Regulators recognize that third-party vendors play a critical role in delivering products and services and take compliance with vendor management regulations very seriously. What are they looking for?
1. Documented processes. Vendor management isn’t an ad hoc activity. It’s a thoughtful, strategic exercise in keeping your financial institution and the customers, members, and consumers it serves safe. Examiners expect to see a documented plan for managing vendors and ensuring they remain compliant.
2. Identification of compliance risks. It’s hard to guard against a risk if you don’t know it exists.
3. Ongoing vendor management and compliance risk management. Just because a vendor is compliant today doesn’t mean it will be compliant tomorrow. There needs to be ongoing monitoring of vendors to determine whether anything has changed that would affect their ability to remain compliant—including keeping up with regulatory change.
4. Justification for decisions, including how risk is identified, managed, and mitigated. Why did the FI decide to outsource? Why are vendor management and the compliance management system structured the way they are? It’s not enough to simply have policies and procedures. Examiners want to see the logic behind them. If you can’t make a good business case for your decisions, it can call your whole program into question.
5. Resources to analyze reports and carefully negotiate and track contracts. One of the reasons FIs outsource to vendors is because they don’t have the internal resources to accomplish a task—but that doesn’t mean an FI won’t need to expend any resources on that activity. When calculating the costs and benefits of outsourcing to a third-party vendor, don’t forget to include the resources necessary to oversee the vendor and analyze reports as well as contract management. These resources are essential to a compliant vendor relationship.
6. Vendor management ties into the CMS. Vendor management and the compliance management system work best as a pair. Compliance wants to be certain that vendors are compliant. Vendor management wants to know the rules and regulations vendors need to be following. If the two areas aren’t linked, they can end up duplicating each other’s work—or an important element may get lost in the shuffle.
7. Evidence of board and management oversight. Vendor management is such an important issue that the board and management need to be involved, especially when it comes to critical vendors. Make sure you document board meetings, minutes, and reports dealing with vendor management.
8. Understanding of how vendor selection ties into ERM. Outsourcing to a vendor isn’t just a question of resources and convenience. It’s about strategy. Risk plays an important role in ensuring that an institution’s mission, vision, and values influence its strategy, its strategic plan, and ultimately its strategic success. Selecting a vendor is about aligning the benefits of the vendor relationship with the FI’s risk tolerance.
Want more insights into vendor management and compliance best practices? Download our whitepaper Vendor’s Keeper: Top Tips for Making Sure Your Third-Party Vendors Aren’t Creating a Compliance Nightmare.