.
[3] It
should be noted that the regulatory agencies have made it clear that they
expect the Board of Directors to present a credible challenge to the
information being presented. To do so,
the Board must be fully informed of the risks associated with each potential
vendor.
No comments:
Post a Comment