In today’s fast-paced banking environment, most financial institutions use a number of third-party vendors to keep bank operations running smoothly. In a recent banking survey, 47 percent of banks cited the use of spreadsheets to help keep track of their third-party providers. While many banks have systematized vendor management and implemented new vendor management software, there are still a large number of banks that do not actively manage their vendors at all. Further still, there are some institutions that view “vendor management” as simply knowing who their vendors are based on a review of the bank’s accounts payable report.
While an accounts payable report allows the bank to keep track of each vendor partner and the services they provide, this is not what regulators are looking for when evaluating an institution’s vendor management program. According to the FFIEC IT Examination Handbook, having a comprehensive list of vendors means nothing if it is not being used to identify risks and manage compensating controls of those risks for each third-party service provider. Without a proactive approach to vendor management, banks are opening themselves up to increased levels of risk that can have a negative impact on the institution’s financial standing, compliance posture and overall ability to serve its customers.
Here are the top 5 consequences your bank could face by not having a solid vendor management program in place:
- Missing Yearly Opt-out Dates
Today, too many banks are taking a reactive approach to vendor management, which can lead to some major problems for these institutions down the line. For example, a bank may be unhappy with its current vendor and want to look for other alternatives, but in this reactive approach, the bank is really only managing its vendors when there is an immediate issue. When it comes to vendor management, proactively monitoring third-party providers and fully understanding the parameters of the vendor contract can help alleviate this by preventing an institution from being locked into a contract with a vendor that is not performing up to standards.
- Unnecessary Costs
Contract management represents a major component of effective vendor management and overall budgeting and profitability. We’ve found that once banks begin an efficient vendor management program, they have a better picture of how their money is being spent, as many discover that they’ve been spending money on services that their bank is no longer using. A common, simple example is a bank that had been spending $45 monthly on a phone line for a fax machine that was no longer in the branch. While by itself, this is a relatively small expense, when bundled with other incremental savings, it can lead to meaningful savings.
- Loss of Critical Bank Services
What would happen if your bank’s item processing provider went out of business without warning? For many community banks, this could lead to weeks of researching new vendors, evaluating each choice, and negotiating new contracts. For many banks, being without a critical service is not an option, so it is imperative that banks closely monitor their vendors’ financial statements and have alternative options in place.
- Vendor Cybersecurity Events
Without a solid vendor management program, financial institutions may actually be opening themselves up to increased cybersecurity risk. Community banks should understand that their cybersecurity posture is only as good as the cybersecurity of their vendors. Often, a third-party service provider can unknowingly provide a back entrance to hackers who are looking to steal sensitive customer data. Having a procedure in place to identify the risks associated with each vendor will help banks to effectively research third-party providers and help mitigate potential risks to the institution.
- Non-compliance With Government Regulations
Today, bank vendor management processes must align with examiner expectations or the institution runs the risk of being written up and receiving a low CAMELS score. If you are not properly tracking, reviewing, and heavily monitoring your vendors, your bank could be sitting on a time bomb. Some financial institutions haven’t received a written warning from examiners yet only because they haven’t had to update their processes for some time, or because the regulator was focused on another process at the time of the last review. In our experience, however, a bank is rarely written up for just one offense. If an examiner sees that the bank isn’t following through on vendor management, they may begin to look more closely into its business continuity plan or cybersecurity procedures as well.
Driving Compliance Through Technology
Since regulators have placed higher importance on how community banks manage their vendors, it can be extremely difficult (or impossible) to gain the required level of insight from a list or a spreadsheet. Simply knowing who your vendors are is not what regulators are looking for. Examiners expect banks to take appropriate steps to mitigate risk and keep the institution safe. Therefore, it is important to have a good understanding of which vendors have access to your institution’s data and how that impacts the bank’s ability to function on a daily basis.
Financial institutions can take a more proactive approach by including non-disclosure agreements, tracking vendor contracts, having a third party audit their vendors, and analyzing the existing and emerging risks. Banks should also confirm that their vendors have the right controls in place to serve the institution properly and have a backup plan in place should that vendor fail to perform. Proactively managing vendors allows banks to better meet regulatory demands, prepare for the unexpected and maintain their good reputation.