Third-Party Vendors: Love ’Em or Leave ’Em
Banks are increasingly outsourcing services to third-party vendors, which introduces all kinds of business risks. Here’s how banks can get a grip on that relationship and manage the anxiety.
Financial institutions, and specifically, banks, are constantly adapting to a rapidly changing industry—one that demands seemingly unlimited products for the public, flexible data management, always-on customer service, and regulatory compliance. But along with those efforts to expand their offerings comes a heaping of extra anxiety. Why? Because the institutions are increasingly outsourcing the creation and maintenance of their services to third-party vendors.
From developing mobile apps to processing transactions to protecting proprietary information, third-party vendors are being entrusted with responsibilities that can expose financial institutions to huge risks. The threat of cyber attack is just one of many, but it’s a biggie: In the past 12 months alone, 63% of security compromises in the financial industry originated through deficiencies in third-party systems.
Relying on third-party vendors presents a number of additional risks, such as service interruptions or late delivery of products. Any such shortfalls by key service providers can have a meaningful impact on a financial institution’s compliance, profitability or reputation.
Regulators have taken notice. In October 2013, the Office of the Comptroller of the Currency (OCC) issued a comprehensive bulletin entitled “Third-Party Relationships: Risk Management Guidance.” It states that banks “should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.” The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System and other regulatory authorities have also issued their own, similar guidance and continue to provide updates.
But given the number of vulnerabilities at hand—operations, compliance, and reputation, to name three—third-party risk management can be a complex affair. To better manage and mitigate the threats, banks can apply basic enterprise risk management principles. Here are some common approaches.
Look Inside Before Going Outside
Assessing your institution’s abilities prior to choosing a third-party vendor is crucial. For instance, does your institution have the proper oversight process to appropriately assess, measure, monitor, and control the risks associated with the third party? Be especially observant of expectations related to any personally identifiable information (PII), because an information breach would be harmful to your institution’s reputation.
Check Their Business Rep
Conduct due diligence by fully reviewing the status and condition of the third party. Assess their business and reputation by examining their strategy and goals to make sure they do not conflict with yours. Do they have a proper legal and regulatory compliance program to reassure you they will adhere to laws and regulations? Has any regulatory enforcement or other legal action been taken against them? How healthy is their financial condition? Are they fully insured against losses attributable to dishonest acts? Do they carry proper levels of liability coverage for losses attributable to negligence, loss of data, and protection of documents?
Get Tough and Get It in Writing
Protect your institution’s interests with a strong contract that specifies key performance measures, service-level agreements, and benchmarks. This should include the right to conduct on-site visits to the third-party vendor and the right to audit, accept or reject the work product. Require remediation if there are deficiencies. The latter is a must—if the defects are severe it may be appropriate to terminate the contract as quickly as possible.
Watch ’Em Like a Hawk
You’ve got a lot at stake in the relationship, so set up the third party for success. Make sure your company’s oversight of the third party corresponds to the actual level of risk. Foster trust, but stay vigilant—develop your own auditable compliance plan.
What to Do if the Wheels Start to Come Off
Be upfront about how and when you will step in to examine processes. It’s helpful to identify the escalation points of contact on both sides ahead of time and to clearly specify what happens when there are breaches, service disruptions or material changes to the third party’s business. Spell out the dispute resolution process (arbitration, mediation, etc.) in the contract, along with how expenses will be handled. Important: Make sure you have a contingency plan in place—either to go with an alternate supplier or to bring it all back in-house.
Clearly, managing the quality and sustainability of a third-party relationship requires significant effort on the part of a bank. Having a playbook ahead of time will ensure that the bank’s management, risk professionals, internal auditors, and board members are able to make critical decisions on a timely basis. Seeking expert advice around developing and executing the playbook can help put everyone’s mind at ease.