Reviewing Recent Bank Guidance on Third-Party Risk

Financial institutions are increasingly ramping up partnerships with third-party organizations that offer technologies that create efficiencies or add new banking products to drive revenues.

As these partnerships increase, the risk to the banking system is also increasing. In June, the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve and the Office of the Comptroller of the Currency released finalized interagency guidance over third-party risk management practices that financial institutions must consider when entering into business arrangements with third parties.

Two notable differences from the guidance initially proposed in 2021 are the need for financial institutions to establish a complete inventory of all third-party relationships and a call out of relationships with fintech organizations that interact directly with an institution’s customers.

The principles-based guidance allows institutions to look at their third-party relationships using a risk-based approach. Higher-risk activities, including critical activities, should receive more comprehensive and diligent oversight from management. Smaller community and regional banks will likely have more work to do to follow this guidance, which will be particularly relevant for institutions with significant fintech relationships.

The guidance provides five key points that institutions should integrate into their risk management procedures over the entire life cycle of a business arrangement with a third party.

1. Planning: Before conducting business with a third party, banks must create a plan to determine the type of risk and related complexities involved. Once the institution identifies such risks, it can design and establish necessary mitigation techniques.

The guidance specified that to understand the risks associated with a third party, an institution should carefully consider the following in the planning process:

  • The strategic purpose of the arrangement.
  • Benefits and risks of the relationship.
  • The volume of transactions involved.
  • Related direct and indirect costs.
  • The impact of the relationship on employees and customers.
  • The physical and information security implications.
  • Monitoring the third party’s compliance with laws and regulations.
  • Ongoing oversight of the relationship.
  • Potential contingency plans.

Once an institution fully evaluates all factors, it can build a risk matrix to visualize whether the exposure involved in the relationship would be within the institution’s risk tolerance levels.

2. Due diligence: The new guidance states that the level of due diligence an institution needs to perform on a third party should be proportionate to the risk associated with the potential relationship. Where the arrangement points to greater complexities or higher risk to the bank, the bank should deploy more thorough due diligence procedures. No matter the arrangement, institutions need to evaluate their ability to identify, assess, monitor and mitigate risks that arise.

If a financial institution is unable to perform appropriate due diligence on a prospective third party, and has not identified proper alternatives to support the relationship, the bank will likely need to forgo the relationship.

3. Contract negotiation: Important to any third-party relationship is negotiating a contract that allows the bank to perform continuous and effective risk management practices. If there is difficulty in negotiating these aspects with the third party, the institution needs to analyze the related risk and weigh whether it is acceptable to enter into a relationship.

Importantly, the board of directors should be aware of negotiations in order to discharge its oversight responsibilities, whether through direct involvement or updates from an approved negotiating delegate.

4. Ongoing monitoring: Ongoing monitoring is imperative as institutions navigate a rapidly changing banking environment. Establishing techniques or mechanisms to track the risk landscape and identify emerging risks is just as important to monitoring as a cadence of regular reviews of current risks.

The agencies did not outline “any specific approach to ongoing monitoring. Rather, the guidance continues to state that a banking organization’s ongoing monitoring, like other third-party risk management processes, should be appropriate for the risks associated with each third-party relationship, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”

5. Termination: Lastly, if an institution has decided the relationship has run its course, an efficient and timely termination is beneficial. The institution should consider transitioning any service provided through the relationship to another third party or bringing it in-house.

Governance
The regulators also highlighted three critical governance practices for such relationships.

  • Oversight and accountability: The board of directors is ultimately responsible for the oversight of third-party risk management. This includes providing management with guidance on the risk appetite to enter into third-party relationships, as well as approving management policies and procedures.
  • Independent reviews: The guidance calls out the need for independent, periodic reviews that assess the adequacy of the third-party risk management process, including whether management’s processes, procedures and controls are adequate and operating effectively.
  • Documentation and reporting: Institutions will need to thoroughly document their third-party risk management processes, procedures and outcomes of related independent reviews.

Risk management necessitates perpetual enhancement. As institutions continue to partner with third parties to offer new capabilities, remaining vigilant by incorporating the five key points from the guidance is essential. These techniques help safeguard the stability, trust and sustainability of the financial services industry.

A version of this article originally appeared on RSM US.

Considerations for Post-CECL Adoption

Over the last 10 years, banks have discussed and debated the current expected credit loss, or CECL, accounting standard. Many of the larger banks adopted the standard in 2020, with the majority of smaller banks adopting on Jan. 1, 2023.

While the industry has adopted CECL, here are some items to consider in 2023 to position your institution for success in your next regulatory exam or external audit.

Prepare a CECL Adoption “Package”
When your regulators and auditors arrive in 2023, they will likely ask about your CECL implementation process. One way to address their questions is to prepare a package that includes:

  • Board-approved allowance for credit losses, or ACL, policy.
  • The initial adoption calculation.
  • The consideration of unfunded commitments, which are recorded as a liability on the bank’s balance sheet, and debt securities, both available-for-sale and held-to-maturity.
  • The bank’s narrative that supports its CECL calculation, which should include a summary of the selected model and methodology, assessment of qualitative factors and forecasting and a summary of any individually evaluated loans.
  • The initial adoption journal entry, a reconciliation to your CECL calculation and documentation of a review and approval of the journal entry.
  • Third-party vendor management documentation and CECL model validation.

Third-Party Vendor Management
If your bank is using a third-party vendor for its CECL calculation, be sure to document the vendor management considerations over this calculation annually in accordance with your bank’s vendor management policies and your primary regulator’s guidance.

Make sure this documentation includes procedures the bank has taken to gain comfort over the third party’s calculation, obtaining a service organization controls (SOC) report for the calculation and a CECL model validation for the third-party calculation. Your institution may need to get support from the vendor to assist with articulating the math behind the calculation and a recalculation of the ACL on an individual loan basis.

Perform Back Testing in 2023
As the bank’s CECL model “ages” in 2023, management should document back testing of the model to verify it is functioning as expected. Back testing can aid the bank in understanding the model and how estimates and varying economic results impact it.

As your bank develops its back testing procedures, consider comparing estimated data points to actual results, including prepayment speeds, loan charge-offs and recoveries, economic data points and loan balances. Additionally, management should consider sensitivity or stress testing of the model, including analysis of various scenarios or assumptions and their impact on loss estimates.

Add CECL to the 2023 Internal Audit Plan
The CECL model, like the historic incurred loss model, should be subject to the bank’s internal audit plan. This internal audit program can include reviewing the policies and procedures, gaining an understanding of the model, reviewing the assumptions in the model for reasonableness and consistency with other assumptions and reviewing the model access. It should also include procedures to verify calculations are appropriately reviewed by management and governance.

CECL Model Validation
As bank regulators discussed in the 2020 interagency policy statement on allowances for credit losses, model validation is an essential element of a properly functioning process for a bank and should be completed annually. According to the interagency statement, validation activities for a bank include evaluating and concluding on the conceptual soundness of the model (including developmental evidence), performing ongoing monitoring activities (including process verification and benchmarking) and analyzing model output.

The CECL model validation, which is a frequently overlooked part of CECL implementation, should be performed by an individual or firm that is independent from the model’s design, implementation, operations and ownership. Additionally, the interagency statement states the external auditor of the bank may impair independence if they also perform the CECL model validation.

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader.

Optimize Fintech Spending With 3 Key ROI Drivers

Bankers are evaluating their innovation investments more closely as customer expectations continue to skyrocket and margins shrink. Technology spending shows no sign of slowing any time soon. In fact, Insider Intelligence forecasts that U.S. banks’ overall technology spending will grow to an estimated $113.71 billion in 2025, up from $79.49 billion in 2021.

The evolution of the fintech marketplace is challenging banks to strategically choose their next fintech project and calculate the return on those investments. How do they ensure that they’re spending the money in the right places, and with the right providers? How can they know if the dollars dedicated toward their tech stack are actually impacting the bottom line? They can answer these key questions by evaluating three key ROI drivers that correlate with different stages of the customer journey: acquire, serve and deepen or broaden.

The first ROI driver, acquire, relates to investments focused on customer acquisition that are often the main focus of new technology initiatives — for good reason. Technology that supports customer acquisition, such as account opening or loan origination, makes bold claims about reducing abandonment and driving higher conversion rates. However, these systems can also lead to a disjointed user experience when prospects move between different systems, each with their own layout and aesthetic.

When bankers search for solutions that improve customer acquisition, they should ensure the solution provides the level of flexibility required to meet and exceed customer expectations. A proof of concept as part of the procurement process can help the bank validate the claims made by the fintechs under consideration. Remember: A tool that is more configurable on the front end likely requires more up-front work to launch, but should pay dividends with a higher conversion rate. A style guide that describes the bank’s design principles can help implementation go more smoothly by ensuring new customers enjoy a visually consistent, trustworthy onboarding experience that reinforces their decision to open the account or apply for the loan.

The next ROI driver, serve, is about critically evaluating customer service costs, whether that’s achieved through streamlining internal processes, integrating disparate systems or empowering customers with self-service interfaces. While these investments are usually aimed at increasing profitability, they often contribute to higher customer satisfaction.

An often-overlooked opportunity is to delegate and crowdsource content through nonbank messaging channels, like YouTube or Reddit. A Gartner study found that millennials and Gen Z customers prefer third-party customer service channels; some customers even reported higher satisfaction after resolving their issue via outside channels. A majority of financial services leaders say they are challenged to provide enough self-service options for customers; those looking to address that vulnerability and improve profitability and customer satisfaction may want to explore self-service as a compelling way to differentiate.

The final ROI driver is about unlocking growth by pursuing strategies that deepen or broaden your bank’s relationships with existing customers while expanding the strategic core of the company. A study by Bain & Co. evaluated the effectiveness of different growth moves performed by 1,850 companies over a five-year period. Researchers found six types of growth strategies that outperformed: expand along the value chain, grow new products and services, use new distribution channels, enter new geographies, address new customer segments and finally, move into the “white space” with a new business built around a strong capability.

The key to any successful innovation initiative is to view it not as a one-time event, but rather as a discipline that becomes central to your institution’s strategic planning. Bain found that the average company successfully launches a new growth initiative only 25% of the time. However, that rate more than doubles when organizations embrace innovation as a cyclical process that they practice with rigor and discipline.

As your bank seeks to better prioritize, optimize and evaluate its fintech investments, carefully considering these three key ROI drivers can help identify where the greatest need stands. This will ensure your institution’s valuable technology dollars and employee efforts are spent wisely, both for the benefit of the customer and for growth of the bottom line.

Core Processing? Find the Aces Up Your Sleeve

Outsourced core processing usually represents regional and community banks’ most significant — and most maligned — contractual relationship. Core technology is a heavy financial line item, an essential component of bank operations and, too often, a contractual minefield.

But contrary to popular belief, it is possible for banks to negotiate critical contractual issues with core processing providers. No matter their size, banks can negotiate both the business and legal terms of these agreements. Technology consultants and outside legal counsel can play impactful, complementary roles to help level the playing field. Be certain that your bank is well advised and allocating adequate resources to these matters.

Critical Contractual Issues
From a legal angle, we at BFKN routinely look at and comment on dozens of separate points in a typical agreement — some of which are of critical importance as the arrangement matures. We have favorably revised termination penalties, service levels and remedies, the definition and ownership of data, caps on annual fee increases, limitations of liability, information security and business continuity provisions, ongoing diligence and audit rights, deconversion fees and the co-termination of all services and products, among many other items.

Exclusivity provisions, which prevent banks from securing competing products without incurring penalties, are also a focus for many organizations seeking to futureproof their core processing; a vendor reserving exclusivity, whether outright or through volume minimums, can hinder the bank’s ability to innovate.

Engaging External Resources
Banks are generally at a disadvantage in vendor contract negotiations, given that vendors negotiate their forms frequently against many parties and banks do not. Fortunately, there is a robust industry of technology consultants, of varying degrees of competence and quality, that work specifically in the core processing and technology vendor space. Most banks should engage both technology consultants, which can tackle the practical and business angles of the vendor relationship, and outside legal counsel, to focus on legal and regulatory concerns.

When considering whether to bring in outside advisors, executives at institutions considering a change in their vendor or approaching a renewal or significant change in their core processing services should ask the following questions:

  • Has the bank thoroughly evaluated its existing relationship and potential alternatives?
  • Would it be helpful to have an outside consultant with a perspective on the current market review the key business terms and pricing considerations?
  • Is the bank confident that the existing agreement sufficiently details the parties’ legal rights and responsibilities? Could it benefit from an informed legal review?
  • If considering an extension of an existing relationship, can any proposed changes be addressed sufficiently in an amendment to the existing contract, or is it time for a full restatement (and a full review) of the documentation?
  • Are there strategic considerations, such as a potential combination with another entity or the exploration of a fintech venture, that may raise complex issues down the line?

Leveraging Internal Resources
Dedicating the right internal resources also helps banks ensure that they maximize their leverage when negotiating a core processing agreement. As a general matter, directors and senior management should have an ongoing familiarity with the bank’s vendor relationship. For many, this can seem a Herculean task. Core processing contracts often span hundreds of pages, and terms are gradually added, dropped and altered through overriding amendments. Nevertheless, by understanding, outlining and tracking key contractual terms and ongoing performance, directors and senior management can proactively assess the processor and appraise its limitations.

This engagement can result in better outcomes. Are there any performance issues or problems with the bank’s current vendor? If a provider is falling short, there may be alternatives. Diverse technology offerings are introduced to the market continually. Of course, establishing a new relationship can be a painstaking process, and there are risks to breaking with the “devil you know.” Yet we are having more conversations with banks that are exploring less-traditional core technology vendors and products.

Short of a wholesale switch of vendors and products, it is possible for banks to negotiate for contractual protections against a vendor’s limitations. And even if senior management takes the lead in negotiating against the vendor, directors can play a valuable role in the negotiation process. We’ve seen positive and concrete results when the board or a key director is engaged at a high level.

If it’s time to start negotiating with a core processing provider, don’t leave your chips on the table. Fully utilizing both internal and external resources can ensure that the bank’s core processing relationship supports the bank for years to come.

Effective Oversight of Fintech Partnerships

For today’s banks, the shift to digital and embracing financial technology is no longer an option but a requirement in order to compete.

Fintechs enable banks to deploy, originate and service customers more effectively than traditional methods; now, many customers prefer these channels. But banks are often held back from jumping into fintech and digital spaces by what they view as insurmountable hurdles for their risk, compliance and operational teams. They see this shift as requiring multiple new hires and requiring extensive capital and technology resources. In reality, many smaller institutions are wading into these spaces methodically and effectively.

Bank oversight and management must be tailored to the specific products and services and their related risks. These opportunities range in sophistication from relatively simple referral programs between a bank and a fintech firm, which require far less oversight, to banking as a service (often called BaaS), which requires extensive oversight.

A bank’s customized third-party oversight program, or TPO, is the cornerstone of a successful fintech partnership from a risk and compliance perspective, and should be accorded appropriate attention and commitment by leadership.

What qualifies as an existing best-in-class TPO program at a traditional community bank may not meet evolving regulatory expectations of a TPO that governs an institution offering core products and services through various fintech and digital partners. Most banks already have the hallmarks of a traditional TPO program, such as reviewing all associated compliance controls of their partner/vendor and monitoring performance on a recurring basis. But for banks with more exposure to fintech partners, their TPO needs to address other risks prior to onboarding. Common unaccounted-for risks we see at banks embarking on more extensive fintech strategies include:

  • Reviewing and documenting partners’ money transmission processes to ensure they are not acting as unlicensed money transmitters.
  • Reviewing fintech deposit account setup procedures.
  • Assessing fintech partner marketing of services and/or products.
  • Ensuring that agreements provide for sufficient partner oversight to satisfy regulators.
  • Procedures to effectively perform the protocols required under the Bank Secrecy Act, anti-money laundering and Know Your Customer regulations, and to capture that information within the bank’s systems of record. If the bank relies on the fintech partner to do so, implementing an assessment and oversight process for the fintech’s program.
  • Assessing the compliance and credit risks associated with fintech partner underwriting criteria such as artificial intelligence, alternative data and machine learning.
  • Assessing the impact of the fintech strategy on the bank’s fair lending program and/or Community Reinvestment Act footprint.
  • The potential risk of unfair, deceptive or abusive acts or practices through the fintech partner’s activities.
  • True lender risks and documenting the institution’s understanding of the regulations surrounding the true lender doctrine.
  • Assessing customer risk profile changes resulting from the expansion of the bank’s services and/or products and incorporating these changes into the compliance management system.
  • Revising your overall enterprise risk management program to account for the risks associated with any shift in products and services.

Finally, regulators expect this shift to more fintech partnerships to become the norm rather than the exception. They view it as an opportunity for banks to provide greater access to products and services to the underbanked, unbanked and credit invisible. Over the last couple of years, we have seen a number of resources deployed by bank regulators in this space, including:

  • Regulators creating various offices to address how banks can best utilize data and technology to meet consumer demands while maintaining safety, soundness and consumer protection. The Federal Deposit Insurance Corp. has built FDITECH, the Office of the Comptroller of the Currency has an Office of Innovation, as does the Federal Reserve Board. The CFPB has aggregated its efforts to deploy sandboxes and issue “No-Action Letters” through its own Innovation Office.
  • The Federal Reserve issued a guide for community banks on conducting due diligence on financial technology firms in August 2021.
  • OCC Acting Comptroller Michael Hsu gave remarks at the Fintech Policy Summit 2021 in November 2021.
  • In November 2021, the OCC issued a release clarifying bank authority to engage in certain cryptocurrency activities, as well as the regulator’s authority to charter national trust banks.

Adopting best practices like the ones we listed above, as well as early communication with regulators, will place your bank in a great position to start successfully working with fintechs to expand and improve your bank’s products and services and compete in today’s market.

Three Tips to Manage Third-Party Cybersecurity Risk

Third-party vendors enable community banks to deliver essential products and services to consumers, but they can also be a weak link in their cybersecurity strategy.

The events of 2020 have made it imperative for banks to focus on protecting their employees, consumers and valuable assets — making cybersecurity a persistent priority for executive management. Ransomware has escalated at an alarming rate, leading community banks to engage even more with managed security service providers to strengthen their cybersecurity strategies. Given the critical nature of omnipresent cybersecurity and the continuous dependency on third-party providers, here are some practical tips for managing third-party risk in your cybersecurity strategy.

1. Collaborate Across Your Institution
It’s common to have a dedicated vendor management team or department at community banks, but it’s important to avoid a silo mentality when dealing with risk. Know your bank’s risk appetite and make sure everyone involved in risk management knows it as well.

Evaluate third parties against that appetite. Vendor assessments are critical to ensure your business will reap the benefits of the services you expect to receive.

Document third-party products and services in your environment. Update operational, IT and cybersecurity policies, as well as business continuity plans to include your vendors, outlining their roles and responsibilities — especially in the event of an outage, incident, or disaster.

2. Due Diligence is Key
Ensure your bank has a detailed process for evaluating third parties prior to signing contracts. One good way to prevent a third-party cyber incident is to ensure third parties have strong cybersecurity programs. The Federal Financial Institutions Examination Council states, “Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”

Establish how your bank’s data is handled to protect the privacy of your employees and customers. Who owns the data and who has access to it? How long will data be retained? What happens to data if you terminate your contract? Make sure the bank documents data ownership and management in its third-party contracts. A data breach caused by a third party can endanger customer privacy and violate data privacy laws, including the General Data Protection Regulation and California Consumer Privacy Act.

3. Trust but Verify
It’s important to ensure that services continue to perform as expected after determining the need for third-party services and conducting due diligence to ensure the best fit. The phrase “trust but verify,” while originally used in a political context, is often used to describe this practice in vendor management.

Periodically review the bank’s vendors to ensure they’re meeting the obligations set in the Service Level Agreements (SLAs), which can help address issues before an incident occurs. If appropriate, the board should consider engaging an independent provider to audit, monitor or alert the bank to any issues that could impact the vendor’s ability to meet its SLA.

Banks should consider supporting their vendor management strategy with technology solutions that can:

  1. Track vendors, subsidiaries, relationship owners, documentation and contacts.
  2. Perform vendor due diligence and analyze criticality, usage and spend.
  3. Deliver surveys and risk assessments to external third-party contacts.
  4. Manage contract review and renewals.
  5. Coordinate with legal, procurement, compliance and other functions.
  6. Monitor key vendor metrics via personalized dashboards and dynamic reports.

Third-party risk is an important component of any bank’s cybersecurity strategy and should align with its enterprise risk management and information security programs. Using a common risk framework that includes vendor management will promote collaboration, integration and visibility across the bank. Ultimately, the result is a reliable and consistent process that can help you protect and service your customers.

Nine Vendor Risk Management Tips for the Board

2017 is already proving to be a very difficult year for bank boards. While being on a board can be a rewarding experience, increasing regulatory pressures certainly don’t make the position and its corresponding responsibilities any easier.

One particular area of intense focus by the regulators is third-party risk management. Ultimately, the regulators have stated that it is your responsibility to ensure that you have a third-party risk program in place that addresses your vendors and the level of risk they pose.

Aside from potential enforcement actions and fines from the regulators, an inadequate third-party risk program can leave your institution ill-prepared or vulnerable to a host of issues. Worsening vendor financial performance could be an indicator of woes to come, such as poor customer service, bugs and issues with its system. Banks that auto-renew vendor contracts could miss a chance to re-negotiate old contracts.

Poor due diligence could mean partnering with a vendor that is damaging to your institution’s reputation. For example, if you don’t understand where customer complaints are coming from and why, regulators could question your ability to properly oversee and monitor your vendor’s performance and manage the corresponding impact on your customers.

While there will always be unforeseen issues you cannot avoid, having an effective third-party risk policy and program in place can ensure your full compliance with the guidance and help steer you to partnerships that will benefit your institution.

And, even when those unforeseen issues do occur, and they will, you’re better prepared to react in an effective and organized manner. To help, here are nine tips to keep you on the right path.

1. Read and understand the guidance from your primary regulator as it pertains to third-party risk management. There are key expectations clearly identified in the guidance and they should give you ample fodder for asking your institution’s senior management team pertinent questions.

2. Set expectations and tone from the top. Make sure that from senior management all the way to the front-line customer service representatives, everyone understands his or her responsibilities when it comes to compliance with the rules, as well as how your organization wants to handle vendor-risk management.

3. Have your vendor risk management program thoroughly reviewed for any possible deficiencies and focus on areas that are often overlooked, such as fourth-party risk management or reviewing third parties’ procedures for complaint management.

4. Automate your third-party risk program. Most institutions have already moved away from Excel and other spreadsheet programs in favor of tools built to manage a complicated network of vendors and regulatory expectations.

5. Involve your internal audit department, compliance team and counsel in evaluating the effectiveness of the vendor management program.

6. Strongly consider making vendor management directly accountable to the board or the most senior risk committee at your institution. Firmly establish its independence from the various lines of business and ensure the needs of vendor management do not fall on deaf ears. Ensure that any issues raised, whether in the course of normal business or during examinations, are promptly and thoroughly addressed.

7. Invite the head of your vendor management program to report regularly at board meetings. A standard set of reports is adequate, but make sure that any concerns or significant issues are clearly called out and reflected in the minutes of the meetings.

8. Ensure those involved in vendor management have adequate resources, such as staffing and a high enough budget, as well as ample training and experience to do the job well. Seek outside independent expertise or outsource tasks where needed, particularly for highly technical items such as business continuity plan reviews or analysis of SSAE 18 reports (attestation standards issued by the American Institute of CPAs).

9. Ask pertinent questions and drill down when anything seems amiss. Use industry news, new regulations and enforcement actions as opportunities to view your own vendor management program through that lens and see if there are areas of concern that should be addressed.

The world of vendor management isn’t easy and your job as a director is incredibly complex and overwhelming at times. Fortunately, done well, vendor risk management can also be a significant strategic advantage, allowing you to do business with well-managed companies in a compliant and cost-efficient manner.

Resources
Venminder Library
CFPB guidance 2016-02
FDIC FIL-44-2008
OCC Bulletin 2013-29
OCC Bulletin 2017-21
FFIEC Appendix J

The Three Top Reasons For Vendor Consolidation


Why should banks and credit unions consider consolidating their vendor relationships? Here are three top reasons why:

1. Save Time And Money
Banks and credit unions that reduce the number of their vendor partnerships can increase their operational efficiency and productivity. When an institution partners with multiple vendors, typically that means staff has to deal with multiple back-end systems, often accessing each system numerous times a day and struggling to keep abreast of all of the updates for every system. Sometimes, staff is even unnecessarily bogged down with having to deal with duplicative systems from multiple vendors.

Consolidating vendor relationships also can significantly reduce the amount of training for staff as well as for customers. Bank and credit union staff typically has to train customers on how to use vendors’ private-labeled portals, and that can be time-consuming, particularly if a financial institution uses multiple vendors with multiple portals. But if an institution uses the same vendor for multiple solutions that all have the same look and feel and the same technology, then training of both staff and customers is significantly reduced.

When banks and credit unions are able to negotiate fewer contracts, they can conduct less due diligence on potential vendors, as well as get more for their money by reducing the amount of monitoring and reporting required for risk and assessment compliance. On the other hand, having multiple contracts with multiple vendors adds even more burden to staff because they will also have to monitor different contract term dates for renewal, and then they’ll have to determine how one expiring contract could impact solutions from other vendors.

Furthermore, when a bank or credit union uses fewer vendors, the institution has more negotiating power because it concentrates more dollars with the remaining vendors. The higher the volume provided to a vendor, the more likely it is to offer its best pricing, resulting in lower costs.

2. Save On Vendor Due Diligence
Financial institutions are increasingly responsible for keeping up with the third-party vendor management requirements of the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Federal Reserve, and for state-chartered institutions, the requirements of state regulators.

For example, the FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008) provides four main elements of an effective third-party risk management process: risk assessment, due diligence in selecting a third party, contract structuring and review, and oversight. But today there is even more heightened scrutiny, as a number of high-profile security breaches of major vendors have caused regulators to make sure that financial institutions are actually taking all the necessary steps spelled out in the regulations, such as the IT handbook of the Federal Financial Institutions Examination Council (FFIEC).

Banks and credit unions can find it very time-consuming to conduct the proper due diligence and ongoing monitoring on each vendor. By partnering with one vendor, financial institutions can significantly reduce their compliance burden.

3. Help Customers
Consolidating vendors can enable banks to greatly elevate the experience for their customers, by providing a single platform that is easy to navigate. Banks may also have access to additional monitoring and reporting of customer activity to help prevent and detect fraud.

Vendor consolidation can provide substantial return on investment by saving time and achieving cost savings, as well as reducing regulatory burdens by providing the right monitoring and reporting to meet compliance requirements. Partnering with one vendor can not only save time and money and boost return on investment, but also enhance customer loyalty by elevating the user experience on the platform.

Why Banks Are Buying Design Firms


Within the past 18 months, two of the industry’s more innovative banks have made some seemingly odd acquisitions. McLean, Virginia-based Capital One Financial Corp., in October 2014, acquired Adaptive Path. The Spanish-based BBVA (Banco Bilbao Vizcaya Argentaria) acquired Spring Studio in April 2015. The common thread between these acquisitions? Both are San Francisco-based user experience and design firms.

Banks are seeing a critical need to improve customer experience, says Norm DeLuca, managing director of digital banking at Bottomline Technologies, a technology provider for commercial banks. He believes that changing consumer expectations and competition both within the industry and from fintech startups are contributing to a heightened focus on user experience. “One of the biggest differentiators that fintechs and new innovators lead with is a much simpler and [more] attractive user experience,” he says.

Customers increasingly identify their financial institution through their online experiences more than personal interactions, says Simon Mathews, chief strategy officer at San Francisco-based Extractable, a digital design agency. He believes that Capital One and BBVA found a way to more quickly improve the digital experience at their institutions. It’s a relatively new field, and good user experience designers aren’t easy to find. “What’s the quickest way to build a team? Go buy one,” says Mathews.

Design is only one piece of the puzzle. “Great design is important, but it really is only the tip of the iceberg on user experience,” says DeLuca.

A bank can’t expect to place a great design on top of outdated technology and create a good user experience, says Mathews. Data plays a key role. Customers with multiple accounts want to see their total relationship with the bank in one spot. That requires good, clean data, says Mathews.

The products and services offered by a financial institution need to be integrated. Can the customer easily manage and access separate products, such as loans and deposit accounts? Often, the process can be disjointed, and it’s a competitive disadvantage for the bank. “You might as well be buying from separate providers, if the experiences are separate,” says DeLuca.

Data analytics can also help banks personalize products and services for the customer, says Stephen Greer, an analyst with the research firm Celent. The industry is spending a lot on data analytics, “largely to craft that perfect customer experience,” he says.

While technology can be updated, organizational challenges are more difficult to overcome. Banks tend to operate within silos (deposit accounts in one area, wealth management in another), and that doesn’t align with the needs of the consumer. “They don’t think, necessarily, about the total experience the user has,” says Mathews. “Users move fluidly between [delivery] channels.”

Great user experience requires “a really deep understanding of customers’ lives, and the environment they’re in, and what they’re trying to do and why,” says Jimmy Stead, executive vice president of e-commerce at Frost Bank, based in San Antonio, Texas, with $28 billion in assets.

Many banks rely on vendors for their technology needs, but “if the user experience relies on the vendors that they’re working with, and those vendors have solutions that are not customizable, then it’s really hard for them to address the customer experience,” says Alex Jimenez, a consultant and formerly senior vice president of digital and payments innovation at $7.1 billion asset Rockland Trust Co., based in Rockland, Massachusetts.

According to a June 2015 poll of banks and credit unions conducted by Celent, more than one-third rely on the user experience supplied by the bank’s vendor for online banking, mobile and tablet applications, with minimal customization. Realizing the increasing importance of the online channel, Frost Bank decided to build its own online banking platform internally in 2000, and continues to manage its user experience in-house. The bank still works with vendors, but is picky when it comes to those relationships. “How can we integrate them seamlessly into our experience?” Stead says he asks of vendors.

Today, expectations are shaped by Apple and Amazon, companies that have done a great job of defining the consumer experience. While more innovative banks like BBVA and Capital One are making user experience a priority, many financial institutions don’t provide a cohesive digital experience, or let their website and mobile app lag behind consumer expectations.

“We can’t fall too much in love with what we have today,” says Stead. “Technology moves so fast.”

Getting Started With Third-Party Risk Management: Two Key Questions


Banks often outsource technology services to third-party vendors. In light of increased regulatory attention and third-party involvement in day-to-day business operations, many bank boards and senior management teams are considering their approach to developing a third-party risk management program. A thoughtful approach based on an initial assessment of the bank’s current state can result in better risk management and compliance that aren’t overly burdensome. Addressing two important questions will help begin the process of successfully launching an effective third-party risk management program.

Does our bank have a full inventory of its contracts and agreements?
While most banks have some type of contract management system, many typically use low-tech storage facilities—like databases of scanned copies or even hard copies in file cabinets—from which data can’t be extracted. Such storage facilities rarely contain complete records of all executed contracts, and even simple data like contract renewal notification and expiration dates are not tagged or automated. In such environments, contract terms and conditions don’t keep pace with changes to regulations and the business environment, and financial reporting and accounting concepts, such as unrecorded liabilities, contingencies, and financial commitments, exist but may not be understood or monitored.

To address such drawbacks, banks should inventory their critical relationships to ensure that they hold a complete set of current contracts. The contracts should meet current regulatory and business requirements, and data within the contracts should be metatagged, meaning tagged with coding in a web page so it can be found with a search engine. Banks should consider establishing standard, required contract terms and using technology to track compliance. Increasingly, contracts are being moved into third-party risk management systems for a “single-book-of-record” view and improved risk management beyond basic compliance.

How do we identify all relevant third parties and manage the overall effort?
The potential universe of third parties in an organization can seem endless—from global companies to intercompany affiliates to mom-and-pop providers. On top of that, the potential universe of third parties is never constant. Companies regularly are onboarding and terminating third parties and expanding or reducing third-party services. While it is important to build data and artifacts (certificates of insurance, documentation of financial viability, or Service Organization Control reports, for example) that support a risk assessment at the third-party relationship level, it is easy to lose sight of the entire population of third-party relationships. Depending on how a bank defines third parties, that population could include franchisees, external salespeople and debt holders, among others. This is one area of risk management where completeness counts.

To make such a project manageable, banks should create a strategy and roadmap to systematically identify third parties using an inclusive definition. Banks should invest in the initial data-gathering phase and make it an enterprise-wide endeavor. Effective sources of relevant information include surveys conducted by the various lines of business, contract facilities and databases, accounts-payable systems, and legal counsel. The process needs to be sustainable or the population soon will become invalid. Banks should conduct an initial review of third-party relationships by identifying categories and potential risk factors to assist with prioritizing the evaluation. The project strategy and roadmap should start with the third parties that pose a higher risk. The project roadmap should include necessary activities and the timing and resource needs related to existing and future third-party due diligence and assessments.
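The two questions above both come down to completeness: a contract inventory whose renewal and notice dates are tagged rather than buried in scanned copies, and a third-party population assembled from several internal sources (accounts payable, the contract database, line-of-business surveys). The following is an added example, not code from the original article or from any vendor-management product, showing one way to merge those sources into a single deduplicated inventory, surface vendors that are paid or in use but have no contract on record, and flag contracts whose notice deadline is approaching or that will auto-renew. All vendor names, amounts, dates and the simple two-level risk tiering are constructed assumptions for illustration.

```python
"""Merge third-party records from several internal sources into one inventory
and flag inventory gaps and upcoming contract deadlines.

Added example; all source records below are constructed, not real vendor data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample extracts from three of the sources the article names.
ACCOUNTS_PAYABLE = [
    {"vendor": "Acme Core Systems, Inc.", "paid_ytd": 420000},
    {"vendor": "acme core systems inc", "paid_ytd": 15000},  # same vendor, different spelling
    {"vendor": "Shred-It Local LLC", "paid_ytd": 3200},
    {"vendor": "Northwind Data Analytics", "paid_ytd": 88000},
]
CONTRACT_DATABASE = [
    {"vendor": "Acme Core Systems Inc", "expires": date(2018, 3, 31),
     "notice_days": 90, "auto_renew": True, "critical": True},
    {"vendor": "Shred-It Local LLC", "expires": date(2017, 12, 31),
     "notice_days": 30, "auto_renew": True, "critical": False},
]
LOB_SURVEY = [
    {"vendor": "Northwind Data Analytics", "business_line": "Marketing", "has_customer_data": True},
    {"vendor": "Coastal Cloud Backup", "business_line": "IT", "has_customer_data": True},
]


def normalize(name: str) -> str:
    """Canonical key for a vendor name: lowercase, drop punctuation and common
    corporate suffixes so 'Acme Core Systems, Inc.' and 'acme core systems inc' match."""
    key = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    key = re.sub(r"\b(inc|llc|ltd|corp|co)\b", " ", key)
    return " ".join(key.split())


@dataclass
class ThirdParty:
    display_name: str
    sources: set[str] = field(default_factory=set)
    paid_ytd: int = 0
    contract: dict | None = None
    has_customer_data: bool = False

    def risk_tier(self) -> str:
        # Assumed tiering: critical contracts and anything touching customer data are "high".
        if (self.contract and self.contract["critical"]) or self.has_customer_data:
            return "high"
        return "low"

    def findings(self, today: date, lookahead_days: int) -> list[str]:
        if self.contract is None:
            # Inventory gap: the vendor is paid or in use but no executed contract is on record.
            return ["no contract on record"]
        c = self.contract
        notify_by = c["expires"] - timedelta(days=c["notice_days"])
        if today > c["expires"]:
            return [f"contract expired on {c['expires']}"]
        if today >= notify_by:
            if c["auto_renew"]:
                return [f"inside notice window: auto-renews on {c['expires']} unless notice is given"]
            return [f"inside notice window: expires on {c['expires']}"]
        if (notify_by - today).days <= lookahead_days:
            return [f"notice deadline approaching: {notify_by}"]
        return []


def build_inventory(ap_rows, contract_rows, survey_rows) -> dict[str, ThirdParty]:
    """Fold every source into one record per normalized vendor name."""
    inventory: dict[str, ThirdParty] = {}

    def entry(name: str) -> ThirdParty:
        return inventory.setdefault(normalize(name), ThirdParty(display_name=name))

    for row in ap_rows:
        tp = entry(row["vendor"])
        tp.sources.add("accounts_payable")
        tp.paid_ytd += row["paid_ytd"]
    for row in contract_rows:
        tp = entry(row["vendor"])
        tp.sources.add("contract_database")
        tp.contract = row
    for row in survey_rows:
        tp = entry(row["vendor"])
        tp.sources.add("lob_survey")
        tp.has_customer_data = tp.has_customer_data or row["has_customer_data"]
    return inventory


def review(inventory: dict[str, ThirdParty], today: date, lookahead_days: int = 60) -> list[dict]:
    """Prioritized worklist: high-risk third parties first, each with its findings."""
    rows = [{"vendor": tp.display_name, "tier": tp.risk_tier(), "sources": sorted(tp.sources),
             "findings": tp.findings(today, lookahead_days)} for tp in inventory.values()]
    rows.sort(key=lambda r: (r["tier"] != "high", r["vendor"]))
    return rows


if __name__ == "__main__":
    for r in review(build_inventory(ACCOUNTS_PAYABLE, CONTRACT_DATABASE, LOB_SURVEY), date(2017, 12, 15)):
        print(f"{r['tier']:<5} {r['vendor']:<28} {', '.join(r['sources']):<40} {'; '.join(r['findings'])}")
```

The worklist deliberately starts from accounts payable and survey responses rather than from the contract file: a vendor that appears only in those sources is exactly the relationship the contract inventory missed, and the "no contract on record" finding is the completeness check the article asks for. Name normalization is intentionally crude; in a real exercise the merge keys would be tax IDs or vendor master IDs where the accounts-payable system carries them.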

Moving Forward
As financial institutions work to effectively comply with the regulatory guidance and manage the risks associated with third-party relationships, creating a strategy and roadmap will help achieve compliance and avoid an overly burdensome process.