Today we’re looking at the FDIC’s approach to vendor management to better understand what the agency really wants from FIs. Different regulators use different terms to talk about vendor management. While they all ultimately have the same goal, they go about it in different ways.
Third-party risk is a hot button issue for regulators. When a bank outsources an activity to an outside vendor, it can introduce all kinds of risk. Vendor management is all about assessing, measuring, monitoring and controlling those risks.
The FDIC offers broad guidance on the topic, but perhaps the most concentrated source of information is the FDIC Compliance Exam Manual. Part VII on Unfair and Deceptive Practices hosts a section on Third Party Risk that spans 20 pages. It lets bankers know exactly what examiners will be looking for.
The FDIC begins by warning banks that not all vendors are created equal. The FDIC draws special attention to “significant” vendors. FIs often refer to these as high-risk or critical vendors. These can include vendors that:
- Are new to the FI or engage in activities new to the FI
- Perform critical functions
- Provide lending products or services, card payment transactions or are involved in deposit taking arrangements like affinity programs
- Touch sensitive customer information
- Materially impact revenues or expenses, or pose a risk that could materially impact earnings, capital or reputation
- Substantially expand an FI’s geographic market or offer products or services to a large number of the FI’s consumers
- Provide a service exposing the FI to risky consumer protection regulations
- Directly market products or services that could cause customers to experience financial loss
Significant vendors not only require strong oversight and controls, but the FDIC expects FIs to regularly review how effective that oversight and those controls are. From policies and procedures to internal controls, training, monitoring and external auditing, FIs need to demonstrate that their vendor management compliance efforts are consistent and ongoing.
FDIC guidance says an effective third-party risk management compliance program has four main elements:
- Risk assessment
- Due diligence
- Contract structuring and review
- Oversight
Let’s take a look at each of these elements to understand what exactly the FDIC expects.
Risk Assessment
Identifying significant vendors is an essential part of an FI’s vendor management risk assessment, but it’s just one part. The FDIC wants FIs to use a broad approach to risk management that considers everything from the bank’s overall approach to enterprise risk management (ERM) to the practical question of what resources are available.
- Strategic plan and business strategy. An institution should know how much strategic risk it’s willing to embrace based on its “size, resources, capacity, and number of employees.” It should also analyze the “benefits, costs, legal aspects, and the potential risks” of a third party to see if the potential risks fall within the institution’s comfort zone and are consistent with the FI’s plans and strategies.
- Risks/Rewards. Senior management should compare the benefits of having the third party conduct an activity compared to another third party or the institution itself.
- Resources. Does the institution have the internal resources to analyze and control specific risks? It should be able to “identify performance criteria, internal controls, reporting needs, and contractual requirements.” It also needs to oversee and manage the relationship and have a way to resolve problems. When documents come in, including SSAE 16 reports, financial statements, business continuity plans and incident response plans, the institution must be able to review them comprehensively.
- Consumer friendly. Management must determine whether the third party’s activities may be “viewed as predatory, discriminatory, abusive, unfair, or deceptive to consumers.”
- Significant relationships. There should be a process for identifying “significant,” or high-risk vendors, and ensuring the board reviews and approves these vendors.
Due Diligence
Management should conduct third-party vendor due diligence before a contract is signed and throughout the duration of the relationship. The more risk a vendor presents, the deeper the diligence should go. The goal is to understand the vendor’s financials, experience, legal and regulatory knowledge, reputation and “the scope and effectiveness of its operations and controls.”
An FI should consider the vendor’s:
- Financial condition. Audited financial statements, filings, annual reports, litigation and how the contract would impact the vendor’s financial condition.
- Experience. Does the company have the experience and capacity to do the job? Will it need to expand to accommodate the FI? What other business activities is it engaged in? Is it knowledgeable about consumer protection laws and regulations? What are the qualifications of its principals?
- Business approach. “Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies.” Also inquire about the use of subcontractors and the respective management responsibilities of the vendor and the institution.
- Internal controls. What kind of internal controls, systems, and data security and privacy protections does the vendor have? Does it have audit coverage? What are its business resumption, continuity and contingency plans? How strong are its management information systems? Does it have insurance coverage? What are its underwriting criteria?
- Marketing. How will the vendor use the institution’s name on materials and websites?
Contract Structuring and Review
The FDIC Compliance Exam Manual lists essential contract elements. More than a checklist of must-haves in a written agreement, these are items that should be easy to understand and track. They include:
- Written contract. Approved by the board and reviewed by legal counsel.
- Due diligence prerequisite. The agreement is prohibited unless proper due diligence can be conducted.
- Clearly defined performance standards. Carefully selected to measure performance.
- Payment terms. Itemizes fixed and variable charges and all other fees.
- Frequency and types of reports and audits. Specifies promised documents which may include performance, audits, financial, security, consumer complaint, and business resumption testing reports.
- Data privacy. Includes protecting non-public personal information and informing the institution of breaches.
- Complaint resolution. Details how consumer complaints will be handled.
- Business continuity planning. Outlines protections for backing up data and detailed operating procedures for disaster recovery and contingency plans.
- Default, termination and dispute resolution provisions. Includes remedies.
- Ownership issues. Addresses intellectual property such as use of logos and copyrighted materials as well as data generated by the third party.
Oversight
Both board and management oversight are necessary for successful vendor management. Each has a different role to play.
Board. It starts at the top with the board. Not only must the board approve significant vendor agreements, but it must document how it reached that decision. There also needs to be proof that significant vendor agreements are overseen and reviewed annually and whenever there is a material change to the program.
Management. Management is responsible for periodic review of the vendor’s operations to ensure the vendor is controlling risk and living up to the contract’s terms. Management needs to consider its:
- Compliance management system. Ensures ongoing compliance with consumer protection laws and regulations as well as internal policies and procedures.
- Staff. The FDIC recommends that an individual or committee be tasked with overseeing significant vendor relationships. These individuals should be qualified for the task and work with compliance and other operational areas such as audit.
- Task list. This should include monitoring “quality of service, risk management practices, financial condition, and applicable controls and reports.” The results, along with the institution’s policies and procedures, should be used to decide whether a vendor needs to be terminated or placed on probation.
- Reporting. Findings from the oversight process should be periodically reported to the board or a committee. This is particularly true for weaknesses, which should be identified, documented and quickly remediated.
- Documentation. Contracts, business plans, risk analyses, due diligence, and documents related to oversight activities, including board and committee reports, should be kept for a defined period of time.
What do these elements tell us about the FDIC’s overall approach to vendor management?
Ultimately, the FDIC is looking for documented processes. It sees vendor risk management as an ongoing process, one that begins with due diligence before a contract is signed and continues with monitoring and risk assessments throughout the length of the relationship.
For the FDIC, compliance is about more than lists of significant vendors and piles of vendor reports. It’s about understanding the process an FI went through to manage and control the risk.
The agency wants to know the reasons justifying a decision and see proof that the board is involved in the risk management of third-party vendors. It wants to understand an institution’s approach to ERM and where a particular vendor fits from an enterprise risk management perspective. It wants FIs to have the necessary resources to analyze reports and carefully negotiate and track contracts. It wants to be confident that the board and management have the necessary tools and processes to ensure the safety and soundness of the institution regarding third party risk.
For this to happen effectively and efficiently, FIs need a comprehensive, top-down approach to vendor management. There are too many moving pieces and procedures that must be executed and documented to let vendor management casually languish. Taking a broad view of ERM and vendor management allows an FI to leverage the risk assessment, measurement, control and mitigation work performed by departments throughout the institution, streamlining and improving processes.
Learn how Nvendor can help you align vendor management at your institution with FDIC examiner expectations.