Let’s face it, managing multiple vendor relationships can be a headache! Today many financial institutions are looking to streamline their IT vendor relationships as much as possible and want vendors and core providers that will include all their products and services in a single contract. While that may seem nice and easy from a vendor management perspective, it concentrates risk in that one vendor, which runs counter to FFIEC guidance.
Understanding the Compliance Risks
In fact, earlier this year the FFIEC issued an update to the Business Continuity Handbook to help financial institutions understand and manage the risks associated with outsourcing a bank activity to a service provider. The new appendix, Appendix J, entitled Strengthening the Resilience of Outsourced Technology Services, focuses on third-party oversight and cybersecurity, confirming that these two areas will come under ever-increasing scrutiny.
One-Stop Shops Increase Your Compliance Risks
While having one vendor to manage may seem like a good idea, putting all your eggs in one basket concentrates your risk factors. It is wiser to work with several vendors, which spreads out risk and does not force an institution to rely solely on one service provider. This can be a challenge if you work with a core vendor or processor that bundles all services together.
The intertwined relationship between the financial institution and the core processor that bundles all services makes it difficult for the institution to make IT changes and leaves little room for negotiation with their network monitoring services. The more services your institution has with core processors, the less you are able to negotiate on renewal pricing. In addition, if you switch core processors, you run the risk of being charged a fee for converting from one platform to another. If your financial institution’s internal network servers are intermixed with core banking servers and you decide to switch your core system, your IT network and IT management system will need to change or be modified.
A majority of core providers have acquired their IT network management provider. The acquired companies usually have a large cross section of core clients, but once acquired, these IT service providers are primarily interested in servicing and growing their core provider relationships. Core processors that build their own IT managed services internally often don’t have the experience and understanding of how to make other core systems run optimally with IT networks.
Working with an IT network management provider that is owned by a core banking software provider different from your bank’s core system is not a good long-term strategic fit for your bank. The core-owned IT management services companies are focused on their parent company’s core banking systems. Their knowledge of other core systems will diminish over time, and their real interest is in being a one-stop shop for their own core clients. There is often finger pointing between a bank and its core provider over network issues, and these situations will only be exacerbated by such a relationship.
Assessing and Minimizing Non-Compliance Risk
When performing your institution’s risk assessment for IT network management, some areas to consider are the timing of your bank’s core renewal, the likelihood your bank may change core processors, and the likelihood your bank may acquire another bank. In addition, track the year-over-year count of banks running your same core processing solution that are supported by your IT services provider. If that number is going down, the risk of losing expertise specific to your institution’s configuration also goes down.
In order to avoid these pitfalls, it is important to separate IT network operations providers from your core system. Having separate support providers also strengthens the network from a security standpoint, increases flexibility and addresses the FFIEC vendor diversification issue. This separation provides you with the flexibility needed to make changes easily or independently, make the best decisions on internal network management, and not be tied to one vendor to manage IT network activities and core banking functions.