Financial institutions need to do more to protect themselves and consumers from third-party vendor risk. It’s a common theme in stories of financial institution enforcement actions, data breaches, and service interruptions and in the Interagency Guidance on Third-Party Relationships: Risk Management released in 2023.
Third-party relationships help financial institutions reach their goals – but without careful oversight they can also damage an institution’s operations, reputation, compliance posture, customers or members, and even the bottom line.
Here are four common third-party risk management mistakes and strategies for avoiding them.
Failing to protect consumer data from vendor breaches and mismanagement exposes financial institutions to significant cyber, operational, and regulatory risk.
Just ask the institutions impacted by the MOVEit data breach in May 2023, when a ransomware attack leaked customer names, addresses, birthdates, and Social Security numbers.
The source of the vulnerability for most banks caught up in the breach: third- or fourth-party relationships.
According to a Bank Director survey:
With the increased threat of cyberattacks and the potential for serious consumer harm, regulators are sharpening their focus on due diligence when assessing vendors’ information security programs.
The problem isn’t always a headline-grabbing cyberattack. Sometimes it’s vendor incompetence. When Morgan Stanley closed two data centers in 2016, it performed no due diligence on the vendor’s experience decommissioning hard drives and servers.
The bank chose the wrong vendor. The inexperienced vendor didn’t delete the personally identifiable information (PII) of millions of clients and then sold the PII-laden equipment in an online auction. Morgan Stanley paid $161.5 million in fines, a civil money penalty, and faced two lawsuits for its lack of due diligence in vetting this vendor.
Financial institutions should take the following steps to prevent third-party incidents and protect consumer data:
While SOC-2 reports are a great starting point for assessing a third party’s data privacy controls, they aren’t the be-all and end-all. Ongoing vendor cyber monitoring gives financial institutions clearer sightlines in spotting potential issues and proactively protecting consumer data.
Regulators have made it clear: your vendors’ compliance mistakes are your compliance mistakes. And when it comes to consumer compliance, vendors make mistakes.
If your third party accepts consumer deposits or handles transactions, it’s essential to ensure your vendor understands the applicable regulations and has a strong compliance management system (CMS) to ensure compliance.
It’s a theme we’ve seen play out repeatedly in 2024. In just the first quarter, four financial institutions faced enforcement actions stemming from technology service provider compliance lapses. These included Bank Secrecy Act (BSA) deficiencies, the failure to secure disclosures and approvals from customers, and the failure to resolve account disputes under Regulation E.
The Federal Deposit Insurance Corporation (FDIC) also penalized several institutions for vendors exaggerating the benefits of products, according to its 2024 Consumer Compliance Supervisory Highlights. The FDIC emphasizes that FIs must monitor how third-party products are advertised.
Financial institutions can avoid vendor consumer compliance missteps by:
Ensuring that your third parties adhere to consumer compliance regulations protects your institution from legal risks and costly enforcement actions while helping maintain your industry reputation.
Related: Vendor’s Keeper: How to Make Sure Your Third-Party Vendors Aren’t Creating a Compliance Nightmare
It’s not news that financial institutions should negotiate contracts with vendors. But vendor contracts are about more than price. Strong vendor contracts address everything from regulatory requirements to performance benchmarks.
Many small and mid-sized financial institutions are at a disadvantage in negotiating contracts with vendors. Community banks and credit unions often feel pressured to accept a vendor’s standard contract. This is a mistake.
Third-party service providers love standard contracts, free from the addenda and provisions that protect your institution. You need to insist on these. Remember, if it’s not in writing, your vendor won’t take responsibility for its mistakes.
Financial institutions should address the following in negotiating contracts with vendors:
The above list doesn’t cover every aspect of vendor contract negotiations. For a more comprehensive perspective, please download our whitepaper on negotiating cost-saving contracts that protect your FI from third-party risk.
Download: Protect Your Interests: How to Negotiate Cost-Saving Vendor Contracts
The days when financial institutions could review pertinent vendor documents once a year have long since passed. Effective third-party risk management demands ongoing monitoring, particularly for critical vendors.
Monitoring vendors is about more than protecting your institution from disasters. It’s about demonstrating operational resilience and safeguarding your institution’s reputation.
For example, last December members of 60 credit unions couldn’t access online and mobile banking and bill pay for days due to a ransomware attack when a business continuity and disaster recovery provider failed to patch a vulnerability despite warnings from the FBI. The attack began against the business continuity provider and then spread to the parent company’s data processing unit – which was the vendor used by the affected credit unions.
While it doesn’t appear that the attack compromised consumer data, it was a nightmare for members whose bills went unpaid and who were unable to transfer funds for days.
How often were the impacted credit unions receiving reports from this vendor? Would more effective vendor monitoring have made a difference? Perhaps. It certainly wouldn’t have hurt.
Vendors aren’t always quick to report problems. Sometimes they don’t even know that they have a problem. This is where vendor monitoring can help.
Typical vendor monitoring activities that mitigate third-party risk include:
Financial institutions need to look at the big picture when it comes to third-party risk monitoring. That includes understanding how a vendor is connected to other business units and whether there are subcontracting relationships that might impact their security and operational resilience.
These third-party risk management mistakes are just a few examples of why third-party risk management requires a proactive program. Manual processes and yearly reports are no longer enough. If that’s your status quo, it needs to go.
That’s why so many financial institutions now rely on vendor risk management software to understand and proactively manage third-party risk. They are also investing in training for vendor management professionals, ensuring they are equipped with both the tools and knowledge to keep pace and avoid common mistakes.
Where are examiners finding the most third-party risk management violations?
Download our report: 2024 Compliance Exam Findings: Top Third-Party Risk Management Violations