Nine Vendor Risk Management Tips for the Board

2017 is already proving to be a very difficult year for bank boards. While being on a board can be a rewarding experience, increasing regulatory pressures certainly don’t make the position and its corresponding responsibilities any easier.

One particular area of intense focus by the regulators is third-party risk management. Ultimately, the regulators have stated that it is your responsibility to ensure that you have a third-party risk program in place that addresses your vendors and the level of risk they pose.

Aside from potential enforcement actions and fines from the regulators, an inadequate third-party risk program can leave your institution ill-prepared or vulnerable to a host of issues. Worsening vendor financial performance could be an indicator of woes to come, such as poor customer service, bugs and issues with its system. Banks that auto-renew vendor contracts could miss a chance to re-negotiate old contracts.

Poor due diligence could mean partnering with a vendor that is damaging to your institution’s reputation. For example, if you don’t understand where customer complaints are coming from and why, regulators could question your ability to properly oversee and monitor your vendor’s performance and manage the corresponding impact on your customers.

While there will always be unforeseen issues you cannot avoid, having an effective third-party risk policy and program in place can ensure your full compliance with the guidance and help steer you to partnerships that will benefit your institution.

And, even when those unforeseen issues do occur, and they will, you’re better prepared to react in an effective and organized manner. To help, here are nine tips to keep you on the right path.

Nine Vendor Risk Management Tips for the Board

1. Read and understand the guidance from your primary regulator as it pertains to third-party risk management. There are key expectations clearly identified in the guidance and they should give you ample fodder for asking your institution’s senior management team pertinent questions.

2. Set expectations and tone from the top. Make sure that from senior management all the way to the front-line customer service representatives, everyone understands his or her responsibilities when it comes to compliance with the rules, as well as how your organization wants to handle vendor-risk management.

3. Have your vendor risk management program thoroughly reviewed for any possible deficiencies and focus on areas that are often overlooked, such as fourth-party risk management or reviewing third parties’ procedures for complaint management.

4. Automate your third-party risk program. Most institutions have already taken the steps away from Excel and other spreadsheet programs in favor of ones that help to manage a complicated network of vendors and regulatory expectations.

5. Involve your internal audit department, compliance team and counsel in evaluating the effectiveness of the vendor management program.

6. Strongly consider making vendor management directly accountable to the board or the most senior risk committee at your institution. Firmly establish its independence from the various lines of business and ensure the needs of vendor management do not fall on deaf ears. Ensure that any issues raised, whether in the course of normal business or during examinations, are promptly and thoroughly addressed.

7. Invite the head of your vendor management program to report regularly at board meetings. A standard set of reports is adequate, but make sure that any concerns or significant issues are clearly called out and reflected in the minutes of the meetings.

8. Ensure those involved in vendor management have adequate resources, such as staffing and a high enough budget, as well as ample training and experience to do the job well. Seek outside independent expertise or outsource tasks where needed, particularly for highly technical items such as business continuity plan reviews or SSAE 18 analysis (attestation standards issued by the American Institute of CPAs).

9. Ask pertinent questions and drill down when anything seems amiss. Use industry news, new regulations and enforcement actions as opportunities to view your own vendor management program through that lens and see if there are areas of concern that should be addressed.

The world of vendor management isn’t easy and your job as a director is incredibly complex and overwhelming at times. Fortunately, done well, vendor risk management can also be a significant strategic advantage, allowing you to do business with well-managed companies in a compliant and cost-efficient manner.

Venminder Library: CFPB guidance 2016-02; FDIC FIL-44-2008; OCC Bulletin 2013-29; OCC Bulletin 2017-21; FFIEC Appendix J

The Three Top Reasons For Vendor Consolidation

Why should banks and credit unions consider consolidating their vendor relationships? Here are three top reasons why:

1. Save Time And Money
Banks and credit unions that reduce the number of their vendor partnerships can increase their operational efficiency and productivity. When an institution partners with multiple vendors, typically that means staff has to deal with multiple back-end systems, often accessing each system numerous times a day and struggling to keep abreast of all of the updates for every system. Sometimes, staff is even unnecessarily bogged down with having to deal with duplicative systems from multiple vendors.

Consolidating vendor relationships also can significantly reduce the amount of training for staff as well as for customers. Bank and credit union staff typically has to train customers on how to use vendors’ private-labeled portals, and that can be time-consuming, particularly if a financial institution uses multiple vendors with multiple portals. But if an institution uses the same vendor for multiple solutions that all have the same look and feel and the same technology, then training of both staff and customers is significantly reduced.

When banks and credit unions are able to negotiate fewer contracts, they can conduct less due diligence on potential vendors, as well as get more for their money by reducing the amount of monitoring and reporting required for risk assessment and compliance. On the other hand, having multiple contracts with multiple vendors adds even more burden to staff because they will also have to monitor different contract term dates for renewal, and then they’ll have to determine how one expiring contract could impact solutions from other vendors.

Furthermore, when a bank or credit union uses fewer vendors, the institution has more negotiating power because it concentrates more dollars with the remaining vendors. The higher the volume provided to a vendor, the more likely it will offer its best pricing, resulting in lower cost.

2. Save On Vendor Due Diligence
Financial institutions are increasingly responsible for keeping up with the third-party vendor management requirements of the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Federal Reserve, and for state-chartered institutions, the requirements of state regulators.

For example, the FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008) provides four main elements of an effective third-party risk management process: risk assessment, due diligence in selecting a third party, contract structuring and review, and oversight. But today there’s even more heightened scrutiny, as a number of high-profile security breaches of major vendors have caused regulators to make sure that financial institutions are actually taking all the necessary steps spelled out in the regulations, such as the IT handbook of the Federal Financial Institutions Examination Council (FFIEC).

Banks and credit unions can find it very time-consuming to conduct the proper due diligence and ongoing monitoring on each vendor. By partnering with one vendor, financial institutions can significantly reduce their compliance burden.

3. Help Customers
Consolidating vendors can enable banks to greatly elevate the experience for their customers, by providing a single platform that is easy to navigate. Banks may also have access to additional monitoring and reporting of customer activity to help prevent and detect fraud.

Vendor consolidation can provide substantial return on investment by saving time and achieving cost savings, as well as reduce regulatory burdens by providing the right monitoring and reporting to meet compliance requirements. Partnering with one vendor can not only save time and money and boost return on investment, but also enhance customer loyalty by elevating the user experience on the platform.

Why Banks Are Buying Design Firms

Within the past 18 months, two of the industry’s more innovative banks have made some seemingly odd acquisitions. McLean, Virginia-based Capital One Financial Corp., in October 2014, acquired Adaptive Path. The Spanish-based BBVA (Banco Bilbao Vizcaya Argentaria) acquired Spring Studio in April 2015. The common thread between these acquisitions? Both are San Francisco-based user experience and design firms.

Banks are seeing a critical need to improve customer experience, says Norm DeLuca, managing director of digital banking at Bottomline Technologies, a technology provider for commercial banks. He believes that changing consumer expectations and competition both within the industry and from fintech startups are contributing to a heightened focus on user experience. “One of the biggest differentiators that fintechs and new innovators lead with is a much simpler and [more] attractive user experience,” he says.

Customers increasingly identify their financial institution through their online experiences more than personal interactions, says Simon Mathews, chief strategy officer at San Francisco-based Extractable, a digital design agency. He believes that Capital One and BBVA found a way to more quickly improve the digital experience at their institutions. It’s a relatively new field, and good user experience designers aren’t easy to find. “What’s the quickest way to build a team? Go buy one,” says Mathews.

Design is only one piece of the puzzle. “Great design is important, but it really is only the tip of the iceberg on user experience,” says DeLuca.

A bank can’t expect to place a great design on top of outdated technology and create a good user experience, says Mathews. Data plays a key role. Customers with multiple accounts want to see their total relationship with the bank in one spot. That requires good, clean data, says Mathews.

The products and services offered by a financial institution need to be integrated. Can the customer easily manage and access separate products, such as loans and deposit accounts? Often, the process can be disjointed, and it’s a competitive disadvantage for the bank. “You might as well be buying from separate providers, if the experiences are separate,” says DeLuca.

Data analytics can also help banks personalize products and services for the customer, says Stephen Greer, an analyst with the research firm Celent. The industry is spending a lot on data analytics, “largely to craft that perfect customer experience,” he says.

While technology can be updated, organizational challenges are more difficult to overcome. Banks tend to operate within silos (deposit accounts in one area, wealth management in another), and that doesn’t align with the needs of the consumer. “They don’t think, necessarily, about the total experience the user has,” says Mathews. “Users move fluidly between [delivery] channels.”

Great user experience requires “a really deep understanding of customer’s lives, and the environment they’re in, and what they’re trying to do and why,” says Jimmy Stead, executive vice president of e-commerce at Frost Bank, based in San Antonio, Texas, with $28 billion in assets.

Many banks rely on vendors for their technology needs, but “if the user experience relies on the vendors that they’re working with, and those vendors have solutions that are not customizable, then it’s really hard for them to address the customer experience,” says Alex Jimenez, a consultant and formerly senior vice president of digital and payments innovation at $7.1 billion asset Rockland Trust Co., based in Rockland, Massachusetts.

According to a June 2015 poll of banks and credit unions conducted by Celent, more than one-third rely on the user experience supplied by the bank’s vendor for online banking, mobile and tablet applications, with minimal customization. Realizing the increasing importance of the online channel, Frost Bank decided to build its own online banking platform internally in 2000, and continues to manage its user experience in-house. The bank still works with vendors, but is picky when it comes to those relationships. “How can we integrate them seamlessly into our experience?” Stead says he asks of vendors.

Today, expectations are shaped by Apple and Amazon, companies that have done a great job of defining the consumer experience. While more innovative banks like BBVA and Capital One are making user experience a priority, many financial institutions don’t provide a cohesive digital experience, or let their website and mobile app lag behind consumer expectations.

“We can’t fall too much in love with what we have today,” says Stead. “Technology moves so fast.”

Getting Started With Third-Party Risk Management: Two Key Questions

Banks often outsource technology services to third-party vendors. In light of increased regulatory attention and third-party involvement in day-to-day business operations, many bank boards and senior management teams are considering their approach to developing a third-party risk management program. A thoughtful approach based on an initial assessment of the bank’s current state can result in better risk management and compliance that aren’t overly burdensome. Addressing two important questions will help begin the process of successfully launching an effective third-party risk management program.

Does our bank have a full inventory of its contracts and agreements?
While most banks have some type of contract management system, many typically use low-tech storage facilities—like databases of scanned copies or even hard copies in file cabinets—from which data can’t be extracted. Such storage facilities rarely contain complete records of all executed contracts, and even simple data like contract renewal notification and expiration dates are not tagged or automated. In such environments, contract terms and conditions don’t keep pace with changes to regulations and the business environment, and financial reporting and accounting concepts, such as unrecorded liabilities, contingencies, and financial commitments, exist but may not be understood or monitored.

To address such drawbacks, banks should do a complete inventory of critical relationships to ensure that they have a full record of all current contracts. The contracts should meet current regulatory and business requirements, and data within the contracts should be metatagged, meaning tagged with coding so it can be found with a search engine. Banks should consider establishing standard, required contract terms and using technology to track compliance. Increasingly, contracts are being moved into third-party risk management systems for a “single-book-of-record” view and improved risk management beyond basic compliance.

How do we identify all relevant third parties and manage the overall effort?
The potential universe of third parties in an organization can seem endless—from global companies to intercompany affiliates to mom-and-pop providers. On top of that, the potential universe of third parties is never constant. Companies regularly are onboarding and terminating third parties and expanding or reducing third-party services. While it is important to build data and artifacts (certificates of insurance, documentation of financial viability, or Service Organization Control reports, for example) that support a risk assessment at the third-party relationship level, it is easy to lose sight of the entire population of third-party relationships. Depending on how a bank defines third parties, that population could include franchisees, external salespeople and debt holders, among others. This is one area of risk management where completeness counts.

To make such a project manageable, banks should create a strategy and roadmap to systematically identify third parties using an inclusive definition. Banks should invest in the initial data-gathering phase and make it an enterprise-wide endeavor. Effective sources of relevant information include surveys conducted by the various lines of business, contract facilities and databases, accounts-payable systems, and legal counsel. The process needs to be sustainable or the population soon will become invalid. Banks should conduct an initial review of third-party relationships by identifying categories and potential risk factors to assist with prioritizing the evaluation. The project strategy and roadmap should start with the third parties that pose a higher risk. The project roadmap should include necessary activities and the timing and resource needs related to existing and future third-party due diligence and assessments.

Moving Forward
As financial institutions work to effectively comply with the regulatory guidance and manage the risks associated with third-party relationships, creating a strategy and roadmap will help achieve compliance and avoid an overly burdensome process.

Six Tips to Safely Sell Add-On Products

Financial services executives face a tough dilemma these days.

Most Americans are satisfied with their primary bank and eager to learn about additional products, according to a 2012 study conducted by the Banking Administration Institute. And it’s no secret that selling add-on products is a great way to increase loyalty, retention and ultimately, revenue. But offering add-on products in today’s regulatory environment can be like trying to keep your balance on a high-wire. How do you sell these products without jeopardizing your relationships with federal regulators?

The key is to sell products that benefit consumers such as credit monitoring, payment protection plans, car rental insurance and identity theft protection. In fact, credit score reporting services and identity theft alerts have the highest growth and revenue potential, according to the 2013 Growth and Revenue Potential of Emerging Financial Services study. The Market Rates Insight study found that credit score reporting has a 71.4 percent potential growth rate, while identity theft alerts have a 70.8 percent potential growth rate.

In addition, some add-on products—like credit monitoring—are not only good for your business, but they’re also good for the economy. Credit monitoring helps educate consumers about their credit reports and scores so they can work toward achieving—or keeping—high scores. This, in turn, makes them better candidates for loans and lines of credit, which not only helps your institution but also helps the economy when these individuals buy cars, homes or start a business.

Regulators, however, not only look at the add-on products, but they also look at how organizations market and service these products. Therefore, organizations need to be honest and forthright during the entire lifecycle of the product.

Below are six best practices for a safe and effective way to market and service add-on products.

  1. Transparency Tops the List
    This is of the utmost importance, as regulators continue to crack down on credit card companies and banks that employ deceptive and unfair marketing practices. To avoid punitive damage, companies need to make sure their marketing materials accurately and precisely describe their products. Marketing materials should be written clearly and designed in an easy-to-read format.
  2. Tread Lightly with Employee Incentive Programs
    It’s okay to offer employee incentive programs to sell add-on products but make sure these programs follow appropriate guidelines. Employees need to realize that honesty trumps incentives or commissions every time and they need to be monitored to make sure they abide by this ethical standard.
  3. Stir Customer Care into the Mix
    Customer care scripts and manuals need to be as transparent and easy to understand as your marketing materials. Be sure to conduct quality assurance reviews on a regular basis to assess scripts and training materials to make sure they are fair to your customers. Organizations should also conduct real-time monitoring of calls to make sure employees treat customers with respect.
  4. Cancellations Must Be Honored
    This is where some companies have gone awry. Cancellation requests should be handled in a manner that’s consistent with your product’s terms and conditions. Don’t mislead your consumers by advertising one thing and doing another. Cancellations should be handled with the same courtesy as enrollments.
  5. Keep a Watchful Eye on Affiliates
    Affiliates and third-party providers aren’t always accountable. After all, they may come and go, but your business is here to stay. If you hire third parties to handle marketing or other functions related to your add-on products, make sure they are held to the same standards as your in-house staff.
  6. Keep a Tight Lid on It
    In order to keep a tight lid on the lifecycle of your add-on products, you need a systematic program of controls, monitoring, auditing and documentation. By implementing a company-wide program you can ensure that everyone is on the same page and that you have documentation and controls in place for auditors and regulators.

Is It Worth It?
At a glance, implementing these measures may seem like a lot of work. But in reality, these measures should probably be implemented for your core products and services anyway, so including the add-ons shouldn’t be too demanding. Plus, the add-ons can add value to your products and help the economy at the same time. Taking care of consumers helps the economy, the longevity of your business, and it pleases regulators, so there is no reason not to do so.


Risks Surrounding New Products and Services and Third-Party Vendors

We advise our clients to read the speeches given by all of the bank regulators to get an early indication of what issues might be highlighted at their upcoming examinations, and to prepare accordingly. With the financial crisis hopefully in the rear view mirror, this year regulators seem to be emphasizing issues surrounding risk management. Of particular concern seems to be the establishment of new products and services and the oversight of third-party vendors, which are topics that both Rick Warren of Crowe Horwath LLP and I will discuss at the upcoming Bank Audit & Risk Committees Conference.

As banks explore new products and services to help improve their earnings, and as the number and complexity of their third-party relationships increases, regulators are becoming concerned that risk management is not keeping pace. In response, the OCC recently issued its “Third-Party Relationships” guidance and the Federal Reserve issued its “Guidance on Managing Outsourcing Risk.” These were in addition to the FDIC’s existing “Guidance for Managing Third-Party Risk” and the OCC’s 2004 guidance, “Risk Management of New, Expanded, or Modified Bank Products and Services.” Through these documents and others, the agencies are conveying their collective concern that new products and services and vendor relationships could significantly impact banks’ operational, compliance, reputation, strategic and credit risk profiles. Accordingly, directors and senior management should understand that there are now heightened expectations in those areas, and not just for the largest institutions.

General Requirements
To place this issue in proper context, the establishment of new products and services and the monitoring of third-party vendors should be handled in a risk-based manner. A bank’s arrangement with its snow plow vendor will not require the same amount of scrutiny as its relationship with its core processor. Banks are expected to employ more comprehensive and rigorous oversight and management resources in those areas where there is significant risk of major customer impact, resource investment, or operational disruption.

New Products and Services
Regulators expect banks to engage in a rigorous and deliberative process when establishing new products and services. This process should involve all relevant stakeholders within the organization, including directors, and include the following elements:

  1. Due diligence. All risks associated with the new product or service should fit within the bank’s overall business strategy and risk profile.
  2. Risk management controls and processes. Policies, procedures, information and reporting systems, audit and compliance should all be adapted to the implementation of the product or service.
  3. Performance monitoring. Ongoing monitoring systems should be established to ensure that the product or service continually meets applicable expectations.

Third-Party Vendor Management
The regulatory agencies consistently discuss an effective third-party vendor risk management process involving a continuous cradle-to-grave “life cycle,” rather than a static analysis that is applied only at the inception of the relationship. This approach should include:

  1. Appropriate planning. Conduct a thorough cost-benefit analysis and assess the impact of the relationship throughout the bank’s operations.
  2. Due diligence and third-party selection. Ensure that the vendor has the requisite experience, reputation, financial capabilities and security systems.
  3. Contract negotiation. Embed into contracts important provisions such as those relating to appropriate responsibilities, performance measures, indemnification, contingency plans and dispute resolution.
  4. Ongoing monitoring. Dedicate employees with sufficient experience and expertise to oversee and monitor the vendor, commensurate with the level of risk and complexity of the relationship.
  5. Termination. Plan to ensure that relationships terminate in an efficient and seamless manner, either through discontinuance or migration of the responsibilities to another provider or to the bank itself.
  6. Oversight and accountability. Commit appropriate oversight resources from the board level through senior management to employees who manage third-party relationships on a daily basis.
  7. Documentation and reporting. Create an effective system to inventory all third-party relationships and report findings appropriately throughout the bank.
  8. Independent review. Ensure that periodic reviews are conducted by internal auditors or an independent third party and that the results are reported directly to the board.

It has become clear over the last few months that examiners are increasingly asking more probing questions regarding new products and services and third-party vendor risk. Judging by the corrective and punitive enforcement actions being issued or threatened by regulators, banks should be prepared to give good answers to those questions, or risk serious consequences.