Jamie Davis, Education and Product Manager
According to several publications, vendor management is supposed to be the hot topic for examiners over the next year(s). Additionally, financial institutions have more products for clients and more regulations to follow than ever before. With the growth and complexity of vendor management, compliance, and new banking products, the only option in many cases is to outsource certain functions. Several news sources have published recent articles reporting that outsourcing is most likely your best and least expensive way to operate. So kick back, relax, and enjoy life: you just outsourced, right? Wrong: there are two problems with this line of thinking. One, you’ve outsourced jobs that didn’t even exist ten years ago; you still have to do the one job that has made your life so hectic for the last twenty years. Two, now someone has to manage or monitor the vendors. The more vendors you have, the more effort it takes, and as we stated a minute ago, you probably have more vendors than ever before. If you are thinking what I’m thinking, then there is an easy way out: just hire a vendor to manage your vendors. Bingo, problem solved. Now, if you can just figure out a way to get the Board to go along with this.
In the meantime, you may want to consider other options. To start with, you may want to create a vendor list. This is a list of vendors on which you have done your due diligence: these vendors do background checks, have a nondisclosure agreement with you, and may be able to provide you with their financials annually. So when work needs to be done, you can check your approved list to see if anyone on it can fix your issue or provide the appropriate service. There will be times when no one on your list can provide the needed service; then you will need to do your due diligence and add another vendor to your approved list. This list will most likely grow over time, and you should revisit it yearly to ensure everyone on the list still meets the needed criteria.
To make this compliance step official, you probably should go ahead and create a policy. You have a policy for everything else, so why not add one more for vendors? Verifying the identification of a vendor’s employee is always important; the number one social engineering trick is showing up as a “supposed” vendor. You may want to define the appropriate steps to take before allowing a vendor to begin work. Employees should look for an ID badge, call the business to confirm employment, and check with the employee who requested the service to ensure the need for the vendor. You don’t want a “supposed” printer repair man snooping around your back office if no one called to have a printer fixed. Be sure the vendor signs in if they will be in a secured area of your building. This way you have a log of who was there, when, and for how long if something comes up later. Some institutions I have spoken with require a vendor, especially a new vendor, to be accompanied by an institution employee when in secure areas. This may be more feasible for some of you than others, but it is worth considering.
As with other compliance measures, there are several keys to success: Policy, Monitoring, and Training. After you have defined approved vendors and put a policy in place, you must train your employees. First, be sure that all employees know the appropriate steps to identify people. Whether it is a phone call from a possible customer or an in-person visit from a possible vendor, employees must know what the rules are for identification. This should be at the forefront of their minds and not an afterthought. Second, all employees must realize that vendors must be selected judiciously. When a service is needed, they must consult the ISO to confirm the vendor is approved before signing a contract. Lastly, everyone should be trained on confirming and monitoring a vendor who is on-site. This may seem like a lot, but once implemented, it should be relatively simple to manage. Processes make perfect.