Earlier this month Federal Reserve Governor Michelle Bowman announced that the Federal Reserve is working with the other supervisory agencies to update its third-party guidance.
Bowman, who fills the community bank seat on the board, had a lot of ideas about how vendor management guidance could be improved. Her suggestions include:
Consistency across the banking agencies.
Having one set of guidance shared by all the supervisory agencies would make it easier for banks and their third-party vendors and partners to navigate regulatory expectations. As a starting point, Bowman encourages the Fed to adopt the Office of the Comptroller of the Currency’s guidance.
Share insights from the Fed’s due diligence.
The Fed regularly examines third-party service providers, but it shares the results only with the providers’ clients. Bowman believes that sharing some of that information with all banks, such as which providers are evaluated and what is examined at each, could give every bank useful due diligence insight. She has asked Fed staff to collaborate with the other agencies to develop ideas for making this work.
Better define due diligence.
Bowman would like to see the Fed clarify the “necessary elements” of vendor due diligence, including “where it begins and ends.” Bowman is particularly interested in giving banks clarity on the types of questions they should ask potential third-party vendors and what the Fed considers a “satisfactory answer.” She also recommends that the guidance be flexible based on the type of relationship, with suggestions on what due diligence looks like for a fintech partner vs. another type of critical vendor.
Bowman noted that third-party monitoring is particularly onerous for smaller banks and has “encouraged” Fed staff to find more ways to tailor regulatory expectations for community banks with less than $1 billion in assets.
Let banks share due diligence.
Bowman thinks banks could benefit from pooling due diligence efforts.
Why Pooling Vendor Management Resources is Risky
While banks welcome more clarity when it comes to third-party vendor guidance, there are concerns about one of Bowman’s suggestions: the idea of banks pooling due diligence efforts.
At first glance, pooling vendor management resources sounds like a good idea. A bank looking to save money in the back office may notice that another bank uses the same payroll or core vendor and ask why the two shouldn’t share information on that vendor and leverage each other’s efforts. The problem is that every vendor relationship is unique.
Vendor agreements differ from institution to institution. They vary depending on:
- the products and options selected
- the monitoring and performance metrics negotiated in the service level agreement (SLA)
- the criticality of the vendor to the bank’s operations.
Imagine two banks that outsource SBA lending to the same third-party vendor. Bank A gets about 2 percent of its revenue from SBA loans. Bank B gets 56 percent of its revenue from SBA lending. Bank B is going to want to put far more work into managing this relationship than Bank A because the relationship is critical to it. Yes, Bank A has an interest in monitoring and managing the SBA vendor, but that interest pales in comparison to the importance of the vendor relationship to Bank B. If Bank A offers to share its vendor management work with Bank B, Bank B may save some money on vendor management, but it could end up costing the bank far more if the vendor fails to perform and the lighter monitoring never flagged the problem.
The same is true of vendor data centers. Different product sets may be hosted in different data centers. If one FI uses a product served from one data center and another FI uses a product served from a different one, the two banks’ assessments cover different facilities and are not interchangeable, yet that could easily go unnoticed when swapping information. The bank relying on the borrowed assessment would be left at elevated risk of a data center issue because it has no way of knowing whether the controls at the data center that actually hosts its product are effective.
For pooling to work, a bank would have to do more than find another bank with the same vendor. It would need to carefully compare all agreements to make sure that both banks are interested in collecting the same information using a methodology that works for both banks. This is especially tricky for core providers, which offer an endless array of options, pricing and terms.
Another potential issue is data security and nondisclosure agreements. Vendors want to keep information about how their systems work confidential, including how they handle data and how it is transmitted. Sharing that information about a vendor with another bank may violate the vendor’s nondisclosure agreement unless you obtain permission in advance.
Why Regulators Allow for Risk and Vendor Management Flexibility
There is a reason why the regulatory agencies give FIs flexibility in how they execute their risk and vendor management programs. Every FI gets to choose the best structure and processes for risk and vendor management based on the FI’s size and complexity. That may mean a chief risk officer consulting a committee or a part-time vendor manager juggling multiple roles.
Sharing pooled vendor management resources is not a good idea because it overlooks these differences. In the past, we’ve discussed how checklists don’t work for vendor management because vendor management needs more than a one-size-fits-all solution. The same goes for pooling vendor management resources. Like a checklist, it seems like a simple solution, but the reality is far more complicated.
As the Fed moves forward with its updates to its third-party provider guidance, we’ll find out which of these suggestions make it in and which get cast aside. Until then, we’ll keep you updated on the latest third-party vendor regulatory updates.
To hear more about the hazards of pooling vendor management resources, check out this ABA podcast, Pooling Vendor Resources Is Not Beneficial for a Bank, recorded by Michael Berman at the Conference for Community Bankers in Phoenix, Ariz., last month.