third-party vendors

Valentine’s Day was last month, but the Office of the Comptroller of the Currency (OCC) has answers for your burning relationship questions—at least the ones having to do with your FI’s third-party vendors.

The OCC released a Frequently Asked Questions (FAQ) supplement to OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance, last week. It replaces the version the agency released in 2017.

Looking at the new answers, a few themes emerge.

  1. The definition of a vendor is very broad. What counts as a vendor? The list is long. Ask yourself:
  • Does your FI have a business arrangement with an appraiser or an appraisal management company?
  • Do you receive professional services from law firms, consultants or audit firms?
  • Do companies provide your FI maintenance, catering or custodial services?
  • Does your FI refer consumers to another FI, company, or person who then compensates you for the lead?
  • Does your FI have marketplace lending arrangements?
  • Does your FI receive direct service from a data aggregator?
  • Does your FI rely on third-party models?

If you answered yes to one of the above questions, that third-party relationship is considered a vendor and should be subject to your FI’s vendor management process.

Another area of confusion is bank data aggregators. If an FI gets direct service from a data aggregator via a business arrangement, it’s a third-party vendor. Yet the OCC warns that even if FIs don’t have a direct relationship they should still perform due diligence on the aggregator’s business experience and reputation to ensure customer data will be safe. This includes “screen scraping,” or using customer login data with their permission to gather data. It can cause operational and reputation risk, the agency says.

The fact that the OCC felt the need clarify the definition of a vendor is a sign that some FIs are struggling to identify all their third-party vendors. Make sure that your FI is using a broad definition. You don’t want to accidentally omit a critical vendor.

  1. Vendor management is a subset of risk management. Vendor management gets a lot of special attention because vendor failures can cause severe material harm to your FI. That doesn’t mean it’s a stand-alone function.

Vendor management falls under the umbrella of risk management. It allows an FI to decide if the potential risks of working with a vendor align with the FI’s risk appetite and strategic goals. Vendor management follows the same lifecycle as risk management:

  • Identify
  • Assess
  • Mitigate
  • Monitor
  • Report

Recognizing that vendor management is risk management is especially important when it comes to mitigation. FIs engage in vendor due diligence to assess risk and the effectiveness of controls.

The OCC makes a point of reminding banks that if they can’t get the due diligence documents they need, it’s important to risk assess the value of working with the vendor. Riskier activities may require additional risk controls. In the case of vendors, that can include backups.

  1. Using vendors for vendor management is fine—as long as the risk judgement is performed by the FI.

From due diligence and ongoing monitoring to contract negotiation, FIs are welcome to use vendors to help management third-party vendor relationships. However, the final call of whether a vendor relationship falls within an FI’s risk tolerance must be made by the FI.

Every FI needs to tailor its third-party vendor management processes to its own needs based on its size, complexity and other unique attributes. The risk any given vendor poses differs from bank to bank and depends, in part, on the specific products and services that vendor provides.

It includes:

  • How the vendor fits into the FI’s strategic plan and risk appetite
  • The amount of risk and the FI’s ability to control it

Vendor management vendors should also be risk assessed and managed.

 Featured image for Ask Me Anything Q&A
NCONTRACTS
2020 EVENTS