Third-party risk is a hot button issue for regulators. When a financial institution (FI) outsources an activity to an outside vendor, it can introduce all kinds of risk. Vendor management is all about assessing, measuring, monitoring and controlling those risks.
Different regulators use different terms to talk about vendor management. While they all ultimately have the same goal, they go about it in different ways. Today we’re looking at the Federal Reserve’s approach to vendor management to better understand what the agency really wants from FIs.
The Federal Reserve’s Guidance on Managing Outsourcing Risk, released December 5, 2013, offers comprehensive insights on the subject. Over the course of 12 pages, it explains the types of risk that most concern the Fed. It also highlights the core elements of an effective “service provider risk management program.”
The Fed makes it clear that vendor management starts at the top with the board of directors, which sets policies for vendor risk management. It then filters down to senior management, which is responsible for creating and managing a framework built on those policies and reporting on the results.
It also emphasizes the importance of applying different levels of oversight to vendors based on how “critical, complex or involved with critical activities” they are. Critical vendors are those that:
- Have a substantial impact on an FI’s financial condition;
- Are critical to the institution’s ongoing operations;
- Involve sensitive customer information or new bank products or services; or
- Pose material compliance risk.”
The Fed acknowledges that vendor risk management programs can vary based on the types of outsourcing an institution does, but generally offers six core program elements:
- Risk assessments
- Due diligence and selection
- Contract provisions and considerations
- Incentive compensation review
- Oversight and monitoring
- Business continuity and contingency plans
Let’s take a look at each of these elements to understand what exactly the Federal Reserve expects.
The Fed says that outsourcing can expose an institution to many types of risk, including compliance risk, concentration risk, reputation risk, country risk, operational risk and legal risk. FIs need to consider these risks when entering a new vendor relationship or when deciding to continue with an existing one.
Items to consider include:
- Strategic plan and business strategy.
- Risks/Rewards of outsourcing an activity and outsourcing it to a specific vendor, including cost.
- Availability of quality vendors.
- Ability to effectively oversee vendor.
Risk management is an ongoing process. The Fed expects an FI to have and follow policies dictating how often risk assessments are updated. Should an update reveal a new or emerging risk, an FI should take steps to mitigate that risk.
Due Diligence and Selection
Before a contract is signed, an FI should conduct third-party vendor due diligence. It should continue that diligence throughout the duration of the relationship. But not every vendor requires the same level of scrutiny. The “scope, complexity and importance” of the vendor relationship should determine how deep an institution needs to dig. The goal is to understand the vendor’s financials, experience, legal and regulatory knowledge, reputation and controls.
An FI should consider the vendor’s:
- Business background, reputation, and strategy.
- Financial performance and condition.
- Operations and internal controls.
The Fed also calls out a few outsourced activities that pose additional risks requiring additional due diligence and monitoring. These including suspicious activity reports, internal auditing, risk management and using foreign-based service providers.
Contract Provisions and Considerations
The Fed’s Guidance on Managing Outsourcing Risk lists essential contract elements. More than a check list of must-haves in a written agreement, contracts should outline the rights and responsibilities of both the vendor and the bank. They should be specific, detailed and provide measurable benchmarks. Of the twelve pages of guidance, four and half pages or 37% of the guidance is devoted to contractual controls that should be utilized to control the risk in working with third parties. Points to address include:
- Scope. The rights and responsibilities of both the vendor and the FI.
- Cost and compensation. The Fed expects the contract to define every possible fee or charged paid by the bank and the vendor.
- Right to audit. Defines the types of audits and reports the FI will have access to and when.
- Performance measures. Define measurable performance standards.
- Information security. The Fed devotes more space to data security and confidentiality than any other area: one entire page out of the 14-page document. Its main focus is on ensuring there are contract provisions defining how customer information, particularly nonpublic, personal information (NPI), will be protected; ensuring data breaches will be reported and properly handled; and insisting that the vendor will follow all laws governing customer information confidentiality, including the Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council (FFIEC) guidelines.
- Ownership and license. How data can be used and who owns it.
- Indemnification. Contracts should indemnify an FI from vendor negligence.
- Default and termination. The contract should define what qualifies as a default and how it can be remedied. It should also outline potential reasons for termination and detail how much notification must be given and when data will be returned.
- Dispute resolution. A dispute resolution process should be outlined.
- Limits on liability. The board and management should decide if the risk of a vendor failing to perform align reasonably with any vendor limits of liability.
- Insurance. Vendors should have proof of adequate insurance.
- Customer complaints. The contract should address complaint tracking and resolution.
- Business resumption and continuity. Contracts should address a vendor’s business continuity planning.
- Foreign-based service providers. Choose a jurisdiction for disputes and understand if the contract can be enforced abroad.
- Subcontracting. The contract should state whether subcontracting is permitted and, if so, define the vendor’s due diligence and monitoring process.
Incentive Compensation Review
The Fed is the only bank regulator to make incentive compensation review a core element in the vendor risk management process. In addition to including it in the contract discussion, the Fed wants to be sure that FIs aren’t financially motivating vendors to make risky choices, for instance misrepresenting the terms of a product to make commission. It’s a mistake too many institutions have made.
Oversight and Monitoring
Oversight is the process staff uses to ensure an FI is fulfilling its contractual obligations and meeting performance standards. The Fed expects it to be risk-based, with higher risk vendors requiring more in depth oversight and monitoring. Areas to monitor include:
- Financial condition. Review the health of the vendor and its major subcontractors.
- Internal controls. FIs should review the controls of significant vendors, including SOC-2 reports and the FFIEC Technology Service Provider exam report, if available.
- Escalation of oversight activities. If a vendor’s performance is falling short, there should be processes in place to increase oversight and monitoring. There should be a plan to find an alternate vendor in case termination is necessary.
FIs should ensure that vendors performing critical services have contingency plans. They should also have a process that ensures the FI regularly assesses and tests the effectiveness of the plan and understands how the vendor’s plan fits with its own. The Fed also wants FIs to have an “exit strategy,” including a lineup of alternative providers.
Now that we know what the Fed is looking for, it’s important to understand what this tells us about the Fed’s overall approach to vendor management.
Ultimately, the Fed sees vendor risk management as an ongoing process. It begins with risk assessment and due diligence before a contract is signed and continues with monitoring throughout the length of the relationship, with special attention paid to business continuity planning and incentive compensation. It emphasizes a system built around processes, reporting, and careful oversight and management.
For the Fed, compliance is about more than lists of critical vendors and vendor reports. It’s about understanding the choices and decisions an FI made in selecting a vendor and in actively choosing to continue its relationship. It also wants FIs to be sure they have the expertise and resources to manage the process successfully. It stresses the importance of boards that drafts policies and senior management teams that execute them and regularly report back the results.
For this to happen effectively and efficiently, FIs need a comprehensive, top-down approach to vendor management. There are too many moving pieces, including procedures and documentation, touching too many areas and departments to let vendor management casually languish. FIs need a robust analytics process that takes a broad view of enterprise risk management (ERM) and vendor management, allowing an FI to leverage the risk assessment, measurement, control and mitigation work performed by departments throughout the institution to streamline and improve processes while ensuring major changes are noticed and addressed.