Nine Vendor Risk Management Tips for the Board


2017 is already proving to be a very difficult year for bank boards. While being on a board can be a rewarding experience, increasing regulatory pressures certainly don’t make the position and its corresponding responsibilities any easier.

One particular area of intense focus by the regulators is third-party risk management. Ultimately, the regulators have stated that it is your responsibility to ensure that you have a third-party risk program in place that addresses your vendors and the level of risk they pose.

Aside from potential enforcement actions and fines from the regulators, an inadequate third-party risk program can leave your institution ill-prepared or vulnerable to a host of issues. Worsening vendor financial performance could be an indicator of woes to come, such as poor customer service and bugs and other issues with its systems. Banks that auto-renew vendor contracts could miss a chance to re-negotiate old contracts.

Poor due diligence could mean partnering with a vendor that is damaging to your institution’s reputation. For example, if you don’t understand where customer complaints are coming from and why, regulators could question your ability to properly oversee and monitor your vendor’s performance and manage the corresponding impact on your customers.

While there will always be unforeseen issues you cannot avoid, having an effective third-party risk policy and program in place can ensure your full compliance with the guidance and help steer you to partnerships that will benefit your institution.

And, even when those unforeseen issues do occur, and they will, you’re better prepared to react in an effective and organized manner. To help, here are nine tips to keep you on the right path.

Nine Vendor Risk Management Tips for the Board

1. Read and understand the guidance from your primary regulator as it pertains to third-party risk management. There are key expectations clearly identified in the guidance and they should give you ample fodder for asking your institution’s senior management team pertinent questions.

2. Set expectations and tone from the top. Make sure that from senior management all the way to the front-line customer service representatives, everyone understands his or her responsibilities when it comes to compliance with the rules, as well as how your organization wants to handle vendor-risk management.

3. Have your vendor risk management program thoroughly reviewed for any possible deficiencies and focus on areas that are often overlooked, such as fourth-party risk management or reviewing third parties’ procedures for complaint management.

4. Automate your third-party risk program. Most institutions have already moved away from Excel and other spreadsheet programs in favor of tools built to manage a complicated network of vendors and regulatory expectations.

5. Involve your internal audit department, compliance team and counsel in evaluating the effectiveness of the vendor management program.

6. Strongly consider making vendor management directly accountable to the board or the most senior risk committee at your institution. Firmly establish its independence from the various lines of business and ensure the needs of vendor management do not fall on deaf ears. Ensure that any issues raised, whether in the course of normal business or during examinations, are promptly and thoroughly addressed.

7. Invite the head of your vendor management program to report regularly at board meetings. A standard set of reports is adequate, but make sure that any concerns or significant issues are clearly called out and reflected in the minutes of the meetings.

8. Ensure those involved in vendor management have adequate resources, such as staffing and a high enough budget, as well as ample training and experience to do the job well. Seek outside independent expertise or outsource tasks where needed, particularly for highly technical items such as business continuity plan reviews or SSAE 18 analysis (the attestation standard issued by the American Institute of CPAs).

9. Ask pertinent questions and drill down when anything seems amiss. Use industry news, new regulations and enforcement actions as opportunities to view your own vendor management program through that lens and see if there are areas of concern that should be addressed.

The world of vendor management isn’t easy and your job as a director is incredibly complex and overwhelming at times. Fortunately, done well, vendor risk management can also be a significant strategic advantage, allowing you to do business with well-managed companies in a compliant and cost-efficient manner.

Resources
Venminder Library
CFPB guidance 2016-02
FDIC FIL 44 2008
OCC Bulletin 2013 29
OCC Bulletin 2017 21
FFIEC Appendix J

Avoiding Pitfalls in Your Bank’s Data Processing Agreement


A bank’s core processing agreement is often, by far, its most significant vendor agreement. These lengthy and complex agreements are commonly weighted heavily in favor of the vendor and can be rife with traps, such as steep change-in-control and early termination penalties. Nonetheless, many banks enter into core processing agreements without prior review by counsel, or even reading the agreement themselves. In the current regulatory environment, which stresses and scrutinizes vendor risk management and diligence, a bank’s failure to review and negotiate its core processing agreement could easily result in regulatory criticism, as well as unanticipated costs and potential liability.

In the past few years, the bank regulatory agencies have issued new or updated guidance related to vendor diligence and risk management. In those issuances, the regulators express concern that banks’ vendor risk management practices may be inadequate, citing instances in which management has failed to properly assess and understand the risks and costs of their vendor relationships. Regulators are concerned that banks may enter into agreements that are detrimental to the bank’s employees, customers or other stakeholders. Banks are expected to have risk management processes that correspond with the level of risk and complexity of their vendor relationships. Those processes include due diligence, careful vendor selection, contract negotiation, proper termination mechanisms and ensuring proper oversight. Regulators further expect banks to have more comprehensive and rigorous oversight of management of third-party relationships that involve critical activities, which may include significant bank functions, such as payments, clearing, settlements and custody, or significant shared services, such as information technology.

Regulators conducting bank examinations expect to see adequate risk management policies and procedures in place. Proper due diligence, negotiation, and oversight for data processing contracts should be integral to those procedures. Contrary to what many may think, the terms of data processing agreements are negotiable. Some of the most unfavorable terms may be eliminated simply by emphasizing the regulatory or business necessity for those changes during negotiations. Key terms to address in the negotiation process include termination provisions, regulatory provisions, audit rights and performance standards, among others.

A less obvious concern with core processing agreements arises in the context of a bank merger or acquisition. Steep termination fees in a data processing contract can change the economics of a bank acquisition transaction, making the selling bank a less attractive target and negatively impacting shareholder returns on the sale. It is typical for the initial proposal of a data processing agreement to include contract termination fees equal to roughly 80 percent of the remaining fees payable during the term of the contract. In most cases, these termination fees are negotiable, and data processing providers may be receptive to a graduated termination fee schedule, such that termination fees are less severe later in the term of the contract. In addition, termination fee calculations in core processing agreements are often complex. As such, it will be important for bank management to understand the practical implications of those calculations. Data processing providers will often attempt to recoup any past credits or rebates through the termination fee formula. Understanding and negotiating these termination provisions on the front end can save millions of dollars for the acquiring bank, and ultimately increase returns for the bank’s shareholders.

If your bank is considering a new data processing vendor, or reaching the expiration of your current term and considering renewing with your old vendor, you should work through your regulatory vendor risk management and due diligence checklists before entering into a new contract. We further encourage you to identify a dedicated team, with access to bank counsel, to review and negotiate any proposed agreement. If your institution is considering a future sale or other business combination transaction, then negotiating your data processing contract is of paramount concern. Ultimately, an ignored termination provision in your core processing agreement has the potential to undermine a potential merger or materially impair shareholder returns.