9/4/12

Vital Relationships

Related Practices

Related Industries

Attorneys & Professionals

Improving Vendor Management and Oversight


By Kimberly J. Schaefer1
(Published in the Summer 2012 issue of The Bankers' Statement.)

Financial institutions increasingly look to vendor relationships, including all types of third-party relationships with service providers, as a way to gain a competitive advantage. Vendors can offer institutions a variety of safe and secure opportunities to improve overall success by, for example, reducing costs, performing functions on the institution’s behalf and providing products and services that the institution does not offer.2

Reliance on vendor relationships, however, can significantly increase a financial institution’s risk profile. Each institution’s risk profile is unique and commands a tailored risk mitigation approach appropriate for the scale of its particular vendor relationships, the materiality of the risks present and the ability of the institution to manage those risks.3 A financial institution’s responsibilities to properly manage vendor relationships and identify and control the risks arising from such relationships lie with its board of directors and senior management.4 Failure to adequately manage vendor risks leaves a financial institution exposed to regulatory action, financial loss, litigation and damage to its reputation.5

The Federal Deposition Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) require, and the Board of Governors of the Federal Reserve urges, financial institutions to control risk and oversee vendor relationships.6 Each agency has issued guidelines pertaining to such requirements.7 Given the uniformity among all three sets of guidelines, the Federal Financial Institutions Examination Council (FFIEC) has compiled them and created a comprehensive handbook to aid financial institutions in vendor management and oversight.

Many vendor relationships should be subject to the same risk management, security, privacy, oversight and other consumer protection policies that would be expected if a financial institution were conducting the activities directly.8 An effective vendor management program should provide the board of directors and senior management with the framework to identify, measure, monitor and control the risks associated with outsourcing to a third-party vendor.9

The key to vendor oversight is effective risk management, which involves several key factors, as noted in the FFIEC Handbook:

The Importance of Documentation

Before delving into the specifics of vendor management, financial institutions must always keep one necessity in mind: documentation. As a financial institution proceeds through each step of vendor management, it must always document everything that relates to the vendor relationship, including valid contracts, business plans, risk analyses, due diligence and oversight activities (including reports to the board, management or other delegated committees). Documentation of the risk assessment is especially important to help ensure coordination, consistency and standardization between the financial institution and the vendor.10

This risk management process, as noted in each agency’s guidelines and the FFIEC Handbook (collectively, the "Interagency Guidelines"), encompasses four steps:

  1. Risk Assessment
  2. Due Diligence
  3. Contract Negotiation and Structuring
  4. Ongoing Monitoring

The first three steps involve risk management procedures before a financial institution begins a contractual relationship with the vendor, while the fourth, and often overlooked step, involves continual oversight responsibilities throughout the vendor relationship.

Step One: Risk Assessment11

The Interagency Guidelines urge financial institutions to complete risk assessments on vendors that store or have access to confidential customer information or whose services have a major impact on the institution’s operations.

The first step in the risk assessment process is to ensure that the proposed vendor relationship is consistent with the institution’s strategic planning and overall business strategy. Because a risk analysis is so integral to an institution’s overall strategic planning, it should be performed by senior management and reviewed by the board or an appropriate committee.

Next, management should analyze the benefits, costs, legal aspects and the potential risks associated with the vendor under consideration. Generally, the riskier a vendor’s activity, the more important the need is for diligence in selection, contracting and monitoring. Risk is assessed by identifying threats and vulnerabilities, and then determining the impact the threats can have on a financial institution. A vendor may pose various risks, including strategic, reputational, legal, operational, transactional, credit and compliance risks.

The Interagency Guidelines recommend that management consider the following factors in evaluating the quantity of risk of the proposed vendor relationship:

A financial institution should never assume more risk than it can identify, monitor, manage and control. After completing the foregoing assessment of risks, management should review its ability to provide adequate oversight of the proposed vendor relationship on an ongoing basis (see Step Four for more details). Appointing a senior manager to serve this function is recommended.

Step Two: Due Diligence12

The due diligence process provides management with the information needed to address qualitative and quantitative aspects of potential vendors to determine if a relationship would help achieve the financial institution’s strategic and financial goals and mitigate identified risks. Similar to risk assessment, due diligence occurs not only when selecting a vendor, but it should also be an ongoing annual assessment of the vendor’s performance and ongoing suitability. Due diligence should include consideration of strategic plans, vendor reputation, financial condition and ability to provide monitoring reports.

The scope and depth of due diligence is directly related to the importance and magnitude of the institution’s relationship with the vendor. Obviously, vendors that are contracted to perform large-scale functions with sensitive data integral to the institution’s success, a financial institution should perform an in-depth due diligence assessment.

Although many due diligence considerations overlap with risk assessment considerations, they are worthy of repetition. When evaluating a vendor on the front-end, management should consider the vendor’s:

Although a comprehensive due diligence assessment may yield an ideal vendor, a financial institution should stipulate a vendor’s responsibilities in writing to ensure that it does not divert from its current status.

Step Three: Contract Negotiation and Structuring13

If a vendor passes the due diligence phase, management should negotiate a written contract that meets the financial institution’s requirements. The contract should clearly set forth the rights and responsibilities of each party to the contract, including, but not limited to, the following:

Furthermore, a financial institution may want to consider including service level agreements (SLAs) in the contract. SLAs are formal documents that outline the institution’s pre-determined requirements for the service and establish incentives to meet, or penalties for failure to meet, the requirements. Financial institutions should link SLAs to provisions in the contract regarding incentives, penalties and contract cancellation in order to protect themselves against vendor performance failures. SLAs addressing business continuity should measure the vendor’s contractual responsibility for backup, record retention, data protection and the maintenance of disaster recovery and contingency plans.

The foregoing list indicates that, oftentimes, a financial institution’s ability to effectively monitor a vendor depends upon the provisions in the parties’ contract. Likewise, the most important provisions to be included in a contract include those that pertain to the process for ongoing monitoring of the vendor, such as the authorization for the institution to monitor and periodically review the vendor for contractual and regulatory compliance. A similarly vital provision would be to require, as a condition precedent, a vendor to implement appropriate measures to prevent breaches.

Step Four: Ongoing Monitoring14

With an increasing use of third-party vendors comes an increased risk for incidents, including compromised data, breaches and cyber attacks. Accordingly, the responsibility to review third-party vendors does not stop once the contract is signed. Rather, financial institutions must continually — at least on an annual basis — monitor vendors. The authorization of a financial institution to monitor its vendors should be clearly stated in the contract.

To ensure an effective oversight program, a board may want to designate a senior manager to be responsible for the ongoing monitoring, ensuring that this senior manager possesses the requisite knowledge and skills to critically review all aspects of the vendor relationship.

Effective oversight means that, throughout the life of the contract, an institution should:

Documenting and Categorizing Vendors

As a preliminary matter, before a financial institution moves on to Step Four, it should assess its vendor relationships.  Management should first create a list of vendors that have access to customer information, and, likewise, document the types of access that such vendors have, such as electronic access to customer data.

Next, a financial institution should categorize the vendors according to criticality.  For instance, a vendor categorized as highly critical would mean that, if a breach were to occur, it could have a significant impact on an institution.  In contrast, a vendor with low criticality may indicate that any issues involving the vendor would not gravely harm the institution.  In categorizing vendors according to criticality, a financial institution generates a greater understanding of which of its vendors need more stringent, frequent oversight.

Finally, a financial institution should rank the vendors according to their level of risk, including consideration of any financial, operational or performance issues.  Vendor relationships with higher risk ratings should receive more stringent and frequent monitoring for due diligence, performance and control reviews.

Reliance on vendors to perform banking functions, to provide products or services to customers, or to provide services under an institution’s name decreases management’s direct control, and thus requires an increased oversight effort. The key to adequate oversight is to first establish, by contract, clear performance standards to which a vendor must adhere. The contract should set forth authorization for a financial institution to monitor and evaluate the vendor. The type and frequency of monitoring needs vary, depending on the complexity of the services provided and the division of responsibilities between the institution and its vendor. Thus, the number of personnel, functional responsibilities and the amount of time devoted to oversight activities will depend, in part, on the scope and complexity of the services outsourced. Nonetheless, a financial institution must bear in mind that its duty to conduct due diligence does not end once a contract is signed. Rather, due diligence responsibilities, including continual oversight, persist for the duration of the contract.

Conclusions16

Given the increased dependence on third-party vendors and the increased risks they pose, the importance of proper management and oversight is critical to a financial institution’s success. The more access to customer information that a vendor has, and the more integral a vendor is to a financial institution’s daily operations, the more thorough the evaluation and oversight must be. Likewise, financial institutions should bear in mind that these recommended procedures are not all-inclusive. Vendor management and oversight activities continue to evolve to keep pace with new technologies and business applications. To maximize benefits from vendor relationships, financial institutions should have an effective process for managing the associated risks. In the very least, senior management should be conducting the oversight procedures listed in Step Four at least annually. While even the most comprehensive set of oversight guidelines cannot fully prepare a financial institution for an operational failure on the part of its vendor, the implementation of adequate oversight procedures will certainly alleviate many detriments in the event of such a failure. The value a financial institution will derive from its use of vendor business relationships is directly proportional to the quality of management’s strategic planning, due diligence and ongoing oversight activities.

Accordingly, a financial institution should immediately assess its relationships with vendors, analyze risks, evaluate existing contracts and implement internal procedures to move toward compliance with agencies’ guidelines.

For more detailed information on vendor management and oversight, please see the applicable agency guidelines:

  • FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL, Information Technology Examination Handbook: “Outsourcing Technology Booklet,” (June 2004), http://bit.ly/QbovSC
  • FEDERAL DEPOSIT INSURANCE CORPORATION, Financial Institution Letter 44-2008, “Guidance for Managing Third-Party Risk,” (2008), http://1.usa.gov/167maC
  • BOARD OF GOVENORS OF THE FEDERAL RESERVE SYSTEM, SR-0017, “Guidance on the Risk Management of Outsourced Technology Services,” (2000), http://1.usa.gov/MKGCiA
  • OFFICE OF THE COMPTROLLER OF THE CURRENCY, OCC 2001-47, “Risk Management Principles,” (2001), http://bit.ly/OjrlWr

1 Ms. Schaefer would like to thank Megan M. Westenberg and Evan T. Nolan for their assistance in writing this article.

2 OFFICE OF THE COMPTROLLER OF THE CURRENCY, OCC 2001-47, “Risk Management Principles,” (2001), http://bit.ly/OjrlWr (hereinafter “the OCC Guidance”).

3 Id.

4 FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL, Information Technology Examination Handbook: “Outsourcing Technology Booklet,” (June 2004), http://bit.ly/QbovSC (hereinafter “the FFIEC Handbook”).

5 FEDERAL DEPOSIT INSURANCE CORPORATION, Financial Institution Letter 44-2008, “Guidance for Managing Third-Party Risk,” http://1.usa.gov/167maC (hereinafter “the FDIC Guidance”).

6 See Interagency Guidelines Establishing Information Standards, 12 C.F.R. § 364 app. B (2012); 12 C.F.R. § 30 app. B (2012); 12 C.F.R. § 170 app. B (2012) (discussing the FDIC’s and OCC’s requirements for banks to manage and control risk and oversee service provider arrangements); BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM, SR-0017, “Guidance on the Risk Management of Outsourced Technology Services,” (2000), http://1.usa.gov/MKGCiA, (hereinafter “the Federal Reserve Guidance”)

7 See the Federal Reserve Guidance, the FDIC Guidance, the OCC Guidance, and the FFIEC Handbook (collectively, “the Interagency Guidelines”).

8 The OCC Guidance.

9 The FFIEC Handbook.

10 The OCC Guidance.

11 The material detailed in Step One is adapted from the Interagency Guidelines.

12 The material detailed in Step Two is adapted from FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL, eBanking IT Examination Handbook (August 2003), p. A-8; and the Interagency Guidelines.

13 The material detailed in Step Three is adapted from the Interagency Guidelines.

14 The material detailed in Step Four is adapted from the Interagency Guidelines.

15 FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL, Information Technology Examination Handbook: “Supervision of Technology Service Providers,” Appendix C, http://bit.ly/QbpbaB.

16 Portions of the material in the Conclusions section are adapted from the OCC Guidelines.

This article is for general information purposes and should not be regarded as legal advice.