Nsight Blog | Ncontracts

TPRM 101: What is a Critical Vendor?

Written by Michael Berman | Apr 25, 2024 3:00:00 PM

Financial institutions often ask for a list of universal critical vendors. They assume there must be a master list of industry-designated third parties that are always critical, and they are inevitably disappointed.

There is no universal list of critical vendors. A vendor's criticality depends on the institution contracting with it, its access to protected consumer data (or banking proprietary data), and how significant its services are to a financial institution’s operations.

Consider a core provider. A financial institution’s core provider is absolutely a critical vendor. But if a company that provides cores also offers BSA training, and an institution only uses that vendor for BSA training (the institution’s core comes from another provider), the vendor isn’t critical to the financial institution. It doesn’t have access to protected data. If the vendor fails to perform as promised, it will not significantly impact the bank.

A critical vendor for one institution might not be a critical vendor for another, and vice versa.

Financial institutions must understand who their critical vendors are to implement the right risk controls and satisfy regulatory requirements. Critical vendors require greater due diligence, more thoughtful and deliberate contract negotiations, and ongoing monitoring throughout the lifecycle of the relationship.

Here, we will give you a high-level overview to help you identify your critical vendors and discuss how to manage the risks of these third-party relationships.

Table of Contents

  • Identifying your critical vendors
  • Vendor risk categories
  • Managing critical vendor risk
  • Takeaway: Managing critical vendors is about having the proper tools

Identifying your critical vendors

Regulatory guidance on what constitutes a critical vendor is deliberately vague. The agencies often refer to high-risk, significant, or critical vendors and the need for enhanced due diligence and oversight of these third-party relationships. But because the criticality of vendors differs by institution, the agencies can't offer a one-size-fits-all definition.

For example, a bank might consider its telephone provider a critical vendor if it has only one option for telephone service. A bank with numerous telephone providers would likely not consider this vendor high-risk.

The recent Interagency Guidance on Third-Party Relationships: Risk Management offers banks a three-part test to determine whether a vendor is high-risk.

According to the guidance, critical vendors are those that:

  • Would cause an institution to face significant risk if the vendor failed to meet expectations 
  • Have a significant impact on customers 
  • Have a significant impact on an institution’s financial condition or operations

Each financial institution must identify its critical operations and the third-party partnerships that support them. These standards vary from institution to institution, but here are some good questions to get started. If the answer to one of these questions is yes, it might be a critical vendor.

Operational risk

Does (or would) your vendor:

  • Perform critical functions (payments, clearing, settlements, custody, etc.)
  • Provide lending products or services, card payment transactions, or deposit-taking arrangements like affinity programs
  • Create significant continuity/resilience risk if it fails to meet expectations
  • Significantly impact operations if the institution has to find an alternate third party or if the outsourced activity has to be brought in-house
  • Represent the only vendor available

Compliance risk

Does your vendor:

  • Have access to sensitive customer or institutional information
  • Provide a service that exposes the financial institution (FI) to risky consumer protection regulations
  • Pose a material compliance risk

Financial risk

Does your vendor:

  • Have a material impact on revenues or expenses, or pose a risk that could materially impact earnings, capital, or reputation
  • Require a substantial resource investment (including the cost of the actual product/service plus the resources to oversee the relationship and manage its risk)

Strategic risk

Does your vendor:

  • Expose your financial institution to new activities
  • Substantially expand your geographic market, or offer products or services to a large number of your consumers
  • Impact the execution of your institution's long- or short-term strategic vision

Reputation risk

Does your vendor:

  • Directly market products or services that could cause customers to experience financial loss
  • Involve ESG risk


While financial institutions can consider other factors, criticality is not always cut and dried. Take annual cost as an example. Some financial institutions consider cost a factor in identifying critical vendors. If you've hired a construction firm to remodel branch locations, this will be an enormous expense. But that doesn't make the construction company a critical vendor requiring the same due diligence and documentation (SOC reports, financial records) as other high-risk vendors.

Another mistaken standard is reputation. Just because a vendor has a sterling reputation doesn’t mean an institution can skimp on due diligence. If the vendor poses enough risk, it needs thorough vetting.


Vendor risk categories

How many vendor risk categories do you need? Some financial institutions stick with low, medium, and high risk. But characterizing all critical vendors as high-risk may not be a refined enough approach.

FIs may classify critical vendors as low-high risk, medium-high risk, or high risk, depending on their access to sensitive data and their potential impact on banking operations. Some have a tier for vendors that have access to GLBA data but aren't otherwise high-risk. Evaluating the number of critical vendors your institution partners with (and ranking them accordingly) is essential to third-party risk mitigation.


Managing critical vendor risk

Now that we have identified ways to determine a vendor’s criticality, let’s jump into how financial institutions can manage critical vendor risk.

Planning

Critical vendors require more planning and consideration. FIs should consider:

  • The strategic purpose of the arrangement and how it aligns with your institution's business goals, risk tolerance, and internal policies
  • A vendor's interaction with and impact on banking consumers
  • Estimated costs of the third-party relationship
  • Access to IT systems and confidential information
  • Ability to oversee and manage the risks of the third party's activities
  • Plans to onboard another third party or bring an activity in-house if necessary


Due Diligence

Financial institutions should evaluate the following for critical vendors:

  • Financial statements (self-reported statements, public SEC filings, SOC reports) 
  • Consumer complaints filed with agencies such as the FTC and CFPB 
  • Past litigation and outcomes 
  • Qualifications of key personnel, including succession planning, background check policies and procedures, and employee training 
  • Information security controls (SOC reports, independent audits, data backup capabilities) 
  • Business continuity and disaster recovery plans, policies, test results, and redundancies 
  • Subcontractor arrangements 
  • Insurance coverage and indemnification

Risk Assessments

All vendors need risk assessments, but critical vendors require more thorough and frequent assessments to identify new and emerging risks. Inherent risk is the risk of the relationship without any controls; residual risk is the risk that remains after controls are implemented. Risk assessments enable financial institutions to understand whether their vendor risk controls bring residual risk within their defined tolerance.

Third-party risk assessments are not a one-and-done process. You'll need to update them as new regulations emerge, your institution’s risk tolerance changes, and vendors offer new products and services.

Contract Negotiation

Contract negotiations with third parties are vital, especially for critical vendors. Service-level agreements (SLAs) are contractual provisions that establish expectations for the delivery of products and services.

Does your contract stipulate uptime for technology providers? What are the financial consequences if vendors fail to deliver? Given their importance to your institution's operations, FIs need quantifiable and trackable performance benchmarks for critical vendors. It's also important to write access to audits and other due diligence documents into the contract, because a vendor is not otherwise required to provide them.

Vendor Monitoring

Critical vendors require more monitoring and oversight than low or medium-risk vendors. Increased oversight of these third parties might include cyber monitoring, negative news monitoring, and the right to audit.


Takeaway: Managing critical vendors is about having the proper tools

It's easy to become overwhelmed with the process of identifying critical vendors and managing the risks they present. Financial institutions might have hundreds (if not thousands) of vendors. But with the right vendor management solution, FIs can successfully manage the risks associated with critical vendors.

FIs gain a distinct advantage when they have a system for storing and monitoring essential vendor documents. These systems help institutions create customizable risk assessments, classify vendors by criticality, and engage in continuous monitoring.

More questions about critical vendors? Check out our webinar: "What a Difference a Vendor Makes: Determining Your Critical Vendors."