Prediction for 2017: Risk-based Exams Will Continue to Force Vendor Management Out of the Box

Bankers and credit union executives are always eager to find out what bank examiners want. It’s like there’s an answer key out there and if they ask around enough someone will hand them a copy.

But regulatory exams aren’t multiple choice. They are (almost literally) essay questions, and regulators expect different answers from different institutions. It’s a message regulators have driven home this year with the release of two significant changes to exam procedures. These changes further codify the agencies’ shift to a risk-based examination approach.

And in a surprise to no one, these changes address vendor management.

Let’s take a closer look at the FDIC’s Information and Technology Risk Examination (InTREx) Program and the FFIEC’s Uniform Interagency Consumer Compliance Rating System to see examples of this.

InTREx

Implemented on June 30, InTREx “is an enhanced, risk-based approach for conducting IT examinations.” The goal of the program is to ensure financial institutions (FIs) are identifying and addressing IT and cybersecurity risks. Under InTREx, banks receive a list of 26 questions 90 days before their IT exam; the questions touch on core processing, network, online banking, development and programming, and software services. Examiners use the answers to scope a risk-based exam appropriate to the bank’s size and complexity.

The good news is that this is 65 percent fewer questions than the Officer’s Questionnaire it replaces. It also covers some of the same ground as the FFIEC Cybersecurity Assessment Tool, so banks that already use the tool will be well positioned to answer promptly.

But a shorter question list doesn’t mean less time spent answering it. Many questions require detailed descriptions, including information about third-party service providers. In fact, 5 of the 26 questions ask specifically about vendors:

  • Are any core applications (for example: loans, deposits, investments, trust, or general ledger) processed by an external service provider (including affiliated organizations)? If Yes, please list the core service provider(s) and the application(s) serviced.
  • Has the institution changed any core applications or core service providers since the previous examination, or are plans in place to change within the next 12 months? If Yes, please list the systems, applications or service providers that have changed or will change.
  • Does the institution use or support any custom software, or engage in any custom software development or programming (either internally or through a vendor)? If yes, please describe.
  • Does the institution have any foreign-based technology service providers? If yes, please describe.
  • Has the institution or any of its service providers experienced a cyber attack, significant security event, or operational interruption since the previous examination? If yes, please describe.

The list above does not include other questions, such as those about which bank functions are conducted in-house, remote access to network resources, and systems or applications hosted or processed in the cloud, that are also likely to involve discussions of vendors.

The CC Rating System

The CC Rating System, announced in November and taking effect March 31, 2017, sets similar risk-based expectations scaled to the size, complexity and risk profile of an institution. The original system from 1980 was developed for exams focused more on transactions than on risk, so the revision formally aligns the ratings with the risk-based approach examiners already use today. (Regulators say the system doesn’t set new expectations; it simply realigns the ratings with today’s approach.) Institutions receive a score on a scale from one to five, with one being the best score. Regulators want to be sure institutions are dedicating appropriate resources to the areas with the greatest risk of consumer harm.

The CC Rating System includes three categories: board and management oversight, compliance program, and violations of law and consumer harm. The first two categories are used to assess an institution’s compliance management system (CMS), and the rating system states that these expectations “extend to third-party relationships into which the financial institution has entered” because “such arrangements also may expose financial institutions to risks if not managed effectively.”

It goes on to say, “As noted in the Consumer Compliance Rating Definitions, examiners should evaluate activities conducted through third-party relationships as though the activities were performed by the institution itself. Examiners should review a financial institution’s management of third-party relationships and servicers as part of its overall compliance program.”

What Does It Mean?

What do these two changes tell us about examinations and vendor management?

Compliance and risk don’t fit into tidy boxes, and institutions ignore that fact at their own peril. As we head into 2017, vendor management is becoming an ever more important element of an institution’s enterprise risk management program. It is involved in nearly every risk an institution faces, from IT and cybersecurity to compliance with consumer laws. Expect more vendor management cameos in regulatory guidance and revisions down the road.

Just as examiners are moving away from a one-size-fits-all approach to examinations so that they can spend their time on the most critical areas facing an institution, financial institutions need to approach vendor management with a similar risk-based mindset. If an institution doesn’t have an effective vendor management program, one that includes risk assessments of vendors and ensures proper due diligence and ongoing monitoring, the consequences will show up in exam results, or worse.