Vendors make promises. They say they’ll comply with applicable laws and regulations and that their security controls are impenetrable. They swear they’ll never violate the terms of their contract. But is that really what’s going to happen?
In an ideal world, financial institutions wouldn’t need to monitor vendors. Unfortunately, with the rapid increase in the size and complexity of third-party relationships (and the alarmingly high rate of third-party failures), FIs must continuously monitor vendors.
Ongoing monitoring ensures that vendors deliver products and services that advance your institution’s strategic goals while protecting it from damaging security breaches, financial loss, and business disruptions.
Financial institutions don’t have the luxury of hoping a vendor doesn’t make a mistake or act negligently. With ongoing monitoring, institutions can anticipate and remediate vendor issues before they become major problems. It empowers them to identify and take control of underperforming vendor relationships.
Table of Contents
Vendor monitoring is a regulatory requirement
What should financial institutions monitor?
Your vendor monitoring tools
Cyber monitoring is a must-have
Vendor monitoring systems
Regulators expect financial institutions to monitor their vendors. For banks, this requirement comes courtesy of the Interagency Guidance on Third-Party Relationships: Risk Management, released by the FDIC, Federal Reserve, and OCC in 2023. Other agencies, such as NCUA, have also focused on third-party monitoring in their supervisory guidance.
Regulators across the board are following the interagency guidance, which is viewed as industry best practice, and ensuring that expectations are met. The guidance spells out five steps for effective third-party risk management:
Ongoing vendor monitoring is highly “preferable” to examiners, but they don’t recommend a one-size-fits-all approach to vendor monitoring. Instead, they leave it up to financial institutions to determine their own third-party oversight policies and monitoring programs. These should be based on the nature and scope of their vendor relationships, the risks they pose, and the institution’s defined risk appetite.
Financial institutions don’t need to monitor every vendor with the same level of scrutiny – the company that provides catering services for your BBQs and holiday parties likely doesn’t require intense oversight.
FIs should focus monitoring efforts on critical or high-risk vendors: those that are integral to your institution’s operations or have access to legally protected consumer data.
Let’s drill down into what financial institutions should monitor with vendors.
Changes in Business Strategy: Has your vendor entered any new business arrangements? Do these increase risk or impact a vendor’s ability to meet its contractual obligations?
Financial Condition: In addition to audited financial statements and SOC reports, FIs should monitor public SEC filings and online news stories that point to possible financial troubles.
Regulatory Compliance: Determine if vendors continue to comply with applicable laws and regulations. This includes examining past performance: a vendor with a history of compliance-related issues requires more robust monitoring.
Audit and Test Results: Evaluate and monitor all relevant tests, audits, and reports a vendor provides to ensure they can still meet their contractual obligations. If there are weaknesses, address them with the vendor. Your institution may need to add or adjust controls to limit risk.
Insurance Coverage: Does your vendor still have the necessary insurance coverage to protect your institution? Has its policy recently lapsed? Can they provide a certificate of insurance upon request?
Personnel Qualifications: Does your third party have high employee turnover? How do they train new and existing employees? Financial institutions should monitor changes in staffing and employment to ensure vendors possess the necessary expertise and experience to execute activities successfully.
Subcontractors: FIs must monitor their third parties’ vendor risk controls. Do they have an adequate third-party risk management program?
Operational Resiliency: Monitor how your vendors respond to emerging threats and vulnerabilities. Do they make the necessary adjustments to their controls as situations evolve? Do your vendors have business continuity and disaster recovery plans in the event of an unforeseen service disruption? Review test results and, if needed, follow up to find out if identified issues have been corrected.
Information Security: FIs should monitor third parties' ability to maintain the integrity and confidentiality of banking data. This includes legally protected consumer data if a vendor has access to it. Review the data they have access to and whether it’s still needed.
Change Management: Are you monitoring your vendors' ability to change course when confronted with new economic circumstances or regulations? When a significant regulatory change takes place, follow up with the vendor and find out how they are adapting to it.
Complaint Management: Keep track of both external and internal complaints about vendor products and services. These complaints should be logged, classified, and examined for trends that could signal a problem. Also, pay attention to complaint data provided by vendors (which they should be required by contract to record and provide). Monitor response times to consumer inquiries and speed of remediation.
Financial institutions have tools available to monitor third-party risk. They just need to use them effectively.
Reports and Audits
Unless you plan on hiding in the bushes outside your vendor’s offices, you need to rely on reporting for third-party monitoring. But there are different types of reports, and some are more valuable than others.
For instance, vendor self-reporting on system uptime, cybersecurity controls, and penetration testing results can be useful. After all, vendors are in the best position to report on their own resiliency. The problem with relying entirely on third-party self-reporting should be obvious: you have to trust that the information is accurate and up to date.
Third-party reports and documentation (SOC reports, external audit and exam results, certificates of insurance, etc.) offer the objectivity that self-reporting lacks. But there are still limitations to how much protection reports and audits conducted by third parties provide. These reports are a snapshot in time and only tell you that vendors had their house in order during the testing or audit period.
Including audit rights in your contract with a vendor gives you more options. While you can’t waltz into your vendor’s business and demand an immediate audit, obligating vendors to disclose certain data on request promotes greater accountability and transparency.
FIs must recognize that none of the above reporting requirements are freely given. Your contract should spell out every monitoring report, test, audit, or exam you need. You must have service-level agreements in the form of contract provisions, modifications, and addendums that establish reporting requirements. Remember: if it’s not written in the contract, it doesn’t exist.
If there are too many documents to collect and review or they are too confusing for staff to interpret, document collection and review can be outsourced.
Negative news monitoring
Negative news monitoring is a valuable tool, letting your institution know about events or changes that could potentially impact your institution. If the company is acquired, sued, hit with an enforcement action, or in the press for unfair business practices, you want to know about it and assess the risk.
Performance Metrics
Contracts and service-level agreements (SLAs) outline expectations and obligations for the delivery of products and services. A financial institution should define and track specific metrics for ensuring these obligations are met.
For instance, has customer support been available and responsive within the promised timeline? If there was an outage, was service restored within your defined recovery time objective (RTO) and up to your recovery point objective (RPO)? Is the software loading as quickly as it should or is it frequently lagging? Are expectations for uptime being met or are you noticing outages?
Tracking these metrics and comparing them to SLA expectations helps you understand if a vendor is delivering everything it promises.
Vendor meetings
Regulators recommend periodic visits and meetings with third-party vendors. Talking face-to-face with a vendor over a video call is an effective method for promptly addressing any issues and strengthening communication and collaboration. Onsite visits are often unnecessary and not the best use of resources unless you are sending an auditor or someone else who is specially trained.
Mitigating cyber risk is a game of whack-a-mole. Cybercriminals are becoming more sophisticated and deliberate in their attacks, often using social engineering tactics to penetrate systems and hold financial institutions hostage.
FIs have information security policies and practices to safeguard against cyber threats, such as employee phishing awareness training and penetration testing.
The problem? Many cyber breaches result from third-party vulnerabilities. And a vendor isn’t going to invite your IT team in to conduct white-hat testing of their systems.
Vendor cyber monitoring helps your FI determine if third parties are using the latest security controls and whether they are certified in information security standards. Third-party cyber monitoring scours the internet and dark web, discovering online chatter related to pending attacks.
The benefits of vendor cyber monitoring include:
Determining a vendor’s cyber resiliency. Proactively monitoring a vendor’s cyber risk offers key insights into its security posture. Are the third-party cyber vulnerabilities you discover major or minor? Is your vendor reporting these vulnerabilities, or is your institution discovering them? How quickly does a vendor fix problems after they’re identified? It’s important to compare your findings with a vendor’s self-reports and any independent reports (SOC, IT audits) to ensure consistency.
Creating a paper trail. Cyber monitoring allows you to document incidents to report to examiners. It also enables you to uncover patterns over time. Has your vendor successfully resolved a detected cyber vulnerability, or are they still struggling with the same issues? Documenting cyber incidents helps FIs decide whether the risk of continuing to do business with a vendor is worth the reward.
Holding vendors accountable. What does your contract say about the timeframe for reporting cyber incidents? Through monitoring, you may discover that contractual agreements are not being honored. Cyber monitoring allows FIs to prioritize the most harmful (and persistent) vulnerabilities and seek remediation from vendors. In particular, you want to know that a vendor is meeting expectations with:
Technology is your friend in ongoing vendor monitoring. Financial institutions can benefit from solutions that store and track key vendor documents (reports, audits, insurance coverage, etc.); track vendor incidents; collect, analyze, and summarize vendor reports; quantify risk for each vendor; and provide consistent methodologies for assessing vendors by criticality.
It’s also essential to have a method for managing findings uncovered by vendor monitoring efforts to ensure issues are promptly corrected.
Ongoing vendor monitoring is not easy but with the right reporting and vendor risk management systems, financial institutions can adhere to regulatory requirements and better protect themselves from third-party risk.