Prioritizing vendor management compliance
If you’ve felt the list of regulations impacting vendor management grow longer every quarter, you may be wondering what you can do to stay current and keep the examiners at bay. Horror stories abound of examinations of vendor oversight taking longer and of examiners asking for increasingly complex documentation and evidence of your vendor programs.
The problem is that compliance and vendor management have become increasingly intertwined. Today’s financial institutions are not only accountable for their own actions, but also for the actions of the various vendors that provide services on their behalf, whether it be mortgage or credit card operations or Information Technology (IT). As banks outsource more activities to third parties, and more of those activities are subject to regulations, the stakes are higher. “Know your vendor’s vendor’s vendor” seems to be the phrase that rules the day.
Much of the attention focuses on the largest banks, but community banks and credit unions are also at risk as they outsource more activities. In fact, they may be exposed to more risk: a smaller institution cannot weather the financial and reputational effects of an enforcement action as well as a larger institution can.
As with most compliance mandates, uncertainty abounds. Is every type of vendor subject to the same regulations? Does it make sense to have a one-size-fits-all vendor management program? What are the cost implications? Financial institutions must revamp their vendor management programs to make sure they identify risks ahead of time and protect against costly regulatory enforcement actions and civil monetary penalties.
Here are three tips to help your organization improve its efficacy and efficiency around vendor management:
Get the right information to the right people at the right time. Most institutions have developed vendor management programs exclusively for IT and information security compliance. Today’s compliance requirements affect a myriad of activities, from mortgage servicing to marketing. Your vendor management program must ensure that the people best placed to make vendor-related decisions are involved in the process. It is no longer wise to have everything handled in just one department. Organize vendors by the activities they perform, and then identify how different regulations affect each vendor and its activities. The personnel in your institution who know the vendor and deal with its products or services daily are best equipped to evaluate the risks that particular vendor poses to your institution.
Standardize vendor management processes. Once financial institutions understand the specific impact that different regulations have on each vendor, they must create a formalized process for risk assessment, vendor training and risk management. Assign oversight of each vendor relationship and each contract to a specific management executive within your organization. Also, ensure that your initial consideration of vendors, due diligence processes and ongoing vendor risk assessments and contract compliance reviews follow a consistent structure, schedule and format to ensure nothing falls through the cracks.
Apply reasonable judgment to different vendors. Not every vendor requires the same level of risk management and oversight. A payment-processing provider is subject to significantly more regulations than a landscaping service. Factors that influence a vendor’s risk profile include the degree of impact on your performance: is this vendor “mission critical” to your operations, or could it be easily replaced if it does not or cannot perform satisfactorily? Likewise, the sensitivity of the data that a vendor handles or comes into contact with plays a big role in the degree of risk it may pose. A holistic and consistent approach to your vendor management practices will help your institution understand which vendors and activities need the most oversight and enforcement. A smart first step is to determine which vendors pose the greatest risk to your institution and to ensure that a thorough evaluation of their capabilities and performance takes place throughout the relationship. Both initial and ongoing due diligence are the keys to ensuring proper oversight.