<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

How to Avoid Common Third-Party Risk Management Mistakes

author
6 min read
Sep 12, 2024

Financial institutions need to do more to protect themselves and consumers from third-party vendor risk. It’s a common theme in stories of financial institution enforcement actions, data breaches, and service interruptions and in the Interagency Guidance on Third-Party Relationships: Risk Management released in 2023.  

Third-party relationships help financial institutions reach their goals – but without careful oversight they can also damage an institution’s operations, reputation, compliance posture, customers or members, and even the bottom line.  

Here are four common third-party risk management mistakes and strategies for avoiding them. 

Mistake #1: Failing to protect consumer data

Failing to protect consumer data from vendor breaches and mismanagement exposes financial institutions to significant cyber, operational, and regulatory risk. 

Just ask the institutions impacted by the MoveIt data breach in May 2023 when a ransomware attack leaked customer names, addresses, birthdates, and Social Security numbers. 

The source of the vulnerability for most banks caught up in the breach: third or fourth-party relationships.  

According to a Bank Director survey: 

  • An outside relationship caused 14% of respondents to be breached 
  • Just 4% of banks were directly compromised.  (The other 82% weren’t impacted.)  

With the increased threat of cyberattacks and the potential for serious consumer harm, regulators are sharpening their focus on due diligence when assessing vendors’ information security programs. 

The problem isn’t always a headline-grabbing cyberattack. Sometimes it’s vendor incompetence. When Morgan Stanley closed two data centers in 2016, there was no due diligence into the vendor’s experience decommissioning hard drives and servers. 

The bank chose the wrong vendor. The inexpeirenced vendor didn’t delete the personally identifiable information (PII) of millions of clients and then sold the PII-laden equipment in an online auction. Morgan Stanley paid $161.5 million in fines, a civil money penalty, and faced two lawsuits for its lack of due diligence in vetting this vendor. 

Financial institutions should take the following steps to prevent third-party incidents and protect consumer data: 

  • Consider controls that limit third-party access to your organization’s consumer data, including multi-factor authentication and end-to-end encryption 
  • Assess a vendor’s data management policies and processes, including the disposal of sensitive data 
  • Review the results of vulnerability and penetration tests 
  • Determine a vendor’s ability to take corrective actions to address deficiencies discovered through vulnerability and penetration tests 
  • Guage a vendor’s policies and procedures related to pre-employment background checks and employee security training 
  • Evaluate physical security protocols and controls to safeguard facilities containing sensitive consumer data 
  • Assess a vendor’s patching cadence, which varies depending on its IT environment 
  • Rate a vendor’s experience and expertise in performing contracted activities 
  • Require the right to conduct onsite visits 

While SOC-2 reports are a great starting point for assessing a third party’s data privacy controls, they aren’t the be-all and end-all. Ongoing vendor cyber monitoring gives financial institutions clearer sightlines in spotting potential issues and proactively protecting consumer data.  

Mistake #2: Neglecting third-party consumer compliance 

Regulators have made it clear: your vendors’ compliance mistakes are your compliance mistakes. And when it comes to consumer compliance, vendors make mistakes. 

If your third party accepts consumer deposits or handles transactions, it’s essential ensure your vendor understands the applicable regulations and has a strong compliance management system (CMS) to ensure compliance.  

It’s a theme we’ve seen play out repeatedly in 2024. In just the first quarter, four financial institutions faced enforcement actions stemming from technology service provider compliance lapses. These included Bank Secrecy Act (BSA) deficiencies, the failure to secure disclosures and approvals from customers, and the failure to resolve account disputes under Regulation E.  

The Federal Deposit Insurance Corporation (FDIC) also penalized several institutions for vendors exaggerating the benefits of products, according to its 2024 Consumer Compliance Supervisory Highlights. The FDIC emphasizes that FIs must monitor how third-party products are advertised. 

Financial institutions can avoid vendor consumer compliance missteps by: 

  • Obtaining the right to monitor and be informed about a third party’s consumer compliance issues, including timely remediation if problems arise 
  • Measuring a third party’s compliance with consumer protection laws against its contractual obligations 
  • Ensuring that vendors with new technologies or innovative banking products adhere to consumer compliance laws and regulatory requirements 
  • Regularly reviewing marketing materials, including scripts, promotional materials, and phone conversations, to ensure vendors meet consumer compliance requirements 
  • Engaging compliance experts (either internally or externally) to review vendors’ consumer compliance policies and processes 

Ensuring that your third parties adhere to consumer compliance regulations protects your institution from legal risks and costly enforcement actions while helping maintain your industry reputation. 

Related: Vendor’s Keeper: How to Make Sure Your Third-Party Vendors Aren’t Creating a Compliance Nightmare  

Mistake #3: Falling short in contract negotiations 

It’s not news that financial institutions should negotiate contracts with vendors. But vendor contracts are about more than price. Strong vendor contracts address everything from regulatory requirements to performance benchmarks. 

Many small and mid-sized financial institutions are at a disadvantage in negotiating contracts with vendors. Community banks and credit unions often feel pressured to accept a vendor’s standard contract. This is a mistake.  

Third-party service providers love standard contracts, free from the addendums and provisions that protect your institution. You need to insist on these. Remember, if it’s not in writing, your vendor won't take responsibility for its mistakes. 

Financial institutions should address the following in negotiating contracts with vendors: 

  • The scope of the arrangement with a detailed explanation of the service provided, benefits, and support 
  • Performance benchmarks in the form of service-level agreements (SLAs) that define metrics for measuring performance and penalties for not meeting benchmarks 
  • Confidentiality agreements that protect an FI’s proprietary information and consumer data 
  • Audit rights that require vendors to share the results of independent audits within a specified timeframe 
  • Vendor business continuity plans, including recovery time objectives (RTOs), recovery point objectives (RPOs), and testing frequency 
  • Indemnification and legal liability for the institution and vendor 
  • Subcontracting arrangements and a vendor’s third-party risk management program 
  • Termination clauses that outline the costs of early termination, data return and disposal, and timeframes 

The above list doesn’t cover every aspect of vendor contract negotiations. For a more comprehensive perspective, please download our whitepaper on negotiating cost-saving contracts that protect your FI from third-party risk.   

Download: Protect Your Interests: How to Negote Cost-Saving Vendor Contracts 

Mistake #4: Inadequate vendor monitoring 

The days when financial institutions could review pertinent vendor documents once a year have long since passed. Effective third-party risk management demands ongoing monitoring, particularly for critical vendors. 

Monitoring vendors is about more than protecting your institution from disasters. It’s about demonstrating operational resilience and safeguarding your institution’s reputation. 

For example, last December members of 60 credit unions couldn’t access online and mobile banking and bill pay for days due to a ransomware attack when a business continuity and disaster recovery provider failed to patch a vulnerability despite warnings from the FBI. The attack began against the business continuity provider and then spread to the parent company’s data processing unit – which was the vendor used by the affected credit unions. 

While it doesn’t appear that the attack compromised consumer data, it was a nightmare for  members whose bills went unpaid and were unable transfer funds for days. 

How often were the impacted credit unions receiving reports from this vendor? Would more effective vendor monitoring have made a difference? Perhaps. It certainly wouldn’t have hurt. 

Vendors aren’t always quick to report problems. Sometimes they don’t even know that they have a problem. This is where vendor monitoring can help. 

Typical vendor monitoring activities that mitigate third-party risk include: 

  • Receiving audits and reports, including vendor self-reports and third-party reports (SOC reports, external audit and exam results, certificates of insurance, etc.) 
  • Negative news monitoring that highlights company changes, acquisitions, lawsuits, enforcement actions, or bad press 
  • Assessment of performance metrics to ensure vendors are meeting obligations (in the case of the data breach above, the credit unions may have benefitted in knowing more about their provider’s business continuity plans and metrics) 
  • Periodic meetings with third-party representatives to discuss performance, operational issues, and other matters 
  • On-site evaluation and reviews 

Financial institutions need to look at the big picture when it comes to third-party risk monitoring. That includes understanding how a vendor is connected to other business units and whether there are subcontracting relationships that might impact their security and operational resilience. 

Optimizing your financial institution’s third-party risk management program 

These third-party risk management mistakes are just a few examples of why third-party risk management requires a proactive program. Manual processes and yearly reports are no longer enough. If that’s your status quo, it needs to go. 

That’s why so many financial institutions now rely on vendor risk management software to understand and proactively manage third-party risk. They are also investing in training for vendor management professionals, ensuring they are equipped with both the tools and knowledge to keep pace and avoid common mistakes.  

Where are examiners finding the most third-party risk management violations? 

Download our report: 2024 Compliance Exam Findings: Top Third-Party Risk Management Violations 

Download Now

Subscribe to the Nsight Blog