Financial Outsourcing Solutions

FOS Blog

14 Sep

Third-party Risk: Managing Your Vendor Relationships

Third-party risk continues to be a hot button issue for regulators. When your financial institution outsources activity to an outside vendor, it can introduce a number of risks. Vendor management, or third-party relationship management, is about identifying, measuring, monitoring and controlling those risks.

Different regulators may use different terms to discuss vendor management; however, all ultimately have the same goal. Financial institutions should maintain a strong analytical process for monitoring third-party relationships, keeping in mind that not all third-party relationships present the same level of risk. OCC guidance states that “A community bank should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships”. Banks should determine the risks associated with each third-party relationship and adjust risk management practices accordingly. Regulators expect banks to perform due diligence and ongoing monitoring for all third-party relationships.

An effective vendor management process incorporates phases over the life of the vendor relationship:

  • Planning – Identifying and assessing risk.
  • Due Diligence in Third-Party Selection – Management should conduct third-party vendor due diligence prior to signing a contract and throughout the duration of the relationship. The more risk a vendor presents, the deeper the due diligence should go.
  • Contract Negotiation – Contracts should outline the rights and responsibilities of both the vendor and the bank.
  • Ongoing Monitoring – Monitor to ensure the vendor is living up to its contractual obligations, and to become aware when a vendor expands its focus and begins engaging in critical activities.
  • Termination – A bank should have a plan to end a vendor relationship efficiently.

The OCC Bulletin 2013-29 advises banks that not all vendors are created equal. The OCC expects more comprehensive oversight and management over “critical,” or high-risk vendors. These are vendor relationships that involve critical activities such as “significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that:

  • could cause a bank to face significant risk if the third party fails to meet expectations;
  • could have significant customer impacts;
  • require significant investment in resources to implement the third-party relationship and manage the risk;
  • could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.”

Periodic independent reviews should be conducted on the third-party risk management process, particularly when a bank involves third parties in critical activities. Independent reviews help assess the effectiveness of the vendor management process and determine whether any adjustments in controls are warranted.

Vendor management compliance is about more than lists of critical vendors and vendor reports. It’s about understanding the choices and decisions a bank makes in selecting a vendor and in actively choosing to continue the relationship. Regulators look for the reasons justifying a decision and want to see proof of board oversight. It is imperative that the board and management have the necessary tools and processes to ensure continued compliance, and a plan to efficiently end the relationship if needed. The bank should be aware of any changes in third-party relationships and how those changes impact risk.

Article compiled by Kay Scarselli. For additional information, please email
