Vendor Management Best Practices
When regulatory requirements impact strategic or management action, our goal is to help business leaders make well-informed decisions.
Outsourcing a function DOES NOT outsource the corresponding Risk
"Reliance on third-party relationships can significantly increase a bank's risk profile, notably strategic, reputation, compliance, and transaction risks. Increased risk most often arises from poor planning, oversight, and control on the part of the bank and inferior performance or service on the part of the third party, and may result in legal costs or loss of business. To control these risks, management and the board must exercise appropriate due diligence prior to entering the third-party relationship and effective oversight and controls afterward." (OCC 2001-47).
Board of Directors and Senior Management are responsible for providing “appropriate oversight and risk management of significant third-party relationships.” (FDIC Guidance).
Who are our “Vendors”?
FDIC focuses on significant third-party relationships, determined by whether:
It is a new relationship OR involves implementing new bank activities;
It may have a material effect on the institution's revenues or expenses; The third party performs critical functions;
the third-party stores, accesses, transmits, or performs transactions on sensitive customer information;
The third-party markets bank products or services;
The third party provides a product/service involving subprime lending or card payment transactions; or
The third party poses risks that could significantly affect earnings or capital.
Third Party Originator Example
Bank wishes to contract with a residential mortgage broker to boost mortgage originations. This would be a “significant” 3rd party relationship because it is a new activity for the bank and the 3rd party would have access to sensitive customer information. Following the FDIC’s guidance, the Bank should have a risk assessment completed and delivered to the Board for discussion. Due diligence should be performed in selecting the 3rd party. For example, an on-site visit is recommended. It is also recommended that the Bank investigate multiple mortgage brokers. Third, a written contract should be structured that requires the 3rd party to follow Bank policies and to remain in compliance with other laws. The contract should also describe the service to be provided. Finally, the 3rd party’s performance should be monitored. This may be accomplished by subjecting a portion of the mortgage broker’s loan through a post-closing quality control and compliance review.
What about those who are NOT "Significant"?
Don't just ignore them! This should go without saying, but just because they are not a significant vendor, does not mean they cannot pose legal, reputational, or operational risks to your operations. Consider the following examples:
Example 1: You’re co-marketing with a realty company. They’re not considered subject to our formal vendor management program. But why are you comfortable doing business with them?
Example 2: Your local mayor is partnering with you to provide free financial service classes at the local library. Obviously this is an example that seems perfectly safe, presuming the mayor is a respected person and the library has no evil intentions. But imagine a scenario with less savory parties –who makes the decision on whether to engage in that relationship?
Example 3: Commercial lending runs ad campaign with owner of new marijuana dispensary in Massachusetts where the owner says “Don’t be a dope! Bank ABC has the good stuff. Business checking accounts and commercial loan options that will save you major coin.” The owner is then arrested for selling marijuana to minors, but not before local newspapers ran full page advertisements distributed across your assessment area.
Vendor Management Principles:
Risk Assessment
Identify and describe risks/laws
Mitigating Controls
Continue or not?
Due Diligence in Onboarding
Licensed/Registered
Evaluate vendor compliance
Written Contractual Relationship
Clear expectations Customized to vendor
Performance metrics
Termination
Policies and Procedures
Board Oversight
Privacy and Security
Proper Incentives
Set Expectations and consequences
Monitoring and Corrective Action
Monitoring and testing
Remedial actions
Thanks so much for reading our weekly newsletters. We're not always going to be perfect, but because we always do our best and try not to overpromise, we hope that we're always going to be trustworthy. Your calls and e-mails are very helpful - please keep contributing.