Financial institutions rely heavily on third-party service providers to offer specialized expertise and services to ensure the institution is successful – something reflected by the results of Safe Systems’ recent 2017 Community Bank Information Technology Outlook Study. In fact, when you add up the number of third-party providers associated with a single institution, the total can be staggering. Results of the study indicate that 32% of respondents currently manage 1-25 vendors; 31% manage 26-50; and 28% manage between 51-100 vendors.
The responsibility for properly overseeing outsourced relationships and the risks associated with that activity ultimately lies with the institution’s board of directors and senior management. It is the Information Security Officer (ISO), or sometimes the CIO or CTO, who is responsible for communicating with the board and helping it manage the process. Unfortunately, sometimes senior management and/or the board may not fully understand the need for comprehensive vendor management, or the pitfalls of neglecting due diligence of service providers.
In order to communicate effectively with the board, the ISO must first thoroughly understand exactly what examiners are looking for. Federal regulators have recently issued guidance to help institutions better understand and manage the risks associated with outsourcing a bank activity (including functions that support a bank activity) to a service provider. The FFIEC IT Examination Handbook was revised to guide banks, their boards of directors and management on how to properly establish and maintain effective vendor and third-party management programs.
Understand Examiner Expectations for the Board and Senior Management
Lack of board and management involvement has direct consequences. Inability to prove board oversight can lead to a poor CAMELS score (and subsequent FDIC insurance premium increase), enforcement actions such as an MOU (Memorandum of Understanding), or financial penalties. Examiners expect the board and senior management to develop and implement enterprise-wide policies to govern the outsourcing process consistently. These policies should address outsourced relationships from an end-to-end perspective, including establishing the need to outsource a function, selecting a provider, negotiating the contract, monitoring the vendor regularly, and discontinuing the business relationship. Examiners also expect to see evidence that an institution’s higher-risk vendor relationships receive additional scrutiny above and beyond providers that present less risk to the institution.
Streamline Vendor Management Oversight
While it is more important than ever for the board of directors and management to oversee and manage the risk associated with vendors, many continue to struggle with the best way to accomplish this efficiently and successfully. According to the survey, 48% of respondents are still using a basic spreadsheet to manage their vendors. While this may have worked in the past, regulators now expect every vendor to be assessed, an expectation that easily overwhelms a manual process. In addition, spreadsheets provide no proactive alerting mechanism for expiring contracts and upcoming vendor reviews. They also do not support collaboration across the organization, and they make producing management reports and documentation more challenging than it should be.
Many financial institutions are looking for ways to manage their outsourced vendors more effectively, protect themselves from the associated risk, and meet regulatory and compliance requirements. Oftentimes, financial institutions determine that implementing an industry-specific, automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions built around the specific needs of all of the key players within the financial institution saves a tremendous amount of time and money, reduces risk and eliminates compliance headaches. A complete vendor management system ensures your board of directors and management are notified of all of the critical activities and actions required to effectively monitor a third-party relationship, ensuring all risk assessments, controls reviews and documentation are up to date.
Communicating with the board of directors and upper management can be a daunting task, but it is extremely important for financial institutions to ensure the appropriate people are involved in their vendor management program. Doing so not only saves the financial institution time in the long run by helping to focus resources, but also helps protect it from future poor exams, penalties, fines and additional regulatory scrutiny. Ultimately, it is the Board of Directors' responsibility to protect the institution and its sensitive data. Having buy-in and participation from the Board and Senior Management helps ensure that this important Information Security process gets the attention it requires.
For more information, please download our complimentary white paper, 2017 Community Bank Information Technology Outlook Study.