Vendor risk management is an ongoing process—one that begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. This blog series on the Top 10 risks will help you more effectively address how third-party vendor risk throughout every department in your financial institution.

#5 Compliance Risk

What’s worse than getting in trouble for breaking the rules? Getting in trouble when somebody else breaks the rules.

That’s a danger financial institutions face when they outsource product and service delivery to third-party vendors. It’s called compliance risk, which is the risk that a third-party vendor will either knowingly or accidentally violate a law, regulation, rule or an institution’s own internal policies.

It’s not a rare occurrence. FIs are regularly called out by regulators when their vendors fail to follow the rules. In worst-case scenarios, these failures can result in enforcement actions, millions of dollars in fines and bad publicity. (Talk about reputation and financial risk!) Recent high profile infractions include protecting the rights of servicemembers, overdraft, and credit card add-on programs.

It’s all goes back to that now common refrain: You can outsource activities but you can’t outsource responsibility for those activities. Regulators expect FIs to view vendor compliance efforts as an extension of the bank’s own efforts.

Compliance risk is one of the 10 biggest vendor risks facing FIs—and the reason why FIs need to know the whats, hows and whens of its vendors’ compliance programs. The only way to be confident that rules will be followed is to fully assesses a vendor for potential compliance risk and then take steps to mitigate and monitor that risk.

Know the Risks

Where to begin? It helps to know when compliance risk is most likely to occur. According to the OCC’s Third-Party Relationships Risk Management Guidance[1], it’s when:

  • products, services, or systems associated with third-party relationships are not properly reviewed for compliance;
  • the third party’s operations are not consistent with laws, regulations, ethical standards, or the bank’s policies and procedures;
  • a third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service;
  • a bank licenses or uses technology from a third party that violates a third party’s intellectual property rights;
  • the third party does not adequately monitor and report transactions for suspicious activities to the bank under the Bank Secrecy Act or Office of Foreign Asset Control;
  • a bank’s oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones;
  • when activities are further subcontracted;
  • when activities are conducted in foreign countries;
  • when customer and employee data is transmitted to foreign countries;
  • conflicts of interest between a bank and a third party are not appropriately managed;
  • transactions are not adequately monitored for compliance with all necessary laws and regulations; and
  • a bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records.

It’s a comprehensive list—one that touches on several other types of risk including operational, reputation, country, transaction and cyber risk. That makes it essential for management and departments across an FI to work together to effectively gather and analyze vendor findings.

Look to see that vendors:

  • Are aware of both new and existing regulations and have policies and procedures in place to implement them.
  • Have audit and control features that demonstrate their compliance.
  • Maintain logs and practices for monitoring transactions for suspicious activity and compliance with others laws and regulations.

Data privacy is of particular interest to regulators these days, making it important to ensure compliance with relevant laws, regulations and best practices.

[1] https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html#append-a