Vendors play an important role in the financial services industry. Financial institutions rely on third-party service providers to offer specialized services and technology assistance that help improve the overall quality and efficiency of their organizations.
To perform these services, vendors often must access, transmit, store or process sensitive information, including customers’ personal information. Financial institutions are responsible for managing the inherited risk, which is the residual risk the institution acquires, or inherits, from each service provider. Financial institutions must be aware of and responsible for any cybersecurity risks of their vendors and the potential for those vendors to expose the bank or credit union to additional risks.
Regulators have issued guidance to help in understanding and managing the risks associated with outsourcing a bank activity to a service provider. To remain in compliance with governing organizations, it is important for all financial institutions to strengthen their vendor management programs. These enhancements safeguard the confidentiality and availability of the data and also minimize the impact if a data breach occurs.
To help your community financial institution execute vendor management safeguards, here are some best practices for implementing a successful, secure and compliant vendor management program.
Centralize Vendor Information
To efficiently manage multiple vendors and all the activities involved in managing a vendor relationship, it is important to have all information housed in one centralized location. It also serves as a central repository for regulatory reporting.
Have a list of all vendors that conduct business with the financial institution and rank each vendor according to its level of access to critical data and its importance to operational activities. For most institutions, only about 10-15% of vendors are considered high risk, but all outsourced relationships must be risk-assessed. Establish risk tiers and implement different controls for the different risk levels.
Review Controls and Perform Due Diligence
Once risks have been assessed, the financial institution should perform due diligence for all vendors, with the intensity of the effort commensurate with the risk category: low-risk vendors may only need a cursory review, while high-risk vendors need a deeper dive. Due diligence activities include reviewing and assessing the vendor's financial health; its knowledge of and familiarity with the financial services industry and banking regulations; and the information security controls in place and its ability to recover from breaches or disasters. These activities and the vendor relationships need to be documented, and procedures put in place that ensure the vendor information is updated and monitored on an ongoing basis. These same procedures must also ensure that service providers are complying with any applicable consumer finance laws and regulations, and have a plan in place to identify and promptly address problems.
Proper Documentation and Reporting
In order to comply with newly implemented FFIEC regulations, every bank and credit union must be able to provide proper documentation on the monitoring of its vendor management program. This documentation should include (at a minimum) a current inventory of vendors, due diligence results, contracts, risk management reports, reports to the board of directors and independent review reports. It should also be able to easily identify all high inherent risk vendors and all high residual risk vendors.
Following these steps will help ensure your financial institution is in compliance with the regulations and guidelines around vendor management. Ultimately, it is the financial institution's responsibility to ensure all sensitive data is protected. Implementing the above processes and procedures will help create a solid vendor management program.