No one knows how to stretch a dollar for maximum impact like the marketing department. Tasked with reaching an ever-expanding audience covering a broad mix of digital and traditional channels, they are masters at finding the best ways to cut through the clutter and deliver their financial organization’s message.
Yet, few do it alone. Nearly two-thirds of business-to-business companies outsource at least some of their marketing activities, according to HubSpot. This includes everything from telemarketing and promotional materials to digital activities like social media and content marketing, marketing analytics, and search engine optimization (SEO).
Partnering with third-party vendors gives marketing the ability to maximize its spending power. As marketing grows ever more specialized, few departments can afford full-time marketing staff with all the cutting-edge expertise needed. Outsourcing allows marketing the flexibility to allocate its spending across a wide variety of marketing disciplines, shifting gears and tapping into new approaches while accessing experts they couldn’t afford to keep on staff.
While the benefits of outsourcing marketing activities are well documented, it’s not without its challenges. The financial services industry is one of the most highly regulated industries in the U.S. Financial organizations must follow strict state and federal laws and regulations, particularly when it comes to data security and consumer protection—and that holds true for their third-party vendors too.
That makes vendor management essential for any marketing department that relies on outside vendors.
Marketing typically focuses on the talent, experience, and cost of creative partners when selecting vendors. It wants to know if a vendor can deliver quality work on time as promised. But there’s more to vendor management than cost and deadlines.
Vendor management is the process financial organizations and other companies use to manage the risks, or possibility of an unexpected outcome, of third-party vendor relationships. For instance, marketing might worry that a campaign won’t engage customers or that they are investing too many ad dollars on the wrong distribution channel.
The problem is a lot more can go wrong with a vendor than a missed deadline, and these failures can have steep consequences including lawsuits, regulatory enforcement actions and fines, and a damaged reputation, among others.
Where can vendor relationships go wrong? Let’s take a look at some of the biggest risks marketing needs to consider.
The only thing worse than getting in trouble for making a mistake is getting in trouble when somebody else makes a mistake. That’s the situation financial institutions face when a third-party vendor acting on behalf of the bank doesn’t comply with laws and regulations.
When it comes to vendor compliance, ignorance isn’t bliss. Regulators will hold your organization accountable for your vendor’s actions. Regulators don’t differentiate between actions taken by a financial organization and actions taken by a vendor on an organization’s behalf. Blaming the vendor is not an acceptable defense.
It is absolutely imperative that marketing performs due diligence to review third-party vendors’ compliance policies and procedures and its history of regulatory compliance.
When it comes to compliance, there is no such thing as an unimportant rule. If you find any evidence that your third-party vendor isn’t adhering to rules or policies, that’s a sign there may be a bigger problem.
Common areas where third-party vendors create compliance risk include:
Disclosures. Federal regulation requires specific disclosures when advertising financial products and services. The Truth in Lending Act (TILA), implemented by Reg Z, specifies rules for advertising loans (including annual percentage rates, down payment, repayment, and finance charges), while the Truth in Savings Act, implemented by Reg DD, limits how words like “free,” “no cost,” and “fees waived” can be used in ads for deposit accounts. It also requires the use of annual percentage yield when advertising rates. Both the Federal Deposit Insurance Corporation (FDIC) and the U.S. Department of Housing and Urban Development (HUD) have requirements for use of their logo and membership status in advertisements.
Vendors that write, design, and produce advertising materials must be familiar with these rules and should be able to document how they ensure their compliance practices are thorough and up to date. If they make a mistake with disclosures, expect regulators to notice and call you out.
Fair lending. Marketing would never intentionally do anything to cause your organization to discriminate against an applicant based on race, ethnicity, gender, or another prohibited basis factor. But that’s exactly what can happen if marketing or its third-party vendors don’t consider the impact of marketing’s efforts on the community.
Marketing needs to consider how and where it markets and how those activities influence who applies for loans. It needs to regularly assess its marketing budget and efforts, including the mediums used and geographic areas targeted.
Is your applicant pool consistent with your market’s demographics? If not, you may not be marketing in a way that reaches all the members of your community, especially low-to moderate income (LMI) and majority minority neighborhoods.
This includes third-party vendors that market products and services on the organization’s behalf. If a third-party vendor’s marketing activities contribute to unbalanced efforts that leave out protected groups, it can draw the attention of regulators.
The Consumer Financial Protection Bureau (CFPB) and other regulatory agencies are using a broader approach to identifying redlining, or the practice of denying credit to residents of certain areas due to the high number of ethnic or racial minorities living there. The CFPB warned it will be examining “decision-making in advertising, pricing, and other areas” to ensure companies are testing for and remediating discriminatory practices that violate federal law against unfair practices.
For example, one recent redlining enforcement action called out a lender for featuring only white non-Hispanic models and loan officers in its marketing campaigns.
Vendor management helps identify if marketing’s vendors understand these responsibilities.
Digital redlining. Fair lending is an increasing problem in the digital age, where advertisers can micro-target consumers based on specific characteristics. It’s one thing to target small business owners, but an entirely different matter if it’s used to specifically exclude someone based on their age, race, gender, disability or a member of another protected category. There’s even a term for it: digital redlining.
In 2018, the U.S. Department of Housing and Urban Affairs (HUD) issued a formal complaint against Facebook for digital redlining. HUD says Facebook allowed landlords and home sellers to use its advertising platform to discriminate against borrowers by letting advertisers filter who saw ads based on gender, disability, family status, religion, national origin or identity, and location. By limiting who saw housing ads, Facebook was contributing to redlining and other forms of discrimination.
UDAAP. UDAAP stands for "Unfair, Deceptive and Abusive Acts or Practices" and is any act or practice that is:
UDAAP violations are one of the most common—and costliest—sources of enforcement actions. Marketing and advertising are particularly susceptible to UDAAP violations. Common examples include misleading costs and terms, breaking promises in prescreened offers, creating an artificial sense of urgency, and advertising fixed rates on variable loans.
In 2016 the CFPB forced First National Bank of Omaha to pay $32.25 million in restitution and fines when one of its vendors used deceptive marketing to lure consumers into debt cancellation add-on products.
When advertising, marketing and any third-party vendors should be aware of UDAAP and consider the target audience’s level of education, financial sophistication, and access to your marketing. The regulatory agencies are on the lookout for UDAAP violations. You need to be too.
Telemarketing & email. The Federal Trade Commission (FTC) is responsible for enforcing laws that regulate telemarketing and email practices. Any vendor engaging in marketing on your financial organization’s behalf should comply with the CAN-SPAM Act, the Telephone Sales Marketing Rule, and other laws limiting how consumers can be reached for marketing purposes.
Digital accessibility. Accessibility is essential when designing websites, apps, and online documents. There is a long history of financial organizations being sued for violating the Americans with Disabilities Acts (ADA) when services weren’t accessible by visually, hearing or speech-impaired individuals.
Marketing sometimes has to share customer data with a third-party vendor so the vendor can do its job. That might include name, address, telephone number, products and services used, or other sensitive information.
The Gramm-Leach-Bliley Act (GLBA) of 1999 and other privacy laws, requires financial institutions to protect individual’s private information. If a vendor data breach exposes that information, there are real consequences for your financial organization, making it essential that marketing’s vendor management program ensures that all vendors with access to non-public personal information (NPPI) have strong data security protections in place.
There’s no faster way to end up on the front page of the local paper than being the victim of a data breach that releases consumers’ sensitive information. No one will care or remember that it was the vendor’s fault.
Vendor mistakes can hurt your financial organization’s reputation. Aggressive telemarketing, inappropriate or offensive advertising materials, data breaches, fraud, and violations of consumer protection laws can all make your institution look bad. It can also hurt your institution if your vendor has its own public perception problem. Being linked to a bad actor is never a good look.
Don’t entrust your reputation to just any third-party vendor. Marketing should engage in due diligence as part of its vendor management program. As any good marketer knows, reputations are easy to damage and hard to repair.
Fourth-party risk is the risk created when a third-party vendor subcontracts to another vendor. Not only do you have to trust that your vendor is doing the right thing, but you also have to trust that it has a strong enough vendor management program to ensure its vendors are also doing the right thing.
Marketing’s vendor management program should assess fourth-party risk.
You need to be sure your vendor is giving you objective advice and performing to the best of its abilities. You want it to look out for your interests, not just its own.
Is the contract written in a way that financially penalizes your organization for leaving but creates no accountability for vendor non-performance? Will your proprietary information be held in confidence? Is the CEO of a critical vendor married to the CEO of your biggest competitor? Does its board have a financial interest in a competitor?
Vendor management provides tools to make sure your vendor has and adheres to an ethics program.
Outsourcing marketing activities to third-party vendors exposes your financial organization to risk, but that doesn’t mean you shouldn’t use vendors to help accomplish your marketing objectives. It means you need to be smart when outsourcing and have a vendor management program to control those risks.
Vendor management is all about identifying, measuring, monitoring, and mitigating risks. It’s an ongoing process that can be broken down into four phases:
Ask questions such as: Does the activity prevent a compliance risk? Does your organization have the in-house resources needed to manage the relationship?
Next, assess whether the vendor relationship will be a high-risk vendor (also known as a critical vendor) that will require extra oversight. Examples of critical vendors are vendors with access to confidential data, vendors that pose significant compliance risk, and vendors who have the potential to damage your organization’s reputation.
Understanding these risks will help you evaluate vendors and consider ways to minimize the risk of working with them.
Due diligence is necessary both before a contract is signed and throughout the duration of the relationship.
The more risk a vendor presents, the deeper the diligence should go. Just because your organization has dealt with a vendor in the past doesn’t mean it can skimp on due diligence when taking on a new activity. The information you gather and review will help let you know what to expect from a vendor relationship, if anything has changed, and what controls should be put in place to reduce risk enough to make your institution comfortable.
Contract negotiation. Contracts are more than pricing agreements. They are important documents that outline terms and conditions. It’s important to have policies and procedures in place for negotiating strong contracts with controls that protect your organization.
Contracts should outline the rights and responsibilities of both the vendor and the organization, including provisions that ensure the institution has access to due diligence documents. Topics to address include: confidentiality, dispute resolution, subcontracting, business continuity and contingency plans, frequency of data reports and audits, data privacy, and ownership of intellectual property. It should also ensure transparency into fourth-party vendors (the vendor’s vendors).
Best practices for marketing vendor contract management includes storing all vendor contracts in a central location and highlighting key provisions, including costs, dates and other important terms and conditions.
It’s important to regularly assess the effectiveness of your vendor’s controls to understand whether your third-party vendor is performing as expected, including if it remains compliant with all laws and regulations. Controls should be tested regularly, and the institution should track whether vendors are meeting service-level agreements, performance metrics and other contractual terms as well as complying with legal and regulatory requirements. This ongoing due diligence should include monitoring the quality of service, risk management practices, financials and controls and reports. The results, along with the institution’s policies and procedures, should be used to decide if a vendor needs to be terminated or put on probation.
Real-time cyber monitoring can also help guard against data breaches and determine if your vendor is still a good partner.
Managing marketing vendor relationships may seem like a heavy lift. After all, the primary purpose of the marketing department is to generate leads and build the brand, not checking up on vendor compliance.
But good vendor management is good marketing because it protects your organization’s brand and reputation. It helps ensure that vendors are treating consumers with the same care and responsibility as your organization, and it reduces the likelihood of your organization receiving bad press. It also protects the marketing team, preventing the career damage that can result from being associated with an expensive or well-publicized mistake.
Marketing vendor management is also simpler than you think—if you are using the right tools. The key is to implement an organized vendor management program.
Develop a centralized, standardized process. Don’t reinvent the vendor management process every time a new third-party vendor joins your ranks. Make sure your organization has a vendor management program that addresses every step in the vendor management lifecycle—from risk assessments to monitoring. There should be a standardized approach for risk assessments to ensure consistency and thoroughness.
It should also be centralized and built into your vendor selection process. While it takes time to implement a system and train everyone to follow it, it is a huge time and money saver down the road by identifying and correcting potential problems early on.
Consider adopting a vendor management solution that can help minimize administrative tasks like updating due diligence by providing automated alerts and notifications. This way you spend less time on vendor management so you can focus on your main marketing objectives.
Don’t do it alone. The creative types in marketing may not feel well-suited for reviewing due diligence documents. Letting someone else collect and summarize these documents can give you more time for interpreting what the results mean to your organization. This can be a vendor manager at your organization if your organization already has a vendor management program, or it can be outsourced to outside experts.
Similarly, third-party cyber monitoring can be outsourced to your IT department or an outside provider to give you real-time information on third-party vendor cyber controls, including actionable alerts telling you what to do if a problem is detected.
If your marketing department doesn’t have a good vendor management program that risk assesses vendors, provides enhanced oversight of critical vendors, and actively monitors vendors for compliance, it’s got a gaping hole that could cost your organization thousands or millions of dollars in lawsuits and regulatory fines or damage the organization’s reputation in the community.
A little vendor management can go a long way to protecting your job, your department, and your financial organization.