The Sword of Damocles: Best Practices for Managing Vendor Risk

Like the ancient courtier Damocles who had a sword dangled over his head, banks are in a precarious position. Regulators can and do fine banks that fail to manage the risk posed by third-party vendors. This article is a guide for boards wanting to implement a successful vendor management program.

The economics underlying modern banking necessitate that certain operational functions be outsourced to non-bank entities. The prudential regulators recognize the benefits and efficiencies provided by third-party vendors—reduced costs, new product offerings and enhanced performance—but they also bemoan the inherent problems. To combat the risks caused by outsourcing, regulators expect all banking institutions to have in place written risk management programs, which mitigate operational risk, strategic risk, concentration risk, compliance risk, transaction risk, credit risk, legal risk and reputation risk. Federal regulators review these risk management programs during examinations to determine whether a financial institution’s third-party relationships create more risk than that financial institution can identify, monitor, manage and control.

Requiring banks to tailor their risk management plans to include third-party vendors is not a new regulatory initiative. Over the years the various federal regulatory bodies, including the Office of the Comptroller of the Currency, the Federal Reserve and the Federal Deposit Insurance Corp. (FDIC), have published guidance pieces that advise banks on how to best manage their third-party vendors. While the text of the guidance has varied, the crux of the message has remained constant: Boards of directors and senior management must manage third-party vendors to the same extent as in-house operations, and the two groups bear ultimate responsibility for any harm caused by a vendor’s failure to adhere to federal consumer financial law.

Customizing Your Plan

With that edict ringing in their ears, boards of directors and senior management rightfully worry whether their respective institution’s risk management plan adequately meets regulators’ expectations. Regulators have made clear that no single plan works for every bank; instead, each financial institution must customize its plan to address its individual risk profile. As a bank’s size and complexity increases, so must its risk management plan. With that being said, certain elements and qualities are routinely included in successful plans, regardless of the firm’s size. The suggestions listed below provide a framework for a comprehensive and successful risk management plan.

Step by Step

Step 1 List of Vendors:
The board should assemble a comprehensive list of all existing third-party vendors. This list may include only a few dozen vendors for smaller banks, or up to several thousand for larger institutions. For those institutions that are not able to query this information from their IT systems, enterprise-wide surveys offer a relatively cheap and time-friendly method of compiling the necessary data. Once the vendor list is completed, the board should implement a system to ensure that new vendors are added to, and old vendors are removed from, the list as necessary.

Step 2 List of Potential Risks:
The board and management should develop a comprehensive list of potential risks that result from vendor relationships. Understanding the inherent risks is critical to the board enacting the proper audit routines and measures that will be used to track the vendor’s adherence to applicable standards. In its white paper addressing this topic, consultants McKinsey & Company suggested that banks should establish certain “breakpoints” for each category of vendor and then assign a relative weight and importance for each breakpoint. For example, a bank could assemble a list of potential violations of the Fair Debt Collection Practices Act, which the bank would apply to any relationship with a third-party debt collector.

Step 3 Risk Categories:
Leveraging its master lists of vendors and potential risks, the board should assign a relative risk factor to each existing and potential supplier based on the supplier’s ability to disrupt and negatively impact the bank’s normal operations. Such a risk assessment is known as risk-based segmentation or third-party stratification. The board is free to establish as many categories as it sees fit, but a simple three-tiered scale of “high-medium-low” or “critical-material-minor” should be adequate. By assigning a relative risk factor to each supplier, the board can ensure that its bank’s resources are allocated efficiently and effectively. A simple but effective way to compile the information necessary to make the assignment is for the bank to create a questionnaire and require each vendor to supply certain answers. The vendor’s responses and supplied documentation should then be reviewed by an independent third party within the institution.

Step 4 Due Diligence:
According to McKinsey & Co., the nature of the due diligence required of banks has expanded beyond the traditional assessments for supplier, operations and IT security risks. Banks must perform due diligence for potential vendors that is commensurate with the vendor’s assigned risk category. Comprehensive due diligence involves a review of all available information about a potential third party, with a specific focus on the entity’s financial condition, relevant experience, knowledge of applicable laws and regulations, reputation, and scope and effectiveness of its operations and controls.

Step 5 Contract Structuring and Review:
After selecting a new vendor, management should ensure that both parties outline their specific expectations and obligations in a written contract. The board of directors also should establish a policy requiring its approval for any contract deemed to be above a certain risk threshold, which likely should be anything categorized as high/critical or medium/material. The FDIC’s guidance advises institutions to seek legal counsel for any significant contract, and also recommends contractual provisions that prohibit assignment, transfer or subcontracting by the third-party vendor to another entity “unless and until the financial institution determines that such [action] would be consistent with the due diligence standards for selection for third parties.” The board must also remain cognizant that indemnity agreements, no matter how strongly written, cannot obviate its ultimate responsibility for the actions of the financial institution’s third-party vendors. Finally, senior management should implement a system to track contract related events such as maturities and renewal dates.

Step 6 Oversight:
Much like the due diligence required before selecting a new third-party vendor, banks also are tasked with monitoring their existing relationships. The FDIC’s guidance requires monitoring of vendors that are considered to be “significant” or “material,” which includes: a new relationship or one that involves implementing a new bank activity; a function that will have a material effect on the bank’s revenues or expenses, or potentially could significantly affect earnings or capital; a vendor that will perform a critical function, market a bank product or service, or provide a product or perform a service related to subprime lending or card payment transactions; or a vendor that will store, access, transmit or perform transactions on sensitive customer information. Typical risk management plans call for due diligence annually for suppliers listed as high/critical, every 18 months to two years for suppliers listed as medium/material, and every three years for suppliers categorized as low/minor. The bank also should employ rules-based testing to ensure that only those areas that cause a potential risk are tested.

The board also should ensure that those employees tasked with monitoring are given the proper training, and that senior management regularly updates the board regarding the bank’s risk management program. Banks also should maintain a list of critical suppliers as part of their disaster contingency plans. Finally, banks should implement a quality assurance function whereby the institution tracks consumer complaints against its affiliated third-party vendors. Only through such monitoring can banks recognize troubling patterns or high frequencies of complaints against particular vendors.

While the federal regulators have not specifically exempted community banks from the third-party vendor monitoring requirements, the regulators recognize that community banks have simpler business models and fewer resources. Thus, the level of due diligence expected from a $50-billion asset bank will differ greatly from that of a $500-million asset bank. As explained by the FDIC, “The precise use of a risk management process is dependent upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risk identified.”

In summary, the federal regulators have tasked each board of directors with determining the proper level of due diligence and oversight required for the institution’s third-party vendor management program. After consulting with its bank’s federal regulator and its own senior management, the board must rely upon its business acumen and understanding of the bank’s operations to implement a system that is commensurate with the inherent risks.
