While the issue of vendor management and oversight is not new to the financial services industry, recent enforcement actions and regulations from the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB) and the Federal Financial Institutions Examination Council (FFIEC) have given financial institutions a new set of regulations to follow.
The Times They Are a-Changin’
In fact, earlier this year the FFIEC issued an update to the Business Continuity Handbook to assist financial institutions in understanding and managing the risks associated with outsourcing a bank activity to a service provider. The new appendix, Appendix J, entitled Strengthening the Resilience of Outsourced Technology Services, focuses on third-party oversight and cybersecurity, confirming that these two areas will come under ever-increasing scrutiny. Banks are now, more than ever, encouraged to conduct due diligence and take their own steps to ensure vendors address security gaps.
The definition of service provider has expanded, which means that most institutions will need to extend their list of managed vendors well beyond those that provide banking services. The Federal Reserve issued a regulatory update in 2013 titled “Guidance on Managing Outsourcing Risk.” In it, the Federal Reserve defined “service providers as all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.”
Regulators know that the vast majority of financial institutions outsource at some point; in fact, recent studies put the number of financial institutions that transmit, process or store information with third parties at more than 90 percent. They also know that most recent cybersecurity incidents affecting financial institutions involved third-party service providers.
Cybersecurity is an additional reason for enhanced vendor management
Why? Because banks must manage the “inherited risk” of their vendors. Inherited risk is the residual risk the institution acquires, or inherits, from each service provider. Banks must be aware of, and responsible for, the cybersecurity risks of their vendors and the potential for those vendors to expose the bank to additional risks. Incident response is also an area financial institutions need to monitor and control, because when preventive controls aren’t effective, responsive controls must compensate.
Spreadsheets are simply not enough
Most community financial institutions do not have a formal internal department dedicated to vendor management and have historically failed to stay on top of their third-party relationships because of a lack of manpower and resources. In fact, only one out of 300 of our clients has a dedicated vendor relationship manager. Instead, this position usually falls under the IT department on a part-time basis, and many institutions still perform the process manually. About 90 percent of our clients keep track of their vendor management activities manually using Excel. However, for an average community financial institution to properly perform vendor due diligence and vendor management, some form of automation is required, because managing ongoing due diligence and contract tracking across multiple vendors is a very time-consuming task.
In addition, a particular set of skills is required to adequately perform this important function. The person responsible for vendor management must be able to maintain their expertise on an ongoing basis, have the time to work closely with the business manager who owns the relationship, be able to work with the vendor or other stakeholders within the bank when necessary, and have a strong technology background and a genuine understanding of banking and financial services.
With regulators now demanding greater control and accountability from financial institutions, how will your financial institution enhance its vendor management program?